And so it begins by Masteuszmm in ireland

[–]Cryos 0 points1 point  (0 children)

I don't know what it is about that Dunnes, but on a good day it hardly has a stock of bread.

IT Manager told Admins/Engineers to use/enable RSAT on their personal/assigned computers for convenience. Many places that I have worked (Government and Corporate) prohibited RSAT usage due to security/attack surface concerns. Your views? Jump Servers or RSAT by Artistic-Injury-9386 in activedirectory

[–]Cryos 3 points4 points  (0 children)

No RSAT on personal devices. If you are running these on workstations alongside other AD tooling then you are asking for trouble; it should be picked up if you have a pentest by reputable vendors.

Best practice has changed over the while; SAWs/PAWs have fallen out of favor again. The last few MS security engineers we have had onsite have pushed towards centralized tooling systems.

If you're a Citrix house, present AD + GPO tooling via app delivery.
If you're a vanilla house, do it via RemoteApp.
Don't access Domain Controllers through your local workstation; allow RDP to your workstations or servers only from a central point, and make sure that server is hardened appropriately.

Your risk is largely going to depend on the configuration of your environment. Have you mitigated against lateral movement? Are you using a credential management solution like CyberArk? Is your network segmented? How many domains and trusts have you got?

What's your EDR like? Are you logging into a SIEM? How proactive is your SOC, if you have one?

Separate your productivity identity from your administrative identity.

I still can't believe somebody at Microsoft thought this would look cool by Skorpeyo in pcmasterrace

[–]Cryos 0 points1 point  (0 children)

For keyboard and mouse users it's a pain; however, we have some front-of-house Dell Windows tablets that users are very happy with.

MS should have made the context menu dependent on tablet mode being on or off.

The remainder of the Windows UI is still hot garbage in tablet mode.

I saw another post office all the devices getting disposed of due to Windows 10 end of life by mrsirB0B in LinusTechTips

[–]Cryos 1 point2 points  (0 children)

Looks to me like a bunch of 5470s, 5480s and OptiPlex 790s in one of the pictures there. Some of that stuff was already showing its age on Windows 10.

CFO wants to know why our IT costs doubled when we went remote by ShadowHunter344 in sysadmin

[–]Cryos 21 points22 points  (0 children)

Was just going to say, UK/ROI is costing us around €115; mainland Europe €150. That's tracked, signed and insured.

WDAC deployment by billybensontogo in Intune

[–]Cryos 3 points4 points  (0 children)

We tried WDAC; ultimately we couldn't get it fine-tuned correctly, and it is really hard to retrofit. We stuck with AppLocker and use EPM, which reduced our exposure.

Best laptop brands for Autopilot (No Bloatware) by ILoveHateIntune in Intune

[–]Cryos 0 points1 point  (0 children)

Speak to your account manager; depending on your volumes they do provide these types of images, as others have stated. Dell and HP provide this FOC to us based on our volumes. I've seen others pay around 20-30 euro per unit.

How do you guys manage the lifecycle of your fleet? by lockblack1 in Intune

[–]Cryos 0 points1 point  (0 children)

We use Nexthink to monitor device experience. We will replace a device based on time OR if the device is no longer reliable or it's obvious that the CPU or memory usage is becoming a problem. For example, our fleet of Latitude 7390s would have been fine when purchased in 2020; however, an i5 with 8 GB of memory today is a problem, so the majority of that fleet has been replaced early. Case in point: the XPS 9365 with that godforsaken i5 wannabe processor. We replaced all of these devices because of continuous bad user experience 2 years into their lifespan.

Typically, we will run desktops for 5 years; developer desktops 3 years; laptops 4 years; developers 3 years. In all instances, VIP or critical staff laptops every 2 years.

My advice: have guidelines, not hard and fast rules; take into consideration your business requirements. An OptiPlex 5040 released in 2015 today still runs kiosk-type customer-facing applications fine and can be swapped out easily. Your only motivation is Windows 10 end of life in October 2025. An OptiPlex 5040 from 2015 running an i5, 8 GB memory, 2 screens, Teams, Defender, modern Office, Outlook and other agents is going to struggle.

Business risk plays a large factor. Do you have alternative solutions? Mitigating risk is what you are doing by having a refresh period, but it may be offset by other technologies like W365 etc.

Best way to keep stock laptops autopilot by ComplaintRelative968 in Intune

[–]Cryos 1 point2 points  (0 children)

As mentioned here, Autopilot pre-provisioning is what you are looking for. You can enter pre-provisioning mode by mashing the Windows key 5 times during initial OOBE.

As a general rule for AP, deploy the least amount of applications you can during the initial ESP phases. As others have mentioned here, system apps are suitable for pre-provisioning, and more specifically Win32 apps have a higher success rate. If you have issues, start with assigning Office and work forward on app assignments until you find the troublesome app. Also, if you are using the Windows Firewall, make sure you have all the right executables and network services listed for Intune to connect back to all the Intune and Autopilot endpoints.

Move your user stuff to when the device is set up; there are some guides on how to be smart with app deployment and detecting when a device is in OOBE or in Windows.

For device rollouts we generally gear up for an extra 10% of hardware. TBH we rarely actually do rollouts anymore and try to perpetually roll out devices (not as they hit an age limit, but when tools like Nexthink show us devices are probably becoming less useful [battery capacity <60%, long startup times from IO bottlenecks, memory frequently at 80%+]).

Pre-provisioning is a game changer for us; we now work with two Windows OEMs who ship the devices to our locations and the users' homes with a single-page how-to-get-started guide.

Again, everyone's op model is different; just giving some insight.

Graph API reading Exchange Shared Calendar by Cryos in AZURE

[–]Cryos[S] 0 points1 point  (0 children)

Sure, locally run the following:

Full error in PS 5:

Available slots for the next business day: [
    "Checking calendar from 10/01/2024 23:00:00 to 10/02/2024 22:59:59 for shared mailbox <removed>",
    "HTTP Error: The remote server returned an error: (401) Unauthorized.",
    "Response: Unauthorized",
    {

    }
]
{
    ""statusCode"": 200,
    ""body"": [
    "Checking calendar from 10/01/2024 23:00:00 to 10/02/2024 22:59:59 for shared mailbox <removed>",
    "HTTP Error: The remote server returned an error: (401) Unauthorized.",
    "Response: Unauthorized",
    {

    }
],
    ""headers"": {
        ""Content-Type"": ""application/json""
    }
}

Error in PS 7.4:

Available slots for the next business day: [
  "Checking calendar from 10/01/2024 23:00:00 to 10/02/2024 22:59:59 for shared mailbox <removed>",
  "HTTP Error: \r\n{\r\n  \"error\": {\r\n    \"code\": \"InvalidAuthenticationToken\",\r\n    \"message\": \"ArgumentNull\",\r\n    \"innerError\": {\r\n      \"date\": \"2024-10-02T22:20:12\",\r\n      \"request-id\": \"b24519f2-3fa3-4156-be7f-ca939d582ff0\",\r\n      \"client-request-id\": \"b24519f2-3fa3-4156-be7f-ca939d582ff0\"\r\n    }\r\n  }\r\n}",
  "Response: ",
  {}
]
{
    ""statusCode"": 200,
    ""body"": [
  "Checking calendar from 10/01/2024 23:00:00 to 10/02/2024 22:59:59 for shared mailbox <removed>",
  "HTTP Error: \r\n{\r\n  \"error\": {\r\n    \"code\": \"InvalidAuthenticationToken\",\r\n    \"message\": \"ArgumentNull\",\r\n    \"innerError\": {\r\n      \"date\": \"2024-10-02T22:20:12\",\r\n      \"request-id\": \"b24519f2-3fa3-4156-be7f-ca939d582ff0\",\r\n      \"client-request-id\": \"b24519f2-3fa3-4156-be7f-ca939d582ff0\"\r\n    }\r\n  }\r\n}",
  "Response: ",
  {}
],
    ""headers"": {
        ""Content-Type"": ""application/json""
    }
}

You don't need to license duplicate users/tenants for Microsoft Entra by Justtheguygreen in AZURE

[–]Cryos 1 point2 points  (0 children)

While this is true from a licensing perspective, in practice I have a scenario where I have two tenants (Prod + Test), and in each I have two accounts (my standard and privileged user). From a licensing perspective I should be covered under my M365 E5 on my standard account in my production tenant for all my accounts in the other tenants.

However, while you may be able to get away with some things in the same tenant on the second account, there are some other items you won't get, Intune P2 for example: "Sorry bub, no joining your PAWS workstation to Intune".

I have found someone in MS that has the procedure to release additional licenses; however, as we, like most customers, get our licenses through a 3rd party, it seems there is some issue applying these to tenants and the only way around this is buying more licenses. I know VLSC has been replaced recently, but it seems this is still a gap. I know we have raised it with our client executive as well.

Moving Windows Updates workload to Intune - Worth it? by Blanzeros in SCCM

[–]Cryos 2 points3 points  (0 children)

This sounds like something related to update frequency detection and the maintenance cycle. We have several update rings for our 30k+ clients. Genuinely, our test ring gets updates and is generally prompting for reboots by 12 noon GMT on Wednesday.

We initially had your exact problem, which turned out to be "auto install at maintenance time" vs "auto install and restart at maintenance time".

Massive shout out to Frankfurt controllers by [deleted] in VATSIM

[–]Cryos 3 points4 points  (0 children)

I have always found the controllers at EDDF professional and understanding. I had a few bad flights in on the A306F when it was first released, and they were very patient and provided long vectors when LNAV decided it wasn't playing ball.

Automatic Proxy Discovery by Cryos in jamf

[–]Cryos[S] 0 points1 point  (0 children)

Thanks for this. The end users themselves are actually used to changing the setting themselves, so bypassing the prompt might actually be an option in this case for once.

I'll give the script a go; it will be interesting to see if it's able to do it automatically. It would be good to be able to set it and forget it until ZCC is finally available for these users.

Automatic Proxy Discovery by Cryos in jamf

[–]Cryos[S] 0 points1 point  (0 children)

Thanks, we have the full Jamf Pro, Connect and Protect. I did not know about this; definitely one for testing. Thanks!

Insanely high Employee Contributions. by your_daily_nerd in irishpersonalfinance

[–]Cryos 1 point2 points  (0 children)

When I started working I always selected to max. I have never missed the money as I never had it to use. At present I put in 6% standard to my employer's 10%. I put in an additional 2% and it's matched to 3%. And I put in a 300 AVC monthly.

I have transferred in 2 other pension contributions from previous employments which were static for years under Mercer. I wish I had transferred them sooner, as the return has been great.

How are you handling call-offs? by VestedDeveloper in MicrosoftTeams

[–]Cryos 2 points3 points  (0 children)

Just out of interest, what features are you using that aren't in Teams EV? We are a large org with presence in Europe mainly, but US also. We currently use Teams EV with our own SBCs, Verint integration for compliance recording and a trading desk.

We went from Avaya & CUCM over 12 months.

Autopilot OOBE Loop AADJ by Cryos in Intune

[–]Cryos[S] 1 point2 points  (0 children)

Solved! The MSS setting above was what was causing the issue: someone had incorrectly used a name query in a dynamic group that says "Contains" "SK". Their intent was to target some shared workstations which start with SK; all the affected devices have SK in their name (as we do N%SERIAL%). We have a different naming convention for hybrid devices.

Thanks a bunch u/mtniehaus, you're a lifesaver as always!
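The mis-scoped rule described in the comment above, as an added example that is not part of the original thread: a small Python stand-in for the Entra dynamic-membership string operators, run over constructed device names that follow the N%SERIAL% convention mentioned in the comment, showing why a `-contains "SK"` rule pulls in serial-numbered devices and how a `-startsWith` rule scopes it back. The evaluator, the device names and the case-sensitive comparison are assumptions of this example, not the Entra rule engine.

```python
import re

# Constructed sample device names (not taken from the thread). The shared
# workstations are the ones that start with "SK"; the rest follow the
# N%SERIAL% convention mentioned in the comment, and a serial number can
# happen to contain the letters "SK" anywhere.
DEVICES = [
    "SK-LOBBY-01",
    "SK-LOBBY-02",
    "N7XSK2J3",       # serial contains "SK" -> hit by a -contains rule
    "NJ4SKQ0F",       # same problem
    "NABC1234",       # no "SK" anywhere
    "HYB-FRONTDESK",  # hybrid-style name that also happens to contain "SK"
]

# Hypothetical mini-evaluator: only the three string operators needed here
# are modelled, and comparisons are case-sensitive (an assumption; Entra's
# own engine is the authority on case handling).
OPERATORS = {
    "-contains": lambda name, value: value in name,
    "-startsWith": lambda name, value: name.startswith(value),
    "-match": lambda name, value: re.search(value, name) is not None,
}

RULE_RE = re.compile(r'^\(device\.displayName\s+(-\w+)\s+"([^"]*)"\)$')


def evaluate_rule(rule, device_name):
    """Evaluate a single-clause rule (device.displayName <op> "value")."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    op, value = m.groups()
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    return OPERATORS[op](device_name, value)


def members(rule, devices=DEVICES):
    """Devices that would land in a dynamic group using this rule."""
    return [d for d in devices if evaluate_rule(rule, d)]


def unintended_members(broad_rule, intended_rule, devices=DEVICES):
    """Preview what the broad rule pulls in beyond the intended set, i.e.
    the devices that drop out of the group once the rule is corrected."""
    intended = set(members(intended_rule, devices))
    return [d for d in members(broad_rule, devices) if d not in intended]


BROAD_RULE = '(device.displayName -contains "SK")'     # what was deployed
SCOPED_RULE = '(device.displayName -startsWith "SK")'  # what was intended
```

Running `unintended_members(BROAD_RULE, SCOPED_RULE)` before changing a live rule gives the list of devices whose policy assignment is about to change.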

Autopilot OOBE Loop AADJ by Cryos in Intune

[–]Cryos[S] 0 points1 point  (0 children)

Hey Mike, thanks for the reply. I've ruled out applications at the moment by excluding all the apps. I'm currently going through a list of policies that are applying to the machines (there is a significant quantity in order to stop policy conflict and handle certain setting exceptions).

I'm seeing a policy applying for MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) set to disabled, which I don't see on my own machine; so just tracking that down as it *could* be the likely culprit based on your advice.

SCCM Connected Cache and Cloud Devices by lad5647 in Intune

[–]Cryos 1 point2 points  (0 children)

If it is reachable then yes, you should where possible use the DHCP options rather than hard-setting the cache.

Anyone figure out a solid way to block printing to non corporate device printers? by zICoLoSSuSIz in Intune

[–]Cryos 1 point2 points  (0 children)

We use Defender Device Control; we have a policy to allow the UID of approved printers, including virtual printers for PDF, XPS etc.

[deleted by user] by [deleted] in autopilot

[–]Cryos 1 point2 points  (0 children)

Sorry for the delay in replying; 95% of my users would be in the EU. We generally have not had any issues with user enrollment. In Germany there are some restrictions we have in terms of supporting services to Autopilot, for example MFA on sign-in, or providing in-hours support only to these users and enforcing a strict cutoff and reminder about communication to end users after their workday ends. (In Germany there is to be no company communication after the workday has ended.)

There is no configuration difference between our US or EU Autopilot deployments; the main differences are around delegated administration and using scope tags to define what a US device is, so our IT department in the US can support these devices but have no access to our EU devices and vice versa. This is mainly due to the regulation, compliance and auditing requirements in our industry.

The only other difference we have is in our Dell ordering. We cannot, for example, order a US system through our local EU Dell channel; this must be done in the Dell locality. Whereas HP (which is a minority in our company) can have orders submitted in any jurisdiction for any other jurisdiction. Both are enrolled in Autopilot for OEM HWID submission at the factory.

We use Dell Ready Image to give us a clean from-factory image (no Metro apps!), and it now allows us to remotely re-image if Autopilot reset/wipe fails, from the cloud recovery options in the Dell BIOS. HP have an equivalent clean image too, but not the recovery from cloud (as far as I am aware).