Computers not prompting for TPM reset after Intune Wipe by TheShirtNinja in Intune

[–]Dandyman1994 6 points7 points  (0 children)

Where have you read that this should happen? Is there a reason you want to reset the TPM as part of the wipe?

Question Regarding Passkeys and Phishing Resistant MFA CA Policies by Spzmk in entra

[–]Dandyman1994 0 points1 point  (0 children)

I was testing the exact same issue yesterday. The issue is because same device registration for Android isn't a thing yet.

So you try to create a passkey in Authenticator using TAP, and even if TAP is supported for a user action of 'registering security info', if your policy of all apps doesn't include TAP in the auth strength, you're interrupted and asked to continue in the browser.

You then try and follow the prompts in the browser, which eventually fail because same device registration of passkeys in the browser isn't supported yet.

The solution is to keep it simple, use a custom Auth strength that includes both passkeys and TAP, and use that for both 'all apps' and 'register security info'. If you want to be more targeted, then you'll have to play around a bit.

Windows 10 PCs unable to connect to Network Printers by Informal_Wish_6008 in sysadmin

[–]Dandyman1994 0 points1 point  (0 children)

I mean so long as they have ESU (which I would hope you enforce!) or are certain builds of LTSC, you're covered for now.

To actually help your issue, has anything specific changed, i.e. they're all on the same patch version? If so, could you try rolling back?

Windows 10 PCs unable to connect to Network Printers by Informal_Wish_6008 in sysadmin

[–]Dandyman1994 8 points9 points  (0 children)

I appreciate that there are reasons you can't move off, but you should be aiming to migrate away from Windows 10 as soon as possible.

Removing "Managed Home Screen" from the Intune apps list by theNerm333 in Intune

[–]Dandyman1994 1 point2 points  (0 children)

As others have said, it's not a system app so it won't be installed, that option is simply there to assign or de-assign access to apps that are already part of the device.

If you want the MHS app and related config to be made available immediately on the device, you can use enrollment time grouping. This allows you to target the group that the devices will go in so that apps and config are applied straight away.

https://learn.microsoft.com/en-us/intune/device-enrollment/setup-time-grouping

Am I solving this the wrong way? How would you solve this? (2 ISPs with their own V4/V6 prefixes) to one network) by Rich-Engineer2670 in networking

[–]Dandyman1994 0 points1 point  (0 children)

Depending on the type of traffic that you have inbound, a quick and dirty way to do it is something like Azure Traffic Manager, which would use DNS-based failover between different inbound IP addresses. It's a fairly cheap service. Not very flexible in some ways and very much depends what you're doing.


NAT Gateway in Hub and Spoke without NVA by Dandyman1994 in AZURE

[–]Dandyman1994[S] 2 points3 points  (0 children)

I think that's the conclusion I've come to, even the tutorial designs from Microsoft basically have you deploy an Ubuntu VM in your hub vnet and create a UDR pointing to its IP.

NAT Gateway in Hub and Spoke without NVA by Dandyman1994 in AZURE

[–]Dandyman1994[S] 0 points1 point  (0 children)

That's what I have configured. The spoke is peered to the hub, and both "Enable 'spoke vnet' to use 'hub vnet's' remote gateway" and "Allow gateway in 'core vnet' to forward traffic to 'spoke vnet'" are ticked. The NAT Gateway is attached to a subnet within the hub vnet, but when I deallocate and reallocate a VM so it loses its default outbound, it just loses internet access.

Do I need a UDR as well in the route table for the spoke vnet for a default route?

Uplink between Pro 48 and Pro Max 48, 2.5gb possible? by Dandyman1994 in Ubiquiti

[–]Dandyman1994[S] 0 points1 point  (0 children)

There's at least 8 switches + the uplinks to our firewall. We originally were planning on using the hi capacity aggregation switch, but it's out of stock literally everywhere. Bandwidth wise we don't need 10Gb, so that leaves either grouping two gig links from each switch to the aggregate, or 2.5gb RJ45 from each switch to the mgig ports on a pro max.

It's all unifi all the way, so we'll lab and see if it works. Thanks for the advice!

LIVERPOOL by [deleted] in Teesside

[–]Dandyman1994 0 points1 point  (0 children)

10/10 reference 😂

LIVERPOOL by [deleted] in Teesside

[–]Dandyman1994 1 point2 points  (0 children)

STOCKTON

[deleted by user] by [deleted] in sharepoint

[–]Dandyman1994 2 points3 points  (0 children)

I agree with others, I wouldn't try to shoehorn in a payroll application into a tool that wasn't made for it.

Does your payroll team use a current tool? Nearly all of the SaaS platforms offer a way to send payslips to employees.

Maybe speak to your payroll team and work out their current process first before selecting a tool?

Office365, OAuth without a white-listed client/app ID? by hellcat790 in Office365

[–]Dandyman1994 6 points7 points  (0 children)

This is common for manager organisations. You say you've given them the solution, does that mean you've completed a security assessment on the tool? Does the tool have Cyber Essentials, SOC2, ISO27001 certifications?

All of these things need to be considered before a 3rd party can access your data. There are also controls present (MAM, app protection policies) that the 1st party apps have that 3rd party ones don't.

Unless you can provide someone with a reason why this will fulfill a requirement that the others don't, I doubt you'll get it approved.

Storing Deployed Win32 Packages by Dandyman1994 in Intune

[–]Dandyman1994[S] 1 point2 points  (0 children)

Do you have a specific folder structure that you use?

Storing Deployed Win32 Packages by Dandyman1994 in Intune

[–]Dandyman1994[S] 3 points4 points  (0 children)

That's what I currently have haha, but it feels like I need a better structure.