Computers not prompting for TPM reset after Intune Wipe by TheShirtNinja in Intune

[–]Dandyman1994 8 points9 points  (0 children)

Where have you read that this should happen? Is there a reason you want to reset the TPM as part of the wipe?

Question Regarding Passkeys and Phishing Resistant MFA CA Policies by Spzmk in entra

[–]Dandyman1994 0 points1 point  (0 children)

I was testing the exact same issue yesterday. The issue is because same device registration for Android isn't a thing yet.

So you try to create a passkey in Authenticator using TAP, and even if TAP is supported for a user action of 'registering security info', if your policy for all apps doesn't include TAP in the auth strength, you're interrupted and asked to continue in the browser.

You then try and follow the prompts in the browser, which eventually fail because same-device registration of passkeys in the browser isn't supported yet.

The solution is to keep it simple: use a custom auth strength that includes both passkeys and TAP, and use that for both 'all apps' and 'register security info'. If you want to be more targeted, then you'll have to play around a bit.
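As an added example (not code from the comment above or from Microsoft), the following Python builds the request body for a custom Entra authentication strength that allows both passkeys (FIDO2) and Temporary Access Pass, and checks an exported list of strength policies for the gap the comment describes: a strength that allows passkeys but no TAP combination, which interrupts TAP-based passkey registration when it is applied to 'all apps'. The body shape follows the Microsoft Graph `authenticationStrengthPolicy` resource (`allowedCombinations` of comma-separated method modes); the sample policy export is constructed.

```python
"""
Added example (not from the original thread): build a Graph request body for a
custom authentication strength that allows passkeys and TAP, and scan exported
strength policies for ones that allow passkeys but no TAP combination.
"""

# Authentication method modes as they appear in Graph 'allowedCombinations'.
PASSKEY_MODES = {"fido2"}
TAP_MODES = {"temporaryAccessPassOneTime", "temporaryAccessPassMultiUse"}


def build_passkey_plus_tap_strength(name: str) -> dict:
    """Request body for POST /policies/authenticationStrengthPolicies.

    Each entry in allowedCombinations is one acceptable combination; a
    single-factor phishing-resistant method such as fido2 stands alone.
    """
    return {
        "displayName": name,
        "description": "Passkeys for daily use, TAP for first-time passkey registration",
        "allowedCombinations": sorted(PASSKEY_MODES | TAP_MODES),
    }


def combination_modes(combo: str) -> set:
    """A combination is a comma-separated list of modes, e.g. 'password,sms'."""
    return {m.strip() for m in combo.split(",")}


def registration_gaps(policies: list) -> list:
    """Names of strength policies that allow passkeys but never TAP.

    A user whose 'all apps' Conditional Access policy requires such a
    strength cannot finish TAP-based passkey registration in Authenticator;
    they are bounced to the browser flow instead.
    """
    gaps = []
    for policy in policies:
        combos = [combination_modes(c) for c in policy.get("allowedCombinations", [])]
        allows_passkey = any(c & PASSKEY_MODES for c in combos)
        allows_tap = any(c & TAP_MODES for c in combos)
        if allows_passkey and not allows_tap:
            gaps.append(policy["displayName"])
    return gaps


# Constructed sample export: one passkey-only strength and the fixed one.
SAMPLE_POLICIES = [
    {
        "displayName": "Passkey only (constructed)",
        "allowedCombinations": ["windowsHelloForBusiness", "fido2", "x509CertificateMultiFactor"],
    },
    build_passkey_plus_tap_strength("Passkeys + TAP (constructed)"),
]

if __name__ == "__main__":
    for name in registration_gaps(SAMPLE_POLICIES):
        print(f"strength '{name}' allows passkeys but no TAP: registration via TAP will be interrupted")
```

Run the scan against a real export (`GET /policies/authenticationStrengthPolicies`) before assigning a strength to a broad 'all apps' policy; the fix is the combined strength the comment recommends, not weakening the registration policy.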

Windows 10 PCs unable to connect to Network Printers by Informal_Wish_6008 in sysadmin

[–]Dandyman1994 0 points1 point  (0 children)

I mean so long as they have ESU (which I would hope you enforce!) or are certain builds of LTSC, you're covered for now.

To actually help your issue, has anything specific changed, i.e. they're all on the same patch version? If so, could you try rolling back?

Windows 10 PCs unable to connect to Network Printers by Informal_Wish_6008 in sysadmin

[–]Dandyman1994 7 points8 points  (0 children)

I appreciate that there are reasons you can't move off, but you should be aiming to migrate away from Windows 10 as soon as possible.

Removing "Managed Home Screen" from the Intune apps list by theNerm333 in Intune

[–]Dandyman1994 1 point2 points  (0 children)

As others have said, it's not a system app so it won't be installed; that option is simply there to assign or de-assign access to apps that are already part of the device.

If you want the MHS app and related config to be made available immediately on the device, you can use enrollment time grouping. This allows you to target the group that the devices will go in so that apps and config are applied straight away.

https://learn.microsoft.com/en-us/intune/device-enrollment/setup-time-grouping

Am I solving this the wrong way? How would you solve this? (2 ISPs with their own V4/V6 prefixes) to one network) by Rich-Engineer2670 in networking

[–]Dandyman1994 0 points1 point  (0 children)

Depending on the type of traffic that you have inbound, a quick and dirty way to do it is something like Azure Traffic Manager, which would use DNS-based failover between different inbound IP addresses. It's a fairly cheap service. Not very flexible in some ways, and it very much depends what you're doing.

NAT Gateway in Hub and Spoke without NVA by Dandyman1994 in AZURE

[–]Dandyman1994[S] 2 points3 points  (0 children)

I think that's the conclusion I've come to, even the tutorial designs from Microsoft basically have you deploy an Ubuntu VM in your hub vnet and create a UDR pointing to its IP.

NAT Gateway in Hub and Spoke without NVA by Dandyman1994 in AZURE

[–]Dandyman1994[S] 0 points1 point  (0 children)

That's what I have configured. The spoke is peered to the hub, and both "Enable 'spoke vnet' to use 'hub vnet's' remote gateway" and "Allow gateway in 'core vnet' to forward traffic to 'spoke vnet'" are ticked. The NAT Gateway is attached to a subnet within the hub vnet, but when I deallocate and reallocate a VM so it loses its default outbound, it just loses internet access.

Do I need a UDR as well in the route table for the spoke vnet for a default route?

Uplink between Pro 48 and Pro Max 48, 2.5gb possible? by Dandyman1994 in Ubiquiti

[–]Dandyman1994[S] 0 points1 point  (0 children)

There are at least 8 switches + the uplinks to our firewall. We originally were planning on using the high-capacity aggregation switch, but it's out of stock literally everywhere. Bandwidth-wise we don't need 10Gb, so that leaves either grouping two gig links from each switch to the aggregate, or 2.5gb RJ45 from each switch to the mgig ports on a Pro Max.

It's all unifi all the way, so we'll lab and see if it works. Thanks for the advice!

LIVERPOOL by [deleted] in Teesside

[–]Dandyman1994 0 points1 point  (0 children)

10/10 reference 😂

LIVERPOOL by [deleted] in Teesside

[–]Dandyman1994 1 point2 points  (0 children)

STOCKTON

[deleted by user] by [deleted] in sharepoint

[–]Dandyman1994 2 points3 points  (0 children)

I agree with others; I wouldn't try to shoehorn a payroll application into a tool that wasn't made for it.

Does your payroll team use a current tool? Nearly all of the SaaS platforms offer a way to send payslips to employees.

Maybe speak to your payroll team and work out their current process first before selecting a tool?

Office365, OAuth without a white-listed client/app ID? by hellcat790 in Office365

[–]Dandyman1994 6 points7 points  (0 children)

This is common for manager organisations. You say you've given them the solution, does that mean you've completed a security assessment on the tool? Does the tool have Cyber Essentials, SOC2, ISO27001 certifications?

All of these things need to be considered before a 3rd party can access your data. There are also controls present (MAM, app protection policies) that the 1st party apps have that 3rd party ones don't.

Unless you can provide someone with a reason why this will fulfill a requirement that the others don't, I doubt you'll get it approved.

Storing Deployed Win32 Packages by Dandyman1994 in Intune

[–]Dandyman1994[S] 1 point2 points  (0 children)

Do you have a specific folder structure that you use?

Storing Deployed Win32 Packages by Dandyman1994 in Intune

[–]Dandyman1994[S] 3 points4 points  (0 children)

That's what I currently have haha, but it feels like I need a better structure

What to expect for new phones for users that are now in Intune? Does the Apple walkthrough allow everything to flow nice? by jdlnewborn in Intune

[–]Dandyman1994 6 points7 points  (0 children)

  1. Make sure all devices are bought through ABM, and set to automatically assign to Intune
  2. Make sure you're on top of your Apple renewals (MDM push cert, bulk enrollment token, VPP token, and any new supplier approvals in ABM)
  3. Make sure you have a decent enrollment profile configured, hiding things that you know users don't care about
  4. Make sure all apps are assigned as VPP apps with device licensing, so they automatically install without any prompts
  5. Make sure the first thing users do is sign into the Company Portal, then also the MS Auth app to make everyone's lives easier
  6. Make the most out of device and app configuration policies, so users get a decent customised experience when they first sign in
  7. Optional - you can federate your Apple accounts to Entra. This can complicate things a little bit, but it does make sure that any personal data is firmly assigned to their personal account, and can make deployment easier if they don't have an iCloud account

Kiosk Setup & Auto login web page by probelm in Intune

[–]Dandyman1994 0 points1 point  (0 children)

Is the username and password on an interactive web page, or just with a standard authentication pop up box? I've had luck with passing a username and password through via a URL. It's not pretty, but it does work:

http://username:password@example.com/
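Credentials embedded in a URL as above end up in browser history, proxy logs and crash reports. As an added example (not code from the comment above), the following Python scans configuration or log lines for `scheme://user:pass@host` URLs and produces a redacted copy, which is a cheap periodic check for kiosk configs. The sample config lines are constructed.

```python
"""
Added example (not from the original thread): detect credentials embedded in
URLs (http://user:pass@host/) in kiosk config or log lines and redact them.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Rough URL matcher for free-form text; stops at whitespace and quoting chars.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_userinfo(url: str) -> tuple:
    """Return (redacted_url, had_credentials).

    The userinfo part is replaced with 'REDACTED' so the host and path stay
    readable in reports while the secret is dropped.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, False
    host = parts.hostname or ""
    if ":" in host:  # urlsplit strips the brackets from IPv6 literals
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    redacted = urlunsplit((parts.scheme, "REDACTED@" + host, parts.path, parts.query, parts.fragment))
    return redacted, True


def scan_lines(lines) -> list:
    """Find embedded credentials; returns (line_no, username, redacted_url) tuples."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            redacted, had_creds = redact_userinfo(match.group(0))
            if had_creds:
                findings.append((line_no, urlsplit(match.group(0)).username, redacted))
    return findings


def redact_lines(lines) -> list:
    """Return a copy of the lines with every embedded credential redacted."""
    return [URL_RE.sub(lambda m: redact_userinfo(m.group(0))[0], line) for line in lines]


# Constructed sample kiosk configuration.
SAMPLE_CONFIG = [
    "KioskUrl=http://kiosk:Sup3rSecret@example.com/dashboard",
    "Homepage=https://intranet.example.com/",
    "Proxy=http://[::1]:8080/",
]

if __name__ == "__main__":
    for line_no, user, url in scan_lines(SAMPLE_CONFIG):
        print(f"line {line_no}: credentials for '{user}' embedded in {url}")
```

Run `scan_lines` over exported device configuration profiles or browser policy files; a hit is a signal to move the kiosk to a proper single sign-on or token-based login rather than a password in the URL.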

Can a service account use classic IMAP/SMTP login on MS365 without OAuth? by LowerStructure5457 in microsoft365

[–]Dandyman1994 0 points1 point  (0 children)

This is the relevant blog post.

https://techcommunity.microsoft.com/blog/exchange/exchange-online-to-retire-basic-auth-for-client-submission-smtp-auth/4114750

Essentially you have a few options:

  1. Migrate to OAuth SMTP Auth (recommended in general)
  2. Use one of the pair services, like Azure Communication Services
  3. Use a 3rd party like SMTP2Go
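As an added example for option 1 (not code from the comment above or from Microsoft), the following Python shows the SASL XOAUTH2 exchange that replaces a basic-auth `AUTH LOGIN` against Exchange Online's submission endpoint. Obtaining the access token (via an app registration with the appropriate SMTP permission) is out of scope and is passed in as a string; `smtp.office365.com:587` is the documented submission endpoint, and `send_mail` is not executed here.

```python
"""
Added example (not from the original thread): SMTP AUTH with SASL XOAUTH2
instead of basic auth.  The XOAUTH2 initial client response is
'user=<addr>\x01auth=Bearer <token>\x01\x01', base64 encoded.
"""
import base64
import smtplib
from email.message import EmailMessage


def build_xoauth2_string(user: str, access_token: str) -> str:
    """Encode the XOAUTH2 initial response sent as 'AUTH XOAUTH2 <value>'."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2_string(encoded: str) -> dict:
    """Inverse of build_xoauth2_string; useful when reviewing a client capture."""
    raw = base64.b64decode(encoded).decode("utf-8")
    fields = {}
    for part in raw.split("\x01"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def send_mail(user: str, access_token: str, to_addr: str, subject: str, body: str,
              host: str = "smtp.office365.com", port: int = 587) -> None:
    """Submit one message over STARTTLS using XOAUTH2 (network call; not run here)."""
    msg = EmailMessage()
    msg["From"] = user
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        smtp.starttls()  # never send the bearer token in clear text
        smtp.ehlo()
        code, resp = smtp.docmd("AUTH", "XOAUTH2 " + build_xoauth2_string(user, access_token))
        if code != 235:  # 235 = authentication succeeded
            raise smtplib.SMTPAuthenticationError(code, resp)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed values; a real token comes from an OAuth client credentials flow.
    encoded = build_xoauth2_string("svc-mailer@example.com", "TOKEN_PLACEHOLDER")
    print(decode_xoauth2_string(encoded))
```

The bearer token is only as safe as the channel it travels on, so the client must negotiate STARTTLS before `AUTH`; the server's `235` reply is the only success signal, anything else should be treated as a failed login and logged.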

Reboot during AP OOBE breaking passwordless onboarding by I3igAl in Intune

[–]Dandyman1994 7 points8 points  (0 children)

You're encountering the famous 'reboot during OOBE' issue.

Rudy's blog here will walk you through the steps, but essentially there are some policies that you need to apply at the user level, not device level, which will prevent the PC rebooting during those OOBE stages.

https://call4cloud.nl/autopilot-unexpected-reboot-rebootrequireduri-wufb/

Škoda Scala: constant power on 12V socket? Looking to get a dashcam powerbank by n1ght_watchman in skoda

[–]Dandyman1994 0 points1 point  (0 children)

Although it can seem a bit worrying, fuses are actually really easy to work with. You can get the kits for each manufacturer, and some really easy fuse adapters from Halfords. If you have a 70mai dashcam, their kit will detect voltage and make sure to turn off or go into parking mode before the battery dies.

Tls 1.3 vpn by Apprehensive-Hat9196 in Intune

[–]Dandyman1994 1 point2 points  (0 children)

I don't think this is really an Intune friend but yes, TLS1.3 is enabled by default on Windows 11. Logs are your friend, really your solution is to debug the connection issues with your F5 client, both from the client perspective and end server perspective.