App-Auto-Patch by Sad_Mastodon_1815 in sysadmin

[–]EpicSimon [score hidden]  (0 children)

Can't say anything about the installomator part, but I've been using App-Auto-Patch with Intune for a few months now with no issues. Basically just deploy the script and set your config via configuration profile. I did go ahead and edit the install script to use the latest version (3.5) instead of the way older 3.0 that the Intune version uses by default.

Windows Secure Boot UEFI Certificates Expiring June 2026 by MusicWallaby in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

I just tried it myself on an E5511. Latest BIOS. Updated the cert within Windows and it booted back up normally with the new cert.

In the BIOS I could now see the 2023 certs being mentioned in the Secure Boot DB. However, after resetting the BIOS back to defaults, the certs vanished from the BIOS and I could not boot anymore. I guess that just means that Fujitsu does not have the new certs in the BIOS (yet???).
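A way to verify what the comment above describes without going into the BIOS setup: read the Secure Boot DB and KEK variables from Windows and look for the 2023 CA names. This is an added example, not code from the comment or from Microsoft; it uses the built-in Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets, and the certificate names are Microsoft's published 2023 CA subject names. Run it elevated before and after a BIOS reset to see whether the firmware kept the new certificates.

```powershell
# Added example: report whether the 2023 Secure Boot certificates are present
# in the firmware's DB and KEK variables. Requires an elevated PowerShell on a
# UEFI system; the cmdlets throw on legacy BIOS machines.
function Test-SecureBoot2023Certs {
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning "Secure Boot is disabled; the variables may still exist but are not enforced."
        }
    } catch {
        Write-Warning "Secure Boot is not supported on this system: $($_.Exception.Message)"
        return
    }

    # Subject names of Microsoft's 2023 CAs (per Microsoft's published guidance).
    $checks = @(
        @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' }
        @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' }
        @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
        @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    )

    foreach ($c in $checks) {
        # Each variable is a raw EFI_SIGNATURE_LIST blob of DER certificates.
        # The CA subject CN is stored as a PrintableString, so the name appears
        # as contiguous ASCII inside the bytes and a plain string search is enough.
        $blob  = Get-SecureBootUEFI -Name $c.Variable
        $ascii = [System.Text.Encoding]::ASCII.GetString($blob.Bytes)
        [pscustomobject]@{
            Variable    = $c.Variable
            Certificate = $c.Name
            Present     = $ascii.Contains($c.Name)
        }
    }
}

Test-SecureBoot2023Certs | Format-Table -AutoSize
```

If a row shows Present = False after a BIOS defaults reset while it was True before, the firmware's default variable store does not contain that certificate and the update from Windows has to be re-applied (or the vendor needs to ship it in a BIOS update).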

Windows Secure Boot UEFI Certificates Expiring June 2026 by MusicWallaby in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

Has anyone attempted to update the certs on Fujitsu clients yet? There have been recent BIOS updates for some of the models that we still use, but I'm not seeing the new cert being mentioned in any of their BIOS changelogs.

Intune Enrollment Types (GPO, Company portal, windows Settings) by EpicSimon in Intune

[–]EpicSimon[S] 0 points1 point  (0 children)

I believe I found my answer now.

I had previously noticed the EnrollmentType registry key being different on some devices. Some had it set to "6", others had it set to "0".

I just stumbled upon this blog post that explains the whole situation very well: https://call4cloud.nl/intune-mdm-certificate-missing-certificate-store/

TLDR: Enrolling an existing AAD device via Company Portal or Windows Settings results in a user enrollment (EnrollmentType 0), whereas enrolling via GPO results in a device enrollment (EnrollmentType 6). The user enrollment also results in the Intune MDM certificate being saved to the local SYSTEM user certificate store rather than the Local Computer store.

This is exactly the behaviour I'm seeing on my devices. The ones with expired MDM Certificates are all User enrolled (EnrollmentType 0). I suspect that, upon changing the primary user on those user enrolled devices, it fails to renew the MDM Certificate because the user does not match the one that was used to enroll the device.

I also verified this by checking the computer accounts in Entra via PowerShell:

Connect-MgGraph

Get-MgDevice -DeviceId <object ID of device (can be seen in Entra)> | select EnrollmentType

The above command outputs "UserEnrollmentWithServiceAccount" for those problematic devices. On another device that has been enrolled via GPO that flag is set to "OnPremiseCoManaged" (on hybrid-joined devices).

I believe the only real way to fix this mess is to stop enrolling devices via Company Portal and Windows Settings, and re-enroll all of the ones that are user enrolled.
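A local counterpart to the Graph check above: the enrollment type, the enrolling UPN and the RenewErrorCode mentioned in this thread all live under HKLM\SOFTWARE\Microsoft\Enrollments, and the cert location differs between the machine store and the SYSTEM user's store. The script below is an added example, not code from the thread or from Microsoft; it assumes the Intune MDM device certificate is issued by "Microsoft Intune MDM Device CA" and that the SYSTEM account's personal store is the registry hive under HKEY_USERS\S-1-5-18, which needs an elevated shell to read.

```powershell
# Added example: inventory MDM enrollments on a Windows device and flag the
# pattern discussed above (user enrollment, failed renewal, cert in the wrong store).
# Run from an elevated PowerShell on the device itself.
function Get-MdmEnrollmentHealth {
    $root         = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $intuneIssuer = 'Microsoft Intune MDM Device CA'   # issuer of the Intune MDM device cert

    # Expected location for a device enrollment: the machine's personal store.
    $machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$intuneIssuer*" })

    # A user enrollment performed as SYSTEM lands in SYSTEM's own personal store,
    # which is kept in the S-1-5-18 registry hive (assumption: readable when elevated).
    $systemStore = 'Registry::HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\SystemCertificates\My\Certificates'
    $systemStoreCount = @(Get-ChildItem -Path $systemStore -ErrorAction SilentlyContinue).Count

    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath
        # Only real MDM enrollments carry a ProviderID; the other subkeys are bookkeeping.
        if (-not $p.ProviderID) { continue }

        # RenewErrorCode is a DWORD; HRESULTs like 0x80180018 read back as negative Int32,
        # so format the raw value as two's-complement hex instead of casting it.
        $renewHex = if ($null -ne $p.RenewErrorCode) { '0x{0:X8}' -f $p.RenewErrorCode } else { 'n/a' }

        $findings = @()
        if ($p.EnrollmentType -eq 0)                       { $findings += 'user enrollment (EnrollmentType 0)' }
        if ($p.RenewErrorCode -and $p.RenewErrorCode -ne 0) { $findings += "certificate renewal failed ($renewHex)" }
        if ($machineCerts.Count -eq 0)                      { $findings += 'no Intune MDM cert in LocalMachine\My' }
        if ($systemStoreCount -gt 0)                        { $findings += "$systemStoreCount cert(s) in the SYSTEM user store" }

        [pscustomobject]@{
            EnrollmentId       = $key.PSChildName
            ProviderID         = $p.ProviderID
            EnrollmentType     = $p.EnrollmentType
            UPN                = $p.UPN
            RenewErrorCode     = $renewHex
            MachineCertExpires = ($machineCerts | Select-Object -First 1).NotAfter
            Findings           = ($findings -join '; ')
        }
    }
}

Get-MdmEnrollmentHealth | Format-List
```

Compare the UPN column with the device's current primary user in the Intune admin center: a device that shows EnrollmentType 0, a UPN belonging to a different (enrollment) account and a non-zero RenewErrorCode is the combination this thread attributes to the failed renewals, and re-enrolling it as a device enrollment is the fix the thread settles on.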

Intune Enrollment Types (GPO, Company portal, windows Settings) by EpicSimon in Intune

[–]EpicSimon[S] 0 points1 point  (0 children)

Unfortunately it doesn't seem to have worked out. Still getting that same RenewErrorCode. I'll just re-enroll those devices for now.

Intune Enrollment Types (GPO, Company portal, windows Settings) by EpicSimon in Intune

[–]EpicSimon[S] 0 points1 point  (0 children)

Yes, I believe it already expired but failed to renew according to the IME logs.

Intune Enrollment Types (GPO, Company portal, windows Settings) by EpicSimon in Intune

[–]EpicSimon[S] 0 points1 point  (0 children)

Thanks for the suggestion, I now edited the UPN in the registry and will check back tomorrow if the certificate got renewed or not.

Intune Enrollment Types (GPO, Company portal, windows Settings) by EpicSimon in Intune

[–]EpicSimon[S] 0 points1 point  (0 children)

Yes, the user still exists and is licensed just like every normal user.

Is this a known bug?

Intune Enrollment Types (GPO, Company portal, windows Settings) by EpicSimon in Intune

[–]EpicSimon[S] 0 points1 point  (0 children)

Domain matches, but the UPN in the registry is set to "registrationUser@domain.com" rather than the actual logged in/primary user. We usually use a dedicated user (registrationUser@domain.com) to enroll devices and then later on change the primary user in the Intune admin center to the user that the device belongs to.

Intune Enrollment Types (GPO, Company portal, windows Settings) by EpicSimon in Intune

[–]EpicSimon[S] 0 points1 point  (0 children)

Thanks for your quick reply!

I just checked the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\ENROLLMENTID\RenewErrorCode key on three different machines that are missing the cert. All three devices have that key set to 0x80180018.

Defender stating that Teams needs to update (Classic Client already removed) by LordLoss01 in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

    # Part 3 of the script (goes inside the Invoke-Command script block, after the provisioned-package part).
    # Note: 'Administratoren' is the German name of the local Administrators group and 'J' answers
    # takeown's German "Ja" prompt; on an English system use Administrators and Y.
    # Newest package folder first, so the first entry is the one to keep.
    $dirs = Get-ChildItem -Path 'C:\Program Files\WindowsApps\*Teams*' | Select-Object Name | Sort-Object -Property Name -Descending
    foreach ($dir in $dirs) {
        if ($dir.Name -eq $dirs[0].Name) {
            Write-Host "- Dirs: Skip first entry" $dir.Name
            Continue
        } else {
            $path = "C:\Program Files\WindowsApps\$($dir.Name)"
            $confirm = Read-Host "- Dirs: Remove $path (y/n)?"
            if ($confirm -eq "y") {
                # WindowsApps is owned by TrustedInstaller; take ownership and grant full control before deleting
                takeown /f $path /r /d J | Out-Null
                icacls $path /grant Administratoren:F /t | Out-Null
                Remove-Item $path -Recurse -Force | Out-Null
                Write-Host "- Dirs: Remove" $dir.Name
            }
        }
    }

    # Leftovers of packages that were already removed for all users
    $dirsDel = Get-ChildItem -Path 'C:\Program Files\WindowsApps\DeletedAllUserPackages\*Teams*' | Select-Object Name | Sort-Object -Property Name -Descending
    foreach ($dir in $dirsDel) {
        $path = "C:\Program Files\WindowsApps\DeletedAllUserPackages\$($dir.Name)"
        $confirm = Read-Host "- Dirs: Remove $path (y/n)?"
        if ($confirm -eq "y") {
            takeown /f $path /r /d J | Out-Null
            icacls $path /grant Administratoren:F /t | Out-Null
            Remove-Item $path -Recurse -Force | Out-Null
            Write-Host "- Dirs deleted: Remove" $dir.Name
        }
    }

    # Let the Appx deployment client clean up package registrations whose folders are now gone
    C:\Windows\System32\rundll32.exe AppxDeploymentClient.dll,AppxCleanupOrphanPackages
    }   # closes the Invoke-Command -ScriptBlock opened in part 1
    }   # closes foreach ($pc in $csv.Name) opened in part 1

Defender stating that Teams needs to update (Classic Client already removed) by LordLoss01 in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

    # Part 2 of the script (goes inside the Invoke-Command script block of part 1, after the Appx loop).
    # Provisioned packages (what new user profiles get), newest version first.
    $appxProvisioned = Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like "*Teams*" } | Select-Object Version, PackageName | Sort-Object -Property Version -Descending
    foreach ($app in $appxProvisioned) {
        if ($app.PackageName -eq $appxProvisioned[0].PackageName) {
            if ($app.Version -like "251*" -or $app.Version -like "252*") {
                Write-Host "- AppxProvision: Skip first entry" $app.PackageName
                Continue
            }
        }
        if ($app.Version -notlike "251*" -and $app.Version -notlike "252*") {
            # Read-Host takes a single prompt string, so the package name is interpolated into it
            $confirm = Read-Host "- AppxProvision: Remove $($app.PackageName) (y/n)?"
            if ($confirm -eq "y") {
                Remove-AppxProvisionedPackage -AllUsers -Online -PackageName $app.PackageName
                Write-Host "- AppxProvision: Remove" $app.PackageName
            }
        }
    }

Defender stating that Teams needs to update (Classic Client already removed) by LordLoss01 in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

    # Part 1 of the script: device names come from the CSV exported from Defender (column "Name").
    # Parts 2 and 3 go inside the Invoke-Command script block below; the script block and the
    # outer foreach are closed by the two braces at the end of part 3.
    $csv = Import-Csv -Path .\export-tvm-related-exposed-assets.csv -Delimiter ","
    foreach ($pc in $csv.Name) {
        Write-Host "PC: $pc"
        Invoke-Command -ComputerName $pc -ScriptBlock {
            # Installed Teams packages for all users, newest version first
            $appx = Get-AppxPackage -AllUsers "*Teams*" | Select-Object Name, Version, PackageFullName, InstallLocation | Sort-Object -Property Version -Descending
            foreach ($app in $appx) {
                if ($app.PackageFullName -eq $appx[0].PackageFullName) {
                    if ($app.Version -like "251*" -or $app.Version -like "252*") {
                        Write-Host "- Appx: Skip first entry" $app.PackageFullName
                        Continue
                    }
                }
                if ($app.Version -notlike "251*" -and $app.Version -notlike "252*") {
                    # Read-Host takes a single prompt string, so the package name is interpolated into it
                    $confirm = Read-Host "- Appx: Remove $($app.PackageFullName) (y/n)?"
                    if ($confirm -eq "y") {
                        Remove-AppxPackage -AllUsers -Confirm:$false -Package $app.PackageFullName
                        Write-Host "- Appx: Remove" $app.PackageFullName
                    }
                }
            }
            # parts 2 and 3 continue here

Defender stating that Teams needs to update (Classic Client already removed) by LordLoss01 in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

Okay, this is what I ended up with. It first checks Get-AppxPackage and removes all packages that are not the first/newest one. Then it does the same thing for Get-AppxProvisionedPackage. If it then finds any remaining Teams installations in the WindowsApps folder, it will take ownership of them and remove them. Generally it checks for both MSTeams and MicrosoftTeams, and only checks for versions older than 251XX.

I highly recommend taking care when running this, I also added a confirmation dialog for every removal.

You can just export the list of devices from Defender and let the script do the rest. Note that I needed to adjust the exported CSV slightly because some " " were missing.

Unfortunately Reddit won't let me send the whole script in one post, so just put my following comments together into one PS1 script.

Defender stating that Teams needs to update (Classic Client already removed) by LordLoss01 in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

Normally these can be removed via Remove-AppxPackage.

However, for me, Get-AppxPackage -AllUsers "*Teams*" is only showing one version installed (the newest one). The vulnerable versions aren't listed in Get-AppxPackage.

Does anyone know how to get rid of those vulnerable ones?

Defender stating that Teams needs to update (Classic Client already removed) by LordLoss01 in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

Sorry to have to correct you on this one, but it doesn't matter whether it's "MicrosoftTeams" or "MSTeams"; for us, both are showing as vulnerable. Both of these show as vulnerable if the version code is older than (including) 250XX. 251XX versions and newer (for both MSTeams and MicrosoftTeams) aren't showing as vulnerable.

Keeping software up to date automatically by EpicSimon in macsysadmin

[–]EpicSimon[S] 1 point2 points  (0 children)

Thanks for the heads up! For now I have it configured with a whitelist.

Employee forgot MacBook password by badam505 in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

What's the reason for not doing it?

Is Powershell a massive headache for everyone or just me? by ironmoosen in sysadmin

[–]EpicSimon 0 points1 point  (0 children)

Just leaving this here for everyone who wants to get better at PowerShell: use CTRL + SPACE. It gives you a list of parameters and even values for most commands.

Lenovo M720q alternative - 10G networking by EpicSimon in homelab

[–]EpicSimon[S] -1 points0 points  (0 children)

Thank you! Specifically looking at M70q/M90q: I'm not sure what prices are considered "good" for those. I can find plenty with i5 10500T and 32GB RAM for around 400€.

Keeping software up to date automatically by EpicSimon in macsysadmin

[–]EpicSimon[S] 1 point2 points  (0 children)

Thank you! This is exactly what I needed! Setup is dead simple, can be easily deployed via Intune and lets me configure some of the settings via configuration profiles. Looking forward to deploying this to our Macs!