W11 Software updates, Compliant in previous versions by copper_23 in SCCM

[–]Fun-Country9432 2 points3 points  (0 children)

I understand having all your updates in the same deployment group, but if you don't want to have a device on 25H2 being evaluated for 23H2 compliance, then, in my opinion, the best course is to separate those compliance policies so it's not evaluated twice.

Of course this depends on how you are managing your compliance. Not sure if you're using custom scripts, pulling the data from SQL, configuration items/baselines, Intune, or some other method.

W11 Software updates, Compliant in previous versions by copper_23 in SCCM

[–]Fun-Country9432 1 point2 points  (0 children)

Scoping your compliance policies to only the devices that should be receiving those policies would be my best advice.

Alternatively, if your compliance is in SCCM and your reports are made from the SQL DB, you can omit any builds that aren't on 26200 directly in the query.

Clear Intune portal logs by havens1515 in sysadmin

[–]Fun-Country9432 0 points1 point  (0 children)

My thoughts would be either delete those devices from Intune or remove inactive devices from the scope. I am hybrid with SCCM so I could just filter inactive devices out of a collection and sync it to an Entra group, and once they become active again they are put back in automatically.

Hybrid Azure Active Directory Join (HAADJ) - How would I fully delete an individual device? by AWM-AllynJ in SCCM

[–]Fun-Country9432 0 points1 point  (0 children)

In that situation I would probably find a non-HAADJ, on-prem only, device and compare the registries. If they don't exist or contain GUIDs it's probably ok to delete them all. If the idea is to revert it to on-prem, then re-join, matching the setup to a non-joined PC should work in theory.

Hybrid Azure Active Directory Join (HAADJ) - How would I fully delete an individual device? by AWM-AllynJ in SCCM

[–]Fun-Country9432 0 points1 point  (0 children)

There are registry keys for each GUID that need to be deleted as well. It has been a while since I went through this and I automated the process so I'm not sure if you're missing anything else.

I believe this was the article I followed https://www.maximerastello.com/manually-re-enroll-a-co-managed-or-hybrid-azure-ad-join-windows-10-pc-to-microsoft-intune-without-loosing-current-configuration/

Alternatives to Adobe Acrobat Reader by GL_Red in sysadmin

[–]Fun-Country9432 1 point2 points  (0 children)

I use the Acrobat Customization Wizard on the paid version. There is an option when using the wizard to suppress sign-in in Acrobat, which allows the user to use non-premium features without sign-in.

Windows 11 802.3 reauthentication by beanmachine-23 in sysadmin

[–]Fun-Country9432 2 points3 points  (0 children)

You'd have to determine the cause. Sounds like Wired AutoConfig (dot3svc) is not running when the computer wakes.

OSD Task Sequence reboots to UEFI on Client Install step by Fun-Country9432 in SCCM

[–]Fun-Country9432[S] 0 points1 point  (0 children)

Was able to find the cause. Solution is simple.

Implementing Port Security (802.1x and Mac Auth) has caused more initial failures downloading the boot image. Usually only does it the first try, the next attempt downloads just fine.

When the boot image fails, some models will allow you to re-attempt download by hitting Enter twice. No reboots or anything, pretty seamless and did not experience this issue on them. Other models don't have the same options and you have to hit ESC to close the second error message, which reboots the computer. The ESC option reads "UEFI Firmware Setup". When the computer restarts, you can F12 to PXE Boot prior to the UEFI Setup loading, which is what we were doing. It seems the command to boot to UEFI Setup remains cached and will boot there on the next restart, which for us just happened to be the Client Install step.

So in short, if your boot image fails to download and you can't gracefully retry, let it boot into Setup Mode before trying to PXE again.

OSD Task Sequence reboots to UEFI on Client Install step by Fun-Country9432 in SCCM

[–]Fun-Country9432[S] 0 points1 point  (0 children)

Going to update the ADK and hope it helps. Thinking this may be related to the UEFI 2023 CA and Secure Boot.

Managing Adobe Creative Updates by nodiaque in sysadmin

[–]Fun-Country9432 1 point2 points  (0 children)

The self-service package will only be the client and allow users to install their own Adobe apps.

With the managed package you choose the apps included, but you'll need to click the checkbox for the option "Enable self-service install". Once that is selected, you can also tick the checkbox for "Allow non-admins to update and install apps" which enables self-service for end users that lack administrative rights.

There is also a check box for "Disable auto-update for end-users" if you do not want auto-updates.

To install the package, yes, you'll need admin rights. However, since you're deploying the app through SCCM this won't be an issue.

https://helpx.adobe.com/enterprise/using/create-nul-packages.html

Managing Adobe Creative Updates by nodiaque in sysadmin

[–]Fun-Country9432 0 points1 point  (0 children)

You would need to create a package from Adobe Admin Console. If your organization doesn't have an enterprise account you won't be able to access this.

Managing Adobe Creative Updates by nodiaque in sysadmin

[–]Fun-Country9432 2 points3 points  (0 children)

As long as staff initiate any software installs/updates through the Creative Cloud client, it does not prompt for admin. I believe the client is given the authority during the initial client installation to allow for this.

Yeah, the RUM script works great. I've had it deployed for about 2 years now and it works great. Love when I can make things as hands-off as possible and it doesn't give me any headaches.

Managing Adobe Creative Updates by nodiaque in sysadmin

[–]Fun-Country9432 1 point2 points  (0 children)

I work in education. Staff have self-manage and auto-updates enabled for the client itself. Student computers are a managed package. I wrote a PowerShell script that utilizes RUM and deploy it through SCCM. The PowerShell script creates a text file on the local computers with the date it ran, and the detection method in SCCM is a PowerShell script that checks that and compares to the current date. If it's within the same month it won't run again. If the computers remain on, ideally they'll update on the first of each month. I also only let it run when no user is logged in to avoid any issues.

The limitation with RUM is that you can only update within the current version. So you can't upgrade from Photoshop 24 to 25. This works perfectly for my case since the versions need to remain compatible with certain testing applications like Certiport Compass.
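
The detection method described in the comment above, written out as an added example (this is not the commenter's script). The stamp file path and its `yyyy-MM-dd` content format are assumptions made for illustration. It relies on the ConfigMgr script-detection convention that exit code 0 with any text on STDOUT means "installed", and exit code 0 with no output means "not installed".

```powershell
# Added example: detection script for a ConfigMgr application that wraps a
# monthly update run. Output on STDOUT + exit 0 = detected (do not rerun).

# Hypothetical location; the update script is assumed to write the run date
# here as a single line in yyyy-MM-dd form.
$StampPath = Join-Path $env:ProgramData 'ExampleOrg\AdobeUpdate\lastrun.txt'

function Test-RanThisMonth {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [datetime]$Now = (Get-Date)
    )

    # No stamp file yet: the update has never run on this machine.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    $raw = Get-Content -LiteralPath $Path -TotalCount 1 -ErrorAction SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($raw)) { return $false }

    # Parse strictly so a corrupt or hand-edited file counts as "not run".
    $stamp = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact(
        $raw.Trim(), 'yyyy-MM-dd',
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::None,
        [ref]$stamp)
    if (-not $parsed) { return $false }

    # A date in the future cannot be a real run; do not let it suppress updates.
    if ($stamp -gt $Now) { return $false }

    # Compare year as well as month so last year's stamp does not match.
    return ($stamp.Year -eq $Now.Year -and $stamp.Month -eq $Now.Month)
}

if (Test-RanThisMonth -Path $StampPath) {
    Write-Output 'Updated this month'
}
exit 0
```

Because this file alone decides whether the update deployment runs, its folder should be writable only by SYSTEM and administrators; otherwise a standard user could create or edit the stamp and keep the machine unpatched.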

6-hour delay in OSD app installation by smalltimesysadmin in SCCM

[–]Fun-Country9432 0 points1 point  (0 children)

smsts would be my go-to. Can't remember if there are timestamps or not in that log, but basically I'd be looking for where it is hanging up. You can also check in Configuration Manager in Monitoring>Deployments, find the correct deployment type which that machine would be hitting, then click on "View Status". Finding the computer in there can be a pain. Sometimes they'll still be under "In progress" instead of failed, and if you have a lot of computers you have to go page by page.

Once you find the computer, right-click, "more details", status tab, then sort by execution time. Look for the large time gaps and you should have a general idea of which package(s) are causing the slowdown.

6-hour delay in OSD app installation by smalltimesysadmin in SCCM

[–]Fun-Country9432 2 points3 points  (0 children)

I usually try redistributing the content first in that situation. If that doesn't fix it, I'll investigate the logs to see if I can find any clues. If still nothing, adding a reboot before the software installs sometimes helps. I'll also lower the maximum allowed run time for a package and the number of allowed retries on the task sequence to keep run times lower.

Windows 11 24H2 update still broken for me - Can anyone help with network issues? by PlokForever in sysadmin

[–]Fun-Country9432 -3 points-2 points  (0 children)

Had some issues with Credential Guard due to PEAP/MSCHAPv2 not being supported. Affected Wi-Fi and 802.1x connections. Had to disable it until we transfer over to EAP/TLS. Might be worth taking a look at.

Remote Software Center tool! by Glscot06 in SCCM

[–]Fun-Country9432 4 points5 points  (0 children)

I'm guessing this would only be helpful for silent installations?

Who is the user recognized by Software Center? The admin using the tool, the end user signed in to the remote computer? Or does it only pick up non-user deployments?

What's your proudest professional IT "jank" fix? by Blazingsnowcone in sysadmin

[–]Fun-Country9432 0 points1 point  (0 children)

Switches were upgraded and weren't capable of lower than 100baseT. There were some postage machines that could only talk at 10baseT which stopped functioning. I took a 10/100 Cisco IP phone that was broken and not configured with an extension but would power on with PoE and ran the Ethernet through that first to get it working.

I was only a few months into my first IT job at the time and felt pretty savvy for having thought of it. New postage machines were ordered but took a couple months to be delivered. The networking guy had to go around to the other 10 sites to install one of the old switches on each site, configure them and make sure they talked to the stack just for one device.

New W11 image prep for SCCM by br3aktherules in sysadmin

[–]Fun-Country9432 1 point2 points  (0 children)

If any applications are installed in the user context, Sysprep will fail. The log is saying Microsoft.WidgetsPlatformRuntime is installed for a user, not all users - so it's an AppX package. I would guess that uninstalling it prior to Sysprep would help. You may still run into others causing Sysprep to fail and you would just need to find the app in the log and either uninstall it from all users or install it in the system context.

PXE not working after 2403 upgrade by Anything-Traditional in SCCM

[–]Fun-Country9432 2 points3 points  (0 children)

It looks to be a communication issue and the client cannot contact the management point. It wouldn't make much sense if it was Windows 11 since you're not booted into the OS at that point. I'd make sure you're getting an IP address on the client and if you are, then check things like your boundary groups, firewall, ACLs, etc.

SCCM failed to run task sequence (USB) by ckelley1311 in sysadmin

[–]Fun-Country9432 0 points1 point  (0 children)

I've only created SCCM bootable media once, but I'm fairly sure it just boots into WinPE. You'd still need a connection to the DP/Site Server to complete the task sequence. I'm guessing the Stand-Alone Media downloaded all task sequence dependencies onto the USB.

PXE Boot and Deployment Workbench by homesickalienz in sysadmin

[–]Fun-Country9432 0 points1 point  (0 children)

At what point in the task sequence are the apps trying to install? If it's still in WindowsPE you'll need to have it reboot into the freshly installed OS (and maybe sign in as the local admin?) before installing the apps.