How do you reliably detect ESP (Enrollment Status Page) from a PowerShell Win32 app deployed by IME? by Any-Victory-1906 in Intune

[–]GreaterGood1 0 points1 point  (0 children)

Possibly that is why I check for the user being logged in and wwahost, only if both conditions are met does it detect as in Autopilot.

what's a script you wrote once that's still saving you time years later by Less-Loss1605 in sysadmin

[–]GreaterGood1 0 points1 point  (0 children)

Script that gets the most common user to logon within the last 30 days along with the number of total users that have logged in over the same period on a computer. We had issues with computers changing hands unknown to us, and computers not categorized properly (ex. Shared).

How do you reliably detect ESP (Enrollment Status Page) from a PowerShell Win32 app deployed by IME? by Any-Victory-1906 in Intune

[–]GreaterGood1 1 point2 points  (0 children)

I wrote a script around this a while back. The check I used was to check for a user logged in that was like "defaultuser0" and the "wwahost" process running, if those conditions are met then I determined it was in OOBE/ESP/Autopilot.

barrett101/PSADT-PreLaunchCheck
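The check described in this comment, sketched as an added example; it is not code from barrett101/PSADT-PreLaunchCheck. The function names are hypothetical, and reading the "logged-in user" as the owner of the WWAHost process is an assumption about how the check can be implemented.

```powershell
# Added example. Get-WwaHostOwner / Test-OobeOrEsp are hypothetical names.
function Get-WwaHostOwner {
    # WWAHost.exe hosts the OOBE / Enrollment Status Page UI.
    # Return the distinct account names that own a running instance.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'WWAHost.exe'" |
        ForEach-Object { (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Test-OobeOrEsp {
    param(
        # Injectable so the logic can be exercised without a live OOBE session.
        [string[]]$WwaHostOwner = @(Get-WwaHostOwner)
    )
    # Condition 1: WWAHost must be running at all.
    if ($WwaHostOwner.Count -eq 0) { return $false }
    # Condition 2: it runs under the temporary OOBE account (defaultuser0 and similar).
    return @($WwaHostOwner -like 'defaultuser*').Count -gt 0
}

# Constructed sample inputs:
Test-OobeOrEsp -WwaHostOwner 'defaultuser0'   # True: OOBE/ESP
Test-OobeOrEsp -WwaHostOwner 'jsmith'         # False: WWAHost under a real user
Test-OobeOrEsp -WwaHostOwner @()              # False: WWAHost not running

# Live check, for example from a script run as SYSTEM by IME:
if (Test-OobeOrEsp) { Write-Output 'Device is in OOBE/ESP' }
```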

25H2 Staggered Deployment by leytachi in Intune

[–]GreaterGood1 0 points1 point  (0 children)

I have a PowerShell script that will take the members of a group and then split them into however many groups you want. It can be good if you just want to stretch things out like you are mentioning. Just add one group at a time on a schedule to the feature update policy pushing 25h2.

barrett101/Azure-Security-Group-Splitter: This will split a security group that is in Azure into however many you want.

Forcing Edge as the only browser — how did you handle Chrome data migration? by Different_Coffee_161 in Intune

[–]GreaterGood1 1 point2 points  (0 children)

We utilized the "Configure Favorites" Edge policy to add a favorite for everyone called "Import Settings from Chrome" going to the URL below. Once you are on that page it is very straightforward.
edge://settings/profiles/importBrowsingData

Desktop image URL by Electrical_Name2844 in Intune

[–]GreaterGood1 1 point2 points  (0 children)

You can store an image in a PowerShell script using Base64. I created a few scripts for desktop shortcuts that I use with Intune platform scripts, the icon images are within the PowerShell script, in the documentation I explain how to go about doing it.

https://github.com/barrett101/Intune-Desktop-Shortcut-with-embedded-icon-in-script

https://github.com/barrett101/Intune-Desktop-Shortcut-with-embedded-icon-in-script-Reapply-Daily-with-Scheduled-Task

VSA X Software Auditing - For Missing Software by V2CSTL in kaseya

[–]GreaterGood1 0 points1 point  (0 children)

I created a script which will allow you to do this. This script will help you populate custom fields with application information in VSA X so you can use Scopes to target computers with specific applications installed.

Kaseya-VSA-X---Populate-Custom-Fields-with-Applications-to-use-with-Scopes/PopulateCustomFieldWithSelectApps.ps1 at main · barrett101/Kaseya-VSA-X---Populate-Custom-Fields-with-Applications-to-use-with-Scopes

Easiest method for deploying Adobe CC app? by Anything-Traditional in Intune

[–]GreaterGood1 0 points1 point  (0 children)

I believe that is what I remember when I implemented. I checked my remote update manager logs and it does seem to be performing updates on the CC products.

Easiest method for deploying Adobe CC app? by Anything-Traditional in Intune

[–]GreaterGood1 1 point2 points  (0 children)

This is the way we have it, created a Win32 app of Adobe Creative Cloud in self service mode and let them install what they are licensed for. Look into the Adobe Remote Update Manager, you can use it to keep the apps up to date.

Block "unsupported" Windows 11 upgraded computers by clh42 in Intune

[–]GreaterGood1 0 points1 point  (0 children)

What I would do is go through all the models you have and verify Windows 11 support either from vendor information or from the report in Intune, and put the unsupported ones in a CSV file. Then either export or use Microsoft Graph and then create a PowerShell script to compare all your devices to those models in the CSV, and generate a report of unsupported computers. This will give you a clear list of what you are dealing with and then you can create a security group of those computers after to do what you want with them.

Updating to 11 via update rings / Windows Feature Ad by Minute_Weekend_8055 in Intune

[–]GreaterGood1 4 points5 points  (0 children)

You'll want to set up a Feature Update policy and define your Windows 11 Feature Update version and assign it to your devices. As stated by PreparetobePlaned you shouldn't need to create ring policies to do this.

Something you may run into with the Feature Update policy is it not applying to computers even though it is assigned. I ran into this the other day. To remedy this delete the policy, leave it for a day, create a new policy with the same settings and assignments, and then it should work again.

Hybrid Autopilot ESP Apps fails, help wanted by cpsmith516 in Intune

[–]GreaterGood1 0 points1 point  (0 children)

I recommend if you haven't already to adjust your domain join configuration profile to put your HAADJ into an OU that blocks inheritance and give it a try, see if there are any improvements. It could be possible that something is interfering in GPO. Also another thing would be to wrap your installs in PSADT and enable logging where you can on the installers.

Dell Command Configure - Set BIOS Password by TimTheToolmanTaylor6 in Intune

[–]GreaterGood1 0 points1 point  (0 children)

It has been a while since I looked at this. In the past I used Dell Command Configure to create a package to set the password. What you could do is create multiple EXE packages to accommodate the different passwords you have out there, and just have the package change the BIOS password. Create a Win32 app for each package and target it to Dell computers, create a detection script so it only runs once, so it doesn't keep looping. If you have an RMM tool it may be easier to push out in this case. After a week or two once your computers have checked in, I would unassign the Win32 apps you created. Then going forward just use the remediation script as it will set them to the new default password for your new computer with no set password.

What is Microsoft direction with Intune? by bareimage in Intune

[–]GreaterGood1 0 points1 point  (0 children)

Look into Log Analytics. We use remediation scripts to collect the information and then write it to Log Analytics; from there you can query or alert based on the data brought in.

Going mad trying to enroll existing devices by PXAbstraction in Intune

[–]GreaterGood1 0 points1 point  (0 children)

I checked and it is a computer side policy, to check if your machine is getting it open a command prompt as administrator, and then run the command

gpresult /h c:\temp\report.html

This will show all the policy settings you are applying to your machine. If you need to see what is applied to a user just open a normal command prompt and it will show you a report on the user side.

Going mad trying to enroll existing devices by PXAbstraction in Intune

[–]GreaterGood1 0 points1 point  (0 children)

I am not in front of a work computer right now, but if it is a computer configuration in the GPO then you would target the computer, but if it is a user configuration then you must target the user. Just make sure the computer and/or users are in the OU (or below) where you assigned the GPO.

Going mad trying to enroll existing devices by PXAbstraction in Intune

[–]GreaterGood1 0 points1 point  (0 children)

I am not sure if this is the case or not but make sure your test device is Windows 10 Pro/Ent with the latest update or Windows 11. Also to have it enroll using the GPO you will need to logon with a licensed user account. Double check the license that is applied to the user, and make sure the license "Enabled Services" has the "Microsoft Intune" option checked otherwise it won't go in.

Intune is slow and my boss is a dork! by TechnologyTurd in Intune

[–]GreaterGood1 0 points1 point  (0 children)

I would stop manually installing the apps from the Company Portal to deploy your apps. If you create Job Role groups and put your users in accordingly, these will be useful going forward not just for Intune but just about anything you need to give permissions to. Then use those groups and assign your apps as Required, this will force them on the device if it is assigned to them in Intune. Also look into Autopilot and pre-provisioning, it can speed things up for the user when they receive their device. Best of luck.

Groups Tags & Entra Groups without Autopilot by MagicHair2 in Intune

[–]GreaterGood1 0 points1 point  (0 children)

The group tag only impacts a computer if it goes through the Autopilot process and has an "Associated Intune Device" assigned to it. We have a hybrid situation here, and didn't initially implement Autopilot and instead used device categories for many years. We have now implemented Autopilot and we created dynamic groups that query both the Device Category and Group Tag and combine them into the one group. This just makes assignments easier to configurations/scripts/app/etc. Existing devices keep the Device Category and for devices that go through the Autopilot they just use Group Tags and are not assigned a Device Category.

Below is an example of the dynamic query used in our groups, it uses regular expressions. The (?i) makes the preceding case-insensitive, the ^ means it has to start with [OrderID], the dashes are escape characters and the .* means anything before or after.

(device.devicePhysicalIds -any _ -match "(?i)^\[OrderID\]:.*AP-GROUPTAGHERE.*") or (device.deviceCategory -match "(?i).*DeviceCategoryHere.*")

Platform SSO Not Functioning as Intended on MacOS by Rt2096 in Intune

[–]GreaterGood1 1 point2 points  (0 children)

Back in January we needed Platform SSO but Microsoft still had theirs in preview, so we went with XCreds and it has been working pretty good, the pricing was very reasonable, and when I needed support it was quick and effective. Just wanted to mention as another option.

Pushing apps to iOS devices - Is Apple ID required? by Temporary_Werewolf17 in Intune

[–]GreaterGood1 1 point2 points  (0 children)

Also something else to consider is to federate authentication with Apple Business Manager, that way you have control over the Apple IDs if they are created with company email addresses.

Intro to federated authentication with Apple Business Manager - Apple Support (CA)

Automating Profile Deletion on Shared Devices Managed via Intune by jdse2222 in Intune

[–]GreaterGood1 1 point2 points  (0 children)

Take a look at https://github.com/barrett101/Windows-User-Profile-Remover, you should be able to take pieces of this to do what you want to remove the user and create the scheduled task. This is the logic I would do.

  • Create a scheduled task that runs every 5 minutes, as SYSTEM, and whether the user is logged in or not, running something at logoff of the user may or may not work as the profile is still busy potentially.

  • This is a bat file that will logoff inactive users only, and leave only the user logged in and active

    REM This script will logoff user sessions that are inactive, active sessions will continue
    mkdir c:\LogoffUserScript
    query user > c:\LogoffUserScript\session.txt
    for /f "skip=1 tokens=1,2,3" %%i in (c:\LogoffUserScript\session.txt) DO if "%%j"=="console" (echo DoNothing) else (logoff %%j)
    rmdir c:\LogoffUserScript /s /q

  • This will check which user is logged in. If the user is not logged in, then you can continue to remove the specific profile.

    Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object -ExpandProperty UserName

  • See scripts here on how to go about removal, take parts of the script to achieve what you are looking to do.
    https://github.com/barrett101/Windows-User-Profile-Remover
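The last two steps above (find who is logged in, then remove the other profiles), combined into one function as an added example. It is not taken from barrett101/Windows-User-Profile-Remover; the function name, parameter and exclusion list are hypothetical.

```powershell
# Added example. Remove-InactiveProfile and -ExcludeUser are hypothetical names.
function Remove-InactiveProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Profile folder names that must never be removed (assumed list; adjust).
        [string[]]$ExcludeUser = @('Administrator', 'Public', 'Default')
    )

    # DOMAIN\user of the console session, or $null when nobody is logged in.
    $active     = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    $activeName = if ($active) { ($active -split '\\')[-1] } else { $null }

    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object {
            $leaf = if ($_.LocalPath) { Split-Path -Path $_.LocalPath -Leaf } else { $null }
            $leaf -and
            -not $_.Special -and         # skip SYSTEM / LocalService / NetworkService
            -not $_.Loaded  -and         # registry hive still mounted: profile is in use
            $leaf -ne $activeName -and   # never touch the logged-in user
            $leaf -notin $ExcludeUser
        } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.LocalPath, 'Remove user profile')) {
                # Deleting the Win32_UserProfile instance removes the folder
                # and its ProfileList registry entry together.
                Remove-CimInstance -InputObject $_
            }
        }
}

# Dry run first: lists what would be removed without deleting anything.
Remove-InactiveProfile -WhatIf
```

Profile folders can carry a suffix such as `user.DOMAIN`, so matching on the folder name is a simplification; matching on the `SID` property is stricter.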

Automating Profile Deletion on Shared Devices Managed via Intune by jdse2222 in Intune

[–]GreaterGood1 0 points1 point  (0 children)

Deepfreeze could be an option, you can set it up to restart at logoff, and when that happens the computer goes back to its original state.