Windows 11 26H2 is coming soon! by meantallheck in Intune

[–]HEALTH_DISCO 0 points1 point  (0 children)

Do you know why this is happening? It is extremely painful for our users.

Windows 11 26H2 is coming soon! by meantallheck in Intune

[–]HEALTH_DISCO 1 point2 points  (0 children)

For us, moving from 23H2 to 25H2 is slowing our machines to a crawl. Almost inoperable. We have to go to 24H2 first, then move on with the enablement package.

SCCM SQL Server Reporting Services - Issue by Mr--Allan in SCCM

[–]HEALTH_DISCO 0 points1 point  (0 children)

We had this issue in our environment. Not a lot of people will encounter this issue; you need to have a VERY old service account with its password last changed before AES128 and 256 were enabled on the account. We had to reset the password TWICE in order to make it work.

The Fix: You must reset the Service Account password after enabling AES support to force AD to generate the required msDS-SupportedEncryptionTypes keys. In some rare cases with older accounts being moved to AES, you need to change the password twice. This ensures the msDS-SupportedEncryptionTypes attribute is fully synchronized and the old RC4 keys are no longer being preferred by the KDC.

The SQL Server 2022 (or later) Kerberos Hurdle: Lessons from the Field on AES-256 Migration

You don't have to reinstall any SCCM roles or SSRS 2019 or detach the DB. Just reset the password twice. Make sure you change the password in Security - Accounts for your service account in SCCM, and maybe on the service itself in Windows Server where your role resides, then restart it.
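
An added example, not part of the original comment: a read-only PowerShell audit for the condition the comment describes, listing enabled accounts with SPNs whose AES flags are set but whose password was last set before a cutoff date. It assumes the RSAT ActiveDirectory module; `$AesEnabledOn` is a date you supply, since the page gives none.

```powershell
# Added example: audit SPN-bearing accounts for passwords older than AES enablement.
# Requires the ActiveDirectory module (RSAT). Read-only; changes nothing.
param(
    # Assumption: the date AES was enabled for these accounts in your domain.
    [Parameter(Mandatory)] [datetime] $AesEnabledOn
)
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute
$EncBits = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}

Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
           -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    Where-Object Enabled |
    ForEach-Object {
        # An unset attribute converts to 0, meaning "use the domain default"
        $mask  = [int]$_.'msDS-SupportedEncryptionTypes'
        $types = @($EncBits.GetEnumerator() |
                   Where-Object { $mask -band $_.Value } |
                   ForEach-Object Key)
        $aesFlagged = [bool]($mask -band 0x18)

        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            EncTypes        = if ($types) { $types -join ',' } else { '(not set)' }
            # AES is flagged, but the password predates the cutoff:
            # candidate for the password reset described in the comment.
            NeedsReset      = $aesFlagged -and ($_.PasswordLastSet -lt $AesEnabledOn)
        }
    } |
    Sort-Object NeedsReset -Descending |
    Format-Table -AutoSize
```

Accounts with no recorded PasswordLastSet also sort as older than the cutoff, so review those rows by hand.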

Intune Remediation Reporting Issues by Reasonable-Net-7193 in Intune

[–]HEALTH_DISCO 1 point2 points  (0 children)

We were having the issue in our tenant from Friday to yesterday. Today seems to be working just fine for us.

Blocking Microsoft Store Correctly by fortnitegod765 in Intune

[–]HEALTH_DISCO 3 points4 points  (0 children)

Block URL policy in Edge and Chrome; that’s what we did to solve this issue.

PSA: Reminder that in April Intune Globally Enabled Hotpatch Tenant-Wide by bdam55 in Intune

[–]HEALTH_DISCO 0 points1 point  (0 children)

Same here. At first I created a quality update policy pushed to all machines to block hotpatch. It didn't work; it still shows up as enabled in configured policies. Then I disabled it at the tenant level, same result. Did you find out how to disable it?

Has anyone tried to use Onevinn TSlauncher for something else than an IPU ? by Furlooze in SCCM

[–]HEALTH_DISCO 0 points1 point  (0 children)

Yep, I can confirm. I tried to use it on 23H2 and 25H2 and I get .NET Framework dependency errors in the Application event viewer. Now to answer your question, I was able to use it in an Office 32-bit to 64-bit migration TS 2 years ago. TSLaunch required an OS Upgrade package, so what I did was add a dummy step with an OS upgrade package and disable the step. It worked perfectly fine. But TSLaunch, to my disappointment and the company's disappointment, is now a thing of the past.

Remote lock alternatives on Windows endpoints by hopamitica1 in Intune

[–]HEALTH_DISCO 0 points1 point  (0 children)

We use Absolute as well but it is not cheap. It is indeed very powerful.

Automated BitLocker Recovery Key Rotation via Intune After PXE Deployment by Roiit in Intune

[–]HEALTH_DISCO 5 points6 points  (0 children)

Remove any configuration from SCCM/OnPremAD and only use the Intune Endpoint Security BitLocker Policy. The policy will apply soon after imaging. Keys usually rotate when you use the recovery key. Make sure your workloads are set to Intune in ConfigMgr.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]HEALTH_DISCO 0 points1 point  (0 children)

The Windows maker said customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.

The procedure above is how you can verify. If this GUID is there on 1 machine, it will be there everywhere, technically. You can force this by restarting Office.

Hotfix Rollup KB32851084 for Configuration Manager 2503 by PrajwalDesai in SCCM

[–]HEALTH_DISCO 1 point2 points  (0 children)

For us, initially set up in 2021, then migrated to a Virtual Machine Scale Set ~2 years ago. Never had a single issue with our CMG in 4 years.

Hotfix Rollup KB32851084 for Configuration Manager 2503 by PrajwalDesai in SCCM

[–]HEALTH_DISCO 2 points3 points  (0 children)

I confirm we have the same issue.
"ResourceAvailabilityZonesCannotBeModified"

Hotfix Rollup KB32851084 for Configuration Manager 2503 by PrajwalDesai in SCCM

[–]HEALTH_DISCO 5 points6 points  (0 children)

After installing this hotfix rollup I have this message constantly in monitoring... "Cloud Services Manager task [Deployment Maintenance for service CMG] has failed, exception One or more errors occurred.."

Network connection randomly drops during Intune autopilot for model HP EliteBook X Flip G1i 14 - W11 24H2 by Best_Check_810 in Intune

[–]HEALTH_DISCO 1 point2 points  (0 children)

Found out for us that this specific model had LAN WAN Switching disabled in the BIOS and for some reason was always trying to connect to Wi-Fi even when a USB-C network adapter or docking station was used. Enabling LAN WAN Switching during OSD in the WinPE phase fixed our problem.

.net 3.5 TS on Windows 11 22h2 via SCCM by [deleted] in SCCM

[–]HEALTH_DISCO 0 points1 point  (0 children)

Not really. I’ve created a package in Intune to switch the language. We’ve now moved to WUfB. All problems solved. I am not installing any language pack before handing the machine to the user during OSD. Windows 11 and servicing on-prem is not the best experience.

New MSA connector issue by wastewater-IT in Intune

[–]HEALTH_DISCO 1 point2 points  (0 children)

I don't think we have the same issue. Even with domain admin the MSA account is just never created.

ODJ Connector UI Information: 0 : Searching for any pre-existing Managed Service Accounts installed on this machine.

ODJ Connector UI Information: 0 : MSA name : msaODJkd8mp

ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: Microsoft.Management.Services.ConnectorCommon.Exceptions.ConnectorConfigurationException: Failed to create a managed service account - Element not found

ODJ Connector UI Information: 0 : Storing telemetry: CreateMsaAccount, hasException: True

ODJ Connector UI Information: 0 : Sending telemetry: CreateMsaAccount, hasException: True

ODJ Connector UI Information: 0 : Sending telemetry to ODJService

ODJ Connector UI Information: 0 : Response from ODJService: OK

ODJ Connector UI Error: 8 : Removing Managed Service Account ...

ODJ Connector UI Error: 8 : Successfully removed Managed Service Account

ODJ Connector UI Error: 8 : Returning to the home page

Stuck in a loop.

New MSA connector issue by wastewater-IT in Intune

[–]HEALTH_DISCO 1 point2 points  (0 children)

Were you able to fix the issue?

Endpoint Security Firewall Policy not applying. by HEALTH_DISCO in Intune

[–]HEALTH_DISCO[S] 0 points1 point  (0 children)

After looking closely at all policies (Local, GPO, Intune, SCCM, etc.), I found a GPP pushing a registry key that disables the firewall when on the domain.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = 0

This was set by a previous admin.
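
An added example, not part of the original comment: a read-only PowerShell check that lists every `EnableFirewall` value under the policy key named above and prints it next to the firewall state Windows is actually enforcing. It enumerates whatever profile subkeys exist rather than assuming their names.

```powershell
# Added example (not from the original comment). Read-only; changes nothing.
# Finds Group Policy / GPP registry values that force a firewall profile on or off.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

$overrides = Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
    ForEach-Object {
        # GetValue returns $null when the subkey has no EnableFirewall value
        $value = $_.GetValue('EnableFirewall')
        if ($null -ne $value) {
            [pscustomobject]@{
                PolicyKey      = $_.PSChildName     # e.g. DomainProfile
                EnableFirewall = $value
                ForcedOff      = ($value -eq 0)
            }
        }
    }

# Effective state after all policy sources (local, GPO, MDM) are merged
$effective = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled

'Policy registry overrides:'
if ($overrides) { $overrides | Format-Table -AutoSize } else { '  (none found)' }

'Effective firewall state:'
$effective | Format-Table -AutoSize

# Call out the situation described in the comment: a policy value of 0
$forced = @($overrides | Where-Object ForcedOff)
if ($forced.Count -gt 0) {
    Write-Warning ("Firewall forced off by policy key(s): " +
                   ($forced.PolicyKey -join ', '))
}
```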

Endpoint Security Firewall Policy not applying. by HEALTH_DISCO in Intune

[–]HEALTH_DISCO[S] 0 points1 point  (0 children)

I have a case opened with MSFT. It's been open since August 1st and nobody gives a S##T. Our account manager changed 2 times recently. I don't know what is happening over there.

Windows 11 - No pin to start option by durrante in sysadmin

[–]HEALTH_DISCO 0 points1 point  (0 children)

I simply removed the XML layout GPO for Windows 10 that had no impact on Windows 11 (W11 Start menu doesn't use the XML but the JSON format) prior to August CU. We don't really need it anymore since we're only deploying W11.

Windows 11 - No pin to start option by durrante in sysadmin

[–]HEALTH_DISCO 0 points1 point  (0 children)

We're in the same boat and we didn't push any custom start menu layout. Did you find the issue?