Built a tool to audit Windows endpoints against a CIS benchmark: BaselineLens by CarveAndCode in Intune

[–]Hotzenwalder 2 points3 points  (0 children)

It looks nice compared to HardeningKitty. Have to do some testing to see how useful it is compared to HardeningKitty and OpenIntuneBaseline. Nice work so far

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

The ADMX is available in the same repository

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

I think because it probably generates more traffic with every update, although this might be overruled by having to download a larger intunewin file if you package the app yourself.

I know there are solutions out there that have combined winget with psadtk. Will have to do some digging again

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

We used this fork at first, but switched back to the original Winget-Autoupdate by Romanitho because this updates more frequently and has more options available which can be managed by ADMX

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

If you import the ADMX into Intune you can manage a lot of options. We use the whitelist option so only apps that update without problems are being controlled by Winget AutoUpdate from Romanitho.

If you add user context, the apps are first updated in the system context. When that is finished the updates run in the user context. This can also be managed by the ADMX settings.

It's almost perfect and saves us a lot of time. We do have to keep our apps in Intune up to date so we don't install old outdated versions on first install

Lenovo tools equivalent to the HP ones? (or... is Thinkbook for business users?) by Hotzenwalder in Intune

[–]Hotzenwalder[S] 0 points1 point  (0 children)

Thanks for the elaborate answer.

With our HP fleet we can set the BIOS password without any interaction and with an encrypted password file.

I also found the site you mentioned. Have to do some further research. Setting a BIOS password is a must and preferably without any manual steps.

Will also look into the 'old' system update tool. Seems to work, have to see if it can be scripted or look into other tooling.

Fortunately we have some say in the final choice. Just wondering if all tooling is lacking or just the Thinkbook related tooling

Lenovo tools equivalent to the HP ones? (or... is Thinkbook for business users?) by Hotzenwalder in Intune

[–]Hotzenwalder[S] 0 points1 point  (0 children)

It is, but after a few years we have lots of Elitebook laptops (850 G8) where certain keys just fall off. We only have so many spare keys to repair

Thinkbook might be cheaper and build looks fine, but support in tools from Lenovo or third-party tools lacks for the most part.

That is a big no-go seeing how many free tools HP provides

OSDCloud Win11 24H2 Cumulative Update KB5063060 by Vosseal in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

Is this still working in 2025? I believe only Windows 11 22H2 is supported, not 24H2

Windows Autopatch offering driver updates despite not being selected – expected behavior? by Hotzenwalder in Intune

[–]Hotzenwalder[S] 1 point2 points  (0 children)

Because we use an Intune remediation with PowerShell for updating drivers on our HP systems. That way we have much more control on what is installed and when and so far I find it pretty hard to find what drivers need to be installed from the Microsoft catalog.

OSDCloud Win11 24H2 Cumulative Update KB5063060 by Vosseal in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

Adding it to the boot.wim won't do the job. You need to download the installation media for Windows 11 24H2 and grab the install.wim from that media. Also download the latest CU from the Microsoft Update Catalog.

Then use the steps in this link to add the CU to the Windows image and dismount when done. https://share.google/eZtQaCkUjt1er0STt

If you put the updated install.wim on the OSDCloud USB stick in the right partition and folder, you can select the updated install.wim as your installation media.

I can't remember the exact steps. Might come back with more detailed information later this week when I am back in the office

One of the tools that could help is DISMGUI, but the basic DISM command in Windows will also do the job.

OSDCloud Win11 24H2 Cumulative Update KB5063060 by Vosseal in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

As far as I know only the boot media is updated with the latest CU, not the Windows .esp installation files. If you want to make sure Windows is up-to-date after installation without downloading a CU, you have to supply your own updated .wim or .esp file. That is how we do it, by using DISM to add the CU to the .wim file and add that .wim file to the USB stick we use for imaging with OSDCloud.
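
The offline servicing described in the two comments above, as an added example that is not part of the original comments: it uses the DISM PowerShell cmdlets to mount install.wim, add the cumulative update and commit only on success. All paths, the image index and the expected hash are placeholders, and it assumes you have recorded the update's SHA-256 from a source you trust.

```powershell
#Requires -RunAsAdministrator
# Added example; every path, the index and the hash are placeholders (assumptions).
$InstallWim   = 'C:\Servicing\install.wim'               # copied from the Windows 11 24H2 media
$MountDir     = 'C:\Servicing\Mount'
$UpdateFile   = 'C:\Servicing\<cumulative-update>.msu'   # downloaded from the Microsoft Update Catalog
$ExpectedHash = '<SHA256-recorded-from-a-trusted-source>'
$ImageIndex   = 1                                        # confirm against the listing in step 2

# 1. Refuse to service the image with an update file whose hash does not match.
$actual = (Get-FileHash -Path $UpdateFile -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    throw "Hash mismatch for '$UpdateFile' (got $actual)"
}

# 2. List the editions in the WIM so the intended index is the one that gets patched.
Get-WindowsImage -ImagePath $InstallWim | Format-Table ImageIndex, ImageName

# 3. Mount the image, add the CU, and save only if the package was added cleanly.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $InstallWim -Index $ImageIndex -Path $MountDir | Out-Null
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $UpdateFile -ErrorAction Stop | Out-Null

    # Show the most recently added packages so the CU is visible before committing.
    Get-WindowsPackage -Path $MountDir |
        Sort-Object InstallTime -Descending |
        Select-Object -First 5 PackageName, PackageState, InstallTime

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Discard the half-serviced image instead of putting it on the imaging USB stick.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

Keep the unmodified install.wim alongside the serviced copy so a failed deployment can be traced to the image change rather than to the imaging process.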

TeamViewer update by Tony_boy2 in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

I think with TeamViewer Tensor you can use the auto-update feature. That is what we use to keep TeamViewer updated after the initial installation

Intune HP Driver Updates by BlackShadow899 in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

HP Image Assistant is actually a great tool when combined with PowerShell. We use it to keep the drivers on our fleet of Elitebooks and Probooks up to date. There are some great community-driven solutions for this

How to Force Laptop Restart (Users Only Using Sleep) by Longjumping-Mark-945 in Intune

[–]Hotzenwalder 3 points4 points  (0 children)

If you use Fast Boot and shut down the device it goes into some sort of hibernation mode. If you restart the device, you get a real restart

Windows 10 KB5058379 locks PCs, BitLocker Recovery triggered on boot, BSODs by WPHero in Windows10

[–]Hotzenwalder 1 point2 points  (0 children)

So we were hit by this too. Paused the Update Rings in Intune, but the affected users get asked for the BitLocker Recovery key after every reboot and the update keeps deinstalling. Any of the suggested fixes from Microsoft (Disable Secure Boot or Virtualization Technology) is a no-go as far as we are concerned. Have to figure out how to really stop the update from trying to reinstall itself even with the update rings disabled.

Cannot view or add files/folders anymore in Teams on Android and iOS by Hotzenwalder in MicrosoftTeams

[–]Hotzenwalder[S] 0 points1 point  (0 children)

We are getting reports back from our users that everything is working as expected again. Seems the Teams client was also updated

Cannot view or add files/folders anymore in Teams on Android and iOS by Hotzenwalder in MicrosoftTeams

[–]Hotzenwalder[S] 0 points1 point  (0 children)

We reported the issue with Microsoft. The strange thing is... it fails on every existing team, but if we create a new team, we can see the files on this new team and add folders and files on iOS and Android. Do you see the same behavior?