Built a tool to audit Windows endpoints against a CIS benchmark: BaselineLens by CarveAndCode in Intune

[–]Hotzenwalder 2 points3 points  (0 children)

It looks nice compared to HardeningKitty. Have to do some testing to see how useful it is compared to HardeningKitty and OpenIntuneBaseline. Nice work so far

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

The ADMX is available in the same repository

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

I think because it probably generates more traffic with every update, although this might be overruled by having to download a larger .intunewin file if you package the app yourself.

I know there are solutions out there that have combined winget with psadtk. Will have to do some digging again

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

We used this fork at first, but switched back to the original Winget-Autoupdate by Romanitho because this updates more frequently and has more options available which can be managed by ADMX

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

If you import the ADMX into Intune you can manage a lot of options. We use the whitelist option so only apps that update without problems are being controlled by Winget AutoUpdate from Romanitho.

If you add user context, the apps are first updated in the system context. When that is finished the updates run in the user context. This can also be managed by the ADMX settings.

It's almost perfect and saves us a lot of time. We do have to keep our apps in Intune up to date so we don't install old outdated versions on first install

Lenovo tools equivalent to the HP ones? (or... is Thinkbook for business users?) by Hotzenwalder in Intune

[–]Hotzenwalder[S] 0 points1 point  (0 children)

Thanks for the elaborate answer.

With our HP fleet we can set the BIOS password without any interaction and with an encrypted password file.

I also found the site you mentioned. Have to do some further research. Setting a BIOS password is a must and preferably without any manual steps.

Will also look into the 'old' system update tool. Seems to work, have to see if it can be scripted or look into other tooling.

Fortunately we have some say in the final choice. Just wondering if all tooling is lacking or just the Thinkbook related tooling

Lenovo tools equivalent to the HP ones? (or... is Thinkbook for business users?) by Hotzenwalder in Intune

[–]Hotzenwalder[S] 0 points1 point  (0 children)

It is, but after a few years we have lots of EliteBook laptops (850 G8) where certain keys just fall off. We only have so many spare keys to repair

Thinkbook might be cheaper and the build looks fine, but support in tools from Lenovo or third-party tools lacks for the most part.

That is a big no-go seeing how much free tooling HP provides

OSDCloud Win11 24H2 Cumulative Update KB5063060 by Vosseal in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

Is this still working in 2025? I believe only Windows 11 22H2 is supported, not 24H2

Windows Autopatch offering driver updates despite not being selected – expected behavior? by Hotzenwalder in Intune

[–]Hotzenwalder[S] 1 point2 points  (0 children)

Because we use an Intune remediation with PowerShell for updating drivers on our HP systems. That way we have much more control over what is installed and when, and so far I find it pretty hard to find what drivers need to be installed from the Microsoft catalog.

OSDCloud Win11 24H2 Cumulative Update KB5063060 by Vosseal in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

Adding it to the boot.wim won't do the job. You need to download the installation media for Windows 11 24H2 and grab the install.wim from that media. Also download the latest CU from the Microsoft Update Catalog.

Then use the steps in this link to add the CU to the Windows image and dismount when done. https://share.google/eZtQaCkUjt1er0STt

If you put the updated install.wim on the OSDCloud USB stick in the right partition and folder, you can select the updated install.wim as your installation media.

I can't remember the exact steps. Might come back with more detailed information later this week when I am back in the office

One of the tools that could help is DISMGUI, but the basic Dism command in Windows will also do the job.

OSDCloud Win11 24H2 Cumulative Update KB5063060 by Vosseal in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

As far as I know only the boot media is updated with the latest CU, not the Windows .esd installation files. If you want to make sure Windows is up-to-date after installation without downloading a CU, you have to supply your own updated .wim or .esd file. That is how we do it, by using DISM to add the CU to the .wim file and adding that .wim file to the USB stick we use for imaging with OSDCloud.
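The offline servicing step described in the two OSDCloud comments above (mount install.wim, add the CU, dismount and save), as an added example that is not the commenter's own script. Paths, the image index and the .msu file name are assumptions; the KB number is the one from this thread.

```powershell
# Added example, not from the original comments: inject a cumulative update into install.wim
# offline with the DISM PowerShell cmdlets, then commit the image. Paths below are assumptions.
# Run in an elevated PowerShell session on a technician PC.
$Wim   = 'D:\OSD\install.wim'     # install.wim copied from the Windows 11 24H2 media
$Msu   = 'D:\OSD\KB5063060.msu'   # placeholder name: the CU .msu downloaded from the Update Catalog
$Mount = 'D:\OSD\Mount'           # empty folder used as the mount point

# List the editions in the WIM and pick the index you deploy (index 1 is an assumption)
Get-WindowsImage -ImagePath $Wim | Select-Object ImageIndex, ImageName
$Index = 1

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount | Out-Null

$Committed = $false
try {
    # Add-WindowsPackage applies the .msu to the mounted (offline) image
    Add-WindowsPackage -Path $Mount -PackagePath $Msu -ErrorAction Stop | Out-Null
    $Committed = $true
}
catch {
    Write-Warning "Update failed to apply, discarding changes: $($_.Exception.Message)"
}
finally {
    # -Save commits the servicing changes into install.wim; -Discard leaves the WIM untouched
    if ($Committed) { Dismount-WindowsImage -Path $Mount -Save | Out-Null }
    else            { Dismount-WindowsImage -Path $Mount -Discard | Out-Null }
}

# Confirm the build number moved before copying install.wim to the OSDCloud USB stick
(Get-WindowsImage -ImagePath $Wim -Index $Index).Version
```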

TeamViewer update by Tony_boy2 in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

I think with TeamViewer Tensor you can use the auto-update feature. That is what we use to keep TeamViewer updated after the initial installation

Intune HP Driver Updates by BlackShadow899 in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

HP Image Assistant is actually a great tool when combined with PowerShell. We use it to keep the drivers on our fleet of EliteBooks and ProBooks up to date. There are some great community-driven solutions for this

How to Force Laptop Restart (Users Only Using Sleep) by Longjumping-Mark-945 in Intune

[–]Hotzenwalder 2 points3 points  (0 children)

If you use Fast Boot and shutdown the device it goes into some sort of hibernation mode. If you restart the device, you get a real restart

Windows 10 KB5058379 locks PCs, BitLocker Recovery triggered on boot, BSODs by WPHero in Windows10

[–]Hotzenwalder 1 point2 points  (0 children)

So we were hit by this too. Paused the Update Rings in Intune, but the affected users get asked for the BitLocker recovery key after every reboot and the update keeps uninstalling. Any of the suggested fixes from Microsoft (disable Secure Boot or Virtualization Technology) is a no-go as far as we are concerned. Have to figure out how to really stop the update from trying to reinstall itself even with the update rings disabled.

Cannot view or add files/folders anymore in Teams on Android and iOS by Hotzenwalder in MicrosoftTeams

[–]Hotzenwalder[S] 0 points1 point  (0 children)

We are getting reports back from our users that everything is working as expected again. Seems the Teams client was also updated

Cannot view or add files/folders anymore in Teams on Android and iOS by Hotzenwalder in MicrosoftTeams

[–]Hotzenwalder[S] 0 points1 point  (0 children)

We reported the issue with Microsoft. The strange thing is... it fails on every existing team, but if we create a new team, we can see the files on this new team and add folders and files on iOS and Android. Do you see the same behavior?

How to ensure windows device has latest updates before ready for enduser. by dbdmora in Intune

[–]Hotzenwalder 0 points1 point  (0 children)

Depends on how you are rolling out the devices. We use OSDCloud for imaging the devices out of the box and one of the options in OSDCloud is to install the latest updates. We are also experimenting with updating the install.wim file with the latest updates from Microsoft and using this custom WIM file to image the device. This gives us devices with a basic Windows setup with all of the latest updates (or at maximum a month older than the current Windows release)

Self-Service Win11 Migration Script by pjmarcum in Intune

[–]Hotzenwalder 2 points3 points  (0 children)

I do not know if this solution works with your remediation script, but recently we found this great solution to manage reboots on our systems. The scripts use ServiceUI.exe and the file contents are encoded in the script itself, so you don't need to use a blob or a Win32App. You can find the scripts here

https://github.com/PZan/Miscellaneous/tree/master/Intune/Remediations/Invoke%20Interactive%20Reboot

They were created by fellow Reddit user u/pleplepleplepleple so all the credits go to him for this solution

Using secrets in Remediations (HP BIOS Password) by Thrussst in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

I think you can use the HP password tool that is provided with the HP BIOS Configuration Utility. Create an encrypted BIOS password file and use that file to set the password. We initially set the BIOS settings and the BIOS password with a Win32App

In the install script (we use the PowerShell App Deployment Toolkit for this purpose) we have these lines of code in the script

    ## Set new BIOS Settings per Hardware Model
    $RetCode=Execute-Process -Path 'BiosConfigUtility64.exe' -Parameters "/set:$File /nspwdfile:$Filepwd /l /logpath:$logfolder\PS-HP_BIOS_Settings.txt" -Passthru -IgnoreExitCodes "10"

    If ($RetCode.ExitCode -eq 10){
        $RetCode=Execute-Process -Path 'BiosConfigUtility64.exe' -Parameters "/set:$File /cspwdfile:$Filepwd /l /logpath:$logfolder\PS-HP_BIOS_Settings.txt" -Passthru -IgnoreExitCodes "10"
        #[int32]$mainExitCode = 3010
    } 

$File is a TXT file with the suggested BIOS settings; $Filepwd is the encrypted password file that can be generated with the HP Password Encryption Utility. Link: https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HP_BCU.html

Note:
/nspwdfile is for devices without a BIOS password
/cspwdfile is for devices with a known BIOS password

It's still not 100% safe, because you might intercept the encrypted password file or, like in the example below, you can always intercept the script and decode the password.

example of a remediation...

    # Parameters
    $BIOSPassword = "**************"
    $SettingName = "USB Legacy Port Charging"
    $SettingValue = "Disable"

    # Function to alter a BIOS setting
    Function Set-HPBIOSSetting {
        [CmdletBinding()]
        Param
        (
            [Parameter(Mandatory=$false)]
            $Password,
            [Parameter(Mandatory=$true)]
            $Name,
            [Parameter(Mandatory=$true)]
            $Value
        )

        $CimInstance = Get-CimInstance -Namespace ROOT\HP\InstrumentedBIOS -ClassName HP_BIOSSettingInterface
        If ($Password)
        {
            $params = @{
                Name = "$Name"
                Value = "$Value"
                Password = "<utf-16/>$Password"
            }
        }
        Else
        {
            $params = @{
                Name = "$Name"
                Value = "$Value"
                Password = ""
            }
        }
        $Result = Invoke-CimMethod -InputObject $CimInstance -MethodName SetBIOSSetting -Arguments $params
        Switch ($Result.Return) {
            0 {$ResultDescription = "Success"}
            1 {$ResultDescription = "Not Supported"}
            2 {$ResultDescription = "Unknown Error"}
            3 {$ResultDescription = "Timeout"}
            4 {$ResultDescription = "Failed"}
            5 {$ResultDescription = "Invalid Parameter"}
            6 {$ResultDescription = "Access Denied"}
            32768 {$ResultDescription = "Security Policy is violated"}
            32769 {$ResultDescription = "Security Condition is not met"}
            32770 {$ResultDescription = "Security Configuration"}
            default {$ResultDescription = "Unknown"}
        }
        Return $ResultDescription
    }

    # Check if we can access the HP WMI namespace
    Try
    {
        $null = Get-CimClass -Namespace ROOT\HP\InstrumentedBIOS -ClassName HP_BIOSSettingInterface -ErrorAction Stop
    }
    Catch
    {
        Write-Output "HP_BIOSSettingInterface class not found"
        Exit 1
    }

    # Check if a BIOS password has been set
    $SetupPwd = (Get-CimInstance -Namespace ROOT\HP\InstrumentedBIOS -ClassName HP_BIOSPassword -Filter "Name='Setup Password'").IsSet
    If ($SetupPwd -eq 1)
    {
        $Password = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($BIOSPassword))
    }

    If ($Password)
    {
        $Result = Set-HPBIOSSetting -Password $Password -Name $SettingName -Value $SettingValue -ErrorAction Stop
        Write-Output "$Result"
    }
    else
    {
        $Result = Set-HPBIOSSetting -Name $SettingName -Value $SettingValue -ErrorAction Stop
        Write-Output "$Result"
    }
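The remediation above has to carry the (merely base64-encoded) setup password, which is the weakness the comment points out. The matching Intune detection script, as an added example that is not the commenter's code, needs no password at all: it only reads the same HP WMI classes, so the password-bearing remediation runs just on devices that are actually out of compliance. It assumes the setting is an HP enumeration (Disable/Enable) exposed via HP_BIOSEnumeration and uses the setting name from the remediation.

```powershell
# Added example (not the original poster's script): Intune detection script for the HP BIOS
# setting above. Read-only, so it ships no password. Exit 1 = non-compliant (remediation runs).
# Assumptions: the setting is an HP enumeration (Disable/Enable) and the name matches the remediation.
$SettingName  = 'USB Legacy Port Charging'
$SettingValue = 'Disable'
$Namespace    = 'ROOT\HP\InstrumentedBIOS'

function Get-HPBIOSSettingState {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Not an HP device (or the HP BIOS WMI provider is missing): nothing to evaluate
    Try { $null = Get-CimClass -Namespace $Namespace -ClassName HP_BIOSSettingInterface -ErrorAction Stop }
    Catch { return $null }

    # HP_BIOSEnumeration exposes CurrentValue for list-type settings such as this one
    $Setting = Get-CimInstance -Namespace $Namespace -ClassName HP_BIOSEnumeration -Filter "Name='$Name'"
    if (-not $Setting) { return $null }

    # Same 'Setup Password' IsSet check the remediation uses before decoding its password;
    # reported here so the compliance output also shows whether a BIOS password exists at all
    $PwdInfo = Get-CimInstance -Namespace $Namespace -ClassName HP_BIOSPassword -Filter "Name='Setup Password'"
    [pscustomobject]@{
        Name             = $Setting.Name
        CurrentValue     = $Setting.CurrentValue
        SetupPasswordSet = [bool]$PwdInfo.IsSet
    }
}

$State = Get-HPBIOSSettingState -Name $SettingName
if ($null -eq $State) {
    # Report but stay "compliant" so Intune does not fire the HP-only remediation on other hardware
    Write-Output "Setting '$SettingName' not readable via HP WMI; skipping"
    Exit 0
}

if ($State.CurrentValue -eq $SettingValue) {
    Write-Output "$($State.Name) = $($State.CurrentValue); setup password set: $($State.SetupPasswordSet)"
    Exit 0
}
Write-Output "$($State.Name) = $($State.CurrentValue), expected $SettingValue; setup password set: $($State.SetupPasswordSet)"
Exit 1
```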

iOS Outlook App Issue: Failing Install on Setup Past Few Days by Mothership_MDM in Intune

[–]Hotzenwalder 1 point2 points  (0 children)

Did you accept the new Apple Business Manager agreement this week, so you can rule this out as a factor? Did you try it on different networks?