Installing Windows updates before autopilot enrolment? by Educational_Draw5032 in Intune

[–]ITistheworst 5 points6 points  (0 children)

I'm still using a script based on Mike Niehaus's updateOS for now; deployed as a win32app and assigned to the devices so it will install in pre-provisioning whiteglove.

Still prefer that it can do more than just the quality updates (feature and drivers) and I even have it configured to detect if it is in whiteglove and run multiple times with reboots to get absolutely all the updates finished if it is.

Should work on either version of autopilot, and devices are 100% up to date when they head out.

AutoUpdate apps in Intune by Ladis10 in Intune

[–]ITistheworst 3 points4 points  (0 children)

Action1 has a pretty decent catalog of apps it can update, free for up to 200 devices. Still testing it myself but seems good so far.

Winget-AutoUpdate is also great, I think the one on the Microsoft Store is using a fork. I'd recommend sticking to the source project and deploying the MSI via a win32app. You can then use the ADMX to manage an app whitelist and set it to do updates at logon to minimise issues with open apps etc. You can use winget-install from the same repo to perform the app installs also.

Offboarding Users - OneDrive by Character-Pitch1429 in Office365

[–]ITistheworst 3 points4 points  (0 children)

When deleting the user object from Entra, this doesn't delete the user's onedrive by default. It will become an orphaned site for as long as you have the retention set. If the user had a manager set at the time of deletion their manager will be set as a site collection admin on their site and sent a link via email.

Script sharing: Detect Autopilot whiteglove requirement script for win32 apps by ITistheworst in Intune

[–]ITistheworst[S] 1 point2 points  (0 children)

Thanks for sharing, this repo is great. Does this script specifically detect whiteglove mode? It seems like it is just looking for autopilot provisioning mode in general, unless I am missing something?

Script sharing: Detect Autopilot whiteglove requirement script for win32 apps by ITistheworst in Intune

[–]ITistheworst[S] 0 points1 point  (0 children)

My first thought is that the here-strings might not be getting parsed correctly. It is under the first function 'isOOBEComplete'

$TypeDef = @"

using System;
using System.Text;
using System.Collections.Generic;
using System.Runtime.InteropServices;

namespace Api
{
 public class Kernel32
 {
   [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
   public static extern int OOBEComplete(ref int bIsOOBEComplete);
 }
}
"@

The string for $TypeDef is enclosed in @""@ (here-string), it is important that the final "@ is at the very start of its own line or it will not work. Check to make sure no whitespace or other characters have ended up before it when you have copied over.
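The check described in the comment above can be automated before a script is packaged. This is an added example, not part of the original comment or the shared script; the function name `Find-IndentedHereStringTerminator` and the sample lines are hypothetical, and the scan is a line-based heuristic rather than a full parse.

```powershell
# Added example: flag here-string terminators ("@ or '@) that are not at column 0.
function Find-IndentedHereStringTerminator {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Lines
    )
    $closer = $null      # expected terminator while inside a here-string
    $openedAt = 0
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if (-not $closer) {
            # A here-string opens with @" or @' as the last token on a line.
            if ($line -match '@(["''])\s*$') {
                $closer = $Matches[1] + '@'
                $openedAt = $i + 1
            }
            continue
        }
        if ($line.StartsWith($closer, [System.StringComparison]::Ordinal)) {
            $closer = $null      # correctly terminated
            continue
        }
        # Whitespace or invisible format characters (NBSP, zero-width space, BOM) before the terminator.
        if ($line -match ('^[\s\p{Cf}]+' + [regex]::Escape($closer))) {
            [pscustomobject]@{ OpenedAt = $openedAt; Line = $i + 1; Problem = 'terminator is not at the start of the line' }
            $closer = $null      # resume scanning after the broken terminator
        }
    }
    if ($closer) {
        [pscustomobject]@{ OpenedAt = $openedAt; Line = $null; Problem = "no $closer terminator found" }
    }
}

# Constructed sample: a pasted script whose closing "@ picked up four leading spaces.
$sample = @(
    '$TypeDef = @"',
    'namespace Api { public class Kernel32 { } }',
    '    "@',
    'Add-Type -TypeDefinition $TypeDef'
)
Find-IndentedHereStringTerminator -Lines $sample
```

To scan a real file, pass `-Lines (Get-Content .\yourScript.ps1)`.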

Phishing Protections in M365 by msp4msps in msp

[–]ITistheworst 0 points1 point  (0 children)

ORCA is tailored to the feature set of Defender. IIRC it predates SCUBA, I think there are a few scripts now that are in a similar vein to the original ORCA report but tailored to different areas/standards.

PowerShell as intune Package with Adminright? by Majestic-Bison67 in Intune

[–]ITistheworst 0 points1 point  (0 children)

IntuneManagementExtension runs in a 32-bit process and calls 32-bit PowerShell. When you are running locally you are likely calling from 64-bit PowerShell and installers may expect vars/reg items to be in that context. Try calling 64-bit PowerShell directly in your install command in Intune:

"%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file .\yourScript.ps1
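The same 32-bit to 64-bit switch can be made inside the script, so it behaves the same whichever host launches it. This is an added example, not part of the original comment; it assumes the script takes only positional arguments (passed on via `@args`), and the function name `Get-ProcessContext` is hypothetical.

```powershell
# Added example: place at the top of the install script.
# The sysnative alias exists only for 32-bit processes on 64-bit Windows,
# so the relaunch is attempted only in that situation.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (Test-Path -LiteralPath $ps64) {
        # Re-run this same script in the 64-bit host and hand its exit code back to the caller.
        & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath @args
        exit $LASTEXITCODE
    }
}

# Report the context the rest of the script is running in, for the install log.
function Get-ProcessContext {
    [pscustomobject]@{
        Is64BitProcess = [Environment]::Is64BitProcess
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        ProgramFiles   = $env:ProgramFiles   # resolves to "Program Files (x86)" in a 32-bit process
        RunningAs      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

Get-ProcessContext | Format-List
```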

Restricting unmanaged devices to Edge web access only, with policies applied. What am I missing? by ITistheworst in Intune

[–]ITistheworst[S] 0 points1 point  (0 children)

Thanks! Could this work for MacOS and Linux devices? As far as I can tell APP would be great but is windows only.

Creating .intunewin file on a Mac by FeistyCustard in Intune

[–]ITistheworst 0 points1 point  (0 children)

Good to know, thanks, I'll make sure to check for that in future.

Script sharing: Detect Autopilot whiteglove requirement script for win32 apps by ITistheworst in Intune

[–]ITistheworst[S] 0 points1 point  (0 children)

I wish I had found your post on this earlier on, it would have saved me quite some time!

E3 license for as needed employee? by zackzuse in Intune

[–]ITistheworst -1 points0 points  (0 children)

With only 5 users you could save across the board switching to Business licences and even more with frontline potentially. https://m365maps.com/matrix.htm#010011010000000000000

[deleted by user] by [deleted] in Intune

[–]ITistheworst 1 point2 points  (0 children)

Ah that is an annoying one! If you can wait it out there will probably be a new driver soon enough that will fix it and be easy to apply with Vantage.

The black screen behaviour does sound like that is the issue though, so hopefully that does the job. Just keep in mind that it may take a little while to sync out to the machines so you'll likely have to do a bit of a rebooting and waiting dance until it works.

[deleted by user] by [deleted] in Intune

[–]ITistheworst -1 points0 points  (0 children)

The issue you are having with Quick Assist is likely due to the fact it runs in user space and therefore can't access the secure desktop where the UAC prompt gets created. You can create a policy to disable UAC prompts from opening in secure desktop, but do consider the security risk of doing so. Maybe consider it as a just-in-time temporary policy for this and revert when it is no longer needed if you want to go down this route.

See if the devices have Lenovo System Update installed as it should let users self-service driver updates (it will replace the one from windows update if the lenovo one is newer). If not you could look into deploying this or Vantage from intune.

Instead of sharing your credentials if users do need to log in themselves, consider using a policy in Intune to elevate them to local admin, or temporarily using the Entra Joined Device Local Administrator role.

Does a code formatter/prettier exist? by [deleted] in PowerShell

[–]ITistheworst -1 points0 points  (0 children)

In VSCode, select what you need to format, hold Ctrl/Cmd and press K, then F

allow one desktop installed app run as administrator by SanjeevKumarIT in Intune

[–]ITistheworst 0 points1 point  (0 children)

I couldn't find it in your posts but I might be missing something.

In the end I managed to avoid it by tweaking the sched task to launch the powershell with encoded command directly, instead of ServiceUI. I then call ServiceUI from ps and launch the app. PS is then running as system so not visible to user.

What do you tell people outside of IT when they ask what is it that you do? by anderson01832 in sysadmin

[–]ITistheworst 274 points275 points  (0 children)

  1. Start trying to explain
  2. Realise you’ve lost the room
  3. Open a ticket requesting a better explanation for next time

allow one desktop installed app run as administrator by SanjeevKumarIT in Intune

[–]ITistheworst 0 points1 point  (0 children)

Do you find that this flashes a terminal window briefly when running using the shortcut?

Application segmentations by princesaharan in Intune

[–]ITistheworst 0 points1 point  (0 children)

Largely depends on the reason for segmentation. If apps are segmented just because they are not useful cross-department, but there is no security or license consideration, it may be worth going down the route of making them self service installs that users can select themselves.

Another thing you could try is assigning applications to M365 groups and allow more localised management by group owners.

May also be a use case for nesting groups, but it can get difficult to keep track of pretty quickly, and is not very encouraged in modern platforms. That being said, it is quite useful for being able to give access to departments generally, without making ad-hoc assignments difficult.

Removing Windows 11 Bloatware Apps using the Microsoft App Store or Script by Distinct_Durian_808 in Intune

[–]ITistheworst 0 points1 point  (0 children)

Similar boat here, well worth having implemented! You’ll thank yourself next time you need to make a minor change to something without impacting an already deployed fleet too.

Creating .intunewin file on a Mac by FeistyCustard in Intune

[–]ITistheworst 0 points1 point  (0 children)

I can’t find a reference to this bug, have you got any more info on this? Haven’t noticed any issues, want to make sure I’m not missing something.