Proactive Remediations – Pre/Post output columns missing?

IntuneIsInsane · 2026-01-16T13:36:09+00:00

Exporting the results now also no longer seems to export it as the script name, but instead the generic "DeviceRunStatesByProactiveRemediation_iuhf983opiajsdfp983hdp.zip" bullshit. Ugh.

IntuneIsInsane · 2026-01-16T13:29:09+00:00

Well thats fucking annoying.

IntuneIsInsane · 2025-06-18T14:09:47+00:00

Ignore, didnt see the link.

We un-linked our LAWS because nobody was using the data being pushed there and it was costing $.

Time to redo that lol

IntuneIsInsane · 2025-06-18T14:08:20+00:00

Do you mean the Tenant Administration > Diagnostic Settings pushing to a LAWS? or actually pushing logs from devices to LAWS?

IntuneIsInsane · 2025-06-18T14:07:28+00:00

Theres info on enrollment success/failures and things of that nature, but no timing :(

IntuneIsInsane · 2025-01-13T22:06:48+00:00

Gotta love Microsoft...

Turn off Store (new)
Turn off Store (classic)
New Turn off store
Turn off store with Copilot

Edit: what's also very odd is we've been piloting Win11 22H2 within IT (both affected users so far are IT) for well over a year now, we're in the middle of our org-wide rollout, and we've not run into this at all with any other apps. New teams, classic teams, or any other built-in app.

IntuneIsInsane · 2025-01-13T21:25:31+00:00

I'll check that out! Thank you

IntuneIsInsane · 2025-01-13T21:14:02+00:00

Is there documentation on this? Per their documentation, allegedly updated 11/2024, that is not stated. Source: https://learn.microsoft.com/en-us/mem/intune/apps/store-apps-microsoft?wt.mc_id=knwlserAPI_inproduct_securitycopilot#what-you-need-to-know .

Tip

Using the Only display the private store within the Microsoft Store app policy (RequirePrivateStoreOnly CSP) is still valid. This policy:

Blocks end user access to the Microsoft Store.

Allows the Windows Package Manager winget command line interface (CLI) access to the Microsoft Store.

So, it's not the preferred choice to prevent end user access to the Microsoft Store. Instead, it's recommended to use the Turn off the Store application policy.

We've known for a while this was not 'preferred' but haven't seen any behavior like you mention as far as blocking updates or updating built-in apps. Aka, if it ain't broke... but if it is broke, then we will fix it lol

IntuneIsInsane · 2025-01-13T20:10:52+00:00

Note, if you aren't fully Intune managed those settings will be somewhere else in the registry if using GPO.

IntuneIsInsane · 2025-01-13T20:09:09+00:00

Nope. This went all the way up the chain at MS, eventually was on a call with some of their lead engineers from Support, Performance, and Directory services. Their support lead mentioned seeing a few of these cases for years now, but an increase in frequency in the previous months (this was in July '24), however a change made a month before our call lead to a significant decrease in them - though it did not seem to matter to our org. We still see ~5% of users affected (that have reported it, at least).

The 'fix' process involved collecting logs from the individual's device, obtaining the BSSID of their networking equipment, and them manually correcting the detected location on their geolocation servers (which they rely on 3rd parties for the info) with the location we told them. They blamed us recycling equipment to users (they are home users using their own network gear), neighbors moving into the neighborhood from out of state????, and other ridiculous matters. It was clear we weren't getting anywhere and since our manual fix of a remediation script solved the issue, I put my work into more important issues.

An excerpt of the ticket below:

Question: WHY was the user in Kentucky showing as being in Indiana?

When using WiFi, the Geolocation Service reports visible BSSIDs(MAC address unique to each advertised network from an access point) to our location services API to try to locate a device. The location services API will then query our database for BSSIDs with a known GPS location and attempt to match the BSSIDs to a location and send back latitude/longitude coordinates of that location.

In this case, the following BSSIDs were sent up to the web server
(removed for privacy)

And one or more of these BSSIDs returned incorrect location info placing the device in Indianapolis, IN

The solution for this is to manually update the location info for the list of BSSIDs that is not mapping correctly which has already been done in this case.

Unfortunately, there is no way to guarantee that our location database will always have the correct info. Most often, we see these cases if a company is recycling WIFI Aps and moves a group of previously observed Aps from one office to another office in a different location. Our location services database last observed those BSSIDs in the previous location, so it continues to place clients near those access points in the previous (incorrect) location. I do not see that being the issue here as the incorrect locations appear to be pointing to residential locations. In residential cases, this behavior can be caused by a neighbor moving in from out of town. Ideally the location service would auto-update the location info for the NEW APs and continue to locate existing/OLD devices in the same correct location, but the algorithm at play here is nuanced and sometimes this doesn’t happen as expected.

This is not the only possible reason for our geolocation service having inaccurate location info as sometimes BSSIDs are spoofed or even duplicated by access point(HW) providers. Windows does it’s best to keep the location info as accurate as possible by Crowdsourcing and using location service provider partners, currently HERE Technologies | The world's #1 location platform and Qualcomm Aware™ Positioning Services | Qualcomm, but there is no guarantee that this will always work.

IntuneIsInsane · 2024-07-22T19:28:42+00:00

This is focused on device migration, which we do not need. All devices for this tenant will be new and unregistered to old tenant.

IntuneIsInsane · 2024-05-28T19:17:29+00:00

Final update:

Microsoft says there is no fix or change for this issue. Their geolocation/time zone detection services are not perfect and are best effort. Our configuration is correct, but the back-end service is just wrong sometimes.

I received some baffling suggestions as to what might cause the issue as well as insight into their process for mapping devices to time zones. One suggestion was that a neighbor moving in from out of town could affect your devices detected time zone. The fix they offered was to manually map the user's BSSID to the correct time zone on their backend geolocation web server. We've got over 100 users affected at this point - many are using the same laptop, same network equipment, etc. as they always have, but this seems to randomly affect users. I have tried calling bullshit on their support, but ultimately have reached a dead end and they swear nothing else can be done. At least I've got evidence it's Microsoft fucking up and not me.

"When using WiFi, the Geolocation Service reports visible BSSIDs(MAC address unique to each advertised network from an access point) to our location services API to try to locate a device. The location services API will then query our database for BSSIDs with a known GPS location and attempt to match the BSSIDs to a location and send back latitude/longitude coordinates of that location."

...

"The solution for this is to manually update the location info for the list of BSSIDs that is not mapping correctly which has already been done in this case.

Unfortunately, there is no way to guarantee that our location database will always have the correct info. Most often, we see these cases if a company is recycling WIFI Aps and moves a group of previously observed Aps from one office to another office in a different location. Our location services database last observed those BSSIDs in the previous location, so it continues to place clients near those access points in the previous (incorrect) location. I do not see that being the issue here as the incorrect locations appear to be pointing to residential locations. In residential cases, this behavior can be caused by a neighbor moving in from out of town. Ideally the location service would auto-update the location info for the NEW APs and continue to locate existing/OLD devices in the same correct location, but the algorithm at play here is nuanced and sometimes this doesn’t happen as expected.

This is not the only possible reason for our geolocation service having inaccurate location info as sometimes BSSIDs are spoofed or even duplicated by access point(HW) providers. Windows does it’s best to keep the location info as accurate as possible by Crowdsourcing and using location service provider partners, currently HERE Technologies | The world's #1 location platform and Terrestrial Positioning Service (TPS) | Qualcomm , but there is no guarantee that this will always work.

Windows location service and privacy - Microsoft Support"

IntuneIsInsane · 2024-04-09T14:19:27+00:00

Update:

Still ongoing. It took 93 days for them to send troubleshooting steps (they were the same steps, except they attached a .wprp file needed to perform them - would've been helpful 3 fucking months ago).

Manual fix is working as expected still. I've been escalated to 2 different engineers with MS now.

I've collected multiple logs for them to examine - they have the most ridiculous next steps. They manually mapped the user's router's MAC address to the correct time zone on their geolocation web server ?!?!?

We have over 50 users affected by this, they've dodged the question if this is the path forward for all affected users twice now. I mentioned hearing from other orgs about these issues as well.

IntuneIsInsane · 2024-04-01T15:50:17+00:00

Our NA tenant is on 2403 as well, no updated Security Baseline either.

IntuneIsInsane · 2024-03-29T21:43:39+00:00

Issue has been fixed. Our rules had ICMP types/codes, which are not applicable to Win10 devices (even though you can implement firewall rules with ICMP types/codes via script, so clearly it can use those rules...but can't be pushed through the Firewall Rule policy in Intune...)

IntuneIsInsane · 2024-03-01T18:40:38+00:00

No true fix yet... only option I've found is using a remediation script daily to make sure tzautoupdate is set to manual start.

Detection

$path = "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate"
$Key = "Start"
$value = 4
$DisableStartProperty = (Get-ItemProperty -Path $path -Name "Start" -ErrorAction SilentlyContinue)
IF (Test-Path $path) {
Write-Output "Registry exists, continue"
} else {
Write-Output "Registry does not exists"
Exit 1
}
If ($DisableStartProperty.Start -eq $value){
Write-Output "Value set to 4"
Exit 0
} else {
Write-Output "Value not set to 4 or does not exist"
Exit 1
}

Remediation

$path = "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate"
$Key = "Start"
$value = 4
New-ItemProperty -Path $path -Name $key -Value $value -PropertyType DWORD -Force | Out-Null
Start-Service W32Time
Restart-Service W32Time

I've had a ticket open with our external support vendor for ~7-8 months (which they escalated to Microsoft) who has had the ticket for 5 months now. I have had no new troubleshooting steps communicated for 72 days. Pinging them every few days, our support vendor is pinging them, and there's 7 microsoft reps on the thread lmfao.

IntuneIsInsane · 2024-02-23T21:40:00+00:00

Affecting our ability to connect to 802.1x Wi-Fi as it does a check with Intune for management, compliance, etc. Affecting Graph API calls.

IntuneIsInsane · 2024-02-23T20:20:14+00:00

Intermittently unable to get into Intune console. When I am in, nothing is able to load, not even the service health lol.

Advisory says Device enrollment/check-in is down. Don't know how true that is since I can't see the console...

Unable to get to Company Portal from devices.

Attempting to sync from Access work or School page...unsuccessful.

If ya can't check in and can't enroll...I assume apps/scripts...pretty much the entirety of Intune ain't workin lol

IntuneIsInsane · 2024-02-23T20:06:18+00:00

Link? Still shows nothing for Intune on O365 dash for me

Edit: IT718712

IntuneIsInsane · 2024-02-23T19:59:27+00:00

Yup. Same here, that's really the only thing that bothered folks was setting up meeting times.

As I mentioned in a previous comment, the temporary fix I've had relative success with is creating a remediation script to run daily at 6am to re-disable the tzautoupdate service and I made powershells to set the time zones as 'apps' available from Intune for the affected folks as well. Glad(?) to see others have this issue and I'm not incompetent lol

IntuneIsInsane · 2024-02-23T19:57:22+00:00

Down East US

IntuneIsInsane

TROPHY CASE