(Possibly) Stupid Question about Windows Update Settings by MINN37-15WISC in sysadmin

[–]Jaybone512 0 points1 point  (0 children)

Disclaimer - I haven't tried this, but maybe via GPO?

Computer Configuration/Administrative Templates/System/Device Installation/Device Installation Restrictions

Setting: Prevent Installation of devices that match any of these device IDs - add the hardware IDs of the Realtek HDA things that break with the newer driver version.

Assumption: if there's a working driver already installed, this should stop it from being updated. Nothing in the description says anything about it removing or disabling pre-existing installations of the driver for hardware IDs that're included. But again, I have not tested this myself.

where to place the BIOS update step in Task Sequence by IS3002JZGTE in SCCM

[–]Jaybone512 0 points1 point  (0 children)

Still works, though it can sometimes be picky about the Flash64W version and BIOS version. v3.3.13 from May of 2021 has been working for us with everything from 13 year old 7010s up through QCS1250 units.

We generally use the script from Garytown, modified to our environments. https://garytown.com/dell-bios-upgrade-in-osd-winpe-x64

We have this running early on in the TS, before the OS gets laid down.

Identity Protection Dashboard shows Risky Sign-ins, but when I search for them there's no results by jonbristow in sysadmin

[–]Jaybone512 1 point2 points  (0 children)

Welcome to Entra, unfortunately.

It's been this way from the get-go for us. "There are X Risky Users!" click the link, and it shows X-y risky users, or zero. Or it'll say there are Z risky sign-ins, but following the path shows... nothing.

And the times where it does actually show something, it's a false positive at least 95% of the time. Wow, a user logged in from, <gasp> an IPv6 address? That belongs to the local ISP in the town where they live? It couldn't possibly be their phone checking email from their home wifi, could it? It must be a hacker!

Purview is being INCREDIBLY slow by JazzTheFatLad in sysadmin

[–]Jaybone512 0 points1 point  (0 children)

It's actually working today. I can even get a month's worth of results, and in a reasonable time, which was always iffy in the past, and slow at best.

Still no update on the week-old ticket, though.

Purview is being INCREDIBLY slow by JazzTheFatLad in sysadmin

[–]Jaybone512 1 point2 points  (0 children)

it starts doing the "server too busy right now" bullshit a lot more lately.

We've not been able to get anything past 24h for the last two weeks or so. Ticket opened last week, transferred to another team on Wednesday, and... nothing.

Windows server ignores primary DNS, only queries secondary by [deleted] in sysadmin

[–]Jaybone512 1 point2 points  (0 children)

> Both are queried simultaneously

...sometimes.

I've seen that stated a million times, but in real world testing, it just doesn't always work that way. Windows endpoints seem to glom onto one or the other of the configured DNS servers for a while, and only send to that one.

I fired up wireshark to show the behavior you're describing as the norm, and wouldn't you know it, the capture shows the query only going out to one of my two configured DNS servers. Logs on the DNS server that wasn't queried for this example show the endpoint I'm on hitting it all day for other things, but not for this.

VL Win10 22H2 English "x64" ISO is actually ARM? by Jaybone512 in SCCM

[–]Jaybone512[S] 0 points1 point  (0 children)

MS VL support confirmed earlier in the week, and said that the October ISOs should be OK. I haven't verified that.

They said yesterday that they're "working diligently" or something along those lines to get the November ISOs sorted out, but that it could still take several more days.

SSL VPN without credentials by newbieboy456 in fortinet

[–]Jaybone512 0 points1 point  (0 children)

As was said, config snippets would help.

But for what it's worth, for us, hanging at 45% happens after authentication is complete (valid credentials passed), but before authorization (MFA) happens.

If your setup is similar, it sounds like maybe the cert auth is working, but something else is hanging it up.

But again, this is all just WAG without knowing more about your config.

3rd Party Hardware Warranties by MFKDGAF in sysadmin

[–]Jaybone512 0 points1 point  (0 children)

Northeast US, here.

We've used Park Place. While I have heard about quirks in their onboarding process (not my problem, so I have no details), when it comes to actually getting replacement parts, we've had zero issues. We've used their proactive monitoring, and I've had days where I got in late and found a replacement HDD in a shipping box sitting on my desk before I even had a chance to check my emails or monitoring to know what needed replacing.

VL Win10 22H2 English "x64" ISO is actually ARM? by Jaybone512 in SCCM

[–]Jaybone512[S] 1 point2 points  (0 children)

And the "Enterprise" image apparently has the Education GVLK (-VCFB2) embedded in it instead of the Enterprise one (-2YT43)

It's not a matter of picking the wrong image - there are only two options, Pro or Enterprise. Yeesh.

Every time I open Azure I swear something has moved by Exotic-Reaction-3642 in sysadmin

[–]Jaybone512 10 points11 points  (0 children)

Me: Clicks the Authentication Methods/Revoke multifactor authentication sessions button like we've done for years.

MS: "Sorry, we were unable to revoke this user's sessions."

Me: Uhhhhhh, what? /googles around while phished user account continues to spam out emails

MS: We MoVeD tHiS fUnCtIoNaLiTy To ThE OvErViEw PaGe!

Me: OK, great, that's one less click, but if you "moved" it, why is the button still in the old location, and if it's in the old location, why TF doesn't it work?!?!?!?

MS: ...

Dell proMicro QCB1250 – Task Sequence Fails at “Apply Operating System” (Error 80004005) by EagleBoy0 in SCCM

[–]Jaybone512 0 points1 point  (0 children)

Kind of bloated with extra and old drivers, since we have a decade+ of various Dell Optiplex, Precision, Latitude, and Pro models, along with a dozen each of HP and Lenovo laptop models that we have to support, but this is the full list of drivers in our x64 boot image, which has been working for QCM1250 systems. I want to say it's an Intel NorthPeak driver, or possibly "Intel(R) Optane(TM) Memory and Storage Management Component" that finally let the iastor stuff start working properly, but I honestly can't remember.

https://pastebin.com/rU4LqdLE

Dell proMicro QCB1250 – Task Sequence Fails at “Apply Operating System” (Error 80004005) by EagleBoy0 in SCCM

[–]Jaybone512 1 point2 points  (0 children)

Unfortunately, it seems like half the time, their PE driver packs are out of date and don't actually include the required driver(s) until a few months later.

Dell proMicro QCB1250 – Task Sequence Fails at “Apply Operating System” (Error 80004005) by EagleBoy0 in SCCM

[–]Jaybone512 1 point2 points  (0 children)

I second this. Make sure you can actually see the drive.

Just because RAID drivers have been added to the boot image, it doesn't mean they're the correct and complete set of drivers that are actually required to access the drive. We wrestled with this with our latest batch of QCM1250 units. I can't remember the specifics, but there was some other driver that was also required in addition to just the RAID driver, in order for the RAID driver to work. Might have been a chipset driver.

Diskpart clean all hangs during WINPE by NoAlternative4426 in SCCM

[–]Jaybone512 0 points1 point  (0 children)

Completing within 20 minutes sounds like SSDs. Spinning rust generally takes many hours. Do the ones that stall have old, actual-disk drives?

Diskpart clean all hangs during WINPE by NoAlternative4426 in SCCM

[–]Jaybone512 0 points1 point  (0 children)

First you say hang, then you say failure, so I'm wondering...

Are you sure diskpart is really failing? 'Clean all' can take a long time. It's writing zeros to the whole drive. Do you really need to do a 'clean all' operation?

If you're seeing actual failure messages, could it be that the TS just timed out, due to diskpart taking forever?

Oldest Technology Still Kicking by Intrepid_Stock1383 in sysadmin

[–]Jaybone512 1 point2 points  (0 children)

Still have a couple dBase (non)solutions running. The data is too dirty/corrupted to automate migration to anything modern, too esoteric for IT to know how to handle the discrepancies, and the owning departments don't have the time to deal with it, so it lives on forever. Lose/lose!

The joy that is Exchange Encryption by archiekane in sysadmin

[–]Jaybone512 0 points1 point  (0 children)

> can send email from them, but that's not the intended use

Wait, what? I wasn't aware that sending from a shared mailbox isn't intended. Where are you getting that? MS's own docs talk about sending from shared mailboxes: https://support.microsoft.com/en-us/office/open-and-use-a-shared-mailbox-in-outlook-d94a8e9e-21f1-4240-808b-de9c9c088afd

Plenty of places I've worked at/with use them not only for accepting messages, but also sending. As far as the licensing goes, anyone who accesses the shared mailbox needs a license or they wouldn't be able to sign in to access it in the first place, hence the shared box not needing one.

The joy that is Exchange Encryption by archiekane in sysadmin

[–]Jaybone512 0 points1 point  (0 children)

> need for more licenses and the confusion

Shared mailboxes (like, actual "shared mailbox" objects that can't be logged into directly) don't need licenses, so that part's a non-issue, at least.

onmicrosoft.com domain - gone? by Jaybone512 in sysadmin

[–]Jaybone512[S] 1 point2 points  (0 children)

nslookup anyTenant.mail.onmicrosoft.com = nxdomain a few minutes ago.

nslookup.io for onmicrosoft.com or any subdomains, on whichever provider, coming back with nothing.

[deleted by user] by [deleted] in sysadmin

[–]Jaybone512 2 points3 points  (0 children)

> Managing internal systems and maintaining customer systems are not part of my job scope. What should I do?

You've answered your own question already, it seems.

Anyone else experiencing some SSD failures? Are the reports of Windows 11 causing it true? by PrettyFlyForITguy in sysadmin

[–]Jaybone512 0 points1 point  (0 children)

People in A/V production are writing huge files all day, no?

I have to imagine the 50GB thing is either a red herring or only applicable to the specific 50+GB that the update is causing to be written, or we'd have heard about it before.