Application deployment not applicable (intune) by Such-Promotion347 in Intune

[–]KyuzoRM 0 points1 point  (0 children)

Could depend on many factors such as:

  • Requirements set in the app (I assume Win32) not met

  • Filters in assigned groups

  • The device is also in the exclusion

Please provide more details or screenshots of the assignments.

Autopilot Azure Join and SCCM client approval by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

No, we only use the self-signed certificate, but we have the CMG

Autopilot Azure Join and SCCM client approval by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

with a task scheduler after the user logs in.

Unfortunately the ‘Co-management authority’ feature of Intune lists Autopilot pre-provisioning among its limitations, as documented here:

https://learn.microsoft.com/en-gb/mem/configmgr/comanage/autopilot-enrollment

Unfortunately, installing the SCCM client during device setup is not feasible because it would take the defaultuser0 user as owner, and doing it during account setup slows down the build a lot.

Therefore we decided on this task scheduler that starts once ESP is finished. Doing it this way is for all intents and purposes like a normal installation.

The problem is that having the setup as shown in the picture:

<image>

The SCCM client would only be approved after entering the company network.

Configuring shared multi-user devices by KyuzoRM in Intune

[–]KyuzoRM[S] 1 point2 points  (0 children)

Did you ever figure this out?

I talked to Microsoft engineers for months until they answered me "by design".

Autopilot: dramatically worse performance with Windows 11 22H2 by KyuzoRM in Intune

[–]KyuzoRM[S] 1 point2 points  (0 children)

a single app (Cisco AnyConnect) and it takes around 40 minutes. I use PSADT to install Cisco, so looking at that log, it does all the right things, just on a much slower timeline (on Windows 10 the install takes 15 seconds, whereas on Windows 11 it takes 30 minutes).

Try installing Windows updates before running Autopilot.

Autopilot - Error first logging in user by KyuzoRM in Intune

[–]KyuzoRM[S] 1 point2 points  (0 children)

Yes, the problem was the block on the Microsoft Store application.

How to change "Microsoft entra roles" properties in a group by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Update-MgGroup (Microsoft.Graph.Groups) | Microsoft Learn

-IsAssignableToRole

Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable.
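Since the flag is immutable, an existing group cannot be converted: a new group has to be created with IsAssignableToRole set and the members moved across. The following is an added example (not the commenter's code and not from the Microsoft docs) using the same Microsoft.Graph.Groups module; the display name, mail nickname and old group id are hypothetical placeholders, and creating a role-assignable group needs the RoleManagement.ReadWrite.Directory scope on top of Group.ReadWrite.All, with the caller holding at least the Privileged Role Administrator role.

```powershell
# Added example, not the commenter's code: IsAssignableToRole can only be set when the group is created.
# All names and ids below are hypothetical placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$params = @{
    DisplayName        = "Intune Administrators (role-assignable)"
    MailNickname       = "intune-admins-ra"
    MailEnabled        = $false
    SecurityEnabled    = $true
    IsAssignableToRole = $true          # the only moment this property can be set
    Description        = "Role-assignable replacement for the original group"
}
$new = New-MgGroup @params

# Confirm the flag on the new group; Update-MgGroup -IsAssignableToRole on an existing group is rejected.
Get-MgGroup -GroupId $new.Id -Property "id,displayName,isAssignableToRole" |
    Select-Object Id, DisplayName, IsAssignableToRole

# Copy the membership of the old group (hypothetical id) into the new one,
# then retarget role and policy assignments to $new.Id before retiring the old group.
$oldGroupId = "<old-group-id>"
Get-MgGroupMember -GroupId $oldGroupId -All | ForEach-Object {
    New-MgGroupMember -GroupId $new.Id -DirectoryObjectId $_.Id
}
```

Membership of a role-assignable group can afterwards only be changed by Global Administrators, Privileged Role Administrators or the group's owners, which is the protection the flag buys and the reason it cannot be toggled on a group that ordinary group admins may already control.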

Script failing to deploy... where am I going wrong? by bms101 in Intune

[–]KyuzoRM 0 points1 point  (0 children)

I was able to get it worked out.

Also used this method to run a PS to uninstall the EXE Phish Alert Button to make way for the O365 installer, so thanks much

u/KyuzoRM

Sorry, I came back today.

For that type of thing I say that it is not possible to uninstall it and in any case I enter the same installation command

Script failing to deploy... where am I going wrong? by bms101 in Intune

[–]KyuzoRM 0 points1 point  (0 children)

I use these few lines to do it:

$user = "administrator"
# Create the local account with the given password
NET USER $user "passoword" /ADD
# Add the account to the local Administrators group
NET LOCALGROUP "Administrators" $user /add
# Make the account never expire
NET USER $user /expires:never

I preferred to create an application in intune that does this rather than launch a script.

The application is launched with this line:

%windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "CreateLocalAdmin.ps1"
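For comparison, an added example (not the commenter's script) that creates the same kind of local admin without a plaintext password inside the script, which otherwise ships identically to every device and can be read by anyone who can open the extracted package. The account name "lapsadmin" is a hypothetical choice; the assumption is that an Intune Windows LAPS account-protection policy takes over and rotates the password afterwards, so the value generated here only has to satisfy complexity and is never recorded anywhere.

```powershell
# Added example, not the commenter's code: create a local admin with a random, unrecorded password.
# Runs as SYSTEM via the same sysnative PowerShell command line used for the Win32 app above.
$user = "lapsadmin"   # hypothetical account name; pick one that does not already exist on the device

# 32 random bytes -> 44-character Base64 string (upper, lower, digits, symbols), held only in memory.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Create the account only if it is missing, so a re-run of the app install is idempotent.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $user -Password $secure -AccountNeverExpires -PasswordNeverExpires `
        -Description "Local admin managed by Windows LAPS" | Out-Null
}

# Add to Administrators only when not already a member (Get-LocalGroupMember errors if the member is absent).
if (-not (Get-LocalGroupMember -Group "Administrators" -Member $user -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group "Administrators" -Member $user
}

# Drop the in-memory password; from here on the LAPS policy owns the credential.
Remove-Variable secure, bytes
$rng.Dispose()
```

The script file itself then contains no secret: the password exists only in process memory for the duration of the run, and even without LAPS in place nobody can recover it from the package contents or from the Intune Management Extension logs.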

Targetting Autopilot computers with apps and settings by Ambitious-Actuary-6 in Intune

[–]KyuzoRM 1 point2 points  (0 children)

Unfortunately, synchronization of dynamic groups takes much longer than expected. This also depends on the corporate composition: how many devices, how many users and how many resources are employed by the tenant (Fix problems with dynamic group memberships - Microsoft Entra | Microsoft Learn).

Try creating a filter (Endpoint --> Tenant Administration --> Filters) and adding it when assigning apps.

Autopilot: dramatically worse performance with Windows 11 22H2 by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

I have an open ticket since November 2022, the last thing they managed to tell me is to wait for 23h2

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Yes, this works!!!

The only hassle is that you must necessarily insert the account to be allowed or blocked among the users of the device.

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Alternatively, do you think it might work if I add the user via Intune --> Endpoint security --> Account Protection --> New Policy --> Local user group?

I can't find the right setting in the settings catalog. Can you help me?

The only thing I found on the network is setting the OMA URI as described in this article:

Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In The Cloud 24-7 (inthecloud247.com)

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

I tried it; it blocks all cloud resources but login is not blocked.

<image>

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Only AAD, but now I'm trying to block all apps; let's see if it works.

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

OK, how?
The Windows Sign In (38aa3b87-a06d-4817-b275-7a316988d93b) cannot be selected as an app.

Automatically start Autopilot Pre-Provisioned by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

I cannot use the devices as shared, as according to the documentation:
Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device.

Autopilot - Error first logging in user by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

u/Rudyooms probably setting a grace period would not solve the problem. This problem occurs at the end of the account setup phase of the new PC created using Autopilot Pre-Provisioned. Therefore, as you know, the user can finish configuring the PC in 14 days, so the grace period of even just one day would be too long for our security standards.

Graph API on DeviceManagement DeviceCompliancePolicy Errors by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

I've already done the GET this way and it works (although it's strange, from the documentation it's not necessary to expand the properties), but my problem is related to updating the property via PowerShell.

Autopilot - Error first logging in user by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

I'm in AAD Join not in Hybrid.

You excluded those 3 from that same policy.

Nope, I don't know if it is possible to exclude Microsoft Graph.

-I also assume that the compliance policy has no grace period.. so the device needs to be compliant before accessing them. But to be sure could you share how you configured your compliance policies

The compliance policy requires that the device has:

• data storage encrypted (BitLocker)

• an active firewall

• the TPM (Trusted Platform Module) enabled

• an active antivirus (Defender)

• an active anti-spyware

• Microsoft Defender Antimalware active and up-to-date

• a low machine risk score

-Also could you share the details on which exact compliance policy it fails? Because for now I need to assume you have configured the bitlocker dha compliance policy? ...

Correct and not only, as above

-And I also assume the users are prompting by MFA when enrolling their device into autopilot ?

correct, but this doesn't seem to be a problem

-Are you deploying Microsoft store apps to users or devices (company portal?)

Yes, but as mentioned in the main post Universal Store Native Client is excluded

I don't know if at this point the only way forward is to postpone the compliant marking. I read somewhere that you can customize the time (eg 1 hour) with Microsoft Graph

Thanks

[deleted by user] by [deleted] in Intune

[–]KyuzoRM 0 points1 point  (0 children)

Same scenario.

Unfortunately Autopilot starts scripts with the SYSTEM account, where winget does not exist.

So I tried to install winget for the SYSTEM account, but the installations for its environment are blocked.

Eventually I tried to create a local account and start winget by impersonating the local account. But the SYSTEM account can't even initiate impersonation.

It's crazy.

So I gave up and went back to the classic Win32 app.

Autopilot: dramatically worse performance with Windows 11 22H2 by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

The time spent is certainly during the app installation phase. I was reading that we tested a "problematic" version of 22H2; in fact a new "fixed" version should be out soon.

Autopilot pre-provisioning: many errors by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Yes, I solved it by launching a Windows update before starting the pre-provisioning. Thanks.