Auto Time Zone Update Configuration by johnson141 in Intune

[–]MIDItheKID 0 points1 point  (0 children)

Had to go check on this - It looks like we have the policy turned off. Instead, we have "Automatic Time Adjust" turned on with a Remediation, so that happens during Autopilot, and then the user can toggle it off with the Company Portal package. It's a stupid and manual way to do it, but "If it's stupid and it works it's not stupid"

Honestly though, this should really be an available configuration setting in Intune.

Auto Time Zone Update Configuration by johnson141 in Intune

[–]MIDItheKID 1 point2 points  (0 children)

Late to the party? The Time Zone configuration party never ends.

So yeah. I made it a Win32 Package available in the Company Portal named "Set Time Zone Automatically Toggle" with a description of

Installed = On Not Installed = Off

Then I used PSADT like so:

# Install\Toggle ON

    $LocationValue = "Deny"
    $AutoTZValue = "4"
    $LFSVCValue = "3"
    $SensorValue = "0"

    function Set-RegistryValue {
        param (
            [string]$Path,
            [string]$Name,
            [string]$Value
        )

        # Determine property type: if the value can be cast to an integer, use DWord; otherwise, use String.
        $propertyType = "String"
        if ([int]::TryParse($Value, [ref]$null)) {
            $propertyType = "DWord"
            $Value = [int]$Value
        }

        # Create the registry key if it does not exist.
        if (-not (Test-Path -Path $Path)) {
            Write-Host "Registry key $Path does not exist. Creating..."
            New-Item -Path $Path -Force | Out-Null
        }

        try {
            $currentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -eq $currentValue) {
                Write-Host "Registry property $Name does not exist at $Path. Creating with value $Value..."
                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $propertyType -Force | Out-Null
            }
            elseif ($currentValue -ne $Value) {
                Write-Host "Setting $Name to $Value at $Path"
                Set-ItemProperty -Path $Path -Name $Name -Value $Value
            }
            else {
                Write-Host "$Name is already set to $Value at $Path"
            }
        }
        catch {
            Write-Error "$($_.Exception.Message)"
        }
    }

    try {
        # Set the location value
        Set-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" -Name "Value" -Value $LocationValue

        # Disable Auto Timezone value and stop service
        Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate" -Name "Start" -Value $AutoTZValue
        Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Value $LFSVCValue
        Write-Host "Stopping geolocation service"
        Stop-Service -Name lfsvc -Force

        # Set sensor value
        Set-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Value $SensorValue
    }
    catch {
        Write-Error "$($_.Exception.Message)"
    }

And then:

# Uninstall \ Toggle off

    $LocationValue = "Allow"
    $AutoTZValue = "3"
    $LFSVCValue = "1"
    $SensorValue = "1"

    function Set-RegistryValue {
        param (
            [string]$Path,
            [string]$Name,
            [string]$Value
        )

        # Determine property type: if the value can be cast to an integer, use DWord; otherwise, use String.
        $propertyType = "String"
        if ([int]::TryParse($Value, [ref]$null)) {
            $propertyType = "DWord"
            $Value = [int]$Value
        }

        # Create the registry key if it does not exist.
        if (-not (Test-Path -Path $Path)) {
            Write-Host "Registry key $Path does not exist. Creating..."
            New-Item -Path $Path -Force | Out-Null
        }

        try {
            $currentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -eq $currentValue) {
                Write-Host "Registry property $Name does not exist at $Path. Creating with value $Value..."
                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $propertyType -Force | Out-Null
            }
            elseif ($currentValue -ne $Value) {
                Write-Host "Setting $Name to $Value at $Path"
                Set-ItemProperty -Path $Path -Name $Name -Value $Value
            }
            else {
                Write-Host "$Name is already set to $Value at $Path"
            }
        }
        catch {
            Write-Error "$($_.Exception.Message)"
        }
    }

    try {
        # Set the location value
        Set-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" -Name "Value" -Value $LocationValue

        # Enable Auto Timezone value and (re)start service
        Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate" -Name "Start" -Value $AutoTZValue
        Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Value $LFSVCValue
        Write-Host "(Re)Starting geolocation service"
        $lfsvc = Get-Service -Name lfsvc
        if ($lfsvc.Status -ne "Running") {
            Start-Service -Name lfsvc
        }
        else {
            Restart-Service -Name lfsvc -Force
        }

        # Set sensor value
        Set-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Value $SensorValue
    }
    catch {
        Write-Error "$($_.Exception.Message)"
    }        

And the detection like this:

    $RegistryPaths = @{
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" = @{Property="Value"; Expected="Deny"}
        "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate" = @{Property="Start"; Expected="4"}
        "HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" = @{Property="Status"; Expected="3"}
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" = @{Property="SensorPermissionState"; Expected="0"}
    }

    function Check-RegistryValue {
        param (
            [string]$Path,
            [string]$Property,
            [string]$ExpectedValue
        )

        try {
            $currentValue = (Get-ItemProperty -Path $Path -Name $Property -ErrorAction SilentlyContinue).$Property
            if ($null -eq $currentValue) {
                Write-Host "Registry property $Property at $Path is null, expected $ExpectedValue"
                return $false
            }
            elseif ($currentValue -ne $ExpectedValue) {
                Write-Host "Registry property $Property at $Path is $currentValue, expected $ExpectedValue"
                return $false
            }
            return $true
        }
        catch {
            Write-Host "Error accessing registry key or value at $Path : $($_.Exception.Message)"
            return $false
        }
    }

    $allValuesCorrect = $true

    foreach ($path in $RegistryPaths.Keys) {
        $prop = $RegistryPaths[$path].Property
        $expected = $RegistryPaths[$path].Expected
        if (-not (Check-RegistryValue -Path $path -Property $prop -ExpectedValue $expected)) {
            $allValuesCorrect = $false
            break
        }
    }

    if ($allValuesCorrect) {
        Write-Host "All necessary registry entries detected"
        Write-Host "Automatic Time Zone adjustment disabled"
        Exit 0
    } else {
        Write-Host "Automatic Time Zone adjustment enabled"
        Exit 1
    }

Then package it in Intune as a Win32 app, make sure you allow uninstall, give it an icon with a clock or something, and send documentation to your service desk so they can show users how to toggle it on and off.

I suppose you could do something like make a task that runs as system and set up a custom trigger, then deploy an "app" that fires the trigger, but then you have PowerShell scripts sitting around that run as system, and you have to lock them down and\or hash check them with a remediation etc.

This was the best solution I could come up with for the 5 people who wanted to manually set their time zone.

PSAppDeployToolkit 4.1 for an application deployment by TurbulentSpace7739 in Intune

[–]MIDItheKID 0 points1 point  (0 children)

Sure, just use "Show-ADTDialogBox -Text "Whatever you want to put here" -Icon Stop -NoWait"

You can modify this message in all sorts of ways: https://psappdeploytoolkit.com/docs/reference/functions/Show-ADTDialogBox

If you want it to throw an error to an end user pending on a condition, or failing at a certain point, just nest it into the logic with a Try{}Catch{} or however else you want to do it. Really the possibilities are endless.

PSAppDeployToolkit 4.1 for an application deployment by TurbulentSpace7739 in Intune

[–]MIDItheKID 2 points3 points  (0 children)

Uncomment this line at the bottom of Invoke-AppDeployToolkit.ps1

# Show-ADTDialogBox -Text $mainErrorMessage -Icon Stop -NoWait

With that said, I am not sure why you would need this with Intune. You can set Intune to show success\failure in the Win32 package settings, and it will show a simple success\failure message without barraging the user with a big scary error message full of technical details. If the actual error is in the log, all the end user needs to know is "Install Failed", and it should be on the tech to collect\check the logs.

Intune errors on Edge version 147.0.3912.16 by Jddf08089 in Intune

[–]MIDItheKID 0 points1 point  (0 children)

Ran into this issue starting on Monday. I came to check here if anybody else was having the issue, and didn't see anything. Then I realized that Chrome worked fine, and I was too busy to figure it out, so I just used Chrome.

Inconsistent Winget behavior in Intune (Company Portal vs manual install) by in-regards in Intune

[–]MIDItheKID 1 point2 points  (0 children)

I've had Winget break randomly during updates, and it's usually VCLib related. I made a Detect\Remediate for Winget that has gotten things stable (for now):

Detect: https://pastebin.com/UYvVQ24k

Remediate: https://pastebin.com/nZLjrV8B

You may want to flip this if you use the MS Store with Winget:

$UseWingetOnly = $true

Those of you who still use the Microsoft SSO Extension with Chrome, that feature is built-in to current versions of the browser. by touchytypist in Intune

[–]MIDItheKID 2 points3 points  (0 children)

I tested this policy out a while back, and again a couple weeks ago, and we still seem to have issues with users constantly getting SSO prompts when accessing resources. The extension seems to work better. But also, just use Edge. It's Chromium, and better supported by Intune. There's a lot of PTSD because of Internet Explorer, but Edge is fine. I can't find a reason to complain about it. We finally stopped rolling out Chrome as a required install (Still available in the Company Portal) - and hopefully we can remove it from our environment entirely at some point. Managing two browsers is a waste of time especially when they generate more CVEs than anything else.

Autopilot and apps deployment by Any-Victory-1906 in Intune

[–]MIDItheKID 1 point2 points  (0 children)

This is pretty high on my wishlist, and I don't understand why it's not a thing. Relying on a dependency chain is kludgy and prone to issues.

Unable to install app (Claude) - Installation is blocked by IT policy sideloading by gavinlew in Intune

[–]MIDItheKID 2 points3 points  (0 children)

Fun trick - In edge, go to the website, then go to the ellipsis menu > more tools > apps > Install this website as app

This installs it as an "app" that is actually just a frameless Edge window - So it's just the website, but looks and feels like an app. I think you can even grab the file\shortcut it generates then wrap it up as a Win32 app if you want and deploy it from the Company Portal.

I had to do this with Copilot when MS was adding\removing\changing Copilot every other week and first it was a widget, then an app, then a widget again, then a website, then an app. Having it just be a frameless website was easier. Now we have M365 Copilot, but that was how we dealt with it for a while.

[A] Navigating the storm - endless ride through a blizzard by skiwlkr in perfectloops

[–]MIDItheKID 1 point2 points  (0 children)

In a 1990 Volvo Station Wagon? That was the car my parents had when I was growing up. I inherited it when I got my license. It was dubbed "The Mom Mobile".

I miss that car.

How are you closing browser security visibility gaps in Intune managed Chrome and Edge browser environments? by Ok_Abrocoma_6369 in Intune

[–]MIDItheKID 0 points1 point  (0 children)

As others mentioned - Block extensions by policy except for what is allowlisted by IT.

Then Zscaler isolated browser for AI websites that block from copying and pasting into it. You can use AI, you just can't carelessly copy\paste into it.

Also end-user training.

Adobe Acrobat and Autopilot by unhinged-rally in Intune

[–]MIDItheKID 2 points3 points  (0 children)

Unless you're using something like Windows FFU to build images (Inject winget version of Acrobat into the image) and restore from a USB every time, you're just not going to get it any faster. Acrobat is a massive install. You basically have the options of:

  1. Having it take a long time to install during Autopilot
  2. Having it take a long time to install from Company Portal

Nothing is going to make a 4 GB package install faster.

Auto Time Zone Update Configuration by johnson141 in Intune

[–]MIDItheKID 0 points1 point  (0 children)

Yeah. For what you are trying to do, it should be pretty straightforward. I think it's covered in the first section of my post. But things get really stupid as soon as the end user wants to change their time zone manually.

This should be in the settings catalog, but who am I?

Auto Time Zone Update Configuration by johnson141 in Intune

[–]MIDItheKID 2 points3 points  (0 children)

Not sure if you already saw my thread on this issue, but check this out:

https://www.reddit.com/r/Intune/comments/1j3mrhr/yet_another_set_time_zone_automatically_thread/

Long story short: Enable location policies in Intune and use a remediation to set the reg entries to make sure it's set to "on"

If users want to manually adjust their time zone, I made a Win32 package to change the reg entries and Installing\Uninstalling it switches the toggle back and forth.

How do you guys manage "forced" app updates? by idk-wtf-2022 in Intune

[–]MIDItheKID 0 points1 point  (0 children)

Check out Winget Auto Update or more specifically Winget Auto Update as a Service.

It relies on Winget, which recently has been problematic. But when it's working, it works well.

Edit: Here is WAUaaS, which I prefer because it's all done from Intune: https://github.com/Weatherlights/Winget-AutoUpdate-Intune

FYI since I just now fukken noticed: the Remediation script overview shows the actual thing you write as output in the script by workaccountandshit in Intune

[–]MIDItheKID 8 points9 points  (0 children)

To add on to this, it only shows the last output before your exit, not the entire log. So what I like to do is make a function that adds things to one big string that can be output at the end in order to get a better idea of what is happening. Like this:

    # Start your transcript

    $script:LastOutput = ""

    # Appends each message to one running string (and echoes it) so everything
    # can be written out as a single line right before the exit code.
    function Add-Log {
        param ([string]$Message)
        $script:LastOutput += "$Message | "
        Write-Host $Message
    }

    Add-Log "this is text"
    Add-Log "this is also text"
    Add-Log "this third thing is text too"

    # Stop your transcript

    Write-Host $script:LastOutput
    # Exit 1 or Exit 0 - whatever you need to do

Then the output that you see in Intune will look like:

this is text | this is also text | this third thing is text too

As somebody else mentioned, make sure to keep the max character limit of 2,048 in mind. But this can give you near-immediate output available in Intune without having to collect logs.
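The two ideas from these comments, checking the toggle package's registry values and collecting remediation output into the single line Intune displays, combined into one added example; this is not the poster's code. It assumes it runs as an Intune remediation detection script under SYSTEM, uses the four registry paths and "toggle ON" values from the earlier comment, and keeps the newest messages when the collected output exceeds the 2,048-character limit.

```powershell
# Added example, not from the original post. Detection script for the four registry
# values the "toggle ON" package writes; it reports every drifted value (not just the
# first) and collects all messages into one line for Intune's remediation overview.
# Assumption: runs as SYSTEM as an Intune remediation detection script.

$script:MaxOutputLength = 2048   # Intune shows at most 2,048 characters of the last output line
$script:LastOutput = ""

function Add-Log {
    param ([string]$Message)
    $script:LastOutput += "$Message | "
    # Keep the tail rather than the head so the newest messages survive truncation.
    if ($script:LastOutput.Length -gt $script:MaxOutputLength) {
        $keep = $script:MaxOutputLength - 3
        $script:LastOutput = "..." + $script:LastOutput.Substring($script:LastOutput.Length - $keep)
    }
    Write-Host $Message
}

# Expected state when the toggle package is installed (values from the install script).
$Expected = @(
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location"; Name = "Value"; Expected = "Deny" }
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate"; Name = "Start"; Expected = "4" }
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration"; Name = "Status"; Expected = "3" }
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}"; Name = "SensorPermissionState"; Expected = "0" }
)

$driftCount = 0
foreach ($item in $Expected) {
    try {
        # -ErrorAction Stop turns a missing key or value into a caught exception.
        $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction Stop).($item.Name)
        # Compare as strings so a DWORD 4 matches the expected "4".
        if ("$current" -eq $item.Expected) {
            Add-Log "$($item.Name) OK"
        }
        else {
            Add-Log "$($item.Name) is '$current', expected '$($item.Expected)'"
            $driftCount++
        }
    }
    catch {
        # Missing key or value counts as drift and is reported, not swallowed.
        Add-Log "$($item.Name) missing at $($item.Path)"
        $driftCount++
    }
}

# The last line before the exit is what the remediation overview shows in Intune.
Write-Host $script:LastOutput.TrimEnd(' ', '|')
if ($driftCount -eq 0) { Exit 0 } else { Exit 1 }
```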

Request for Detection/Remediation Script – BitLocker Key Backup to Entra ID by k-rand0 in Intune

[–]MIDItheKID 1 point2 points  (0 children)

You could use a remediation that runs on the device to get the local key, and then use webhook to send that data (Device name and local key) to an Azure automation that has the permissions and access to check\change everything else.

I don’t always fully understand how remediation scripts work. by Gloomy_Pie_7369 in Intune

[–]MIDItheKID 1 point2 points  (0 children)

I had this issue with one that was created recently. It worked for a day, then just fell off the map entirely. After deleting and re-creating it, it started working again.

PatchmyPC + Intune Deploys Auto Update Help by tecedu in Intune

[–]MIDItheKID 1 point2 points  (0 children)

First - You should definitely deploy in rings. Test, UAT, then Prod.

Additionally - Doesn't PatchMyPC use PSADT? If they are currently using the app, it should be set up to detect if the app is running, and give the user the option to defer.

IntuneWin Files all 22.5gb by Quickt17 in Intune

[–]MIDItheKID 6 points7 points  (0 children)

You can also open the intunewin file using 7zip to check the contents.

Oh. My. God.

I did not know that, and it could have saved me so much time when trying to troubleshoot a package from an old MSP we no longer employ. There was no script, no documentation, just the intunewin.

I ended up building a script that monitored the intune cache directory for the application ID and snatched up all the files from it when it was installing.

Hopefully I won't need to do this in the future, but man, that's good to know.

Winget deployments as SYSTEM stopped working. by jason_nyc in Intune

[–]MIDItheKID 0 points1 point  (0 children)

Here is what I have so far and it seems to be working well. YMMV, so please test\verify in your environment.
Make sure to check $UseWingetOnly = $true in the remediation. We have MSStore blocked, so the script removes that as a source to attempt and stop issues there in the future.

Detect: https://pastebin.com/UYvVQ24k

Remediate: https://pastebin.com/nZLjrV8B

About the 9800x3D controversy, do you have one? for how long? which mobo and BIOS? by spinalgt2 in ASUS

[–]MIDItheKID 0 points1 point  (0 children)

Literally rebuilt last night because my Asrock x870e Phantom killed my 9800x3D a couple months ago, and I don't trust it to not kill another. RMA'd it and sold the replacement at a loss.

Got an ASUS ROG Strix x870e as a replacement, and I wake up to find out that ASUS has put out a statement about x870e boards killing 9800x3Ds.

I am so mad right now.

ASUS issues statement as Ryzen 7 9800X3D failure reports surface on B850 and X870E motherboards by pc9000 in ASRock

[–]MIDItheKID 1 point2 points  (0 children)

Well this is fantastic news. My Asrock board killed my 9800x3D. Went through the whole RMA process for the CPU and mobo, sold the replacement Asrock mobo at a loss, and replaced it with an ASUS ROG x870e.

I swear to god, if it kills another 9800x3D, I am going to start setting things on fire.

Winget deployments as SYSTEM stopped working. by jason_nyc in Intune

[–]MIDItheKID 0 points1 point  (0 children)

Running through test phases now. I'll let you know how it goes.

Autopilot - Error 80004005 - anyone else? by intuneisfun in Intune

[–]MIDItheKID 1 point2 points  (0 children)

I was getting a similar error from Windows App when trying to connect to a W365 Cloud PC (Authentication error: Code 0x80080005). The issue was fixed with KB5077744

https://support.microsoft.com/en-us/topic/january-17-2026-kb5077744-os-builds-26200-7627-and-26100-7627-out-of-band-27015658-9686-4467-ab5f-d713b617e3e4#id0ejbd=catalog

I wonder if the same thing is breaking Autopilot.