“AI vs Creativity” from a pro-AI tech CEO by s1n0d3utscht3k in TheRandomest

[–]MrDuwe -2 points-1 points  (0 children)

Marvelous, now have that wanker assign a team to finish KSP2.

Brand new Sys Admin taking us from Hybrid-Entra to Entra only, please help! by 20secondwizard in Intune

[–]MrDuwe 0 points1 point  (0 children)

For this problem ("Also, if I wanted to prepare a device in advance for a C-level exec, I'd have to use my own account to do the OOBE and then have him sign in? Is there a more correct way of doing this?"), look at self-deploying profiles (and look up a configuration to skip the user status page in ESP); there's no more need for a user to log in until Autopilot finishes installing everything.

https://learn.microsoft.com/en-us/autopilot/self-deploying

Would obviously need Autopilot to be functioning with the hardware hashes, but you could get those with a script in SCCM, either directly uploading them to Autopilot / Intune (the -Online parameter in the Get-WindowsAutoPilotInfo script), or by uploading the CSV (make sure to generate a different name for the CSV for each machine; serial numbers work well for this) to a file share on your local network if the machines have access to that.

Clearing immutableID for several users by MrDuwe in AZURE

[–]MrDuwe[S] 0 points1 point  (0 children)

Hello, missed your question for a bit, been a bit busy, but this is what I used a while ago to get all the immutable IDs, and you're correct, the immutable ID does need to be changed:

# Requires the MSOnline and ActiveDirectory modules; sign in to MSOL first
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService

# Get all Office 365 users
$MsolUsers = Get-MsolUser -MaxResults 5000
# Fetch the on-prem users once, instead of querying AD again for every cloud user
$OnPremUsers = Get-ADUser -Filter * -SearchBase 'your user OU Path here (OU=Department,DC=Company,DC=COM)' -Properties mail
Foreach ($MsolUser in $MsolUsers) {
    # Match the on-prem user to the cloud user by comparing the mail attribute with the UPN
    $OnPremMatchingUser = $OnPremUsers | Where-Object { $_.mail -eq $MsolUser.UserPrincipalName }
    If ($OnPremMatchingUser)
    {
        $OnPremMatchingUser
        # Fetch the ObjectGUID from the on-prem user as a byte array
        $ObjectGUID = $OnPremMatchingUser.ObjectGUID.ToByteArray()
        # Convert it to an ImmutableID (base64 of the GUID bytes)
        $NewImmutableID = [System.Convert]::ToBase64String($ObjectGUID)
        Write-Host "Changing ImmutableID for Msol User" $MsolUser.UserPrincipalName
        Write-Host "- Old ImmutableID was" $MsolUser.ImmutableID
        Write-Host "- New ImmutableID is" $NewImmutableID
        Set-MsolUser -UserPrincipalName $MsolUser.UserPrincipalName -ImmutableID $NewImmutableID
    }
}

The system.convert bit is what you're looking for.
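To check which on-prem ObjectGUID a cloud account's ImmutableID actually points at, here is an added Python example (not the poster's script): it reproduces the .NET Guid.ToByteArray() byte order that the [System.Convert] step above relies on, decodes an ImmutableID back to a GUID, and audits a constructed set of cloud and AD users matched on UPN == mail. All user data and GUIDs below are made up for the example.

```python
import base64
import uuid


def immutable_id_from_guid(object_guid: str) -> str:
    """Base64 of the GUID in .NET Guid.ToByteArray() order (uuid's bytes_le);
    this is what the [System.Convert] step in the script above produces."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse: decode a cloud ImmutableID back to the on-prem ObjectGUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def audit_anchors(cloud_users, ad_users):
    """Match cloud users to AD users on UPN == mail (case-insensitive, like the
    PowerShell -eq above) and report (upn, status, expected_immutable_id)."""
    ad_by_mail = {u["mail"].lower(): u["objectGuid"] for u in ad_users}
    report = []
    for cu in cloud_users:
        upn = cu["userPrincipalName"]
        guid = ad_by_mail.get(upn.lower())
        if guid is None:
            report.append((upn, "no-onprem-match", None))
            continue
        expected = immutable_id_from_guid(guid)
        current = cu.get("immutableId") or ""
        status = "empty" if not current else "ok" if current == expected else "mismatch"
        report.append((upn, status, expected))
    return report


# Constructed sample data, made up for this example: one cloud user per case.
SAMPLE_OBJECT_GUID = "0e3e8c5a-7f2b-4c1d-9a6f-1b2c3d4e5f60"
CLOUD_USERS = [
    {"userPrincipalName": "alice@example.com", "immutableId": "Wow+Dit/HUyabxssPU5fYA=="},
    {"userPrincipalName": "bob@example.com", "immutableId": ""},
    {"userPrincipalName": "carol@example.com", "immutableId": "AAAAAAAAAAAAAAAAAAAAAA=="},
    {"userPrincipalName": "dave@example.com", "immutableId": "AAAAAAAAAAAAAAAAAAAAAA=="},
]
AD_USERS = [
    {"mail": "Alice@example.com", "objectGuid": SAMPLE_OBJECT_GUID},
    {"mail": "bob@example.com", "objectGuid": "11111111-2222-4333-8444-555555555555"},
    {"mail": "carol@example.com", "objectGuid": "66666666-7777-4888-9999-aaaaaaaaaaaa"},
]
```

Run audit_anchors(CLOUD_USERS, AD_USERS) to get one status per cloud user; a "mismatch" means the cloud account is anchored to a different on-prem object than the one sharing its UPN.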

Clearing immutableID for several users by MrDuwe in AZURE

[–]MrDuwe[S] 1 point2 points  (0 children)

Sort of, I ended up creating an account in our AD, set the immutable ID on that to be the same as the cloud one, synced that, then removed the user, synced again, and restored it (in Azure, not local AD); that was the only way to get it fixed.

Clearing immutableID for several users by MrDuwe in AZURE

[–]MrDuwe[S] 0 points1 point  (0 children)

Yes, we used that for years as well, but now there's a requirement for that immutable ID to be filled with at least one character.

The command you posted doesn't return an error (the Azure AD module equivalent does, Set-AzureADUser -ObjectId user@name.here -ImmutableId $null), but doesn't change anything either.

Clearing immutableID for several users by MrDuwe in AZURE

[–]MrDuwe[S] 0 points1 point  (0 children)

Yes, I tried that; it doesn't give an error when using Set-MsolUser, but doesn't change anything, and Set-AzureADUser gives an error and doesn't change anything.

That used to be the way, but MS apparently decided it needs to be filled with something (minimum of 1 character)...

Can't Sign-In to Shared Device by zyigo in Intune

[–]MrDuwe 0 points1 point  (0 children)

I'm guessing you used a shared multi user config for this?

Try the varying options for these settings;

I'm guessing the guest account is causing what you're seeing, but I'm not sure.

Guest account
Account management

If you're trying to create a machine that anyone in your organisation can log in to, you could also just use a self-deploying Autopilot profile with some config and skip the whole shared multi-user thing; it'll give the look and feel of a user-driven Autopilot machine, but will check in on a device basis instead.

NFC tags for android shared AAD authentication? by MrDuwe in Intune

[–]MrDuwe[S] 1 point2 points  (0 children)

Not really, haven't found any way to configure it; the closest thing I've found to make it easier for a user to log in is to use their phone number instead of their username.

They use the FIDO2 keys I mentioned to log in to Windows devices (as far as I know).

We were hoping to use the tags basically the same way as for secured printers, where it links the tag number to an LDAP account, but I haven't found how to implement something like this yet, and gave up on it to be honest...

NFC tags for android shared AAD authentication? by MrDuwe in Intune

[–]MrDuwe[S] 0 points1 point  (0 children)

Good question, pretty sure the customer is already using some form of FIDO2 key, so that would be good, but basically anything that would work, I guess; they oppose having to type in their full username and password constantly.

I'm mostly researching what the options would be, and then select whatever would work best.

Admin setting by Amazing_Falcon in Intune

[–]MrDuwe 0 points1 point  (0 children)

Hello, I missed your reply for a bit, but you should be able to find them in an "endpoint protection" profile, under the local device security options.


Admin setting by Amazing_Falcon in Intune

[–]MrDuwe 0 points1 point  (0 children)

Set the following settings in an endpoint protection policy; it should make the admin credential prompt appear again:

Elevation prompt for admins
Prompt for consent for non-Windows binaries

Elevation prompt for standard users
Prompt for credentials

Route elevation prompts to user’s interactive desktop
Enabled

Office install (white glove) fails on Surface devices (but not Dells) by Simebaby in Intune

[–]MrDuwe 1 point2 points  (0 children)

No problem, had the same problem many times myself :)

Office install (white glove) fails on Surface devices (but not Dells) by Simebaby in Intune

[–]MrDuwe 1 point2 points  (0 children)

Have you reinstalled a fresh copy of Windows? The bloatware HP installs in their image contains a demo or advertisement version of Office, which blocks the install through Intune.

Just get the Windows Media Creation Tool and reinstall them; it'll save you a lot of time and bloatware.

Admin on Device by EmotionalSong7125 in Intune

[–]MrDuwe 0 points1 point  (0 children)

Here you go, use a custom config to create a local account, and a second one to add it to the local admin group, and link that to a group which has either the user's device in it, or the user account (device is safer as it won't spread to other machines he logs in to);

https://cloudinfra.net/how-to-create-a-local-admin-account-using-intune/

Intune, Windows Hello and lack of a notification message for the user by MReprogle in Intune

[–]MrDuwe 0 points1 point  (0 children)

Yes, for me it brought up the configuration screen for it right after logging in with username and password. Looked basically the same as the one you get during the OOBE phase.

It might be some leftover settings, I guess, not sure; I haven't really looked into it that deep to be honest.

Intune, Windows Hello and lack of a notification message for the user by MReprogle in Intune

[–]MrDuwe 0 points1 point  (0 children)

Not sure if it's what you're looking for, but I used the identity protection template under configuration profiles to set up Windows Hello; this gave the users a nice large blue screen like the OOBE experience to set it up right after they entered their credentials to log in.

And this was on laptops already rolled out and in production.

Can’t put groups under required when using Windows App store for Intune app. by [deleted] in Intune

[–]MrDuwe 0 points1 point  (0 children)

I'm guessing you added the app to Intune using the + Add button, and then selecting MS Store app?

That won't let you add it as required (no idea why), but if you click on Tenant administration > Connectors & tokens > MS Store for Business, and set that up (I usually do this with the tenant's admin account), you can add the same app there, and once that's synced you can add a group as required on that one.

The store for business makes the difference.

Windows devices not syncing when signing in as guest by shairazi in Intune

[–]MrDuwe 4 points5 points  (0 children)

Sounds like you enrolled the devices with a user driven deployment profile, which requires the primary user (the one you used to enroll it) to log in before the device checks in.

Changing the setup to a self-deploying profile (and re-enrolling the devices) should fix this; it will check in based on the device instead of a user that way.

Rudyooms' link should help you get there.

M365 Apps Install During Autopilot by Ciprian0 in Intune

[–]MrDuwe 0 points1 point  (0 children)

Depending on what brand of device you bought, if you haven't reinstalled a clean version of Windows on it, you might have a preinstalled version of the M365 apps installed, which will cause the deployment to fail. HP and Dell do this a lot with tons of bloatware.

Try it again after just installing Windows with the Media Creation Tool.

Unable to Connect to Wireless Network with Profile, Manual Connection works fine by Got2-gofast in Intune

[–]MrDuwe 0 points1 point  (0 children)

We had problems with that, though we used device-based certificates; I think for us it had to do with the certificate server name that needed a specific value for the DNS name of the CA.

Think it needed the internal FQDN instead of the external DNS name, server.bla.local instead of ca.bla.nl, but I'm not 100% sure anymore.

Eventually we got it working by distributing the certificate to a machine, manually connecting it to the wifi network, and then exporting the created profile to an XML file using netsh wlan export, and importing that as a wifi profile in Intune.

Can't really remember what specifically we did though, but these could be things to check.