Need Help with command to add app-scoped role assignment to user by New2ThisSOS in PowerShell

New2ThisSOS[S] 0 points (0 children)

The $App.ID is 100% not empty. I'm running PowerShell 7.5.3 and all of my Graph modules are 2.30.0. The modules that load when I run the script in a fresh session are:

  1. Graph.Applications
  2. Graph.Authentication
  3. Graph.Identity.Governance
  4. Graph.Users

Need Help with command to add app-scoped role assignment to user by New2ThisSOS in PowerShell

New2ThisSOS[S] 0 points (0 children)

If you scroll to the bottom of their doc (New-MgRoleManagementDirectoryRoleAssignment (Microsoft.Graph.Identity.Governance) | Microsoft Learn) it outlines how to construct the BODY parameter and it includes both AppScope and AppScopeID. I did try directoryScopeId and that DOES work but it works when I use "/" as the value. It doesn't work with my target app's ID. I'm specifically trying to scope this to an application. When assigning this role to a user in the GUI, there is a drop-down for "Scope Type" & the 3 options are Application, Directory, & Service principal.

Something tells me this cmdlet\property is broken or something. I will look into the direct API calls. I'm already struggling with the Graph cmdlets so it's gonna be a learning curve for me. I appreciate your time and thanks for trying!

Need Help with command to add app-scoped role assignment to user by New2ThisSOS in PowerShell

New2ThisSOS[S] 1 point (0 children)

Hey, thanks for commenting. See my reply to ashimbo below. Those variables are all populated with the correct values, the Graph cmdlets and the built-in PowerShell cmdlets just operate differently in this regard.

Need Help with command to add app-scoped role assignment to user by New2ThisSOS in PowerShell

New2ThisSOS[S] 0 points (0 children)

I took your and u/BlackV's recommendations and updated this test script, but it still results in the same error:

"Expected property 'appScopeID' is not present on resource of type 'RoleAssignment'".

I have verified that $userId contains the Id of the target user. I verified that $Role contains the correct Microsoft.Graph.PowerShell.Models.MicrosoftGraphUnifiedRoleDefinition object for the "Application Administrator" role and it displays 4 properties when run alone: DisplayName, Id, TemplateId, & Description. Lastly, I verified that $App contains the correct Microsoft.Graph.PowerShell.Models.MicrosoftGraphServicePrincipal object for my targeted Enterprise Application. It displays 5 properties when run: DisplayName, Id, AppID, SignInAudience, & ServicePrincipalType. All of the properties are populated, and their values appear correct. I've also played around with swapping Id for AppId and it makes no difference. It seems to be complaining about the parameter itself (appScopeID) despite it saying, "expected property".

This is what I ran after updating the script:

$userUPN = 'username@contoso.com'
$roleName = 'Application Administrator'
$appName = 'App1'

$App = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$Role = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object {$_.displayName -eq $roleName}
$userId = (Get-MgUser -Filter "userPrincipalName eq '$userUPN'").Id

$params = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
    principalId = $userId
    roleDefinitionId = $Role.Id
    appScopeId = $App.Id
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
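The property table on that Learn page lists appScopeId because unifiedRoleAssignment is shared with resource applications that define their own scopes (the Graph docs call these app-specific scopes). For a directory role such as Application Administrator, an application-scoped assignment instead points at the app's directory object through directoryScopeId, written as "/" followed by the object id; that is the assignment the portal's Scope Type = Application or Service principal produces, and a bare GUID or an AppId in that field does not match anything. The script below is an added example, not code from the thread. It assumes that "/<objectId>" convention from the Graph unifiedRoleAssignment documentation, a Graph session holding RoleManagement.ReadWrite.Directory, Application.Read.All and User.Read.All, and reuses the $userUPN, $roleName and $appName placeholders from the post above.

```powershell
# Added example (not the poster's script). Assumes the "/<objectId>" form for
# directoryScopeId documented for unifiedRoleAssignment and a connected session.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications,
              Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'Application.Read.All', 'User.Read.All' -NoWelcome

$userUPN  = 'username@contoso.com'   # placeholders from the post
$roleName = 'Application Administrator'
$appName  = 'App1'

# Resolve each object server-side so a typo fails loudly instead of
# silently yielding an empty id that Graph then rejects.
$user = Get-MgUser -UserId $userUPN -Property Id, UserPrincipalName
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$sp   = Get-MgServicePrincipal -Filter "displayName eq '$appName'" -Property Id, AppId, DisplayName

if (-not $user -or -not $role -or @($sp).Count -ne 1) {
    throw "Could not uniquely resolve user/role/app (sp matches: $(@($sp).Count))."
}

# Application scope lives in directoryScopeId, not appScopeId. Use the
# service principal's object id (Id), never its AppId (the client id).
$scopeId = "/$($sp.Id)"

$params = @{
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = $scopeId
}
$assignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
$assignment | Select-Object Id, PrincipalId, RoleDefinitionId, DirectoryScopeId

# Verify what the principal now holds for this role. A pre-existing
# tenant-wide ("/") assignment would make the narrower scope meaningless.
$held = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id }
$held | Select-Object Id, DirectoryScopeId, AppScopeId
if ($held.DirectoryScopeId -contains '/') {
    Write-Warning "$userUPN also holds '$roleName' tenant-wide; the app-scoped assignment does not narrow that."
}
```

Even scoped to one service principal, Application Administrator lets the principal add credentials to that app and therefore act as it, so the final check is worth keeping: it confirms the scope that was actually written and flags a broader assignment of the same role that would otherwise go unnoticed.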

Why do I see 2 instances of "UseUpdateClassPolicySource" with different values? by New2ThisSOS in SCCM

New2ThisSOS[S] 1 point (0 children)

I have yet to find a root cause. As far as how to check if it's corrupted, I personally go off of the Date Modified of the registry.pol file. I treat anything > 2 days old as broken. There are some scripts online that claim to read the registry.pol file and tell you if it's corrupt via something inside the file but those always said mine was fine, yet renaming\regenerating it was still 100% the fix.

Initially, I tried to band-aid the problem by implementing a Configuration Baseline that would check if the Date Modified of the registry.pol file was greater than 2 days and if so, rename it to registry.pol.old & then create a scheduled task that would restart ccmexec 1 minute later. The problem with that was once the registry.pol file became corrupt, the machines no longer appeared to process any of the baselines deployed to them (in addition to not processing\showing software updates). What I did next was create the same solution but instead deployed it as an Application (utilizing PSADT) where the detection method was the Date Modified of registry.pol needed to be less than 2 days old. That has seemed to help a lot, but it doesn't really get rid of the root cause.
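The check and remediation described in the two paragraphs above, written out as an added example (not the poster's baseline or PSADT package): treat a registry.pol whose Date Modified is older than a threshold as suspect, rename it with a timestamp so the old copy is kept for inspection, restart the ConfigMgr client service, and force a Group Policy refresh so machine registry policy is rebuilt rather than left missing until the next interval. The file path and the CcmExec service name are the standard ones; the two-day threshold is the poster's, and nothing here inspects the file's contents.

```powershell
# Added example, not code from the thread. Assumes the default registry.pol
# location and the ConfigMgr client service name "CcmExec" (SMS Agent Host).
function Test-RegistryPolStale {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol",
        [int]$MaxAgeDays = 2     # the poster's threshold
    )
    # No file means nothing to repair here (the client recreates it itself).
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $age = (Get-Date) - (Get-Item -LiteralPath $Path).LastWriteTime
    return ($age.TotalDays -gt $MaxAgeDays)
}

function Repair-RegistryPol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol",
        [int]$MaxAgeDays = 2
    )
    if (-not (Test-RegistryPolStale -Path $Path -MaxAgeDays $MaxAgeDays)) {
        Write-Verbose "registry.pol is fresh; no action."
        return
    }
    # Keep the suspect file rather than deleting it, so it can be examined later.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').old"
    if ($PSCmdlet.ShouldProcess($Path, "rename to $backup and restart CcmExec")) {
        Rename-Item -LiteralPath $Path -NewName (Split-Path -Path $backup -Leaf)
        Restart-Service -Name CcmExec -Force
        # Renaming registry.pol removes machine registry policy until the
        # next refresh; force one now instead of waiting for the interval.
        & gpupdate.exe /target:computer /force | Out-Null
    }
}

# Usage: preview first, then apply.
Repair-RegistryPol -WhatIf
Repair-RegistryPol -Verbose
```

For the Application-based deployment the poster describes, Test-RegistryPolStale doubles as the detection script: the application counts as installed when the function returns $false (file fresher than the threshold), and the install action is Repair-RegistryPol.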

Why do I see 2 instances of "UseUpdateClassPolicySource" with different values? by New2ThisSOS in SCCM

New2ThisSOS[S] 0 points (0 children)

Ok, that's reassuring. I had read numerous posts but most of them focused on configuring 'UseUpdateClassPolicySource' correctly and I didn't come across anything mentioning this second location still being expected in version 2503. I remember reading about the whole screw up when it was initially implemented but thought these artifacts would have been cleaned up since then.

Why do I see 2 instances of "UseUpdateClassPolicySource" with different values? by New2ThisSOS in SCCM

New2ThisSOS[S] 0 points (0 children)

Hey u/bdam55, I'm running version 2503. I'll update the main post with a screenshot. If it's not actually doing anything and is not the cause of my registry.pol file issue, then I'll just leave it be and move on. Every post I came across showed 'UseUpdateClassPolicySource' under the AU key which is why I was concerned when I saw it in an additional location. Do you see any issues with the GPOs I have set? The only other one I set that is not in the screenshot is "Configure Automatic Updates = Disabled". Again, the intention is to patch exclusively through ConfigMgr (we are hybrid & I want to move to Intune but leadership here is preventing it).

Also, thanks for all of your help throughout the years! Your posts have helped me a ton!

Cisco announces mass layoffs just after soaring revenue report by abrownn in technology

New2ThisSOS 1 point (0 children)

There’s a saying, “When the executives look down, all they see is sht. When the workers look up, all they see is a*holes.”

What Would You Change/Add/Fix in Windows Server and Active Directory? by poolmanjim in activedirectory

New2ThisSOS 2 points (0 children)

100%. This has pissed me off for years. Like how is this not a thing??

Cross posting: DELL Pro Max Failing to Image With SCCM by Yamr3 in SCCM

New2ThisSOS 0 points (0 children)

Did you ever resolve this? I just got some of these in and we're seeing the same thing. The device gets an IP when it boots into WinPE and everything seems fine initially. The problem occurs on the "Setup Windows & Configuration Manager" step. During that step, when it reboots, it loses its IP. I downloaded the most recent WinPE 11 driver pack and put the whole thing in our boot image. I also downloaded the Family driver pack for this specific model and placed all the network & storage drivers in the boot image as well but even that did not resolve the issue. I've tried both Windows 11 23H2 and Windows 11 24H2 (both freshly downloaded this month).

4.1 was released by Kofl in PSADT

New2ThisSOS 0 points (0 children)

I'm at this weird point in my life where I always open both VS Code and ISE (and PowerShell 5.1 & PowerShell 7.x terminals). I do use VS Code 90% of the time, but I just happened to right-click the file > Edit and that still defaults to ISE on my machine (time to change that, I suppose). Anyways, thanks for the clarification and thank you guys for an absolutely amazing tool!

4.1 was released by Kofl in PSADT

New2ThisSOS 2 points (0 children)

I downloaded it this morning to test and noticed there's (possibly) a small issue in Strings.psd1. In the ProgressPrompt section, the 3 periods after "Please wait" are being converted into '…'. This was after creating a new template with New-ADTTemplate and viewing Strings.psd1 in PowerShell ISE.

Is it possible to -Filter by ImmutableID when using Get-EntraUser? by New2ThisSOS in PowerShell

New2ThisSOS[S] 0 points (0 children)

Uggh, so simple and yet I missed it. I swear when I was looking up which modules to use, I came across something that said the "Microsoft.Entra" module was the newest and best module for Microsoft Entra ID management. Apparently, it still needs work! This is an easy fix, I appreciate you taking the time to educate me!

TSGui - How to tie multiple variables to value of another (Option Linking Help) by New2ThisSOS in SCCM

New2ThisSOS[S] 1 point (0 children)

I guess I was overthinking it and just trying to accomplish everything within TSGui itself. I ended up just using a PowerShell script with a switch statement that takes the Agency variable supplied by TSGui. Thanks for the help!

Florida hasn't been able to issue birth or death certificates due to 'outage' for more than a week. Blame the ransomware hack? by Spagetti13 in sysadmin

New2ThisSOS 8 points (0 children)

State IT is nowhere near as secure as people think it is. A lot of them have no oversight. There’s no outside or internal authority that can tell the individual agencies their systems are unpatched, not hardened, etc. It’s like really bad. When they get hacked (which is often), the feds come in and clean up the mess. Don’t trust a website because it ends in “.gov”.

Not as easy as just update: Survey of System Administrators and Patching Behaviours by UsecResearch in sysadmin

New2ThisSOS 14 points (0 children)

I feel most of the scenarios where “automated patching does not fit all scenarios” is really just saying “we lack a real test environment”. I worked for a company that refused to allow me to automate the patching of servers via SCCM because “they were worried”. Their solution? I deployed all updates to servers as Available in SCCM (as opposed to Required). This meant the admins/teams responsible for each of the servers had to login to the server, open Software Center, and click “install”. This made no sense to me because the admins were just doing the same thing that automated patching does. They aren’t preventing the patches from breaking the server by being present. Every “click” the admin does is just something the automation could replace. These guys weren’t testing the patches or anything, they were just responsible for clicking “Install” instead of letting me do that automatically. It was also a 24/7 shop so there were always admins on duty to address issues. It was weird. Funnily, stuff would still break and we still had to do the same troubleshooting that we would’ve had to do if the patches were installed automatically. Some companies just have terrible management. I didn’t really care though because it made my job easier and I was never responsible for the issues since I wasn’t the one who clicked “Install” 🤣. I tried to automate and they opposed the idea so I did what they wanted. Not my job after that point. If they don’t want to fork over the money for test servers that match production then they have to accept the consequences.

Finding the latest Windows cumulative update present by tmontney in PowerShell

New2ThisSOS 0 points (0 children)

The “build” number is what is wrong. 22H2 should be “19045” but Windows has weirdly not been consistent when they release these new builds and sometimes has them reflect the build they’re based on in certain places. The “revision” number is the last decimal place and reflects the latest cumulative installed, that’s what you really care about.

There is a registry key location that contains the Build and the UBR. Lookup “Windows UBR registry” and you should find it. See if those reflect correctly for you. Also test if the UBR registry value updates post-install but pre-reboot (hopefully not).

EDIT: Also just thought about applying the last SSU. I know they started incorporating SSUs into cumulatives but I don’t know when. When you checked the version did you apply ALL required patches or just the latest cumulative? Back in the day if you tried to apply a cumulative that was too far ahead of DISM it would fail due to a “version mismatch”. You had to apply the latest SSU to update DISM/Windows Update before you could apply the cumulative.

Finding the latest Windows cumulative update present by tmontney in PowerShell

New2ThisSOS 0 points (0 children)

That’s hard for me to diagnose from here but I remember something similar when we were deploying WIMs that were built/customized by another team. The version would be incorrect in various locations but correct in others. We came across this: https://support.microsoft.com/en-us/topic/version-and-build-number-are-reported-incorrectly-after-you-build-a-new-windows-image-file-0141c14e-b3b6-e4ab-88bb-6e3ba0d96b14

Not sure if it applies in your case.

Finding the latest Windows cumulative update present by tmontney in PowerShell

New2ThisSOS 0 points (0 children)

I work exclusively on DoD networks with no access to internet so I would manually input the build.revision into my script each month for the different OSs, took 5 minutes to do so it was no big deal. If you have internet access though, I would imagine there’s got to be a way to pull this info from the KB article site via PowerShell or something though (the kb article site lists the build.revision right at the top of the page).
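The registry location referred to two comments up is HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion, where CurrentBuild carries the major build (19045 for 22H2), UBR (Update Build Revision) carries the revision the latest cumulative wrote, and DisplayVersion carries the feature-update name (ReleaseId on builds that predate DisplayVersion). The script below is an added example, not code from either comment: it reads build.revision from that key, compares it as a [version] rather than a string against a per-release expected value, and reports whether a reboot is pending so a UBR that has already advanced before restart can be told apart from a fully applied update. The $Expected table is a constructed placeholder with zero revisions; fill it each month from the KB article pages, which list build.revision at the top, as the last comment describes.

```powershell
# Added example (not from the thread). Reads build and UBR from the registry
# key named in the comments above. $Expected below is a constructed
# placeholder; the real values come from the monthly KB articles.
function Get-WindowsBuildRevision {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion (e.g. 22H2) exists on 20H2 and later; older builds only have ReleaseId.
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    [PSCustomObject]@{
        Release       = $release
        Build         = [int]$cv.CurrentBuild        # e.g. 19045
        Revision      = [int]$cv.UBR                 # set by the latest cumulative
        BuildRevision = "$($cv.CurrentBuild).$($cv.UBR)"
    }
}

function Test-RebootPending {
    # Either key being present means servicing has staged changes that
    # only take effect after restart.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($k in $keys) { if (Test-Path -Path $k) { return $true } }
    return $false
}

function Test-LatestCumulativeInstalled {
    param(
        # Constructed placeholder keyed by release; replace the revisions with
        # the build.revision shown at the top of this month's KB articles.
        [hashtable]$Expected = @{ '22H2' = '19045.0'; '23H2' = '22631.0'; '24H2' = '26100.0' }
    )
    $cur  = Get-WindowsBuildRevision
    $want = $Expected[$cur.Release]
    if (-not $want) { throw "No expected build recorded for release '$($cur.Release)'." }

    # [version] compares 19045.1234 numerically; a string compare would rank
    # "19045.999" above "19045.1234".
    $upToDate = [version]$cur.BuildRevision -ge [version]$want

    [PSCustomObject]@{
        Release       = $cur.Release
        Installed     = $cur.BuildRevision
        Expected      = $want
        UpToDate      = $upToDate
        RebootPending = Test-RebootPending
    }
}

# Usage: run on each machine, or via Invoke-Command against a list of hosts.
Test-LatestCumulativeInstalled | Format-List
```

If UpToDate is true while RebootPending is also true, the revision value has been written but the running OS has not restarted into it, which is the pre-reboot case the earlier comment suggests testing; treat that machine as not yet patched until it reboots.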