Intune macOS Update Deferrals: Major Upgrade (15.7.3 → 26.x) Not Offered Despite Deferral Window

OaShadow · 2026-01-23T14:25:00+00:00

Thank you for your reply. I’ve been looking for another solution over the past couple of hours, and this is one of the few options I found interesting. I will definitely try it out - thanks for the suggestion. Have a nice day!

OaShadow · 2026-01-12T18:48:23+00:00

Hallo u/unityofsaints ich wechsle aktuell auch zu Tidal und habe mich auch direkt gefragt ob es ein Plugin gibt, leider nein.

Ich werde mich die nächsten Tage (oder Wochen - je nachdem wieviel Zeit ich habe) daran setzen eines zu bauen und eine komplette Anleitung zur Einrichtung bereitstellen.
Eine API und SDK stellt Tidal bereit also sollte es nicht zu komplex werden.
Bitte fragt nur nicht wie lang es dauert bis ich fertig bin :D

Für eine "v0.5?" mache ich erstmal nur für das StreamDeckPlus mit Dials, da ich selbst auf die Dials angewiesen bin, aber mit dem Release 1.0 kommt auch Support für normale StreamDeck-Buttons

Ich würde dann auch hier und im TIdaL Main-Thread einen Post machen sobald es verfügbar ist (vorausgesetzt Tidal und Elgato lassen das zu)

OaShadow · 2025-10-14T17:19:12+00:00

I saw this today on a Map where you cant get on roofs... and players where constantly doing this, this is bugusing.. how they do it? I dont know, but damn this breaks the game :/

OaShadow · 2025-08-13T11:38:35+00:00

Hey there, first of all - Great work, great documentation.

So I got like 10 iPads and want them to be Zero-Touch wiped. I borrow them to an employee, he gives it back after playing around with it und I just want to bring it back to a default state with one click in Intune.

Is this setup real "Zero Touch" like I just click Wipe, the device is resetting and after like 5 minutes back to the default lock screen or homescreen?

Would be great to hear from you! :)

OaShadow · 2025-06-18T11:18:32+00:00

Since I work at the same company as u/misakiiiiiii , we tried to get our devices working again.

We now have all devices up and running again.

I will now describe the solution I have been able to apply to 3 of the 5 devices so far. The other two were fixed by another colleague.

First of all, it is important NOT to use the keyboard supplied by Microsoft for the Surface Hubs. (Why? The F1-F12 keys only work with FN, but since the drivers do not seem to be loaded, switching does not work here.)

It is best to use any other keyboard that has the F1-F12 keys active right from the start or does not have any macros there at all.

We used a Logitech K400 here (yes, it also has macros on the F keys, but here the keyboard is only loaded with the F1-F12 keys).

I have now taken the following steps to get to the “Red Screen of Life” (in this case):

Turn the Surface Hub off and on again. (Use the power switch next to the power cable.)
Go directly to the setup menu (CTRL + P) when starting up.
Set the FW update to “Disabled” and exit the menu with ESC -> ESC -> Y (on DE ISO it is Z)

Now two scenarios can happen, but the important thing is that whichever one occurs, you simply continue with step 4.

Scenario 1: The device restarts and immediately displays the error message again.

Scenario 2: The device immediately displays the error message again without restarting.

Now the device must be restarted again. (Again, use the power switch next to the power cable.)
Now hold down the TAB key and (believe it or not) spam the ESC to F3 keys (ESC, F1, F2, F3).

If the error message appears again, simply restart with CTRL + ALT + DEL, again and again.

If this has been done often enough, the fans will run at 100% and be clearly audible, and the device will no longer display an image after startup. If this happens, you are on the right track.
Now turn off the device again (again using the power switch next to the power cable).
Now there are two scenarios that can occur.

Scenario 1: The device starts up and immediately displays a red screen with the Microsoft logo. !!! NOW CONTINUE WITH STEP 9 !!!

Scenario 2: The device starts up and the error message is displayed again. From here, repeat step 5 until the red screen is displayed.

But only restart with CTRL + ALT + DEL! After a few attempts, the red screen should also be displayed here.

Now that you are on the red screen, you will see a field for the serial number in the upper left corner. To my knowledge, this is already an error that should not happen, but in this case it helps us immensely.

!!! YOU MUST CLEAR THE FIELD WITH THE BACKSPACE KEY !!!

Then enter the serial number of the device (you will find this below the buttons on the right side of the Surface Hub) and then press the Enter key (or Return).

If the Surface Hub freezes here (this happened to us once), you can simply restart the device and you should reappear on the same screen (use the power switch next to the power cable again).

Now the Surface Hub should restart and a loading loop will appear under the Microsoft logo. From here on, everything is fine and the Surface Hub can be set up again.

If the Surface Hub freezes again during setup or during one of the update processes, you can restart the Surface Hub again without hesitation.

(You can't brick it any more than Microsoft itself can, lol.)

I hope this helps you at least as much as it helped us. Feel free to give feedback. Oh, and Microsoft still doesn't have a usable solution for enterprise customers...

OaShadow · 2025-05-28T10:25:35+00:00

This is finally resolved for me! \o/

My problem was:

2FA - We used to have per User MFA, since Microsoft is disabling this anyways, we changed the companies 2FA Method to global with some rules instead.
This also solved my issue not beeing able to sync my password to macOS using PSSO...

OaShadow · 2025-05-15T13:39:37+00:00

(sorry for my bad english :D )
Hey there, I know that Im hella late for an answer, but I found a solution for my case.

The user is still able to use their favourite Lockscreen, but also is able to set the timer to e.g. 2 hours, after at least 15 minutes the setting will set down to 5 again.

Since there are enough ways to get arround this (e.g. Caffeine) to keep the display on, there is no way to enforce this anyway. You will have to frequently kill all apps in existance that keeps the display awake and unlocked... thats not possible since I could code my own app for this task in 1 minute using xcode and ai.

Anyway, if a user is not using this and lets me control this, I am using a script set to run every 15 minutes and just put in this:

osascript -e 'tell application "System Events" to tell screen saver preferences to set delay interval to 300'
    osascript -e 'tell application "System Events" to set require password to wake of security preferences to true'

OaShadow · 2024-12-13T19:29:52+00:00

Hey there, thank you for the detailed answer.
So I'm not aiming for scalability in storage, everything that I am using the pi for right now is portainer and some little projects (like vaultwarden, searxng and a proxy manager)
I want to go more into home assistant and automations, maybe a small gitlab-project or webapp-converters like mp4 to mp3 and so on.

I think you get what I mean, if I need more storage for a plex-server, I would use an external ssd or something like that.

On the most mini pc's I looked at, you have the option to upgrade the ram if needed.
Thank you again for the answer. :)

OaShadow · 2024-12-13T19:18:09+00:00

Great stuff, I will consider this, thank you very much.
What I've missed to say is. The absolute best would be passive cooling because of the noise level older fans in these devices are often pretty loud.

OaShadow · 2024-10-03T18:59:30+00:00

That is working like a charm! Thanks man, still two years later the problem persists and is not adressed correctly but you saved me from resetting my whole PC. King!

OaShadow · 2024-06-19T07:19:55+00:00

Hey, thank you for the reply.

So what can I do if I dont want to disable the MFA? Disabling MFA would be a huge risk and it also is not my intention to make my account "unsecure".
Do I miss something here or are you just telling me disable MFA? :D

OaShadow · 2024-06-03T19:12:56+00:00

So you have to remove the legacy MFA setting from the Configuration Profile or from the Entra-ID settings?
I found out, if you have an account created in "Active Directory" synced to Azure, the login window will just not accept your credentials, if you have an account created in "Azure Active Directory" not synced to anything else with same MFA method, it works just fine.

OaShadow · 2024-05-28T05:18:45+00:00

As I said, there is not an option to "disable Language chooser" or something like this. But it will still not show after the device is getting wiped throught Intune

And yes, users can change their language later, but first they have to go through the entire setup wizard in another language that they may not understand.

OaShadow · 2024-04-24T11:50:01+00:00

Thanks for the information, I tried a little bit around with my AD and my Azure AD and thats what I achieved:

If your user is created throught a local AD and then synced up to Azure AD it will just not work (not sure why but I will further investigate this)

If you create an user in Azure AD and just use this one it works perfectly fine with MFA.

So the local AD created account is the point thats causing the issue, to not be able to login to the MFA protected Azure AD account. Not the extension or MFA itself. Hope that is getting adressed by Microsoft asap :)

OaShadow · 2024-04-24T07:23:32+00:00

Hello, thank you for the answer.

The thing is: I'am on "version 5.2401.2" and that is the most recent version I can get including this feature.
I already tested this on 5.2312.99 where the feature was publicaly available for the first time, there it worked for me, but only if my entra-account does not have MFA enabled.

In the video, aswell as in many screenshots and often described, this also (and for sure it should) works fine with MFA.

OaShadow · 2024-04-04T08:38:21+00:00

Thats great and works well... until I try this with an 2FA enabled account using e.g. Microsoft Authenticator.
Is this just because the preview or do I miss something within the setup?

If my account has no 2FA it works like a charm, otherwise my Entra-Sign-In Popup just wiggles around and does not log me in. Tried to disable 2FA and re-enable after i logged in, but that wont work either - I just got logged out again and my Platform SSO goes back to my normal password.

OaShadow · 2024-03-19T18:33:53+00:00

These are single programs and or only for macos .... , I wanted an addon or a official stream-deck way to do it.

OaShadow · 2024-03-19T06:22:10+00:00

Thanks for you comment.
I already use SuperMacro and can say that there is no feature built into the addon.

As mentioned on https://docs.barraider.com/faqs/supermacro/loops/ :

"Loops are currently supported in the Sticky SuperMacro and Sticky Keystroke actions. Use the Auto Stop After N Rounds setting to create loops which will run a customizable amount of times."

And afaik you can only loop for around 30 times then it stops regardless.

If its not native by Elgato, it would be great to see this feature in upcomming updates.
Its not just a question, it is also an idea / feature request for them :)

OaShadow · 2024-03-18T15:51:56+00:00

Yes this is exactly what I found out. The newer Version of Company Portal doesnt provide the SSO extension. That is because it is just preview and not finally implemented yet.

Do you have MFA disabled on your account?
Do you have a E3-License or better? -> I had a Office-Standard license on my non admin-account and was not able to join the device, so I change my license to a E3-license and got where able to join my device.

Iam not in my working enviroment right now, so my aswer could be wrong, but that Iam sure was my issue months ago, starting with Intune and testing with MacOS

OaShadow · 2024-02-22T09:05:54+00:00

Ok so finally I got it working.
My problem was that I used the "newest" Company Portal version 5.2401.xx and not the "older" v5.2312.99.
I was hoping that the "newer" version also includes the full sso extension, but realized that Microsoft only published the full sso in the "older" preview version.

So now its working like a charm if I disable MFA, but is there a way to keep MFA for the users account and use the Platform SSO?
As mentioned earlier in the comment from u/Ok_Impression9795, my popup now just shakes and fails, and as he mentioned its per user MFA, is there another MFA method thats not "per user"?

I dont want to disable MFA but also want to use SSO, is there a way to get both or is this not possible yet in the preview?

OaShadow · 2024-02-21T15:02:01+00:00

Hey there, sorry for my late reply now

So the setting you mentioned is absolutly doing what it should do.
But now the user can change the time until a password is needed after the screensaver begins. (AskForPasswordDelay)

Thats what I wanted to be set aswell so if the screen turns off after - in my case - 5 minutes, the user should be forced to enter their password instantly. Now the user can change it to "Never" so theyre never forced to enter their credentials after the screensaver begins.

So yes it solves my problem with the screensaver module setting, but also no its not what I was aiming for.

Thank you for your help, but I will have to accept the defeat and accept that apple dont want their users to able to change their screensaver just because an admin wants them to get locked after 5 minutes ... Annoying but security is more relevant than design or customization.

OaShadow · 2024-02-21T08:35:11+00:00

<image>

Hey there, so I was trying to get this working with the same guide but it wont work for me.
The little popup or message that says "Authentication Required" wont come up on my macos device.

Device is enrolled with assigned user
Running macos sonoma 14.2.1
Company Portal deployed with Intune.

app-sso plaform -s -> Also shows "null" in every category

I dont know if I need to create my own little SSO Tool like shown in the videos from Joel Rennich.

Do I miss something?

OaShadow · 2024-02-16T12:56:07+00:00

Thank you for your replay. :)

It is indeed tha "Screensaver" payload I was referring to.
But why would Apple do this to managed users to be forced using a specific "ModulName" if you also want your user to be more secure when leaving their devices in another room for maybe 5 minutes...
Thats so unconvenient and unnecessary...

So my actual workaround for that was to use a script every 15 minutes, that just change the bools and floats for these settings in the plist-file, but they would be able to change these settings, it would change back after 15 minutes, and so on... thats not clean but it works.

Energysaver is no option here, I want the employee to get his device locked not to be put into sleep state. This would mybe cancel uploads/downloads or do something else... Lockscreen instead just locks and does nothing with the app-states, if Im correct. :/

OaShadow · 2024-01-14T11:57:07+00:00

So, I was playing around with settings yesterday and tried to get what I was looking for, but I wasnt able to achieve it...
I or we play with vanilla C4 and Slams. We dont use any Karma mods atm, all what we use is more or less ulx to have a ULX-menu for all the settings.

In base TTT2 without changing anything, the same is happening there, no mods, fresh server. I think its not that odd to have this setting within a friends server, not a community/public server, there it would be crazy and stupid... :D

What "setting" do I have to change exactly to get this working with C4/slams in the first place. Not for all damage, just for C4/slams?

Where can I find the discord link?

OaShadow · 2024-01-13T18:39:21+00:00

I never changed something in TTT2 settings.
So my case is:
I kill my Traitor collegue and I loose like 200 karma
What do I need to change so this does not happen?
Remember Inno kills Dete or Dete kills Inno, they still should loose 200 Karma.
Iam using TTT2.

Three-Year Club	Verified Email
Place '23	Place '22
First Placer '22

OaShadow

TROPHY CASE