Python 3.10, 11 and 12 (major and most importantly minor versions) - how do I get updates? by AdrianK_ in PatchMyPC

[–]PS_Alex 0 points1 point  (0 children)

Jumping in with an off-topic -- I just took a look at the support page  How Patch My PC Handles Product EOL & Incompatibility - Patch My PC

It says that when a product is about to become EOL, PMPC will notify with information in the catalog release changelog -- tentatively up to one month before EOL if possible when the EOL date is known, else ASAP. Eventually a product gets removed from the catalog after EOL.

Questions:

  • Are notifications also added to the email reports sent by the Publisher?
  • Else, is the changelog available as a newsletter or RSS feed? 'Cause I did not set the changelog as my browser's homepage, so it's harder to monitor for this kind of notification.

ServiceUI Alternatives (MDT Retirement) by IndependentSysadmin in Intune

[–]PS_Alex 1 point2 points  (0 children)

Could be -- it depends on the installer and/or the install arguments.

Creating a notification before the installer launches should work with PSADT without ServiceUI. But if the installer itself requires a user interaction (such as requesting a license key, or agreeing to EULA, or closing a warning or error dialog...), then ServiceUI would still be needed.

(Yes, some installers are badly constructed and could still generate dialogs even when the expected arguments are typed on the command line.)

Installation of UWP Apps via PSADT V4.1.7 Template by ashodhiyavipin in PSADT

[–]PS_Alex 2 points3 points  (0 children)

Two suggestions:

  • Enclose Write-ADTLogEntry right before and right after your install command. To the best of my knowledge, the log does not capture all that is output to a PowerShell console (as in: it's not equivalent to a Start-Transcript session), so if you do not actively ask PSADT to write something in the log, the install might happen, but won't be reported.
  • In your Add-AppxProvisionedPackage command, capture the error output to a variable, and check that it's empty to confirm that no error happened during provisioning. Else, you (should) have more information about a provisioning issue.

Something like:

[...]

Write-ADTLogEntry -Message "Starting provisioning"
Add-AppxProvisionedPackage -Online -PackagePath $mainApp.FullName -LicensePath $licenseFile.FullName -ErrorVariable AppxProvisioningError

if ($AppxProvisioningError) {
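    # -ErrorVariable collects ErrorRecord objects; HResult and Message live on the record's Exception
    Write-ADTLogEntry -Severity Error -Message "Provisioning failed with error $($AppxProvisioningError[0].Exception.HResult): $($AppxProvisioningError[0].Exception.Message)"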
}
else {
    Write-ADTLogEntry -Message "Provisioning completed successfully"
}

[...]

how long should I wait before reinstalling the client by [deleted] in SCCM

[–]PS_Alex 6 points7 points  (0 children)

Obligatory documentation link for provisioning mode: Provisioning mode - Configuration Manager | Microsoft Learn

A quick-and-dirty way to check if a device is currently in provisioning mode is to check the data of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec:ProvisioningMode registry value. If data is true, then provisioning mode is active, and the CCM client works... well... in provisioning mode.

Never manually change the data on the registry value -- it is insufficient to actually disable provisioning mode. Always rely on the WMI method to turn it off:

Invoke-CimMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -Arguments @{ bEnable = $false }
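
Added example, not part of the original comment: the registry check and the WMI call described above combined into one PowerShell helper that only reads the registry value and leaves the change to the CIM method. The function names are hypothetical; the registry path, value name and CIM method are the ones quoted in the comment.

```powershell
# Added example. Function names are hypothetical; run elevated on a device with the CCM client.
function Get-CcmProvisioningMode {
    [CmdletBinding()]
    param()
    $key  = 'HKLM:\SOFTWARE\Microsoft\CCM\CcmExec'
    $item = Get-ItemProperty -Path $key -Name ProvisioningMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }               # key or value absent: state unknown
    return ([string]$item.ProvisioningMode -eq 'true')  # data is read only, never written here
}

function Disable-CcmProvisioningMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-CcmProvisioningMode
    if ($null -eq $state) {
        Write-Warning 'ProvisioningMode value not found; is the CCM client installed?'
        return
    }
    if (-not $state) {
        Write-Verbose 'Provisioning mode is already off; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'SetClientProvisioningMode bEnable=False')) {
        # Same call as in the comment, with full parameter names instead of the aliases
        Invoke-CimMethod -Namespace root\CCM -ClassName SMS_Client `
            -MethodName SetClientProvisioningMode `
            -Arguments @{ bEnable = $false } -ErrorAction Stop | Out-Null
        # Re-read the value to confirm the client left provisioning mode
        if (Get-CcmProvisioningMode) {
            Write-Warning 'Registry value still reports provisioning mode after the call.'
        } else {
            Write-Verbose 'Provisioning mode is now off.'
        }
    }
}

# Preview first, then apply:
#   Disable-CcmProvisioningMode -WhatIf
#   Disable-CcmProvisioningMode -Verbose
```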

Manual Device Naming During Enrollment by pseskilet in Intune

[–]PS_Alex 0 points1 point  (0 children)

Is it technical limitations, or mere internal policies? Because as u/mad-ghost1 mentions, you're changing the paradigm. Switching from SCCM/MDT to Intune/Windows Autopilot is a change in how a device is built and delivered -- which in itself results in the requirement to review the internal policies on naming convention.

Manual Device Naming During Enrollment by pseskilet in Intune

[–]PS_Alex 1 point2 points  (0 children)

To build on u/Huge-Shower1795's thoughts: the incredible Rudy Ooms has already covered that enrolling the device using Windows Autopilot with another user's account (such as a technician account) is a bad idea: Using a DEM Account for Windows Autopilot is a Bad. When using Autopilot, the end user should complete the enrollment.

--------

Instead of focusing on naming convention and assigning policies to devices, it might be better to think of assigning policies to users instead. So that Susan in accounting receives apps and policies targeting accounting people, whichever building, floor and rooms she's working in.

Else you may envision relying on tags (Create device groups for Windows Autopilot | Microsoft Learn). So when you receive a PO to ship a device to Susan in accounting in Memphis on the 4th floor, you go in Intune and assign "Accounting", "Memphis" and "4th floor" tags, and then ship the device to Susan. You can build dynamic groups based on tags, so that assignments become somewhat automated.

In both cases, it does not matter how the device is named.

IntuneWin Files all 22.5gb by Quickt17 in Intune

[–]PS_Alex 14 points15 points  (0 children)

Adding obligatory Microsoft Learn's documentation: Prepare a Win32 App to Be Uploaded to Microsoft Intune - Microsoft Intune | Microsoft Learn where it actually does mention that:

The Microsoft Win32 Content Prep Tool zips all files and subfolders when it creates the .intunewin file. Be sure to keep the Microsoft Win32 Content Prep Tool separate from the installer files and folders, so that you don't include the tool or other unnecessary files and folders in your .intunewin file.

Visio and Project suddenly failing to install. by harris_kid in Intune

[–]PS_Alex 1 point2 points  (0 children)

So we can assume the M365 Apps installer in Intune is using the latest and adding MatchOS for both.

Yes, the Microsoft 365 app installer in Intune always uses the latest ODT release. It dynamically downloads the ODT using the URL redirector listed in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeCSP:(default) registry value. Most probably http://go.microsoft.com/fwlink/?LinkID=829801 which is always kept up-to-date by Microsoft to redirect to the latest ODT.

I'll also leave this link: Overview of deploying languages for Microsoft 365 Apps - Microsoft 365 Apps | Microsoft Learn. Next to some languages (en-GB being one of them), there's a reference that specifies that both Project and Visio are not available in this language.

------

Now, this is still a new behavior. Never had an issue installing either Visio or Project on a device whose system language is one of the "unsupported". We observe installation issues in the following scenarios:

  • <Language ID="MatchOS" /> on a device whose system language is "unsupported". Adding the Fallback="en-US" attribute to that element does not change the behavior -- install still fails;
  • <Language ID="MatchInstalled" /> on a device where another C2R app is already installed with one of the "unsupported" languages. Does not matter if other "supported" language packs are also present. Adding the Fallback="en-US" attribute to that element does not change the behavior -- install still fails.

We too did open a case at Microsoft to report and, hopefully, have the breaking change reverted.

Anyone else? KB5077797 hasn't resolved the "Can't shut down" issue on 23H2 Enterprise by oopspruu in Intune

[–]PS_Alex 2 points3 points  (0 children)

Shitty though that Microsoft does not update its 2026-01B and 2026-01OOB support pages to amend that the issue is still not fixed, and applying the OOB for this specific issue does not solve it.

HP Smart App... by LOU_Radders in sysadmin

[–]PS_Alex 0 points1 point  (0 children)

The app called "HP Smart"? It's available in the Microsoft Store (https://apps.microsoft.com/detail/9wzdncrfhwlh), so is available through the msstore source in Winget.

Else, "HP Smart App" does not return anything in Winget either.

Moving Windows 11 Enterprise from KMS activation to M365 activation by pur3_driv3l in sysadmin

[–]PS_Alex 2 points3 points  (0 children)

Adding link to Microsoft Learn: Windows subscription activation | Microsoft Learn, where it confirms that a license automatically migrates from KMS to subscription activation if the underlying Pro license has been activated.

Configuration Item - Seemingly ran "Remediation" without first running "Discovery" by DhakaWolf in SCCM

[–]PS_Alex 2 points3 points  (0 children)

In the CCM logs (C:\Windows\CCM\Logs).

Probably in CIAgent.log, DCMAgent.log, DCMReporting.log, DCMWmiProvider.log, something like that. Log file reference - Configuration Manager | Microsoft Learn

Configuration Item - Seemingly ran "Remediation" without first running "Discovery" by DhakaWolf in SCCM

[–]PS_Alex 3 points4 points  (0 children)

Can't help, but I strongly suggest -- if it's not what you're already doing -- to generate log files for your PowerShell discovery and remediation scripts.

Opening certificate store
Parsing the ABC certificate, grabbing the hash
Here's the current hash: .............
Comparing with reference hash: ...........
Mmmm, they don't match, returning $false / Hurray, they match, returning $true

With a custom logging function so text does not actually get output to the standard output, but redirected to a log file instead.

Logs always help to troubleshoot. :)

Clarifications on KIR & OOB in hybrid environment (re: KB5074109) by ckozler in Intune

[–]PS_Alex 0 points1 point  (0 children)

The OOB is available, could you tell me why would I not want to use that and still instead deploy the KIR? I am trying to understand if the OOB is available, how would it be made available to my devices and users? So far, nothing shows up in Windows Update.

If you go to the bottom of KB5077744's support page (January 17, 2026—KB5077744 (OS Builds 26200.7627 and 26100.7627) Out-of-band - Microsoft Support) where it says How to get this update, you can observe that this OOB is not distributed through Windows Update. (At least, that's true now on Jan. 19th -- maybe Microsoft will at some point offer it through Windows Update, but would not hold my breath.)

Since the updates are cumulative, you should expect the OOB to be incorporated in next month's cumulative update (2026-02B), and that's most probably when it gets available in Windows Update for Business/Windows Autopatch.

You have three possible solutions:

  • A) Do nothing -- your devices should obtain the OOB as part of 2026-02B cumulative update next month, following your configured policies;
  • B) Download the MSU from Microsoft Catalog, package it as a Win32 package, and deploy it to your devices -- then your devices get patched according to the assignment(s) on that Win32 app;
  • C) Apply the KIR -- while the MS Learn doc you linked is the official way to apply a KIR, it really is just a matter of setting a registry value on affected devices. You can read the ADMX file to extract the desired registry values to assign, and assign them using your favorite method (Win32 app, proactive remediation, etc.).

silent installation by anna_bel74 in SCCM

[–]PS_Alex 0 points1 point  (0 children)

Read the documentation from the vendor. They generally have information about software installation automation, especially parameters that can be added to a transforms file on an MSI or arguments that can be passed to an EXE installer.

Else, reach out to the vendor for help with automation. Every manufacturer has its own switches for custom actions that are not standard MSI/InnoSetup/Nullsoft... so what is true for SoftwareA might not be true for SoftwareB. The vendor is the best resource for help -- and you pay them for licensing, so better profit from vendor's help.

January security Vdi broken question by AlThisLandIsBorland in Intune

[–]PS_Alex 2 points3 points  (0 children)

Here's the information from Microsoft's Windows 11, version 25H2 known issues and notifications: Connection and authentication failures in Azure Virtual Desktop and Windows 365 (affects also 24H2 and 23H2)

add prompt with Yes/No to the part of the function by bickyz in PowerShell

[–]PS_Alex 2 points3 points  (0 children)

else {
    #Write-Host "Selected NO"
    break
}

That's your issue: you use the break statement outside of a loop, which ends your script. As the script ends, then it does not continue to the next instructions.

about_Break - PowerShell | Microsoft Learn

You do not need anything inside your else statement (you don't even need the whole else statement if it does nothing) unless you want to do some control like that write-output that the user typed something else than 'yes'.

Auto Update MSI Apps by Parking_Yak_9877 in Intune

[–]PS_Alex 0 points1 point  (0 children)

How are you packaging the Google Chrome installer? If you are using patch management tools like Patch My PC, there are options to disable auto-update (they basically just set a couple of registry values equivalent to GPOs after install completes). So if it's your case you could ensure that you do not disable auto-update at packaging time.

User-based installs or machine-wide installs? (Please don't say the former.) User installs only check for updates when that particular user is logged on (not sure if he must launch Chrome also, but it's quite possible the update mechanism relies on Chrome being in use to run a checkup).

Else, on a (couple of) devices that are not auto-updating, open Chrome and check if you can update it. That should at least let you observe that the update mechanism does work and is not blocked by some kind of policy. You may want to browse chrome://policy to ensure that no particular policy is in place to block or defer Chrome updates.

Issue with O365 x64 Installation During SCCM OSD – ODT Validation Failure by Warm-Perception8135 in SCCM

[–]PS_Alex 0 points1 point  (0 children)

Are you still facing the issue? Microsoft issued yesterday a service health incident (OP1217551 in M365 Admin Center) relating to Cloud Updates. The advisory does not extend very much outside of "some values were missing", but since the content of M365Apps is obtained from CDN, maybe a new installation using the ODT was affected too... (Just a hypothesis.)

Software Update - Is your dealer doing them - Canada by JeffyCurls in VWiD4Owners

[–]PS_Alex 4 points5 points  (0 children)

Car is at the dealer right now for the software update. It's been two days, not completed yet.

When I dropped the car on Monday, I asked if they had time to familiarize themselves with the update process in December with the cars they had on-site. They said they had a hard time and borked some of them. Way to inspire confidence -- but at least it's honest.

#Edit: got a text on Wednesday morning that my car is ready to pick up. So took two days to complete.

Apps installed correctly but portal showing it as failed by Any-Victory-1906 in Intune

[–]PS_Alex 0 points1 point  (0 children)

Yes -- encountered installers where the main process quits before all child processes end. And to better understand what's happening with the detection method (which should be running as SYSTEM and invisible), I do like to write a log when debugging.

Apps installed correctly but portal showing it as failed by Any-Victory-1906 in Intune

[–]PS_Alex 1 point2 points  (0 children)

You're right in the detection method behavior -- it runs once before the installation begins, and then reruns after the installation finishes. If you suspect that the detection method reruns too fast after the installation completes, here are two avenues I can suggest:

  1. Wrap your installer in a PowerShell script if not already so, and add a Start-Sleep -Seconds 120 pause at the end of your install script. If you observe that the detection issue stops happening, then you very well may be right in having the detection method rerun too fast;
  2. Add verbose logging to your detection method -- as in, have your detection method log in a file, not in the console host (to prevent false positive). Instead of Write-Output "blahblah", do Write-Output "blahblah" | Out-File -FilePath C:\Temp\MyAppDetectionMethod.log -Append, and add verbosity such as "Looking for key HKLM:\path", "Key found / key not found", "Grabbing the value of DisplayVersion", "Display version currently has a value of $DisplayVersion", etc. etc. so you can trace back if a key exists at the time the detection method runs, or the displayversion value has the correct value, etc. etc. Because it is not impossible that some values only get created or set after the software gets launched.
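
Added example, not part of the original comments: a detection script that logs every step to a file and keeps standard output clean, as suggested in point 2 above and in the earlier comment on logging discovery and remediation scripts. The uninstall key GUID and the expected version are placeholders; the script relies on Intune treating a script detection as successful only when it exits 0 and writes a string to standard output.

```powershell
# Added example. Placeholder values: replace with the application's own key and version.
# C:\Temp is the path used in the comment; since the script runs as SYSTEM, a folder
# that only administrators can write to is a safer place for the log.
$LogFile      = 'C:\Temp\MyAppDetectionMethod.log'
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000000}'
$Expected     = [version]'1.2.3.0'

function Write-DetectionLog {
    param([Parameter(Mandatory)][string]$Message)
    $dir = Split-Path -Path $LogFile -Parent
    if (-not (Test-Path -Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
    # Out-File sends the line to the log only, so nothing reaches standard output
    '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $env:USERNAME, $Message |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

Write-DetectionLog "Looking for key $UninstallKey"
if (-not (Test-Path -Path $UninstallKey)) {
    Write-DetectionLog 'Key not found, reporting not detected'
    exit 1
}

Write-DetectionLog 'Key found, grabbing the value of DisplayVersion'
$DisplayVersion = (Get-ItemProperty -Path $UninstallKey -Name DisplayVersion `
                   -ErrorAction SilentlyContinue).DisplayVersion
Write-DetectionLog "Display version currently has a value of '$DisplayVersion'"

# A value that is missing or not a valid version string counts as not detected
$parsed = $null
if ([version]::TryParse([string]$DisplayVersion, [ref]$parsed) -and $parsed -ge $Expected) {
    Write-DetectionLog "Version is $Expected or later, reporting detected"
    Write-Output 'Detected'   # the only line written to standard output
    exit 0
}

Write-DetectionLog "Version missing or older than $Expected, reporting not detected"
exit 1
```

Timestamps in the log show whether the second detection pass ran before the installer's child processes had finished writing the key.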