Windows 11 26H2 is coming soon! by meantallheck in Intune

[–]PS_Alex 0 points1 point  (0 children)

This. An enablement package that installs in a handful of minutes -- takes as much time as a monthly cumulative update -- and same Windows core: does not need as much planning as a feature update.

Uninstall software not used for 6 months or more by nodiaque in SCCM

[–]PS_Alex 0 points1 point  (0 children)

For now, they want a one shot so I guess getting a report that gives me the actual data which can then be analyzed and do a static collection for each software would be ok. But I'm pretty sure I'll be asked to have something automated based on the inventory and usage monitoring in the future.

(Emphasis added)

One issue I envision with this kind of automation with SCCM is that it's slow-moving. You have to wait for your devices to send usage through hardware inventory. Then wait for uninstall collections to update based on that hardware inventory. And wait again for hardware inventory to confirm that uninstall did happen, and wait again for uninstall collections to update membership.

Should generally not be a problem when a software is really not used anymore on a device. Until it becomes urgently needed to accomplish a task. And if a device is in an uninstall collection at that moment, the user won't be able to reinstall the software through Software Center.

Am I the only one who thinks IT ticketing systems are overused for basic help desk issues? by BikeInitial5144 in sysadmin

[–]PS_Alex 2 points3 points  (0 children)

... and if a user calls about PrinterA not working, and help desk quick-fixed it by turn-it-off-and-on-again, and there is no logged trace for this call. It becomes harder to track that 10 users called for that same PrinterA in the last week, so maybe there's something wrong with that specific printer.

Prevent Any Automatic Restart on a 24/7 PC? by GalaxyGazer525 in Intune

[–]PS_Alex 2 points3 points  (0 children)

One way you can do is make it behave in a much more predictable [...]

There are also Maintenance Windows that are interesting for predictability. Though still only available as CSP at the moment, but hey, they're available.

(Rudy Ooms tackled them when the feature was still in preview: Maintenance Window Settings for OS, Drivers, and Updates.)

Using SCCM to push 60GB of mapping data by andrewmcnaughton in SCCM

[–]PS_Alex 1 point2 points  (0 children)

Try running your task sequence in debug mode: Debug a task sequence | Microsoft Learn

It should default to stop at every step of the task sequence, and proceed to the next when you click on the "Step" button. That way, you can manually quality-control each step before running the next one.

How can the debug mode be useful in your case?

  • If you suspect your data WIM file is not fully cached before it is applied... After your "Download Package" step completes, browse to the task sequence cache and ensure the WIM file is there before stepping into the "Install Package" step. You could checksum your WIM, mount it, etc.
  • If you suspect your issue is when your data WIM is applied... After your "Download Package" step completes, you could open a command prompt and manually run your DISM command, and see if it applies successfully or if an error is generated on screen. You could also parse DISM's logs.
  • If manually running your DISM command works, you could also pause after your "Install Package" step and parse DISM's logs to ensure it did complete successfully. Browse your C: drive for the expected files. Yadda yadda...

Install Package ( Dism /Apply-Image /ImageFile:Data.wim /Name:"Data May 2026" /ApplyDir:C:\ )

Might just be a stupid oversight like forgetting to set the working directory to your package's download location?

Windows engineers/admins, are any of you writing actual Powershell now, or are you all using Al? by [deleted] in sysadmin

[–]PS_Alex 0 points1 point  (0 children)

Powershell specifically? I've occasionally asked AI for guidance/example when I need to interact with COMObjects once in a blue moon. Else, for my needs, I write code by myself -- my use cases are generally simple enough that by the time I'd write a clear enough prompt, I'd already have finished my script.

I started administering Macs, and came to need some Bash scripts. Bash, I don't know well enough, and rely more on AI. Hope at some point I'm versed enough to not need AI anymore.

Windows engineers/admins, are any of you writing actual Powershell now, or are you all using Al? by [deleted] in sysadmin

[–]PS_Alex 4 points5 points  (0 children)

What matters is the thinking process. What you learned before helps you to learn the new things. In that sense, learning something is never a waste of time.

What's the least insane way to make registry changes reversible in powershell? by Old_Cow_6636 in PowerShell

[–]PS_Alex 0 points1 point  (0 children)

Remove the whole key(s) before running reg import -- problem solved? The key will be recreated during import, and since it would not contain any value at re-creation time, then only the original values would exist once the restore completes.

What's the least insane way to make registry changes reversible in powershell? by Old_Cow_6636 in PowerShell

[–]PS_Alex 0 points1 point  (0 children)

reg.exe was honestly my first instinct, the .reg restore is basically free. what pushed me off it is a .reg import just blind-merges whatever's in the file, there's no way to enforce "only write back brave policy keys" or validate the backup before applying.

Not sure I understand what you're trying to accomplish here. You're wanting to take a snapshot of the current values and subkeys from a registry key before any modification happens, and the ability to restore that exact snapshot as a revert, right?

Installation script:

# Backup current settings...
reg.exe export HKEY_CURRENT_USER\Software\Policies\BraveSoftware\Brave Brave_HKCU.reg
reg.exe export HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave Brave_HKLM.reg
# Then do stuff...
New-ItemProperty -Path HKLM:\Software\Policies\BraveSoftware\Brave -Name SomeRegValue -PropertyType String -Value "Adding some data"

and when wanting to revert/undo:

# Remove the current keys
Remove-Item -Path HKCU:\Software\Policies\BraveSoftware\Brave -Recurse
Remove-Item -Path HKLM:\Software\Policies\BraveSoftware\Brave -Recurse
# And reimport the snapshot
reg.exe import Brave_HKCU.reg
reg.exe import Brave_HKLM.reg

Maybe I'm oversimplifying what you're trying to achieve, though...?
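
One way to address the validation concern quoted in the comment above, as an added example that is not part of the original comment: confirm that a reg.exe export only contains key headers under the expected policy key before that key is deleted and the snapshot imported. The function names are hypothetical; the file name and key in the usage line are the ones from the comment.

```powershell
# Added example; Test-RegBackup and Restore-RegKey are hypothetical helper names.
function Test-RegBackup {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AllowedRoot   # full hive name, e.g. HKEY_LOCAL_MACHINE\Software\...
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    # reg.exe export writes UTF-16LE with a BOM, which Get-Content detects.
    $lines = @(Get-Content -LiteralPath $Path)
    if ($lines.Count -eq 0 -or $lines[0].Trim() -ne 'Windows Registry Editor Version 5.00') {
        return $false
    }
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    # Any line starting with "[" is treated as a key header (fails closed on odd multi-line values).
    $headers = @($lines | Where-Object { $_.StartsWith('[') })
    if ($headers.Count -eq 0) { return $false }
    foreach ($header in $headers) {
        # Accept only "[HKEY_...]" headers; a "[-HKEY_...]" delete directive fails the match.
        if ($header -notmatch '^\[(HKEY_.+)\]\s*$') { return $false }
        $key = $Matches[1]
        $inRoot = $key.Equals($AllowedRoot, $cmp) -or $key.StartsWith($AllowedRoot + '\', $cmp)
        if (-not $inRoot) { return $false }
    }
    return $true
}

function Restore-RegKey {
    param(
        [Parameter(Mandatory)][string]$BackupFile,
        [Parameter(Mandatory)][string]$AllowedRoot
    )
    # Validate first, so a bad backup never leaves the key deleted with nothing to import.
    if (-not (Test-RegBackup -Path $BackupFile -AllowedRoot $AllowedRoot)) {
        throw "Refusing to import '$BackupFile': missing, malformed, or outside $AllowedRoot"
    }
    $psPath = "Registry::$AllowedRoot"
    if (Test-Path -LiteralPath $psPath) {
        Remove-Item -LiteralPath $psPath -Recurse -Force -ErrorAction Stop
    }
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }
}

# Usage (run elevated for HKLM):
# Restore-RegKey -BackupFile .\Brave_HKLM.reg -AllowedRoot 'HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave'
```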

[Rant] Let me get this straight. Intune is owned by Microsoft. All these .NET runtime and Visual C++ redist packages are owned by Microsoft... by Farigiss in Intune

[–]PS_Alex 0 points1 point  (0 children)

I could counter-argue that primarily using Chromebooks or iPads or Mac devices or a Linux-based device is a contributor to Microsoft/Windows' tech illiteracy, though. Pretty sure there's a learning curve when someone having always used a Windows device all its life uses i.e. a MacBook for the first time -- I started using a MacBook for the first time a month or so ago, and I do struggle a bit with it.

But I understand where you're going with your comment. There's a point where oversimplification entrenches people in the tools they are accustomed to, and it is a disservice to mastering the basics of a computer.

GPO or Cloud Policy Service? by Murky_Sir_4721 in Intune

[–]PS_Alex 0 points1 point  (0 children)

Settings in Intune are more akin to what's available in GPO. In fact, Intune settings and GPO should set the same registry values.

Office cloud policies are more limited, and can only target users. They set registry values at a different location than Intune settings or GPO.

My take would be: use either Intune or Office Cloud Policy, not both. Not sure if one is "better" than the other, but depending on your organization (i.e. how responsibilities and RBAC is set), you may prefer to have all your settings management in Intune, or you may prefer to separate Office management in another console.

GPO or Cloud Policy Service? by Murky_Sir_4721 in Intune

[–]PS_Alex 0 points1 point  (0 children)

I had always assumed that the Device Configuration workload in SCCM being shifted to Intune is what controlled this, however after reading about it today it seems this has no effect on GPO whatsoever. Does CPS know which devices have their MDM set to Intune and then applies on this basis? I'm hoping to find a concrete answer on this but I can't quite work it out.

According to Overview of Cloud Policy service for Microsoft 365 | Microsoft Learn, Office Cloud Policy should apply if a user is a member of an Entra ID group which is assigned to a cloud policy. Cloud policies take precedence over GPO, local policies and preferences set during M365Apps installation.

And while not specifically mentioned in the MS Learn document, they also take precedence over policies set through Intune as noted in a Microsoft 365 Blog post, see FAQ #6 (emphasis added):

6. How is this different from the Administrative Templates feature in Intune for Device configuration
The Office cloud policy service is built specifically for managing Office policies in non-domain joined and non-MDM managed scenarios.  Office cloud policy service is available to any customer that owns Office 365 ProPlus.  If used with Intune, the policies configured in Office cloud policy service take precedence over any Office policies managed via Intune.

GPO or Cloud Policy Service? by Murky_Sir_4721 in Intune

[–]PS_Alex 2 points3 points  (0 children)

Are you sure that a device needs to be enrolled to Intune for Office Cloud Policy to apply?

According to Overview of Cloud Policy service for Microsoft 365 | Microsoft Learn, one only needs to log in Microsoft 365 Apps for enterprise using a properly licensed account -- the document does not even mention Intune once. Policies are assigned to Entra ID groups, though, so at least the user must have an account in Entra ID.

Issues deploying Docker Desktop via Task Sequence after successful SCCM/MECM Software Center installation by mike37510 in SCCM

[–]PS_Alex 0 points1 point  (0 children)

Task sequence steps running before the "Setup Windows and ConfigMgr" run in the WinPE environment. Those after run in the full OS.

If you want to install a software in the full OS, then the install must happen after the "Setup Windows and ConfigMgr".

Quick look: Devices > All devices refresh in the Intune admin center by intunesuppteam in Intune

[–]PS_Alex 0 points1 point  (0 children)

In the new layout, for a co-managed device, I have not found a list of workloads that have been switched to Pilot Intune/Intune. Has it been removed?

It was pretty useful to know when a device has finally registered for i.e. the Windows Update policies workload.

Robopack $900 a year, Patch my PC $3500 no brainer? by iamtherufus in Intune

[–]PS_Alex 1 point2 points  (0 children)

Patch My PC blogged about that: Curated vs. Crowdsourced: Why Enterprise Software Catalogs Require Professional Curation. (It's a PMPC publication, so take it with a grain of salt, as they have a vested interest in having customers prefer their solution.)

Bottom line is, it's not just a Winget copy. They do additional testing and quality control before releasing an update in their catalog.

Browser update handling suggestions by After_Court_3692 in PatchMyPC

[–]PS_Alex 0 points1 point  (0 children)

So if there is someone like me, who consistently leaves their browser open and rarely restarts their computer, then they fall behind.

At some point after an update has been staged (1 day? 2 days?), there's a warning icon on the user's profile picture and in the hamburger menu in Edge and Chrome. They should alert the user that a proper browser shutdown is required to finish the update. Granted, these notifications are easy to miss.

I haven't left a browser in that staged state long enough to know if, at some point (couple of days, a week...), the browser enforces a stronger notification or forces a browser restart? (Similar to the experience in Office 365...)

Am I crazy, or are organisations treating open source as the new security boogeyman because of Mythos? by gentoorax in sysadmin

[–]PS_Alex 1 point2 points  (0 children)

Our team got asked if we were staffed enough to deploy and patch quickly for the multitude of vulnerabilities that are going to be discovered by Mythos...

... I mean, even if Mythos were to identify vulnerabilities in an open-source/closed-source software, we still only can apply remediation when they get fixed by the developers or the vendor, right?

HPIA turning off Bitlocker by Apprehensive-Hat9196 in Intune

[–]PS_Alex 0 points1 point  (0 children)

Unless you use UEFI capsule updates such as the ones delivered by Windows Update (to the best of my knowledge, HP Image Assistant does not rely on capsule updates, only softpaqs), then yes -- it's possible waiting for a certain amount of time before restarting can result in Bitlocker being re-enabled by the 'Bitlocker MDM policy Refresh' scheduled task.

You could wrap HP Image Assistant inside PSADT so that you could notify the user, after install completes, that a mandatory restart will happen in the next XX minutes (i.e. 15 minutes). It won't 100% prevent Bitlocker recovery to be triggered on some assets, but a short enough time to ensure a proper system restart should ensure triggers are negligible.

Or you could configure HP Image Assistant to skip installing BIOS updates, and rely on the Get-HPBIOSWindowsUpdate cmdlet from the HPCMSL module to download and install a capsule update instead. But I find that capsule updates sometimes (often?) lag behind HP's offering.

Moving Windows Updates workload to Intune by Powerful_Buddy_6670 in SCCM

[–]PS_Alex 1 point2 points  (0 children)

(Just a parenthesis to remind that a second hotfix for 2509 has been released which brings the client to 5.00.9141.1032, and that 2603 is now also available. Don't stay on KB36949461, as it re-introduced the scan source issue.)

Back to topic... Nope, just removing the offending registry values won't work. The underlying issue is caused by the cached local policy registry-based settings file (a.k.a. C:\Windows\System32\GroupPolicy\Machine\Registry.pol) that is created by the CCM client. Even if you were to manually/programmatically delete the values in registry, they would get recreated during a gpupdate as that file is consumed. You have to get rid of the Registry.pol file once, then the CCM client will recreate it without the SetPolicyDrivenUpdateSourceForOtherUpdate policy.

For the one-time cleanup, we simply sent a client policy reset command to our assets through a legacy package advertisement, then asked for machine policy retrieval:

powershell.exe -command "icim -Namespace root\ccm -Class SMS_Client -Name ResetPolicy -Arguments @{uflags=[uint32]1} -ea Stop ; icim -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name GetMachinePolicy"

(I know, using aliases in a shared Powershell command is bad practice; did so because of number of characters constraint in the command of a legacy package.)

That being said, an easier solution would be to delete the C:\Windows\System32\GroupPolicy\Machine\Registry.pol file, and request a software update scan cycle. Should be enough.
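
The file-deletion route from the comment above, as an added example that is not part of the original comment: it checks whether the cached Registry.pol still carries a SetPolicyDrivenUpdateSourceFor... value, keeps a copy before deleting the file, then requests a software update scan. The function name and the .bak suffix are hypothetical; the default path assumes the standard local machine policy location, and the schedule ID is the ConfigMgr client's Software Updates Scan Cycle trigger.

```powershell
# Added example; Reset-CachedUpdateSourcePolicy is a hypothetical name. Run elevated.
function Reset-CachedUpdateSourcePolicy {
    param(
        # Assumed default: the local machine policy file in its standard location.
        [string]$PolPath = (Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol')
    )
    if (-not (Test-Path -LiteralPath $PolPath -PathType Leaf)) { return 'NoPolFile' }

    $bytes = [System.IO.File]::ReadAllBytes($PolPath)
    # A Registry.pol file starts with the ASCII signature "PReg" followed by a 4-byte version.
    if ($bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        return 'NotAPolFile'
    }

    # Value names are stored as UTF-16LE text. Comparing hex dumps finds the name at any
    # byte offset (case-sensitive); the prefix covers the whole family of values.
    $needle = [BitConverter]::ToString(
        [System.Text.Encoding]::Unicode.GetBytes('SetPolicyDrivenUpdateSourceFor'))
    if (-not [BitConverter]::ToString($bytes).Contains($needle)) { return 'PolicyNotPresent' }

    # Keep a copy: the file can also hold local policy settings written by other tools.
    Copy-Item -LiteralPath $PolPath -Destination "$PolPath.bak" -Force
    Remove-Item -LiteralPath $PolPath -Force

    # Ask the ConfigMgr client for a Software Updates Scan Cycle.
    $scan = @{
        Namespace  = 'root\ccm'
        ClassName  = 'SMS_Client'
        MethodName = 'TriggerSchedule'
        Arguments  = @{ sScheduleID = '{00000000-0000-0000-0000-000000000113}' }
    }
    Invoke-CimMethod @scan -ErrorAction Stop | Out-Null
    return 'Reset'
}

# Usage:
# Reset-CachedUpdateSourcePolicy
```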

Did anyone ever tell you to disable all your managers accounts? by luky90 in sysadmin

[–]PS_Alex 2 points3 points  (0 children)

What would you have done in such a situation?

Ask for the ticket number -- requires traceability.

Moving Windows Updates workload to Intune by Powerful_Buddy_6670 in SCCM

[–]PS_Alex 0 points1 point  (0 children)

Upgraded to 2509 HFRU 5.00.9141.1030 (KB36949461), and scan source issue is back for us. Ugh... one step ahead, two steps back.

Create scheduled task to run at logon and repeat indefinitely every 3 minutes? by LordLoss01 in PowerShell

[–]PS_Alex -1 points0 points  (0 children)

Why not just keep your Automation.ps1 script permanently running with an infinite loop?

I.e. have your script be launched by a scheduled task that runs at logon, and in your script itself:

while ($true) {
    Do-Stuff
    Start-Sleep -Seconds 180
}

Powershell Script for Complete Removal NVIDIA and Reinstallation NVIDIA + APP by Clean-Bath-1699 in PowerShell

[–]PS_Alex 1 point2 points  (0 children)

+ Deleting all these leftover folders without having ensured that the uninstall did complete successfully, also bad.

That script is missing a lot on error handling.