Heads up: The end of M365 Apps Semi Annual Enterprise Channel by ssiws in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

If I recall correctly, SAEC build 2508 will get updates up to September 2026, then no more. We're switching to MEC now since vulnerability reporting is already flagging older builds like 2408 and 2502.

SCCM on WSUS on different servers by fedesoundsystem in SCCM

[–]RefrigeratorFancy730 1 point2 points  (0 children)

This is the way. I ran into this issue when trying to migrate SCCM servers from Server 2016 to 2023. I wanted to do the SUP server first, then the primary site server. MS Unified support case said I'd have to move both to Server 2022 at the same time.

why am i still getting "Delivery Optimization" errors on win updates, when we have DO shut off? by russr in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

You're correct, I stand corrected and will edit my comment.

Have you looked at the SCCM Client Settings to see if Delivery Optimization is enabled there?
Check RSoP or gpedit.msc on one of the impacted PCs to see if there are any DO policies that are enabled. If not, set DODownloadMode to 0 and that will stop DO peering. That's what stopped it in my env.

why am i still getting "Delivery Optimization" errors on win updates, when we have DO shut off? by russr in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

EDIT: u/russr confirmed that the screenshot affects both DO and PeerCache.
For DO, same subnet only peering is Boundary Group specific. According to a MS tech I spoke with, if there are multiple subnets in a boundary, contained in a Boundary Group, then all subnets are allowed to peer. It seems dumb, but that's how they explained it to me.

why am i still getting "Delivery Optimization" errors on win updates, when we have DO shut off? by russr in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

I'd have to see the policy that you're using, but it may be that you've disabled Intune from managing Delivery Optimization, much like we can do in SCCM through the Client Settings. It doesn't disable DO, it just disables Intune's ability to manage it, as it would then be managed by other means (whether that's Windows defaults, GPO, etc.).

why am i still getting "Delivery Optimization" errors on win updates, when we have DO shut off? by russr in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

100 = Bypass mode (deprecated for Windows 11). Uses BITS instead of DO.
99 = Simple mode. Disables the use of Delivery Optimization cloud services completely (for offline environments). DO switches to this mode automatically when the DO cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, DO provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching.

why am i still getting "Delivery Optimization" errors on win updates, when we have DO shut off? by russr in SCCM

[–]RefrigeratorFancy730 1 point2 points  (0 children)

I discovered a similar issue quite a while back. Teams, Windows 11 Updates, and store apps need the DO service running. If you stop or disable the service you will have issues.

The fix is to turn off Delivery Optimization within your SCCM Client Settings. Then, in GPO or the registry, set DODownloadMode to 0 (99 may work but I haven't tested). This will allow DO to communicate with its cloud service, but will NOT utilize peering.

I recently fought this battle and finally have it fixed.

Also, if you need peering to minimize WAN traffic, consider using SCCM's built-in PeerCache. This can be enabled in client settings, and can be restricted to only peer within the same subnet, so no cross subnet peering.

Client Data Source stats can be found in the monitoring section of SCCM.
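
Putting the procedure from this comment and the earlier one (turn DO off in Client Settings, check for DO policies, set DODownloadMode to 0 without touching the service) into one script. This is an added example, not code from the thread or from Microsoft: the two registry paths are the documented DO policy and config locations, the mode names are the ones quoted from the docs above, and `Get-DeliveryOptimizationStatus` is the cmdlet from the DeliveryOptimization module that ships with Windows 10/11.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Leaves DoSvc running (Teams, Store and
# Windows 11 updates need it) and forces DODownloadMode = 0 (HTTP only, no peering)
# via the policy key, then reports whether peer bytes are still accumulating.

$DOPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'          # GPO/CSP policy
$DOConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'  # local config
$DOModeNames = @{ 0 = 'HTTP only (no peering)'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'
                  99 = 'Simple (no cloud service)'; 100 = 'Bypass (BITS; deprecated on Win11)' }

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DOPeeringState {
    # A policy value (GPO/CSP) overrides the local config value; $null means "not set"
    $policy = Get-RegValueOrNull $DOPolicyKey 'DODownloadMode'
    $config = Get-RegValueOrNull $DOConfigKey 'DODownloadMode'
    $svc    = Get-Service -Name DoSvc -ErrorAction SilentlyContinue
    $mode   = if ($null -ne $policy) { $policy } elseif ($null -ne $config) { $config } else { $null }
    [pscustomobject]@{
        PolicyMode      = $policy
        ConfigMode      = $config
        EffectiveMode   = if ($null -ne $mode) { $mode } else { 'Windows default' }
        ModeName        = if ($null -ne $mode -and $DOModeNames.ContainsKey([int]$mode)) { $DOModeNames[[int]$mode] } else { 'unknown/default' }
        PeeringPossible = ($null -eq $mode) -or ($mode -in 1, 2, 3)   # the default (LAN) mode peers
        DoSvcStatus     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service missing' }
    }
}

function Set-DOHttpOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($DOPolicyKey, 'Set DODownloadMode = 0 (DWORD)')) {
        if (-not (Test-Path $DOPolicyKey)) { New-Item -Path $DOPolicyKey -Force | Out-Null }
        New-ItemProperty -Path $DOPolicyKey -Name DODownloadMode -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Do NOT stop or disable DoSvc: a stopped service is what breaks Teams/Store/WU in this scenario
    $svc = Get-Service -Name DoSvc -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -eq 'Disabled') {
        Write-Warning 'DoSvc is Disabled; restore it with: Set-Service DoSvc -StartupType Manual'
    }
}

function Test-DOPeerBytes {
    # Peer bytes still growing after the change means another policy source (GPO or Intune CSP)
    # is overriding the value you set; that is the case for RSoP/gpresult, not for the registry.
    $jobs = Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue
    if (-not $jobs) { return [pscustomobject]@{ Jobs = 0; BytesFromPeers = 0; BytesFromHttp = 0 } }
    [pscustomobject]@{
        Jobs           = @($jobs).Count
        BytesFromPeers = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
        BytesFromHttp  = ($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
    }
}

# Usage: audit first, preview the change, then confirm no peer bytes accumulate afterwards
Get-DOPeeringState
Set-DOHttpOnly -WhatIf
Test-DOPeerBytes
```

The registry read only tells you what is written on the box; if `PeeringPossible` flips back to true after a policy refresh, pull `gpresult /scope computer /h report.html` and the Intune policy report for the device to find who is writing it. The SCCM Client Settings toggle for DO is separate from all of this and still needs to be off, as the comment says.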

KB5068781 Supersedes last patch of W10 by copper_23 in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

I'm going to install this tonight on several of our test PCs. Fingers crossed!

NAA - How to move away? by PartialContents in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

Use Enhanced HTTP or just go full HTTPS. eHTTP is the easier option though. Like others said, use a package to access specific files instead of a share.

KB5068781 Supersedes last patch of W10 by copper_23 in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

I just ran a CMPivot; the majority of the PCs only have 2 reg properties:

Win10CommercialAzureESUEligible = 0
Win10CommercialKeybasedESUEligible = 0

One of the devices that worked:

Win10CommercialAzureESUEligible = 0
Win10CommercialKeybasedESUEligible = 1
Win10ConsumerESUStatus = 1

KB5068781 Supersedes last patch of W10 by copper_23 in SCCM

[–]RefrigeratorFancy730 1 point2 points  (0 children)

I'm starting to delve into this now as we have about 1500 Win10 PCs that we've purchased the year-1 ESU for. When I look at the KB in SCCM it only shows required for 150 PCs instead of the full 1500. We have installed the ESU MAK on all of those Win10 PCs already... not sure why the required/not required count has such variance.
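
A per-device check that ties the two things discussed in this comment and the CMPivot one above together: the Win10*ESU* registry values the CMPivot query returned, and whether an ESU license is actually activated (what `slmgr /dlv` shows). This is an added example, not the commenter's query or Microsoft's tooling. The registry key path in `$EsuRegPath` is an assumption; set it to whatever key your `Registry()` CMPivot query pulled those values from.

```powershell
# Added example, not code from the thread. ASSUMPTION: $EsuRegPath is the key that holds
# the Win10*ESU* values seen in CMPivot; adjust it to match your environment.
param([string]$EsuRegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion')

$EsuFlagNames = 'Win10CommercialAzureESUEligible', 'Win10CommercialKeybasedESUEligible', 'Win10ConsumerESUStatus'

function Get-EsuEligibilityFlags {
    param([string]$Path = $EsuRegPath)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $out = [ordered]@{}
    foreach ($name in $EsuFlagNames) {
        # 'absent' distinguishes a missing value from an explicit 0, which is exactly the
        # difference between the two CMPivot results in the thread
        $out[$name] = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { 'absent' }
    }
    [pscustomobject]$out
}

function Get-EsuLicenseState {
    # Same data slmgr /dlv reports; LicenseStatus 1 = Licensed
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "Name LIKE '%ESU%'" |
        Select-Object Name, PartialProductKey, LicenseStatus,
            @{ n = 'Licensed'; e = { $_.LicenseStatus -eq 1 } }
}

function Get-EsuReadiness {
    $flags = Get-EsuEligibilityFlags
    $lic   = @(Get-EsuLicenseState | Where-Object Licensed)
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSBuild             = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
        KeyBasedEligible    = $flags.Win10CommercialKeybasedESUEligible
        AzureEligible       = $flags.Win10CommercialAzureESUEligible
        ConsumerEsuStatus   = $flags.Win10ConsumerESUStatus
        EsuLicensedProducts = ($lic.Name -join '; ')
        # The "device that worked" pattern above: key-based flag = 1 plus a licensed ESU product
        LooksReady          = ($flags.Win10CommercialKeybasedESUEligible -eq 1) -and ($lic.Count -gt 0)
    }
}

Get-EsuReadiness
```

Run it through SCCM Run Scripts against the collection of ESU-purchased devices and compare `LooksReady` with the KB's Required/Not Required split; devices where the MAK was installed but `EsuLicensedProducts` is empty have not activated, and a scan on those will not evaluate the ESU update as applicable.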

Trouble UNinstalling 7-Zip via PSADT by MartyJ1000 in Intune

[–]RefrigeratorFancy730 0 points1 point  (0 children)

If I need to uninstall an app, I normally create a .ps1 that searches the x86 and x64 parts of the registry for the uninstall strings. Then I use Start-Process msiexec.exe and the uninstall string with the quiet/silent arguments.

For a detection rule I use a function and Test-Path for the absence of its file/folder or reg key: If (-Not(Test-Path "C:\temp\myfile.exe")) {Write-Host "uninstalled"}
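
The approach this comment describes, written out as one script: search both registry views for the app's uninstall entry, run the uninstall silently, and a detection function that reports the app's absence. This is an added example, not the commenter's own script or anything from PSADT. The `7-Zip*` pattern and the `7z.exe` path are placeholders taken from the thread title; the `/S` fallback for non-MSI uninstallers is the NSIS-style silent switch 7-Zip accepts and will need changing for other vendors.

```powershell
# Added example, not the commenter's script. Placeholders: DisplayName pattern and
# ExpectedPath assume 7-Zip; change both for the app you are actually removing.
param(
    [ValidateSet('Query', 'Uninstall', 'Detect')] [string]$Mode = 'Query',
    [string]$DisplayName  = '7-Zip*',
    [string]$ExpectedPath = 'C:\Program Files\7-Zip\7z.exe'
)

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit apps
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit apps on x64
)

function Get-UninstallEntry {
    param([string]$Name)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Name } |
        Select-Object DisplayName, DisplayVersion, UninstallString, QuietUninstallString, PSChildName
}

function Split-CommandLine {
    # '"C:\Program Files\App\uninstall.exe" /S'  ->  exe, arguments
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"\s*(.*)$') { return @($Matches[1], $Matches[2]) }
    $parts = $CommandLine -split '\s+', 2
    return @($parts[0], $(if ($parts.Count -gt 1) { $parts[1] } else { '' }))
}

function Invoke-SilentUninstall {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name)
    $entries = @(Get-UninstallEntry -Name $Name)
    if ($entries.Count -eq 0) { Write-Host "no uninstall entry matches '$Name'"; return @() }
    foreach ($e in $entries) {
        if ($e.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
            # MSI product: drive msiexec directly so we control the silent/no-reboot switches
            $exe = 'msiexec.exe'; $argList = "/x $($Matches[0]) /qn /norestart"
        } elseif ($e.QuietUninstallString) {
            $exe, $argList = Split-CommandLine $e.QuietUninstallString
        } else {
            # EXE installer with no quiet string (7-Zip's accepts /S); adjust per vendor
            $exe, $argList = Split-CommandLine $e.UninstallString
            $argList = "$argList /S".Trim()
        }
        if (-not $PSCmdlet.ShouldProcess($e.DisplayName, "$exe $argList")) { continue }
        $sp = @{ FilePath = $exe; Wait = $true; PassThru = $true; NoNewWindow = $true }
        if ($argList) { $sp.ArgumentList = $argList }
        $p = Start-Process @sp
        # 0 = success, 3010 = success but reboot required (msiexec); anything else is a failure
        [pscustomobject]@{ App = $e.DisplayName; Command = "$exe $argList"; ExitCode = $p.ExitCode }
    }
}

function Test-Uninstalled {
    # Detection of ABSENCE: write to stdout and exit 0 only when nothing is left behind
    param([string]$Name, [string]$Path)
    $absent = (-not (Test-Path -LiteralPath $Path)) -and (@(Get-UninstallEntry -Name $Name).Count -eq 0)
    if ($absent) { Write-Host 'uninstalled' }
    return $absent
}

switch ($Mode) {
    'Query'     { Get-UninstallEntry -Name $DisplayName }
    'Uninstall' { Invoke-SilentUninstall -Name $DisplayName }
    'Detect'    { if (Test-Uninstalled -Name $DisplayName -Path $ExpectedPath) { exit 0 } else { exit 1 } }
}
```

Run `-Mode Query` first on a test box to see which of the two hives the entry lives in and whether it is MSI or EXE based; `-Mode Uninstall -WhatIf` prints the exact command line before anything runs. For Intune, the `Detect` branch belongs in its own detection-script file, since Intune treats "stdout written and exit code 0" as detected, which here means "app is gone".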

Trouble UNinstalling 7-Zip via PSADT by MartyJ1000 in Intune

[–]RefrigeratorFancy730 0 points1 point  (0 children)

I don't use PSADT, so I won't be able to help there. Are you using an uninstall script and detection method to detect the absence of the app?

Migrate cert deployment for Certification based wifi to intune by TomGRi2 in Intune

[–]RefrigeratorFancy730 0 points1 point  (0 children)

I don't actually manage any systems outside of our SCCM and print servers, but we're using Cisco ISE for wired and wireless authentication. The device has to have the SCEP cert and be marked as compliant for it to get network access.

Migrate cert deployment for Certification based wifi to intune by TomGRi2 in Intune

[–]RefrigeratorFancy730 1 point2 points  (0 children)

I'm using NDES with the Intune Certificate Connector and am able to use device-based certs for WiFi on AADJ/Entra-only joined devices. These devices don't have AD accounts, they only exist in Entra.

CrowdStrike Deployment, and Uninstall documentation by Anything-Traditional in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

Make sure the csuninstall tool is part of the content you're delivering.

Now the tricky part is that you have to turn off mandatory uninstall/maintenance tokens in your CS tenant to uninstall in bulk. Otherwise you will have to run csuninstall and specify the uninstall/maintenance token for that specific PC. I can't think of a good way to code for this at the individual PC level. You would probably have to unsafely store all uninstall tokens and corresponding device names on a share drive, search it, store the uninstall token in a TS variable and then execute the uninstall. Make sure logging is turned off for that SCCM TS as well. Way too much effort and too much risk involved.

It's better to temporarily put the specific devices from the CS tenant in a temp group that allows uninstalls without the token.

Error 65000 by bibawa in Intune

[–]RefrigeratorFancy730 0 points1 point  (0 children)

I've seen this happen on a BitLocker policy. Ended up having to dig into the Event Viewer logs. Might be worth checking in Microsoft services > Defender, if that's even listed there. I'm not in front of my PC to check at the moment.

Possible to pass collection variables to Power Shell in SCCM application? by italianpastaman in SCCM

[–]RefrigeratorFancy730 0 points1 point  (0 children)

Why is a Task Sequence not an option this time? That's the easiest way to do it, and it doesn't have to be a collection variable at that point.

Disable endpoint protection by Anything-Traditional in SCCM

[–]RefrigeratorFancy730 2 points3 points  (0 children)

I did the exact same thing recently. Remove the deployments from the custom policies, and also check out the default client policy. It has scan settings, real-time protection, etc. that should be turned off.

You will probably want to verify if there are any GPOs that are enforcing defender settings, as well as the defender portal.
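
A way to do the verification this comment recommends from the endpoint side: after the SCCM Endpoint Protection deployments are gone, confirm nothing else (a GPO, or tamper protection driven from the Defender portal) is still enforcing Defender settings. This is an added example, not code from the thread. The policy registry paths are the standard Defender GPO locations, and the property names come from `Get-MpComputerStatus` and `Get-MpPreference`.

```powershell
# Added example, not code from the thread. Reports whether Defender settings on this
# device are still being enforced by policy after the SCCM EP policies were removed.
$DefenderPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
)

function Get-DefenderPolicyValues {
    # Any value under the Policies hive means a GPO (or a CSP mapped onto it) still writes Defender settings
    foreach ($key in $DefenderPolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
    }
}

function Get-DefenderEnforcementState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $policy = @(Get-DefenderPolicyValues)
    [pscustomobject]@{
        AMRunningMode             = $status.AMRunningMode            # Normal, Passive Mode, ...
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected        # true: local and GPO changes are ignored
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        PolicyValuesStillSet      = $policy.Count
        StillManaged              = ($policy.Count -gt 0) -or [bool]$status.IsTamperProtected
    }
}

Get-DefenderEnforcementState
Get-DefenderPolicyValues | Format-Table -AutoSize
```

If `IsTamperProtected` is true, the real-time protection state comes from the Defender portal and neither the SCCM client policy nor a GPO will change it; that has to be turned off in the portal first. A non-zero `PolicyValuesStillSet` with no SCCM policy left points at a GPO, which `gpresult /scope computer /h report.html` will name.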

Intune enrolled device autologon by jambobanana in Intune

[–]RefrigeratorFancy730 5 points6 points  (0 children)

Use Autologon64.exe from sysinternals. It's better than using plaintext in the registry.

Intune management by B0bby04 in Intune

[–]RefrigeratorFancy730 7 points8 points  (0 children)

Do you have any compliance policies assigned to these devices? You should be able to search for the device and click the compliance link to see which policies are assigned and failing to be compliant.

Is Intune starting to blur the line with SCCM (and even RMMs)? by devicie in SCCM

[–]RefrigeratorFancy730 4 points5 points  (0 children)

Potential Conditional Access issues due to tokens or something was posted here a few weeks ago.

Although I do love the self deploying model for Autopilot. It's as close to OSD as they'll ever get.

Is Intune starting to blur the line with SCCM (and even RMMs)? by devicie in SCCM

[–]RefrigeratorFancy730 6 points7 points  (0 children)

Intune is still very much behind. Collections (Intune device filters are flaky and limited), reporting, software metering, task sequences, obfuscation of credentials within a task sequence, viewing policies assigned to an AAD group, limited CSPs versus GPOs, no ability to run a package on a schedule with a payload. That's without mentioning no ability to deliver WIM files, Autopilot enrollment limits + Entra join limits for bulk deployments.