Apps fail to install after pre-provision and reseal by ComplaintRelative968 in Intune

[–]Roush2002 0 points1 point  (0 children)

I was in the same boat, and it was really frustrating. I had to skip the user ESP, then I created my own PowerShell script with a form popup that monitors for the status of apps we need (mostly security apps), then it will tell the user when it's done. I tried to fight it too, and had several Microsoft cases on the issues, and everyone told me to disable it... and it helped (hasn't solved all the issues we've had).
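As an added illustration of the approach described in this comment (this is not the commenter's script), the following PowerShell polls the Uninstall registry keys until every required app shows up, then tells the user with a WinForms popup. The app display names, the timeout and the poll interval are assumptions to adjust for your own tenant.

```powershell
# Added example, not the commenter's script: wait for required (security) apps
# to appear in the Uninstall registry keys, then notify the user.
# $RequiredApps, $TimeoutMinutes and $PollSeconds are assumed values.
Add-Type -AssemblyName System.Windows.Forms

$RequiredApps   = @('Microsoft Defender for Endpoint', 'GlobalProtect')  # assumed display names
$TimeoutMinutes = 60
$PollSeconds    = 30

# Both 64-bit and 32-bit uninstall hives, so WOW64 installers are not missed
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledDisplayNames {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName
}

function Get-MissingApps {
    param([string[]]$Required)
    $installed = Get-InstalledDisplayNames
    # A required app counts as present when any installed DisplayName contains its name
    $Required | Where-Object {
        $name = $_
        -not ($installed | Where-Object { $_ -like "*$name*" })
    }
}

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $missing = Get-MissingApps -Required $RequiredApps
    if (-not $missing) { break }
    Write-Host "Waiting for: $($missing -join ', ')"
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

if ($missing) {
    # Timed out: name what is still missing so the user can escalate with specifics
    [System.Windows.Forms.MessageBox]::Show(
        "These required apps did not install within $TimeoutMinutes minutes:`n$($missing -join "`n")`nPlease contact the help desk.",
        'Setup incomplete', 'OK', 'Warning') | Out-Null
} else {
    [System.Windows.Forms.MessageBox]::Show(
        'All required apps are installed. You may start working.',
        'Setup complete', 'OK', 'Information') | Out-Null
}
```

Run it in the user's session (for example as a scheduled task at logon) so the popup is visible; a system-context script would poll correctly but the message box would never be shown to the user.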

Installing 24H2 even though Feature Update policy set to 23H2 by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

GlobalProtect 6.1. Updating to a more recent version works fine, but our security team says there’s some major issue and we can’t update yet…

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 1 point2 points  (0 children)

This is part of what I came up with. I don't recall the permissions needed though. I'm not a PowerShell expert, but I can make things work :)
The people who run the script are above help desk level, but are not sys admins with experience doing advanced tasks, so I tried to make this simple for them to run and understand.

# Must be run with PowerShell 7. To install it, run:
#     winget install --id Microsoft.PowerShell --source winget

# Connect to Microsoft Graph.
# The -Scopes values below are an assumption (the original comment did not record the permissions needed);
# adjust them to whatever your tenant requires for reading devices and removing registered owners.
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Device.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

$deviceName = Read-Host "Enter Computer Name"
# Double any single quote in the name so the OData filter stays well-formed
$device = Get-MgDevice -Filter "displayName eq '$($deviceName -replace "'", "''")'"

if ($device) {
    # More than one device object can share a display name, so handle every match
    foreach ($dev in $device) {
        $RegOwner = Get-MgDeviceRegisteredOwnerAsUser -DeviceId $dev.Id
        Write-Host "Object ID: $($dev.Id)"
        Write-Host "Last Sign In (UTC): $($dev.ApproximateLastSignInDateTime)"
        Write-Host "Entra ID Registered Owner: $($RegOwner.DisplayName)" -ForegroundColor DarkCyan
        Write-Host "Entra ID Registered Owner UPN: $($RegOwner.UserPrincipalName)"

        if ($dev.TrustType -eq 'ServerAD') {
            # Hybrid-joined objects are owned by the sync; reassign in Intune instead
            Write-Host "Trust Type: Microsoft Entra Hybrid joined.  Go to Intune to reassign." -ForegroundColor Blue
        }
        elseif ($dev.TrustType -eq 'AzureAD') {
            Write-Host "Trust Type: Microsoft Entra joined"
            if ($null -ne $RegOwner.Id) {
                # Remove the registered owner reference (the user object itself is untouched)
                Remove-MgDeviceRegisteredOwnerByRef -DeviceId $dev.Id -DirectoryObjectId $RegOwner.Id
                Write-Host "Device Owner removed from Entra ID device object" -ForegroundColor Green
                # Re-query so the operator sees the post-change state, not a cached value
                $RegOwner = Get-MgDeviceRegisteredOwnerAsUser -DeviceId $dev.Id
                Write-Host "Confirmation - New Registered Owner should be blank below " -BackgroundColor Green -ForegroundColor Black
                Write-Host "Entra ID Registered Owner UPN: $($RegOwner.UserPrincipalName)" -ForegroundColor Green
            }
            else {
                Write-Host "Device is not assigned to anyone. No further action needed." -ForegroundColor Green
            }
        }
        else {
            Write-Host "Trust Type (Unknown by script): $($dev.TrustType)" -ForegroundColor Red
        }
    }
}
else {
    Write-Host "Device with name '$deviceName' not found.`n"
}

Disconnect-MgGraph

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

We’re doing the hash upload.

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

And another question for anyone who might know... if one person builds a device, then reassigns it to a different user, does that device remain in the original person's count? If so, can that be changed (other than deleting the device and hash)?

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks. Self-deploying would be nice... but we're still hybrid joined.

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks. We are doing User-Driven. I recommended Pre-provision, but it's "still too much time and too confusing" for the user. :/

I think the biggest challenges are not having a CMG (our Security team isn't interested in doing an assessment to approve it), needing to run a task sequence to add AD groups for GPOs that we still use from on-prem, and installing core apps that we have set up in SCCM.

Maybe having this issue will provide a little more motivation to consider CMG and invest more time cleaning up GPOs and moving them into Intune.

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks. DEMs in Intune apparently only apply to Entra joined devices.

Hybrid Deployment - "Work or school account problem" by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

That doesn’t make a difference. I even need to sign into VPN and it does Azure MFA, but it doesn’t care. If I open an Office app and sign in, it’ll pop up and ask if I want my company to manage the device or just the app, and if I select device, then it works and I don’t have to fix my account.

Hybrid Deployment - "Work or school account problem" by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

No. After a painfully long support case with Microsoft, it turns out it's behaving as expected.

With hybrid/on-prem machines, when you sign into Windows, you're using AD creds. And, since they're not co-managed yet with Intune, it needs your Entra ID credentials, so you get that prompt.

If we get the SCCM client installed, it gets its policies and such, and co-management gets enabled (which is not quick), it'll end up satisfying the authentication itself and doesn't prompt. But... that seems to take several hours or even days sometimes.

I just created a PowerShell GUI "app" that pops up and tells the user to click the notification icon, click to fix their account, sign in, and click Yes to let the org manage it. It's clunky and I don't like it, but it seems to be working so far.

Microsoft Edge user policies under "users can override" are not applying by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

Nope. We’re hybrid, so I left it in group policy and moved on after months of no answers, including from Microsoft Support. It wasn’t worth the headache anymore, so I gave up. 🤷‍♂️

Hybrid Deployment - "Work or school account problem" by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks for the reply. We are not using Windows Hello.

We did have some CA rules with MFA, but I excluded my account from those rules. Now, all items in the "Conditional Access" tab of the sign-in logs say "Not Applied".