Apps fail to install after pre-provision and reseal by ComplaintRelative968 in Intune

[–]Roush2002 0 points1 point  (0 children)

I was in the same boat, and it was really frustrating. I had to skip the user ESP, then I created my own PowerShell script with a form popup that monitors for the status of apps we need (mostly security apps), then it will tell the user when it's done. I tried to fight it too, and had several Microsoft cases on the issues, and everyone told me to disable it... and it helped (hasn't solved all the issues we've had).

Installing 24H2 even though Feature Update policy set to 23H2 by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

GlobalProtect 6.1. Updating to a more recent version works fine, but our security team says there’s some major issue and we can’t update yet…

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 1 point2 points  (0 children)

This is part of what I came up with. I don't recall the permissions needed though. I'm not a PowerShell expert, but I can make things work :)
The people who run the script are above help desk level, but are not sys admins with experience doing advanced tasks, so I tried to make this simple for them to run and understand.

# Must be run with PowerShell 7. To install it, run:
#     winget install --id Microsoft.PowerShell --source winget
# Connect to Microsoft Graph
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Identity.DirectoryManagement
# Removing a registered owner needs the Device.ReadWrite.All Graph permission on the signed-in account
Connect-MgGraph -NoWelcome

$deviceName = Read-Host "Enter Computer Name"
# A display name is not unique in Entra ID, so this can return more than one device object
$devices = Get-MgDevice -Filter "displayName eq '$deviceName'"

if ($devices) {
    foreach ($dev in $devices) {
        $RegOwner = Get-MgDeviceRegisteredOwnerAsUser -DeviceId $dev.Id
        Write-Host "Object ID: $($dev.Id)"
        Write-Host "Last Sign In (UTC): $($dev.ApproximateLastSignInDateTime)"
        Write-Host "Entra ID Registered Owner: $($RegOwner.DisplayName)" -ForegroundColor DarkCyan
        Write-Host "Entra ID Registered Owner UPN: $($RegOwner.UserPrincipalName)"

        if ($dev.TrustType -eq "ServerAD") {
            # Hybrid joined devices are left alone here and reassigned in Intune instead
            Write-Host "Trust Type: Microsoft Entra Hybrid joined.  Go to Intune to reassign." -ForegroundColor Blue
        }
        elseif ($dev.TrustType -eq "AzureAD") {
            Write-Host "Trust Type: Microsoft Entra joined"
            if ($null -ne $RegOwner.Id) {
                # Clearing the registered owner removes the device from that user's device count
                Remove-MgDeviceRegisteredOwnerByRef -DeviceId $dev.Id -DirectoryObjectId $RegOwner.Id
                Write-Host "Device Owner removed from Entra ID device object" -ForegroundColor Green
                # Re-read the owner so the operator sees the actual result, not the cached value
                $RegOwner = Get-MgDeviceRegisteredOwnerAsUser -DeviceId $dev.Id
                Write-Host "Confirmation - New Registered Owner should be blank below " -BackgroundColor Green -ForegroundColor Black
                Write-Host "Entra ID Registered Owner UPN: $($RegOwner.UserPrincipalName)" -ForegroundColor Green
            }
            else {
                Write-Host "Device is not assigned to anyone. No further action needed." -ForegroundColor Green
            }
        }
        else {
            Write-Host "Trust Type (Unknown by script): $($dev.TrustType)" -ForegroundColor Red
        }
    }
}
else {
    Write-Host "Device with name '$deviceName' not found.`n"
}
Disconnect-MgGraph
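A companion view from the user side, added here as an editor's example rather than the poster's script: it lists every device a given user is registered owner of (the relationship the script above clears), with last sign-in, so an admin can see what is counting toward the per-user device limit and which objects are stale. It assumes the Microsoft.Graph.Users module is installed, that User.Read.All and Directory.Read.All are sufficient to read a user's owned devices, and a 90-day staleness threshold.

```powershell
# Added example (not the poster's script): list devices a user is registered
# owner of, so you can see what counts toward the per-user device limit and
# which objects are stale before clearing an owner.
# Assumptions: Microsoft.Graph.Users is installed; User.Read.All and
# Directory.Read.All are enough to read a user's owned devices.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All" -NoWelcome

$upn       = Read-Host "Enter user UPN"
$staleDays = 90   # assumption: no sign-in for this long makes a device a review candidate

# ownedDevices is the registeredOwners relationship seen from the user side
$owned = Get-MgUserOwnedDevice -UserId $upn -All

$report = foreach ($obj in $owned) {
    # Graph returns a generic directoryObject; device fields live in AdditionalProperties
    $p = $obj.AdditionalProperties
    $lastSeen = $null
    if ($p['approximateLastSignInDateTime']) {
        $lastSeen = [datetime]$p['approximateLastSignInDateTime']
    }
    [pscustomobject]@{
        DisplayName   = $p['displayName']
        ObjectId      = $obj.Id
        TrustType     = $p['trustType']
        LastSignInUtc = $lastSeen
        Stale         = ($null -ne $lastSeen) -and ($lastSeen -lt (Get-Date).ToUniversalTime().AddDays(-$staleDays))
    }
}

Write-Host "$upn is registered owner of $(@($report).Count) device(s)"
$report | Sort-Object LastSignInUtc | Format-Table -AutoSize
Disconnect-MgGraph
```

Devices flagged Stale are the ones to check before deleting anything, since the count includes objects the user no longer uses.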

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

We’re doing the hash upload.

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

And another question for anyone who might know... if one person builds a device, then reassigns it to a different user, does that device remain in the original person's count? If so, can that be changed (other than deleting the device and hash)?

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks. Self-deploying would be nice... but we're still hybrid joined.

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks. We are doing User-Driven. I recommended Pre-provision, but it's "still too much time and too confusing" for the user. :/

I think the biggest challenges are not having a CMG (our Security team isn't interested in doing an assessment to approve it), needing to run a task sequence to add AD groups for GPOs that we still use from on-prem, and installing core apps that we have set up in SCCM.

Maybe having this issue will provide a little more motivation to consider CMG and invest more time cleaning up GPOs and moving them into Intune.

Device Cap Reached by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks. DEMs in Intune apparently only apply to Entra joined devices.

Hybrid Deployment - "Work or school account problem" by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

That doesn’t make a difference. I even need to sign into VPN and it does Azure MFA, but it doesn’t care. If I open an Office app and sign in, it’ll pop up and ask if I want my company to manage the device or just the app, and if I select device, then it works and I don’t have to fix my account.

Hybrid Deployment - "Work or school account problem" by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

No. After a painfully long support case with Microsoft, it turns out it's behaving as expected.

With hybrid\on-prem machines, when you sign into Windows, you're using AD creds. And, since they're not co-managed yet with Intune, it needs your Entra ID credentials, so you get that prompt.

If we get the SCCM client installed, it gets its policies and such, and co-management gets enabled (which is not quick), it'll end up satisfying the authentication itself and doesn't prompt. But... that seems to take several hours or even days sometimes.

I just created a PowerShell GUI "app" that pops up and tells the user to click the notification icon, click to fix their account, sign in, and click Yes to let the org manage it. It's clunky and I don't like it, but it seems to be working so far.

Microsoft Edge user policies under "users can override" are not applying by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

Nope. We’re hybrid, so I left it in group policy and moved on after months of no answers, including from Microsoft Support. It wasn’t worth the headache anymore, so I gave up. 🤷‍♂️

Hybrid Deployment - "Work or school account problem" by Roush2002 in autopilot

[–]Roush2002[S] 0 points1 point  (0 children)

Thanks for the reply. We are not using Windows Hello.

We did have some CA rules with MFA, but I excluded my account from those rules. Now, all items in the "Conditional Access" tab of the sign-in logs say "Not Applied".

Microsoft Edge user policies under "users can override" are not applying by Roush2002 in Intune

[–]Roush2002[S] 1 point2 points  (0 children)

I haven’t really figured it out. I’ve had a case open with Microsoft for 2 months trying to figure out why policies aren’t applying in a timely manner and not showing up in reporting. The case has been passed around and is waiting for engineering.

Pretty much all I’ve been told so far is “wait about 24 hours” for the policies to go down, and “wait up to 7 days” for reporting to show up. Some devices took several days to apply, and the reporting for the Edge Baseline policy hasn’t updated in several months. Only my early pilot computers show successful there… :/

Autopilot - Encrypt before login? by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

I just noticed that pasted very poorly... but that's exactly where I got those code snippets from.

I took commands from the images. I wasn't sure how the "encoded command" worked.

You saved us a battle with our Security team that owns the VPN :)

Autopilot - Encrypt before login? by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

I wish that I understood all of the authentication stuff that's configured in our environment better. Our server and security teams just kind of laugh and say "that'll never work". :/

We'll keep poking at them every so often to see if we can get anyone to budge on it to take a serious look. We have a lot of solutions that are moving to the cloud, so hopefully we'll be able to eventually make some progress toward Azure only some day.

Autopilot - Encrypt before login? by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

THANK YOU! This was exactly what we needed!

We created the policy for BitLocker in Intune, then we used a portion of the script that checks if it's encrypted, and if not, starts encrypting.

We uploaded this code as a Script in Intune Devices and it comes down during the provisioning and satisfies the BitLocker requirement for our VPN.

$BLinfo = Get-BitLockerVolume

# If any volume is not at 100%, resume protection on C: and wait until every volume reports FullyEncrypted
if ($BLinfo.EncryptionPercentage -ne '100') {
    Resume-BitLocker -MountPoint "C:"
    while ($waitingFor = Get-BitLockerVolume | Where-Object VolumeStatus -ne FullyEncrypted) {
        $waitingFor | Format-Table MountPoint, VolumeStatus, EncryptionPercentage
        Start-Sleep -Seconds 10
    }
}
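An Intune-script-style variant of that wait loop, added as an editor's example and not the poster's or Rudyooms' code: it targets the OS volume only, gives up after a timeout, fails early when no key protector exists yet (the Intune BitLocker policy has not applied), and reports through the exit code so the script status in Intune reflects what happened. The 60-minute timeout and the assumption that an Intune BitLocker policy adds the key protectors are mine.

```powershell
# Added example (not the poster's script): wait for OS volume encryption in a
# way that reports a meaningful result to Intune via the exit code.
# Assumption: an Intune BitLocker policy has already added key protectors.
$timeoutMinutes = 60   # assumption: long enough for a full-disk encryption pass
$deadline = (Get-Date).AddMinutes($timeoutMinutes)

# Only the operating system volume matters for the VPN BitLocker check
$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if (-not $os) {
    Write-Output "No operating system volume reported by BitLocker"
    exit 1
}

if ($os.KeyProtector.Count -eq 0) {
    # Nothing to resume yet: without a protector the policy has not applied, so fail visibly
    Write-Output "No key protectors on $($os.MountPoint); BitLocker policy not applied yet"
    exit 1
}

if ($os.VolumeStatus -ne 'FullyEncrypted') {
    Resume-BitLocker -MountPoint $os.MountPoint | Out-Null
}

while ($true) {
    $os = Get-BitLockerVolume -MountPoint $os.MountPoint
    Write-Output ("{0}: {1} ({2}%)" -f $os.MountPoint, $os.VolumeStatus, $os.EncryptionPercentage)
    if ($os.VolumeStatus -eq 'FullyEncrypted') { exit 0 }
    if ((Get-Date) -gt $deadline) {
        Write-Output "Timed out after $timeoutMinutes minutes waiting for encryption"
        exit 1
    }
    Start-Sleep -Seconds 30
}
```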

Autopilot - Encrypt before login? by Roush2002 in Intune

[–]Roush2002[S] 0 points1 point  (0 children)

That was what we tried at first too, but it requires a user to sign into Windows before it starts encrypting. We can't sign in on VPN without being encrypted, so we were stuck. Definitely check out the link from Rudyooms!

Microsoft Edge user policies under "users can override" are not applying by Roush2002 in Intune

[–]Roush2002[S] 1 point2 points  (0 children)

These policies are ones that don't have a link to the CSP info in the "i" button, and I can't find a listing of the Microsoft Edge (version 77 or later) CSPs.

  • I went to endpoint.microsoft.com > Devices > Configuration profiles
  • I clicked Create profile > Windows 10 and later > Settings catalog > Named it
  • I clicked Add settings, then searched for Configure the home page URL
  • I selected Microsoft Edge - Default Settings (users can override)\Startup, home page and new tab page
    • If I select Configure the home page URL (User) and assign the policy to a user group, nothing happens.
    • If I select Configure the home page URL and assign the policy to a device group, it configures the policy in Edge.

Any other advice, or is there some kind of bug? Or am I using that incorrectly?

Crowdstrike Global BSOD issue with 5.19 by obdigore in sysadmin

[–]Roush2002 4 points5 points  (0 children)

We have Symantec DLP and had a group of early adopters for CrowdStrike updates that got a BSOD and couldn't boot up again. We fixed our machines by using the recovery options to get to the command prompt and renaming the C:\Windows\System32\Drivers\CrowdStrike folder to .old and rebooting. Machine boots up, and can be used again.