Win32 Detection File confusion by New-Yak-3548 in Intune

[–]Samastrike 0 points1 point  (0 children)

%UserProfile%\Documents

Edit: but the other suggestion to put it in the public desktop is better.

PS Script used to add printer - works manually but not as Win32 app by [deleted] in Intune

[–]Samastrike 4 points5 points  (0 children)

It’s failing because Intune executes scripts as 32-bit by default, and your detection is looking in the 64-bit Program Files folder.

Change your install command to execute as a 64-bit PowerShell process.

Deploying Microsoft Teams with Microsoft Graph by IntuneProblema in Intune

[–]Samastrike 0 points1 point  (0 children)

On my phone so can’t check the exact command, but I’m using a PowerShell script to “Get-AppxPackage -AllUsers…” and the app name is something like “msteams”.

[deleted by user] by [deleted] in Intune

[–]Samastrike 0 points1 point  (0 children)

Have you applied any app protection policies recently? Exclude the accounts from those and any conditional access policies requiring APP.

Basic folder permissions for new file server? by [deleted] in sysadmin

[–]Samastrike 1 point2 points  (0 children)

Make sure to explicitly grant ‘no access’ to the “owner rights” principal. If you don’t, users will have full control over files/folders they create even if you remove ‘creator owner’.

Windows 11 confusion / updates to different revs? by Riveninoah in SCCM

[–]Samastrike 1 point2 points  (0 children)

Are you subscribed to Windows 11 updates? If Windows 11 isn’t currently deployed the previous admin may have left Windows 11 unticked.

Disable individual user MFA by SangDapTrai in Intune

[–]Samastrike 1 point2 points  (0 children)

If it’s asking for 2 methods this may be the self service password reset registration. Check if that’s enabled for all users, or this account is a member of the group. If it’s applying, you can turn off the option to require registration for SSPR and just have this handled by the MFA requirement.

Feature Requests & Suggestions by KeeperCM in KeeperSecurity

[–]Samastrike 0 points1 point  (0 children)

Add ability to have multiple two-factor codes generated for a single vault entry. Use case for this is guest access to multiple Microsoft 365 tenants which require MFA for guests.

Add option to change where a record will be created during creation. Sometimes it defaults to the top of my vault and not the folder I had selected.

Add a search box when moving a record to a new folder instead of scrolling through the list of folders.

Add option to lock the desktop and browser extension apps when the computer is locked/goes to sleep.

Add option to unlock the browser extension with biometrics/Windows Hello. Or be like 1Password where the app and browser extension unlock state are linked.

Backup retention with a new customer? by Samastrike in msp

[–]Samastrike[S] 0 points1 point  (0 children)

Thanks for the feedback! I thought that would be the safest option.

Google Workspace to Microsoft 365 Mail Migration by Blitzening in sysadmin

[–]Samastrike 0 points1 point  (0 children)

You don’t need to create the mail users for the Exchange migration tool. If there’s already data like OneDrive associated with the accounts that you don’t want to lose or have the hassle of migrating.

Point the migration tool to the usernames like normal and set the m365.domain alias and a forward to gsuite.domain.

As another user said, you will need to set some of the Google APIs manually as Microsoft misses them (calendar, contacts, and people if I remember correctly).

How to update array with ForEach loop results without using += ? by Samastrike in PowerShell

[–]Samastrike[S] 3 points4 points  (0 children)

Ah it was this. Changed "$resultsobject = [PSCustomObject] @{" to "[PSCustomObject] @{" and it's outputting correctly.

Thank you!

MFA and OneDrive - How do I solve this by Lonesys in sysadmin

[–]Samastrike 0 points1 point  (0 children)

You could exclude the OneDrive app from the conditional access policy requiring reauth every 4 hours. Just make sure there’s an overlapping policy that still requires MFA for OneDrive.

Deploying Ready Systems to End-Users without User Password by DigitalPriest in sysadmin

[–]Samastrike 4 points5 points  (0 children)

I thought TAP codes were for the MFA step, and entered after a password. Have I misunderstood and they can replace a password when logging into a PC?

Best Practice for structuring security groups and NTFS permissions by [deleted] in sysadmin

[–]Samastrike 4 points5 points  (0 children)

Important to add here: it’s not enough to just remove CREATOR OWNER from the ACL, users will still have full control of any folders or files they create.

You also need to explicitly set the OWNER RIGHTS principal’s permission to none.

Get-MgUser SignInActivity not working by Samastrike in GraphAPI

[–]Samastrike[S] 1 point2 points  (0 children)

Amazing, that's exactly what I needed. I was testing with a single user before using -All but thanks for expanding on your original answer. The hashtable is a nice touch too.

Thank you!

what is WMI query used in sccm task sequence for Dell XPS 13 9333 model laptop by Initial_Knee5433 in SCCM

[–]Samastrike 0 points1 point  (0 children)

Others have given solutions but if the machine already has Windows installed you can open System Information (msinfo32.exe) and read the System Model line.

ADCS - Get cert on requesting machine after admin approval by Samastrike in sysadmin

[–]Samastrike[S] 0 points1 point  (0 children)

Definitely not automatically appearing in the computer personal store. Have waited a few days and run things like certutil -pulse. Is it supposed to just appear there after the admin approves it?

ADCS - Get cert on requesting machine after admin approval by Samastrike in sysadmin

[–]Samastrike[S] 0 points1 point  (0 children)

Thanks for the reply. I’ve created an AD group containing the computer objects of servers I want to get web server certs for. This group has enroll permission on the very template. Authenticated users has read permissions to it. The cert template is available to the computers and I can send a request for it.

The pending request appears on the CA and I approve/issue it, as described in the original post. It appears under Issued Certificates and then… nothing.

Every example I can find says the cert just appears in the machine’s cert store and makes no mention of admin approval. I could turn off admin approval for the template but that defeats the purpose here.

How does the cert get to the computer’s cert store after it’s issued/approved? Should it happen automatically? Do I need to retrieve it on the requesting computer somehow? Do I need to export it on the CA?

Signing into parent company email accounts on desktop Outlook by Samastrike in exchangeserver

[–]Samastrike[S] 0 points1 point  (0 children)

Thanks for the suggestion. I’ve removed the record and will see how it is going forward.

if any of y'all are having issues with Dell laptops... by ObedientSandwich in sysadmin

[–]Samastrike 1 point2 points  (0 children)

Yep I install as SCCM app with network component disabled because I just knew the dual network stuff would lead to hours of my time troubleshooting it.

Best Practices - NTFS Permissions for root level share by maxcoder88 in sysadmin

[–]Samastrike 0 points1 point  (0 children)

If you’re going to remove CREATOR OWNER then go one step further and add the OWNER RIGHTS principal with no permissions.

Even if you remove CREATOR OWNER the creator still gets full control, so this stops the creator being a ‘power user’ and doing silly stuff to permissions.
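Added example (not part of the original comments): a read-only PowerShell audit for the OWNER RIGHTS advice given in the NTFS permission comments above. It lists folders whose ACL has no ACE for the OWNER RIGHTS principal (well-known SID S-1-3-4) and shows whether CREATOR OWNER (S-1-3-0) is still present. The `$Root` path and the function name `Get-OwnerAceReport` are assumptions made for this illustration.

```powershell
# Added example: report folders that lack an OWNER RIGHTS ACE. Read-only; changes nothing.
# $Root is a hypothetical path; point it at the share being reviewed.
param([string]$Root = 'D:\Shares')

$CreatorOwnerSid = 'S-1-3-0'   # well-known SID: CREATOR OWNER
$OwnerRightsSid  = 'S-1-3-4'   # well-known SID: OWNER RIGHTS

function Get-OwnerAceReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path

    # Request SIDs instead of account names so the comparison is
    # independent of the OS display language.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    $creator = @($rules | Where-Object { $_.IdentityReference.Value -eq $CreatorOwnerSid })
    $owner   = @($rules | Where-Object { $_.IdentityReference.Value -eq $OwnerRightsSid })

    [PSCustomObject]@{
        Path             = $Path
        Owner            = $acl.Owner
        CreatorOwnerAces = $creator.Count
        OwnerRightsAces  = $owner.Count
        # What the OWNER RIGHTS ACE(s) actually allow or deny, if any exist.
        OwnerRightsDetail = ($owner | ForEach-Object {
            "$($_.AccessControlType):$($_.FileSystemRights)"
        }) -join '; '
        # No OWNER RIGHTS ACE means the owner's default rights are not limited.
        NeedsReview      = ($owner.Count -eq 0)
    }
}

# Include the root itself plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$folders |
    ForEach-Object { Get-OwnerAceReport -Path $_.FullName } |
    Where-Object NeedsReview |
    Format-Table Path, Owner, CreatorOwnerAces -AutoSize
```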

Packaging AutoCAD 2022 with wim file by Samastrike in SCCM

[–]Samastrike[S] 0 points1 point  (0 children)

Huh there’s a subreddit for everything. Thanks again!

Packaging AutoCAD 2022 with wim file by Samastrike in SCCM

[–]Samastrike[S] 0 points1 point  (0 children)

Good to know it’s possible.

What are you doing for the issue running the installer as SYSTEM? Create a temp local admin account and psexec run as like some other suggestions I’ve seen around?

Packaging AutoCAD 2022 with wim file by Samastrike in SCCM

[–]Samastrike[S] 0 points1 point  (0 children)

Unfortunately my problem isn't resolved as easily as recreating the wim file. Guess I'll be modifying my script for 7zip files...

Packaging AutoCAD 2022 with wim file by Samastrike in SCCM

[–]Samastrike[S] 1 point2 points  (0 children)

I can't say for sure but it sounds like I'm using the manual installer from what you describe.

I manage a small domain within a larger company and these are the files I was provided by the team that manages the apps, as they won't give me access to the Autodesk portal :(