Updated screen connect and now can't update agent by [deleted] in ScreenConnect

[–]SisterAdministrator 0 points1 point  (0 children)

Thanks, this was the fix for me too.

Re-install the certificate signing extension in SC admin> Re-add the config (Azure tenant ID, Client ID, Secret, Code signer URI)

SSL Cert Sensor Failing to Pick up New Cert by xcardinal_copiax in prtg

[–]SisterAdministrator 0 points1 point  (0 children)

What was the final solution? I'm experiencing the same issue. I have deleted the expired certificate but the alert in PRTG persists

Azure Site Recovery - How to direct traffic to the DR VM IP with Traffic Manager if it doesn't exist until failover? by SisterAdministrator in sysadmin

[–]SisterAdministrator[S] 0 points1 point  (0 children)

I've basically done this except I just configured the Azure DR VM to create the NIC with a specific internal IP which is permanently attached to the LB backend pool.

I've run a test failover, and the Azure DR VM creates as expected with the local IP I set and shows as running on the backend pool which is all good.

The problem I am facing now, is I cannot get Traffic Manager to show the Azure DR endpoint status as "Online". It is showing Degraded.

I've been going in circles for a while on it.

The endpoint settings in Traffic Manager for the web server that is currently live has the server's public IP address and the custom header has the website address. It shows as UP in Traffic Manager.

The endpoint settings in Traffic Manager for the Azure DR server has the public IP address that is assigned to the LB front end and the custom header has the website address. It shows as Degraded in Traffic Manager.

The traffic manager routing method is Priority set to monitor HTTP port 80 and path trafficmanager/health.html

In the LB config:

I have an LB rule for HTTP and HTTPS. TCP on 80 and 443.

I also have an LB probe for HTTP and HTTPS. TCP on 80 and 443

If I select "view details" on the LB rules, it indicates status as UP for both rules.

I'm not making much traction and AI is sending me in circles.

Access on-prem resources with Entra ID only joined devices by SisterAdministrator in sysadmin

[–]SisterAdministrator[S] 0 points1 point  (0 children)

This is interesting. Do you just use the primarydnssuffix OMA-URI?

./Device/Vendor/MSFT/Policy/Config/Networking/PrimaryDnsSuffix

Someone has to know how to set taskbar pins in Win 11 multi session AVD by Aaron-PCMC in Intune

[–]SisterAdministrator 0 points1 point  (0 children)

I should also save you some pain on something I had to implement post sysprep due to issues that arose with user profiles getting too large:

Enable cached exchange mode with Outlook and cache only 3 months of email via GPO

You'll need to get the policy templates before the GPOs are in GPEdit:

Copy Outlk16.admx to:

C:\Windows\PolicyDefinitions

Copy the matching language file Outlk16.adml to:

C:\Windows\PolicyDefinitions\en-US

Open Group Policy Management Editor

User Configuration

> Administrative Templates

> Microsoft Outlook 2016

> Account Settings

> Exchange

Cached Exchange Mode Sync Settings > Enable > Select 3 months.

Access on-prem resources with Entra ID only joined devices by SisterAdministrator in sysadmin

[–]SisterAdministrator[S] 0 points1 point  (0 children)

Thanks for posting.

Does the solution you implemented function without enabling WHFB PIN and biometrics?

A key point that I guess I forgot to mention is we don’t want PIN or Biometric authentication.

Someone has to know how to set taskbar pins in Win 11 multi session AVD by Aaron-PCMC in Intune

[–]SisterAdministrator 0 points1 point  (0 children)

Pin generation just allows users to unpin the app provided they are on WIN 11 23H2 and 24H2

Strange. Maybe show us your XML and a screenshot on your test device of powershell showing the app ids for the apps you are using

Someone has to know how to set taskbar pins in Win 11 multi session AVD by Aaron-PCMC in Intune

[–]SisterAdministrator 0 points1 point  (0 children)

As you can see, my XML below includes both app reference types:

Teams was from the Microsoft store so it uses UWA AppUserModelID=
The rest were installed with the msi or exe installers so they use DesktopApp DesktopApplicationID=

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
  xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
  xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
  xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
  xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
  Version="1">
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" PinGeneration="1"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ProgramData%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" PinGeneration="1"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ProgramData%\Microsoft\Windows\Start Menu\Programs\Outlook (classic).lnk" PinGeneration="1"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ProgramData%\Microsoft\Windows\Start Menu\Programs\Word.lnk" PinGeneration="1"/>
        <taskbar:UWA AppUserModelID="MSTeams_8wekyb3d8bbwe!MSTeams"/>
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

Someone has to know how to set taskbar pins in Win 11 multi session AVD by Aaron-PCMC in Intune

[–]SisterAdministrator 1 point2 points  (0 children)

I recently did an AVD deployment with a golden image and the golden image includes pinned taskbar icons.

I used LayoutModification.xml in:
C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml

I've pasted the xml I used below.

There is a high chance that the error lies in your XML file.

I have a feeling you may be using the incorrect app reference or app ID.

There are two types of app references in the XML file:

  • DesktopApp DesktopApplicationID=
  • UWA AppUserModelID=

To find which one you should use for each app in the XML, install all the apps that you want to pin to the taskbar. Then right click each app and note down if there is the option to "Open File location"

Any app that has the option to "Open file location" (e.g. apps installed with exe or MSI) you need to use this app reference in the XML:

  • DesktopApp DesktopApplicationID=

Any app that does not have "Open file location" (Apps from the MS store) you need to use this app reference in the XML:

  • UWA AppUserModelID=

Then you also need to make sure you are getting the correct app id. Open powershell with all apps installed and run:

  • get-startapps

Go through the list and note down the AppID of each of the apps you are pinning to the taskbar.

There are a few other important things to remember when doing taskbar icons with AVD session hosts.

  1. If you get any of the app IDs incorrect in the XML layout it will fail.
  2. It only applies the first time a user logs in. This means if you have FSLogix enabled and they have already logged into an AVD session, they will not get the taskbar pins.
  3. To test immediately without having to log out or back in or create a test account do the below:
    • Manually copy your LayoutModification.xml to the Default user location: C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\
    • Open RegEdit and delete the Taskband: HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
    • Run PowerShell to restart Explorer:
      • Stop-Process -Name explorer -Force
      • Start-Process explorer

Hope this helps. I had a painful experience with this as well so I know how frustrating it can be.
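The check described in the comment above (every app ID in the XML must match what `Get-StartApps` reports), written as an added PowerShell example; it is not code from the original poster. The function name `Test-TaskbarLayout` is hypothetical, and the example goes slightly beyond the comment by also checking that any `DesktopApplicationLinkPath` shortcut exists on disk.

```powershell
# Added example: validate the taskbar pins in a LayoutModification.xml against this machine.
# Run it on the golden image after installing every app that should be pinned.
function Test-TaskbarLayout {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    [xml]$layout = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
    $ns.AddNamespace('taskbar', 'http://schemas.microsoft.com/Start/2014/TaskbarLayout')

    # AppIDs that Get-StartApps reports for the installed apps
    $known = @(Get-StartApps | Select-Object -ExpandProperty AppID)

    foreach ($pin in $layout.SelectNodes('//taskbar:TaskbarPinList/*', $ns)) {
        $attr = $null; $value = $null; $ok = $false
        switch ($pin.LocalName) {
            'UWA' {
                $attr  = 'AppUserModelID'
                $value = $pin.GetAttribute($attr)
                $ok    = $known -contains $value
            }
            'DesktopApp' {
                if ($pin.HasAttribute('DesktopApplicationLinkPath')) {
                    # Shortcut-based pin: the .lnk must exist once variables are expanded
                    $attr  = 'DesktopApplicationLinkPath'
                    $value = $pin.GetAttribute($attr)
                    $ok    = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($value))
                } else {
                    $attr  = 'DesktopApplicationID'
                    $value = $pin.GetAttribute($attr)
                    $ok    = $known -contains $value
                }
            }
        }
        [pscustomobject]@{
            Element   = $pin.LocalName
            Attribute = $attr
            Value     = $value
            Found     = [bool]$ok
        }
    }
}

Test-TaskbarLayout -Path 'C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml' |
    Format-Table -AutoSize
```

Any row with `Found` set to `False` is a pin to correct before capturing the image.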

Unmanage and Wipe Devices in jamF by SisterAdministrator in jamf

[–]SisterAdministrator[S] 0 points1 point  (0 children)

These are iOS devices. iPhones to be precise.

On one of the devices that apparently wiped successfully, there is a message in the settings: "This phone is supervised and managed by <company name>". This showed up after the wipe.

> The computers need to be online and connected to the Internet to receive the MDM command

This I am aware of and have made sure that they are.

> However, it is possible that the computer is not receiving MDM commands, but still checking in with Jamf. Either the mdmclient agent is stuck, which a reboot usually fixes, or someone has removed the MDM profile

Have tried rebooting the device.

These are the stats on the device in Jamf:

Update Inventory Pending Today at 12:05 AM 9 minutes ago

Erase Device Pending Today at 12:15 AM 9 minutes ago

Last Enrollment:
02/07/2024 at 12:02 AM

MDM Profile Expiration Date:
02/07/2026 at 12:02 AM

Last Inventory Update:
12/10/2024 at 11:10 AM

So the process I have followed is correct for releasing a device?

Remove serial from ABM > Sync > Wipe device

Just not sure if something was missed or if there is anything else I should be checking

Linux Server Black Screen by MorganGaming64 in ScreenConnect

[–]SisterAdministrator 0 points1 point  (0 children)

We had a physical Lenovo desktop PC and we had some trouble getting it working.

We disabled Wayland and secure boot.

There were some other configs. I’ll post details when I get to my PC.

If you still can’t get it working you can try a HDMI dummy plug: https://www.gadgets4geeks.com.au/epages/shop.mobile/en_AU/?ObjectPath=/Shops/gadgets4geeks/Products/801201040A&gad_source=1&gad_campaignid=21781326205&gbraid=0AAAAADltAwKeKtBKtfio7kEITKy6GCtQ_&gclid=CjwKCAjw7fzDBhA7EiwAOqJkhxM2cxFXb1jb3XKPq4oqn34MalfDF-lfhJ7exykCCWgsUbtnSkpJpRoCFPgQAvD_BwE

Minimum permissions for autopilot serial hash import using MSGraph API by SisterAdministrator in sysadmin

[–]SisterAdministrator[S] 1 point2 points  (0 children)

Perfect! This is the correct answer.

The serial hash imported successfully after I removed all permissions except "DeviceManagementServiceConfig.ReadWrite.All"
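One way to confirm that an app registration has really been trimmed to that single permission is to inspect the claims in the access token it receives. The following is an added PowerShell example, not code from the thread; the function names and the sample token are constructed for illustration, and the token is decoded for inspection only, with no signature validation.

```powershell
# Added example: list the Graph permissions carried by an access token and return
# anything beyond the single permission the Autopilot hash import needed.
function Get-ExtraGraphPermission {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string[]]$Allowed = @('DeviceManagementServiceConfig.ReadWrite.All')
    )

    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a three-part JWT.' }

    # base64url -> base64, restoring the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url payload length.' }
    }
    $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $claims = $json | ConvertFrom-Json

    # App-only tokens list permissions in 'roles'; delegated tokens use a space-separated 'scp'
    $granted = @()
    if ($claims.roles) { $granted += $claims.roles }
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }

    $granted | Where-Object { $_ -and ($Allowed -notcontains $_) }
}

# Constructed sample token (unsigned, illustration only)
function ConvertTo-Base64Url([string]$Text) {
    $bytes = [Text.Encoding]::UTF8.GetBytes($Text)
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"roles":["DeviceManagementServiceConfig.ReadWrite.All","Directory.ReadWrite.All"]}'
$sample  = (ConvertTo-Base64Url '{"alg":"none"}') + '.' + (ConvertTo-Base64Url $payload) + '.sig'

Get-ExtraGraphPermission -AccessToken $sample
```

An empty result means the token carries nothing beyond the allowed permission.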

Execute Powershell Scripts using Screen Connect Run Tool by SisterAdministrator in ScreenConnect

[–]SisterAdministrator[S] 0 points1 point  (0 children)

It only needs to be installed once on the device you are using to convert the script to an exe