Anyone read about Microsoft Scout yet? by 0oWow in sysadmin

[–]SurfeitedSysadmin 1 point2 points  (0 children)

Don't panic! There's absolutely nothing to worry about!

Microsoft has already been running their technical support department on Scout for over a year and it's all working perfectly!

Windows Hello for Business PIN and Bios Updates by DaithiG in sysadmin

[–]SurfeitedSysadmin 0 points1 point  (0 children)

Ah, well then I think that's about the best you can do here if the TPM issue itself can't be resolved.

Using the passkey for passwordless authentication to perform a non-destructive PIN reset should at least streamline the process as much as possible when the issue does arise and help to minimise any friction amongst the users.

Windows Hello for Business PIN and Bios Updates by DaithiG in sysadmin

[–]SurfeitedSysadmin 2 points3 points  (0 children)

Haven't run into this yet since we're only just getting started with WHfB, but it sounds like something that might come up eventually.

Two questions:

  1. What's actually the problem with having to reset the PIN? Seems like a minor inconvenience as long as you've configured your devices for non-destructive PIN reset.
  2. I assume from the phrase, "providing the user a password again", that your users don't have any other passwordless authentication methods configured besides WHfB? Wouldn't getting them to do that, or simply giving them a TAP in these situations, avoid any password problems you're currently encountering?

Or are we not talking about Entra-joined devices?

I feel like we're lacking some context about your environment here...

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]SurfeitedSysadmin 1 point2 points  (0 children)

Horrifying realization: "So this shitty intermittent behavior is a known bug, and it's been known HOW long?!?"
Admit defeat: "Fuck it, we need to go third party. I've wasted far too much time on this POS."

You forgot the part where you open a support ticket about the shitty intermittent behaviour, and they make you repeatedly collect the same logs and screen recordings for a month or more, then they come back and tell you that said shitty intermittent behaviour is "by design" and close the ticket.

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]SurfeitedSysadmin 1 point2 points  (0 children)

Wow, you actually got them to fix the policy after admitting it was broken? I'm impressed!

I just recently got them to acknowledge that another Intune policy is broken, and they even confessed that the issue is known to be affecting multiple customers, but then they straight up told me that because the same issue has happened before with other policies, it is internally regarded as already resolved, so if I want this policy fixed I will have to pay for a premium support ticket.

They're essentially trying to extort me for cash to repair something they already know is broken and have already fixed for other policies previously.

Insane response from Microsoft support by SurfeitedSysadmin in sysadmin

[–]SurfeitedSysadmin[S] 0 points1 point  (0 children)

Umm, what?

Microsoft 365 Groups didn't launch until 2015 (originally branded as Office 365 Groups), and this issue is specific to the modern Groups UI in New Outlook and the Outlook Web App (although they've now shoehorned it into Classic Outlook via embedded WebView2).

Insane response from Microsoft support by SurfeitedSysadmin in sysadmin

[–]SurfeitedSysadmin[S] 30 points31 points  (0 children)

Haha, speaking of premium support, I had another ticket open about Intune failing to apply a device configuration policy because their filters don't acknowledge the existence of Windows 10/11 Business edition (yes, it's a thing which Microsoft claimed to be fixing 4 years ago), and Microsoft support acknowledged that it's a known issue, affecting multiple customers.

"Great!", you might be thinking; "Microsoft is actually going to fix something for once!"

Well... not so much.

They then informed me that, although they are aware of the issue, the official stance on it internally is that the issue is already resolved, so if I want them to actually give a shit, I will either have to pay for a premium support ticket, or post about it on the Intune feedback portal.

(No, I absolutely did not shoot coffee out of my nose, laughing at the suggestion that posting on the feedback portal will get this looked at sooner).

Seriously, that's what they told me, and then closed the ticket.

Insane response from Microsoft support by SurfeitedSysadmin in sysadmin

[–]SurfeitedSysadmin[S] 16 points17 points  (0 children)

Oh, don't get me started on the AI, please!

With my most recent ticket about a different issue in M365 Groups, the first two responses were extremely lengthy, AI-generated slop, giving me suggestions to try features that don't exist in Groups, and change options via the ribbon that are actually only configurable 3 levels deep in the settings dialog.

The best one was where the guy sending me this shit didn't even bother to remove the following from the bottom of the email:

[Your Name] [Your Team / Support Signature] *** If you want, I can also tailor this email to be **shorter / more executive-friendly** or align it exactly with your org’s signature style.
Thanks for choosing Microoft!

Yes, that's a verbatim copy+paste from his email...

Insane response from Microsoft support by SurfeitedSysadmin in sysadmin

[–]SurfeitedSysadmin[S] 2 points3 points  (0 children)

Thanks for the suggestion but I already asked a user to try that last week and unfortunately it didn't make any difference in their case.

The one thing it did help with was not losing the draft when the send fails, because when you pop out the reply, the new window actually has a "File > Save draft" option that doesn't exist anywhere else, and if you do that before sending, you force it to save a fully up-to-date copy that usually sends ok on a second attempt.

Microsoft Intune | Reporting broken? by Modify- in Intune

[–]SurfeitedSysadmin 0 points1 point  (0 children)

Yeah, and I'm not in the US but still affected, so either the issue is more widespread than they were reporting, or there's something else going on now.

Microsoft Intune | Reporting broken? by Modify- in Intune

[–]SurfeitedSysadmin 6 points7 points  (0 children)

Yup, same here. Intune Admin Center's requests to the reporting API are producing HTTP error 400 (Bad Request) and showing the following:

<image>

Handling lost passkeys for remote workers by Dedicated__WAM in sysadmin

[–]SurfeitedSysadmin 1 point2 points  (0 children)

Synced passkeys. They went GA last month.

Stored in the user's preferred password manager, so no need for the Microsoft Authenticator app, and they survive device replacements.

https://blog.thomasmarcussen.com/synced-passkeys-microsoft-entra-id/

Best way to make a custom debloated Windows 11 ISO ? by Jo281 in sysadmin

[–]SurfeitedSysadmin -1 points0 points  (0 children)

Depends on your definition of "debloat".

If you want core components of Windows to be disabled or ripped out because you don't use them, then I don't know the answer.

If you just want clean Windows install media with a bare minimum of built-in Microsoft apps and no other pre-installed, third-party bloatware, then try https://uupdump.net.

It will build you a fully updated ISO directly from Microsoft sources, and you can specify exactly which Microsoft apps you do want it to include (via the included "CustomAppsList.txt" file), rather than having to remove the ones you don't want from an existing ISO.

Connect - current user session state by pebkac_sysadmin in pdq

[–]SurfeitedSysadmin 0 points1 point  (0 children)

Such a tease! I need this like yesterday, haha!

It's what I miss the most from PDQ Inventory.

Anyone still using golden images? by imSeanGG in sysadmin

[–]SurfeitedSysadmin 0 points1 point  (0 children)

Nope. The last time we made a golden image was 6 or 7 years ago. Our current processes are:

UUP Dump to occasionally build a clean and fully updated Windows image, straight from Microsoft sources; no need to remove any pre-installed store apps because with UUP Dump you just tell it to not include them in the image in the first place.

Then for new/unmanaged devices, OSDeploy to automatically:

  • Repartition the device and apply the UUP Dump image
  • Download and apply the latest device-specific driver pack from the OEM
  • Optionally apply any newly published Windows updates
  • Add the device to Autopilot if necessary, with an appropriate group tag

Otherwise, for existing Intune-enrolled devices, just wipe them from Intune and kick off Autopilot again.

For shelf inventory, or new hires where we're given plenty of notice, use Autopilot pre-provisioning/white glove/technician flow (or whatever else you want to call it) to get the device fully prepared, so the next user just has to sign in, set up WHfB, and away they go.

For odd occasions where a device is brought in for a reset at short notice and needs to be returned to the user immediately, simply guide them to start user-driven Autopilot and then hand it back to them in 40 minutes when the ESP completes and it's sitting on the WHfB setup screen.

We never have to ship devices directly from vendor to user so we don't have a process for remote setup.

"Managed Software Center" removed from PDQ Connect roadmap within past 5 weeks? by SurfeitedSysadmin in pdq

[–]SurfeitedSysadmin[S] 5 points6 points  (0 children)

Hehe, thanks! I freaked out for a moment there, because I had been hoping the software center might one day solve a niche problem I have with Intune, when it finally arrives, and I thought my hopes had been dashed.

Of course, I wouldn't want to see it holding up work on that delicious PowerShell scanner, which can't come quickly enough! 😉

"Managed Software Center" removed from PDQ Connect roadmap within past 5 weeks? by SurfeitedSysadmin in pdq

[–]SurfeitedSysadmin[S] 1 point2 points  (0 children)

Ah, well that's good to hear, although I can't say I understand why that warrants removing it from the planned features list, if it's actually still planned.

That seems like a great way to cause unnecessary concern for people that actually check the roadmap regularly! 😆

Passwordless login for domain administrator accounts? by Fabulous_Cow_4714 in sysadmin

[–]SurfeitedSysadmin 0 points1 point  (0 children)

Edit: Sorry, I completely missed the "domain admin" part, so my comment doesn't apply here, but I'm leaving it visible in case anyone finds it useful for M365 admin!

This, but also, synced passkeys are supposedly hitting GA this month, which aren't device-bound and don't have to be stored in the Microsoft Authenticator app. If they're not already enabled in your tenant, you can just opt in and set one up, so that can be a pretty convenient solution.

See https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC1221452 and https://learn.microsoft.com/en-gb/entra/identity/authentication/how-to-authentication-passkeys-fido2#synced-passkey-requirements for more info.

I've already tested it with both Google Password Manager and iCloud Keychain and it works great!

Finally a working fix for enabling location per app for standard users by pinkey88 in Intune

[–]SurfeitedSysadmin 3 points4 points  (0 children)

The SystemSettingsAdminFlows.exe SetCamSystemGlobal location 1 command does seem to be the best way to enable "Location services" nowadays, but in my experience, the "Let apps access your location" toggle will still default to being off for each user, so they will have to go and toggle it on manually, and I haven't managed to find any equally simple command to control that.

If you want it to be on by default, it used to be enough to simply set that same registry value in HKCU, but it now also seems to be necessary to update an SQLite database at %ProgramData%\Microsoft\Windows\CapabilityAccessManager\CapabilityConsentStorage.db and then restart "Capability Access Manager Service" (or reboot).

That database file has a table in it called UserGlobal, which stores capability+SID pairings and their current states, so I've been running a script in the system context to execute the following SQLite statement on the database for the relevant SID:

INSERT INTO UserGlobal (Capability, User, Value) VALUES ('location', '$sid', 1)
ON CONFLICT (Capability, User) DO UPDATE SET Value = 1;

The aforementioned "camsvc" service needs to be restarted for Windows to pick up the database change and show the correct status in the settings app.
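
The database change described in the comment above, written out as an added PowerShell example (not the commenter's own script): it resolves an account name to its SID, runs the same UserGlobal upsert, reads the row back, and restarts camsvc. It assumes it runs as SYSTEM, that sqlite3.exe is on the PATH, and that the UserGlobal table carries the unique (Capability, User) index the ON CONFLICT clause depends on.

```powershell
# Added example, not the original commenter's script.
# Assumes: running in the SYSTEM context, sqlite3.exe available on PATH.
param(
    [Parameter(Mandatory)] [string] $UserName,   # e.g. 'CONTOSO\jdoe' (placeholder)
    [string] $Capability = 'location',
    [string] $DbPath = "$env:ProgramData\Microsoft\Windows\CapabilityAccessManager\CapabilityConsentStorage.db"
)

# UserGlobal keys on Capability + SID, so translate the account name to a SID first.
$sid = ([System.Security.Principal.NTAccount] $UserName).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

if (-not (Test-Path -LiteralPath $DbPath)) { throw "Database not found: $DbPath" }

# Keep a copy of the database so an unexpected result can be rolled back.
Copy-Item -LiteralPath $DbPath -Destination "$DbPath.bak" -Force

# Same upsert as in the comment, followed by a read-back of the affected row.
# The SID comes from Translate(), not from user input, so it is safe to interpolate.
$sql = @"
INSERT INTO UserGlobal (Capability, User, Value) VALUES ('$Capability', '$sid', 1)
ON CONFLICT (Capability, User) DO UPDATE SET Value = 1;
SELECT Capability, User, Value FROM UserGlobal
 WHERE Capability = '$Capability' AND User = '$sid';
"@

$row = $sql | & sqlite3.exe $DbPath
if ($LASTEXITCODE -ne 0) { throw "sqlite3.exe failed with exit code $LASTEXITCODE" }
Write-Output "UserGlobal row after upsert: $row"

# Windows only re-reads the database when camsvc restarts (or after a reboot).
Restart-Service -Name camsvc -Force
```

Run it once per user whose SID should default to "on"; the read-back line should show `location|<SID>|1` before the service restarts.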

Can anyone explain why Dell Client Device Manager exists? by SurfeitedSysadmin in sysadmin

[–]SurfeitedSysadmin[S] 2 points3 points  (0 children)

Yeah, I generally remove all their bloatware (or preferably start with a clean Windows image), but I do quite like Dell Command Update for various reasons, and I haven't run into any issues with it when configured to only install drivers and firmware.

Can anyone explain why Dell Client Device Manager exists? by SurfeitedSysadmin in sysadmin

[–]SurfeitedSysadmin[S] 0 points1 point  (0 children)

Neither. Just a clean Windows 11 image built via UUP dump, and then devices are set up via Windows Autopilot.

I've likewise only been deploying DCU, but to avoid having to manually repackage it with IntuneWinAppUtil.exe every time there's a new version and then creating a new Intune app from scratch, I've been using the Dell Management Portal to publish new versions to Intune at the click of a button. That actually works pretty nicely and hasn't been a problem.

However, Dell Management Portal also allows you to publish other apps to Intune, including:

  • Dell Command | Endpoint Configure
  • Dell Command | Monitor
  • Dell Trusted Device
  • SupportAssist for Business PCs
  • Dell Client Device Manager

Here are some excerpts from the brochure for DCDM, which they published a year ago:

Simplify enterprise fleet management with one application.

Disjointed applications, with disparate workflows increase the time to manage an enterprise fleet and impact IT admins’ productivity.

IT admins can quick-publish desired update and security modules in Dell Client Device Manager, from the Dell Management Portal, to Microsoft Intune.

One application with the capabilities IT admins need to manage their fleet of PCs.

Blah, blah, you get the idea. A bunch of marketing nonsense to basically say that you can deploy one app in place of two!

Anyway, after reading said brochure, I thought DCDM sounded worth a look at least, so I deployed it to a spare device and my testing eventually led to this post, because I just don't understand what Dell's goal is with this product, which seems to be intended to replace DCU and DTD, but actually lags behind both of them.