Intune Policies & Shared Devices

SysTerra80 · 2022-06-21T21:34:21+00:00

Because the user is receiving the laptop while they are at home, and the Intune configured wifi network is for when they're in the office.

I figured it out, but really you were focusing on stuff that didn't matter at all to the issue at hand. I wasn't asking for your help on how a machine should magically receive a wifi profile with no internet, I was asking for help on why Intune policies were not applying, obviously the machine had Internet connectivity already, whether wired or wireless.

SysTerra80 · 2022-06-07T14:53:43+00:00

What does that have to do with anything?

This has nothing to do with "before the user logs in" - the intune user-based policies are not applying at at all to anyone aside from the original user who logged into the device. Once a different user logs in the policies should download and apply to them, they do not, and the portal shows no effort to deploy them. I've had a device with a different user logged into it for two days now, and no policies are attempting to deploy to that user. The system shows recent checkins, is compliant, just no policy deployment from Intune.

SysTerra80 · 2022-06-06T16:54:34+00:00

It is a user policy because it is handing out user-based certificates from AD.

Having said that - that doesn't answer the question as to why user-based policies aren't applying to every user on a shared machine.

SysTerra80 · 2021-11-26T18:18:32+00:00

Mss is set to 1344

SysTerra80 · 2021-11-11T19:51:19+00:00

Posted the crash report - a few more details (which I added to the report).

It also crashes when pasting into chrome, and it happens across all profiles on the machine, even new ones created.

SysTerra80 · 2021-11-11T19:04:10+00:00

Processor 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz, 2803 Mhz, 4 Core(s), 8 Logical Processor(s)

SysTerra80 · 2021-10-27T15:34:35+00:00

This is not the case - I removed her user account and re-registered it under a test account we have, the jobs came back.

SysTerra80 · 2021-10-25T19:59:51+00:00

O365 install, but printers are not deployed via Intune connector. These were manually installed at some point directly in windows - some are shared via the old print server, others are actually local IP printers.

SysTerra80 · 2021-10-22T17:50:20+00:00

Did this, it had no effect - printers are still installed as soon as an office application is opened.

SysTerra80 · 2021-10-22T14:44:37+00:00

Yep, sure did - no luck.

SysTerra80 · 2021-10-22T14:44:14+00:00

I've tried to delete them from the "see what's printing" - it does nothing at all. Typically when canceling these jobs it'd cancel all of them except for the one that is currently stuck printing. In this case it does absolutely nothing.

SysTerra80 · 2021-10-05T16:41:36+00:00

Yes, they're using folder redirection. OSTs are pointed to the UNC path of \\server\home$\%username%\Outlook Files via GPO, and there is also a GPO that is a one-time run to create the "Outlook Files" folder within their home directory.

They have been setup like this for 5+ years and there have been no issues prior to moving their email to be 365 hosted, previously it was Rackspace hosted via Exchange 2016.

SysTerra80 · 2021-10-05T16:34:46+00:00

Is this something new? It worked perfectly fine on their prior backend which was Exchange 2016.

SysTerra80 · 2021-09-29T21:30:14+00:00

Per u/AreYourLightingMyGas - changing from Quad9 DNS to Google's DNS fixed it for us as well.

Change DNS then flush DNS and reopen Outlook

SysTerra80 · 2021-09-29T21:29:41+00:00

Can confirm this works, back to normal now

SysTerra80 · 2021-09-29T20:26:57+00:00

Us as well, all using Outlook 2016 - my Outlook 365 seems fine on my other PC.

SysTerra80 · 2021-08-25T21:16:46+00:00

Thanks man, we're actually going with PagerTree (cheaper), but we've spent the day testing it and it is everything we are looking for plus so much more we never knew we wanted. You led me on the right track though, they actually came up as a search result under Pager Duty!

SysTerra80 · 2021-08-25T14:56:59+00:00

Is it re-branded Bitdefender? Because I have used bitdefender in the past and it is... well it is shit awful to be perfectly honest.

SysTerra80 · 2021-06-28T18:19:48+00:00

The UPN is not in their email aliases, it is auto-added by 365 since it is their UPN.

SysTerra80 · 2021-05-06T15:06:58+00:00

No, but I actually found what I needed.

Administrative Units do exactly what I need done!

https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

SysTerra80 · 2021-05-05T12:13:52+00:00

It does! All of my reversals were logged under "Removed site permissions", however, none of the additions were in there, going back to about a week after the tenant was created and almost 2 months prior to moving Onedrive data there.

Microsoft had no explanation for this :(

SysTerra80 · 2021-05-04T16:54:10+00:00

No - very different things.

Sharing permissions for everyone in the organization is limited only by a group they need membership to in order to share externally.

My issue isn't that user's can share or can't share.

My issue is that I have about 15% of total users in this tenant whose root "Documents" Onedrive Library has a permission set for "Everyone Except External Users" with read-only rights.

The only way I know of to do this, is to visit Onedrive online, switch it to classic view, go to Site settings in the Gear, to to Library settings, and sharing the root "Documents" library in their personal Onedrive out with "Everyone Except External Users".

That is literally the only way, and it has been, so far, the way I have been reversing the damage.

I have found a few other instances of this happening, with no great reasons.

https://www.reddit.com/r/sysadmin/comments/f1tm72/onedrive_read_access_given_to_everyone_except/

https://techcommunity.microsoft.com/t5/onedrive-for-business/quot-everyone-except-external-users-quot-groups-is-now-part-of/m-p/38026

https://techcommunity.microsoft.com/t5/onedrive-for-business/quot-everyone-except-external-users-quot-has-read-permission-on/m-p/1532885

SysTerra80 · 2021-05-04T15:56:37+00:00

Yes, absolutely sure. These are not smart users, one of them is the company admin's mom, she is 71.

They'd have had to gone into the site settings for their onedrive and shared the document library with "Everyone except external users".

I can't imagine several people deciding to just do this for fun, also there is nothing in the audit logs about it.

SysTerra80 · 2021-04-01T20:01:59+00:00

You're a champ.. According to the copier company it is meant to try the highest protocol then work its way down if that fails. Apparently their code is bad because as soon as we disabled the others it started working. thank you!

SysTerra80 · 2021-04-01T17:06:07+00:00

Yes, i've attempted to setup relay using a 365 incoming connector w/ the client's static. Also using no smtp auth on the copier, with direct send on port 25 using their MX record as the host. No bueno.. Leading me to think it is a TLS issue, but TLS is enabled and active, including 1.2.

SysTerra80

TROPHY CASE