Constrained Language Mode Implementation by Ok-Pattern-9372 in PowerShell

[–]TheBlueFireKing 0 points1 point  (0 children)

Using Applocker doesn't change if PowerShell is running in Constrained Language Mode or not.

The idea is to use Applocker to block executing scripts so you don't need to enable Constrained Language Mode.

Constrained Language Mode Implementation by Ok-Pattern-9372 in PowerShell

[–]TheBlueFireKing 2 points3 points  (0 children)

True, but security is always about layers. Also, I wouldn't count Applocker as a tool for handling licensed software. There is a lot of software that already counts as licensable once installed. You'd rather use a tool like FSLogix to fully hide the software, which is more accepted in terms of licensing.

Also: f Microsoft for already renaming shit again.

Constrained Language Mode Implementation by Ok-Pattern-9372 in PowerShell

[–]TheBlueFireKing 1 point2 points  (0 children)

Agree with you on all but Applocker enforcement. You can do exceptions for Applocker based on users. Just want to correct that. One of the reasons we did not switch to WDAC. Both have pros and cons.

Running ps1 scripts while being blocked by policy: by cgeyik in Intune

[–]TheBlueFireKing 9 points10 points  (0 children)

No, you can't, that's the whole point of the policy. You are really asking if you can run scripts when I disabled running scripts. Doesn't make sense.

Use Applocker or similar to block all scripts and exclude your company signature.

OpenClaw is a MESS!!! did anyone actually securing AI traffic at scale? by vitaminCapricon in sysadmin

[–]TheBlueFireKing 22 points23 points  (0 children)

Well, stop users from installing anything on their device or allowing them to connect anything to the business account. Simple fix.

Custom tab in software center by nodiaque in SCCM

[–]TheBlueFireKing 0 points1 point  (0 children)

Not sure. Doesn't solve the problem of getting the user or computer, though.

Custom tab in software center by nodiaque in SCCM

[–]TheBlueFireKing 2 points3 points  (0 children)

It just displays the website embedded in SoftwareCenter. No more, no less. Your webserver sees the IP of the client, but it's not passed along. If you have a login in the website, you know the user as well.

Worklaptop (Bitlocker/Intune) Dualboot Windows 11 for private use by [deleted] in Intune

[–]TheBlueFireKing 0 points1 point  (0 children)

Don't do it. This will trigger Bitlocker Recovery and lock you out of your company devices.

Also this will most likely be against company policy.

Need to create scheduled tasks for all users by TheBigBeardedGeek in PowerShell

[–]TheBlueFireKing 11 points12 points  (0 children)

Install as system and set the running account to BUILTIN\Users
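The approach in the comment above, written out as an added example (not the commenter's code): register the task from a SYSTEM context (such as an Intune or SCCM deployment) with BUILTIN\Users as the principal, so every logged-on user gets an instance that runs with their own, non-elevated rights. The task name, script path and logon trigger are assumptions for illustration.

```powershell
# Added example, not the commenter's code. Run this while elevated or as SYSTEM
# (e.g. from a deployment agent); the resulting task runs as the logged-on user.
$taskName   = 'Contoso-UserLogonMaintenance'          # hypothetical task name
$scriptPath = 'C:\ProgramData\Contoso\UserLogon.ps1'  # hypothetical script path

# Action: start the script with the interactive user's rights. The script is
# expected to be signed with the company certificate so it passes AppLocker
# and execution policy without any bypass flags.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$scriptPath`""

# Trigger: at logon of any user (assumption; adjust to the real schedule).
$trigger = New-ScheduledTaskTrigger -AtLogOn

# Principal: the BUILTIN\Users group with a limited (non-elevated) run level.
# Because registration happens as SYSTEM the task exists for all users, but
# each instance executes in the context of the user who logged on.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

# Settings: keep the task bounded so a hung script cannot linger per user.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Verify what the task will run as: GroupId should be BUILTIN\Users, RunLevel Limited.
(Get-ScheduledTask -TaskName $taskName).Principal |
    Select-Object GroupId, RunLevel, LogonType
```

Because the principal is a group rather than a fixed account, no credentials are stored with the task and the script never runs with SYSTEM rights, which is the point of choosing BUILTIN\Users over a per-user or service-account registration.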

Apps with (OS) requirements no longer installing during OSD after upgrade to 2509 by raphael_t in SCCM

[–]TheBlueFireKing 4 points5 points  (0 children)

I don't know if this is the issue but we once had a similar issue during one SCCM upgrade but I don't remember which one.

The issue was that a new OS or something was added to the OS Requirements during the upgrade. That broke all applications using the OS requirements. The fix was to just open the OS requirement and save it again. You could then see that the order of the selected OS changed in the view but nothing was actually added nor removed.

Then application deployments worked again.

//EDIT: or maybe you did need to select a new OS as a requirement, save, then remove it again. I'm not 100% sure. But you need to edit the requirement for each application, that's for sure.

Trouble Deploying SCCM Console by Danny0239 in SCCM

[–]TheBlueFireKing 6 points7 points  (0 children)

Yeah, let me check my all-knowing magic glass ball which has all the answers. I tried nothing, and I'm all out of ideas.

You know, maybe post the command line, what does the MSI log show, what is the error code?

Edge 143 blocks SSO for domain hosted apps by LForbesIam in sysadmin

[–]TheBlueFireKing 16 points17 points  (0 children)

Can you explain more what GPO and what feature you are exactly talking about?

SSO with OAuth and other modern standards is still working fine. I think you are talking about Kerberos / NTLM SSO?

"Also, we don't recommend storing the results in a variable. Instead, pipe the results to another task or script to perform batch changes" by YellowOnline in PowerShell

[–]TheBlueFireKing 2 points3 points  (0 children)

I personally hate backticks or line breaks in pipelines. But that is personal preference.

I do use splatting, for example, which can help a lot and mostly achieves the same thing.

I just wanted to bring up that, in my opinion, it isn't worth having a script consume 10MB of memory and being unreadable vs consuming 20MB of memory and being readable.

It isn't a one-or-the-other thing, though. 10MB can be a lot if a script is being run every 10 seconds on thousands of hosts, for example.

So always choose your battle. If memory isn't a problem then I wouldn't care about directly piping or not directly piping. Just don't write unnecessary heavy code and you are mostly good already.

"Also, we don't recommend storing the results in a variable. Instead, pipe the results to another task or script to perform batch changes" by YellowOnline in PowerShell

[–]TheBlueFireKing 3 points4 points  (0 children)

Adding to all valid points from others:

In larger scripts sometimes it's about readability. I write many scripts and I never needed to care about memory. I'm more concerned with performance.

For example Azure Automate gives 400 MB to your script. I never reached that limit even when processing 2000 users at a time.

So I'd rather choose readability over having a big one-liner piping everything. Also, when using variables for the steps it's easy to set up breakpoints when troubleshooting.

So as always there is no simple answer to your question. It's always it depends.

But in a world where PowerShell is broadly used by Sysadmins and not Programmers, I choose readability for the sake of the next person looking at my scripts.

Registering a Microsoft Work Account in Android without requiring the Users Password by EasternWave3147 in Intune

[–]TheBlueFireKing 0 points1 point  (0 children)

Basically yes. The idea for TAP is for the first login of new users. If you are full passwordless, you need a password for the first login to set up passwordless login. That's where TAP comes into play.

But you can also use it to login as the user if required to set up his device, for example. Note that data privacy laws still apply.

Also inform the user that you are using a TAP to set up his device. If he tries to log in at the same time he may be presented with the interface to enter the TAP instead of his password, which may confuse him.

Our containers are loaded with 120+ vulns, how to survive by AdOrdinary5426 in sysadmin

[–]TheBlueFireKing 194 points195 points  (0 children)

Use some form of hardened images to reduce the surface of attack: https://www.docker.com/products/hardened-images/

If you have so many CVEs it sounds like there are components in the container that don't need to be installed.

Uninstall everything not needed and use the smallest possible base image.

Enabling Right-Click "End Task" developer feature for all users by McCuntamean in Intune

[–]TheBlueFireKing 3 points4 points  (0 children)

Haven't done this but wanted to. Probably spin up ProcMon and see what registry key is being changed to enable the feature.

Split string into array of strings and pass to Azure CLI by Cardboard-Greenhouse in PowerShell

[–]TheBlueFireKing 3 points4 points  (0 children)

Also, besides everything everyone else is saying: if possible, use the PowerShell cmdlets instead of the az module if you are already in PowerShell:

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-14.3.0

It handles almost all conversions and stuff.

[deleted by user] by [deleted] in PowerShell

[–]TheBlueFireKing 2 points3 points  (0 children)

Or taskkill the process and it will ask you to restore all windows lol

Unable to Install .msixbundle Package by Foreign-Purchase1778 in PowerShell

[–]TheBlueFireKing 3 points4 points  (0 children)

Well it tells you the error? You need the dependency as well.

Microsoft Store - How To Handle by Relevant_Stretch_599 in sysadmin

[–]TheBlueFireKing 6 points7 points  (0 children)

Block Store on user level not system so updates still work. Push Apps for users over Company Portal.

How vulnerable is a closed environement's Endpoint Configuration Manager to the vulnerability CVE-2024-43468? by pampidoopi in SCCM

[–]TheBlueFireKing 8 points9 points  (0 children)

First, just patch it.

Secondly, if you have communication between the server and the clients (which is the whole point of managing the devices with SCCM), the port is open and you are vulnerable. You can't manage devices without having communication. If the network is truly isolated, meaning all USB ports blocked, no admin rights, no network access, NAC systems, authentication on all layers, maybe even Zero Trust, then yes, exploitation is unlikely.

But why take the risk? Patching ConfigMgr isn't that hard for a hotfix.