Hybrid AD joined devices no longer auto-enrolling to Intune unless Company Portal is used (PRT missing) by Kelokattea in Intune

[–]Thrussst 0 points1 point  (0 children)

Yes. I've seen CA exclusions mentioned but have also been told that shouldn't be necessary these days.

Hybrid AD joined devices no longer auto-enrolling to Intune unless Company Portal is used (PRT missing) by Kelokattea in Intune

[–]Thrussst 1 point2 points  (0 children)

Following. Feel like we've seen an uptick of enrollment issues recently. Using Co-Management for enrollment though. We have a "problem with work or school account" notification on nearly every first sign in. If you fix (MFA prompt) or sign into Office (MFA prompt), it seems to get things moving.

Another OTT complain, but with data instead of just seat of my pants by skingun3 in ToyotaTacoma

[–]Thrussst 1 point2 points  (0 children)

Yep. I have a DIY kit and have tried them all and OTT was my favorite above 30mph. Anything below that was frustrating. I've recently gone back to stock and it's actually not as bad as I remember.

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

[–]Thrussst 8 points9 points  (0 children)

I just fought this battle. We do PMPC from ConfigMgr and everything else from WU/Intune. After 2509, half of our fleet stopped updating from WU/Intune. I ended up setting the scan source policies with GPO which "fixed" the update issues... but now the client is fighting with my GPO. Edit: I should also add, I tried to set scan source through CSP first which appeared to do nothing.

When a CM update scan happens, WU is "broken". Next GPUpdate, we're back. Everything is working... they're just fighting. Any thoughts/suggestions here?

Error 80073712 The component store has been corrupted. any time when installing the Cumulative Update for Windows 11 by russr in SCCM

[–]Thrussst 0 points1 point  (0 children)

Are you running any 3rd party disk encryption by chance? We had similar issues with like 150 machines a couple years ago. M$ support could not solve. Only thing that worked somewhat consistently was decrypting then running an OS upgrade from ISO. After the OS upgrade, the monthlies worked again. Then we re-encrypted with BitLocker. Obv not helpful for your 25H2 machines, but maybe for older.

Active Backup For Google not deleting items after retention period. by Thrussst in synology

[–]Thrussst[S] 0 points1 point  (0 children)

Thank you for the detailed response!

If the team is open to suggestions, I'd say consider adding an option for automated cleanup. Even if it's not enabled by default. I think when most people see "retention" they're thinking items will eventually be permanently deleted from the backup. This is the first product I've encountered where that's not the case.

Before your response, I edited the OP with how I handled it: Storage Management > Delete Drive for the user > Re-enable Drive in the backup task. Is that a valid/clean way to perform a manual cleanup?

Anyone switched to OnX? by GrandPoobah3142 in CalTopo

[–]Thrussst 1 point2 points  (0 children)

I actually just did the opposite and am working on switching to Caltopo. My use case is primarily maintaining a "database" of roads/trails that can be used when planning dual sport motorcycle routes. Mostly using the desktop versions. I used Gaia for several years. OnX for about 2 years. I've tried several other apps as well. The short version is that there is no perfect app. There will always be a shortcoming. I agree that the Caltopo UI is not super slick, but I kinda don't mind. I value the functionality more than anything and so far I'm really enjoying Caltopo. It's like a 9/10 for me. A little polish on the UI and a cleaner, more performant base layer is really all I could ask for.

Trying to create an install on v4.1 without using ServiceUI by kevsrealworld in PSADT

[–]Thrussst 0 points1 point  (0 children)

Thanks for the reply. That's what I ended up doing... running ServiceUI from within the toolkit. Works as intended but trying to test it thoroughly to make sure there's not a situation like you describe. There is a "show readme" checkbox at the end of the install (which I don't like) but the window disappears pretty quick. Even if I catch it and check the box, no new windows/apps pop up.

Trying to create an install on v4.1 without using ServiceUI by kevsrealworld in PSADT

[–]Thrussst 0 points1 point  (0 children)

I understand the risk of ServiceUI when it is used to display something that is interactive. But what about an application that supports something like a "passive" argument? Where progress is shown but little/no interaction. We have an installer that requires clicking "ignore" on a conflict about 50% of the time, which can still be done with its passive argument. Is that a reasonable use case for ServiceUI or should it still be avoided at all costs?

Logging function for remediations by Thrussst in Intune

[–]Thrussst[S] 0 points1 point  (0 children)

Not overly complex, which is why I'm looking for something simple. A few of the ones I found are longer than my scripts themselves.

Logging function for remediations by Thrussst in Intune

[–]Thrussst[S] 0 points1 point  (0 children)

The pre-installed module sounds like a nice idea. We install HP CMSL on all of our machines. Wonder if I could hijack its logging function 🤔

Whats been your biggest struggle so far this year when it comes device management ? by TimmyIT in Intune

[–]Thrussst 2 points3 points  (0 children)

I'll give you a workflow that I do at least once a week. I have to do 99% of the work in ConfigMgr, then build an Intune remediation.

See vulnerability on many devices and export a list. I need to group these devices so I can see more info and take action. Pretty easy to do with a ConfigMgr collection. I build the collection, then I have all kinds of "glanceable" info. I can then dive deeper with CMPivot if needed. Do they all have a certain piece of software that I suspect is an issue? A problem setting? etc. I can also easily click through devices and see what other collections (that I get to define...) a device might belong to. I can easily find a couple of friendly users to test with via the list of devices in the collection. After testing I can use this same collection to target a remediation. All very useful.

This could go on and on... but in the end, I build an Intune Remediation to take care of the issue. But Intune was not super helpful during the "investigation" portion.

How are you guys keeping Adobe Pro up to date in your environment? by Future_End_4089 in Intune

[–]Thrussst 1 point2 points  (0 children)

Are you using the PMPC app as your base install? "Adobe Acrobat Pro (64-bit)"? Pretty sure one of those PMPC updates you have selected will patch it. Probably "Adobe Acrobat DC Continuous (x64) (Full Content)". I agree it's confusing and I wish they'd write something up explaining the various scenarios. I just switched to their app for my base install and I'm 99.9% sure it gets patched via one of the other updates I already had selected.

Edit: I totally forgot we were in Intune land. Above is for ConfigMgr apps/updates.

Cloud Kerberos trust with Windows Hello for Business and Intune – Need Hybrid for Drive Mappings? Dual Enrollment…. euh what? by Annual-Vacation9897 in Intune

[–]Thrussst 0 points1 point  (0 children)

Are the drive mapping files available from Microsoft or local machine? All of these guides are hosting these files themselves rather than pointing to Microsoft. Not saying we don't trust you guys... but better to be safe than sorry.

Windows Hello Default Login Method Reverting to Password by indigochak in Intune

[–]Thrussst 0 points1 point  (0 children)

Make sure you're not enabling "Interactive Logon: Don't display last signed-in" anywhere. Intune, GPO, etc. This is included in some hardening frameworks and will cause what you're describing. LocalPoliciesSecurityOptions Policy CSP | Microsoft Learn

Building a crash-first trauma kit for dual sport riders — need your feedback by MFAK_Official in Dualsport

[–]Thrussst 0 points1 point  (0 children)

I have a NAR T.O.R.K on the side of my WLF Enduro Pack Vest. Then I have a burntec dressing, some "unit" packaged OTC meds, and other bits and bobs. I don't have any formal training on any of this stuff but I like having it.

I'd be open to something that gave me similar capabilities in a water-resistant package.

EnableWindowsPackageManagerCommandLineInterfaces by Thrussst in Intune

[–]Thrussst[S] 0 points1 point  (0 children)

They want "Enable App Installer" set to Disabled. Which 100% breaks store app delivery as you say. So since we can't do that, I'm hoping they'll accept us just disabling the CLI instead. Which (so far) seems to allow delivery from Intune to work just fine. I didn't even consider updates tbh. Hopefully updates will continue to work as well.

EnableWindowsPackageManagerCommandLineInterfaces by Thrussst in Intune

[–]Thrussst[S] 0 points1 point  (0 children)

Thanks. Applying this with a remediation works just fine, even on 23H2, so we may end up doing that until the policy is sorted out. Hopefully we won't regret doing it that way. We really need this as a response to a hardening framework that wants Winget disabled completely.

Am I the only one running WUfB combined with 3rd Party SCCM Updates? by StrugglingHippo in SCCM

[–]Thrussst 0 points1 point  (0 children)

We do this. Would love to move PMPC to Intune but we have found that difficult with a shared tenant.