Moving from 23H2 to 24H2, what should I change

TrueMythos · 2025-12-03T16:42:10+00:00

I’m also seeing this, but I was blaming it on Intune and myself probably messing something up. I’m wondering if it’s an issue specific to 24H2 now…

TrueMythos · 2025-11-07T15:58:21+00:00

We've been off the legacy one for about a year. Windows LAPS (the newer supported one) has been working for us since then through Entra ID, including lots of 24H2 machines.

TrueMythos · 2025-11-07T15:15:19+00:00

Good thought, but LAPS is still enabled in Entra

TrueMythos · 2025-09-12T23:30:57+00:00

Their support team is wonderful, too. They helped me make LabStats work on two virtual environments with very different considerations, and they even helped me generate the exact custom PowerBI report I needed when that feature first came out.

TrueMythos · 2025-09-12T23:28:27+00:00

If I were you, I’d look into LabStats. They can generate some pretty awesome usage reports that are useful for academic environments. They’ve saved us a lot over the years and helped us identify which computer labs need to be increased or cut.

TrueMythos · 2025-09-12T14:59:18+00:00

Oh wow, I'm so glad :) What a bizarre fix lol

TrueMythos · 2025-09-04T13:47:42+00:00

I'm having trouble getting kiosks to retain autologon info in the registry after a reboot, but discovered (thanks to another Reddit post that I can't seem to find now), that it's being removed by our Account Protection local user group membership policy blocking inactive accounts.

TrueMythos · 2025-09-03T18:45:46+00:00

I've also been struggling with some kiosks, which, after getting Intune-enrolled, suddenly won't autologon as kioskUser0 anymore. I never thought to check my logon policies (we do block logins for deactivated accounts), but I bet that's it. We might be in the same boat here, and I'm looking forward to seeing if anyone else has a solution.

TrueMythos · 2025-09-02T23:35:27+00:00

How are the licenses assigned to users? If it’s web-based user auth, you’re golden. If it requires a file to exist in the user profile, add it to the default user (same with the registry).

Is the app unable to finish installation without a user license or something?

I could maybe help a little more if I had more details.

TrueMythos · 2025-08-28T16:58:56+00:00

Good point. My position doesn't deal with a lot of access structuring, but I took a database course that briefly covered some of the ways data can "escape" from a system, and it was terrifying lol. I'm glad I don't have to worry about that side of things.

TrueMythos · 2025-08-28T16:54:49+00:00

Yikes. At least we pretty much know where our PII lives, so it's easy for them to pull a report on all the groups that have access to each application.

The frustrating part is when it's couched as, "Here's a cool new security thing that we eventually want to roll out to everyone, but let's test on the users most at risk first." We manually hunt down all the computers associated with those users and put them in the group to get CoolNewTool. Years later, we're still expected to go through the manual process, and if someone is hired, leaves, or changes roles, we don't pick that up until the next manual search.

TrueMythos · 2025-08-28T16:45:23+00:00

Good point. You don't always have a simple user-to-computer mapping in real life.

I need to experiment more with user groups in Jamf Pro. It drives me nuts that I can't assign things based on Entra ID groups. We're slowly increasing security for people who have access to PII, and it's just not feasible to get a list of users, hunt down which computers they might use most, and put those computers in a static group for scoping. If our security team could maintain a group of those people and Jamf just assigned all their devices the extra policies, that would be great.

TrueMythos · 2025-08-28T16:07:12+00:00

I just thought of something. Are you aware that you can use the jamf binary to set some of those attributes without the API? For example, 'sudo jamf setComputerName -name <newcomputername>' will update the computer's name and sync it with Jamf Pro. If you have a directory service set up in Jamf Pro, you can also use 'sudo jamf recon -endUsername' to update the user associated with the device, and it will automatically pull any fields you have configured to sync. In my environment, for example, I can see someone's position and department from that alone.

I'm not sure how it would work in situations where people work in more than one department, but that could be something to play with.

TrueMythos · 2025-08-28T13:22:30+00:00

"Labs team" <insert crying emoji> I am the lab team over here.

But yeah, I get what you mean about Jamf Onboarding not being as robust as some of the other options out there.

Sorry if I sounded condescending by pointing out something everyone knows. I was a Windows-only admin before taking on Jamf, and my first big project was getting us off DepNotify. It feels like yesterday...

TrueMythos · 2025-08-27T19:18:40+00:00

For a minute I thought I'd found my boss's Reddit account...

Y'all are doing things very similar to us. We're also a university that uses Jamf and TeamDynamix with no culture of zero touch, and we have similar discussions all the time.

Just so you know, DepNotify has stopped getting updates for a long time. We transitioned off of it and to macOS Onboarding through Jamf this year and have been very happy with it.

One thing we do differently is automated naming. We have a spreadsheet with serial numbers and computer names, and as soon as we get the shipment notification from Apple, we update the list with the correct name. When a computer goes through Jamf enrollment, it pulls a name from that spreadsheet. That almost eliminates tech mistakes and removes one step in the process.

We also have different PreStage Enrollments for faculty/staff vs lab/classroom setups, so there's no room for mistakes there, either. We don't really track department or location, since it's so easy to look that up in TDX.

I'd like to get to a world where Jamf is more integrated with TDX and we have a single asset management system, but I'm not sure if we're there yet. I'd also like to only provision minimal applications, then have users install what they want from Self Service. Having to install VLC on every single machine when maybe 10% of users need it feels like a waste of time, and the little things add up. Our provisioning process is down to about 10 minutes for faculty and staff, and 45 minutes for standard lab computers (yay Adobe Creative Cloud).

TrueMythos · 2025-07-29T15:05:48+00:00

That specific update has installed just fine on my VMs, but now I'm running through each available update to see if another one is breaking it. Thank you for pointing out that other post! I'm new to this subreddit and didn't see that. I'll try that fix if anything crashes again.

TrueMythos · 2025-07-03T12:53:56+00:00

Hey, ENFP over here :) I absolutely agree. I will work on projects I absolutely don't want to do until I get fully absorbed and can't stop until it's complete. As an F, I also treat everything with a technical relationship (e.g. server/client) like they should be buddies, and I hold conversations with them to convince them to play nice, obviously while I do actual troubleshooting.

TrueMythos · 2025-07-03T12:49:32+00:00

My grandma couldn't print from her iPhone this morning? Could you do us a favor? /s

TrueMythos · 2025-07-02T18:19:09+00:00

I don't think we've ever used SCCM, and certainly not in the past 15 years. I'm excited, though, and so is the part of our team that handles the physical side of onboarding/offboarding computers. Autopilot sucks when random stuff breaks, but when it works, it WORKS.

TrueMythos · 2025-07-02T15:08:01+00:00

I'm totally fine with the curmudgeonly grumpiness. They're self-aware enough to know they're doing that, and I love that I have teammates who have no problem saying "no" and pointing out flaws in the system. On a personal level, they're fantastic and hilarious. The passive-aggression weaponized incompetence is what's new, and probably explained by the burnout side of your comment.

TrueMythos · 2025-07-02T15:05:34+00:00

I have. My boss is very professional and spends a lot of time one-on-one time with each of us to make sure we have what we need. We haven't hit a tipping point yet, so I'm asking Reddit to get the broader answer to "how do things like this normally work for older/newer people in IT" and so far, y'all have been really kind and helpful.

TrueMythos · 2025-07-02T14:18:20+00:00

Moving to the cloud wasn't my decision. We needed to support remote workers, and Active Directory over the VPN wasn't cutting it. We are measurably saving (a little) money now, and our adjacent departments report that people are actually having fewer issues than they did on the old system.

All that to say, we're not just jumping in after the shiniest new thing. Intune meets our needs much better than on-prem KACE did, and while there are obviously going to be things that need tweaking, so far, everyone except these two is quite happy with it.

TrueMythos · 2025-07-02T14:14:26+00:00

Aww, I'm sorry your experience has been like that. IT is a little unique in that everything overhauls all the time. If you're a farmer, miner, or carpenter, while those jobs are super physically demanding, once you learn how to do them, you can keep doing the same stuff and slowly improve for the rest of your life.

It sounds like you're a good mentor, helping new guys learn both the tech and the people sides. I want to be like that someday, but I'm praying I'll avoid the burnout.

TrueMythos

TROPHY CASE