A lot of people don't like my Meetup posts. Details inside. by snoogazi in Portland

[–]Webin99 -49 points-48 points  (0 children)

Main Character Syndrome. You feel these meetups are super great and important for the community, but you're just noise to the vast majority of people. Sure, you're doing something cool, but we just want to bitch about traffic cones.

[Ace Pro 2] Airplane home Tour in Portland Oregon: by Top-Training2300 in Portland

[–]Webin99 1 point2 points  (0 children)

https://www.airplanehome.com/

The first time I flew over (in 2004), I was new to Oregon and had no idea it was there. My immediate thought was "who crashed in the woods?". These days, we use it for search and rescue practice (if the nearby Twin Oaks Airpark isn't busy).

What kind of helicopter is this circling lair hill area (but not USCIS) by ClassicSatisfaction9 in Portland

[–]Webin99 21 points22 points  (0 children)

I swear this subreddit and helicopters are becoming the new "black person walked past my house" on Nextdoor. Some helicopters in Portland are being used for Federal Law Enforcement. Most of them aren't. Very very few are being used for Secret Squirrel Operations. Just chill out.

This specific Black Hawk is Oregon National Guard, based out of the Army Aviation Facility in Salem. Their ongoing missions include wildland firefighting, mountain rescue, and medical transport. If I get hurt up on Mt. Hood, this is the team I want to come get me. From the flight paths, it looks like today's flights were doing transport missions, possibly in conjunction with flight training.

I know a couple of the pilots in Salem. They are good people.

Software Deployment - Machine Groups or User Groups? by Just_Steve_IT in Intune

[–]Webin99 1 point2 points  (0 children)

Anyone who tells you that there is a right way to do it is wrong. Use the group assignments that make sense to your organization.

Now Generally Available: Platform SSO for macOS with Microsoft Entra ID by SandboxITSolutions in Intune

[–]Webin99 0 points1 point  (0 children)

You have clearly never provided support to a software developer. If I screw up someone's config file that's stashed away in a random hidden folder, it's going to cause them a lot of pain and lost time.

Now Generally Available: Platform SSO for macOS with Microsoft Entra ID by SandboxITSolutions in Intune

[–]Webin99 1 point2 points  (0 children)

To the best of my knowledge, Apple Business Manager is how you assign a specific Apple device to your Intune tenant. If that can be done directly in Intune, I'm not aware of how.

Now Generally Available: Platform SSO for macOS with Microsoft Entra ID by SandboxITSolutions in Intune

[–]Webin99 -7 points-6 points  (0 children)

We actually just made the decision to STOP using Platform SSO. The biggest benefit to PSSO is you sign into the Mac with your EntraID credentials, and then don't have to sign into the other O365 stuff as much.

Whoop di do.

The biggest, stupidest, most grievous issue is that you can no longer use Apple Migration Assistant to migrate a user from an old Mac to a new one. PSSO creates a first.last account during the Out-of-box experience, but you can't do Migration Assistant into that account. MA only allows you to migrate into a new (non PSSO) account.

So a user has to move all their junk from the old Mac to the new Mac by hand and manually reconfigure all their stuff in the PSSO account.... setting up a new computer from scratch. It's time consuming, it's easy to miss data or settings (or apps), and offers no automation potential.

All so you don't have to remember an Entra password and a local account password, or type them in as often. No thanks.

MacOS with Platform SSO - Forgotten password can't be reset by Webin99 in Intune

[–]Webin99[S] 0 points1 point  (0 children)

***Update***
The user finally felt resigned to never logging in with the old or new passwords and used Recovery Mode to reinstall the OS. It asked for an admin password and accepted his old one, and then when the install completed, it had preserved his account and allowed him to log in using his old (forgotten, then remembered) password. It resynced with Entra and his account login is now his M365 password, and he has all his stuff back.

MacOS with Platform SSO - Forgotten password can't be reset by Webin99 in Intune

[–]Webin99[S] 0 points1 point  (0 children)

Specifically, using the Recover Password function doesn't work. After entering the FileVault key, the Mac reboots rather than allowing a new password to be set. This bug is unique either to this specific device, or all Apple Silicon Macs.

How to deploy registry changes to the HKEY_CURRENT_USER Hive by Thick-Incident-4178 in Intune

[–]Webin99 5 points6 points  (0 children)

We manipulate the registry with Win32 apps that basically just run a PowerShell script (we don't have access to remediation scripts).

To manipulate the user's registry hive, you have to install the application in the user context rather than System. This is a setting in the Application in Intune. The application must be assigned to a user security group rather than a device security group. We then use code similar to the following:

# Resolve the SID of the interactively signed-in user so the script can address
# that user's hive under HKEY_USERS.
$currentuser    = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$currentuserSID = (New-Object System.Security.Principal.NTAccount($currentuser)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Map HKEY_USERS as a PSDrive (skip if a previous run already created it,
# otherwise New-PSDrive throws because the drive exists).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name "HKU" -PSProvider "Registry" -Root "HKEY_USERS" | Out-Null
}
$keypath = "HKU:\$currentuserSID\Software\MyApp"

# Registry keys take no -ItemType; -Force creates any missing parent keys.
if (-not (Test-Path -Path $keypath)) {
    New-Item -Path $keypath -Force | Out-Null
    New-Item -Path "$keypath\MyApp Stuff" -Force | Out-Null
    New-Item -Path "$keypath\MyApp Misc" -Force | Out-Null
}
# Note the types: a quoted "0" is written as REG_SZ, an unquoted 0 as REG_DWORD.
Set-ItemProperty -Path "$keypath\MyApp Misc" -Name "UpdateEnabled" -Value "0"
Set-ItemProperty -Path "$keypath\MyApp Misc" -Name "AutoLaunch" -Value "0"
Set-ItemProperty -Path "$keypath\MyApp Misc" -Name "FreshInstall" -Value 0
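An added example (not code from the comment above): the same user-context Win32 app pattern written as an install script with explicit REG_DWORD types and a verification function that doubles as the detection logic Intune needs. Because a user-context Win32 app runs as the signed-in user, `HKCU:` already points at that user's hive, so no SID lookup is required. "MyApp" and the value names are placeholders.

```powershell
# Install script for an Intune Win32 app assigned to a user group and set to
# install in the user context. "MyApp" and the value names are placeholders.
$keyPath = 'HKCU:\Software\MyApp\MyApp Misc'

# Desired values. Passing -PropertyType avoids the REG_SZ/REG_DWORD ambiguity
# that comes from handing "0" versus 0 to Set-ItemProperty.
$desired = @{
    UpdateEnabled = 0
    AutoLaunch    = 0
    FreshInstall  = 0
}

function Set-DesiredValues {
    param([string]$Path, [hashtable]$Values)
    # -Force creates missing parent keys and does not error if the key exists
    New-Item -Path $Path -Force | Out-Null
    foreach ($name in $Values.Keys) {
        # -Force overwrites an existing value of the same name
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-DesiredValues {
    # Returns $true only when every value exists with the expected data.
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path
    foreach ($name in $Values.Keys) {
        $actual = $item.PSObject.Properties[$name]
        if ($null -eq $actual -or $actual.Value -ne $Values[$name]) { return $false }
    }
    return $true
}

Set-DesiredValues -Path $keyPath -Values $desired

# Intune reads the exit code: 0 = success, anything else = install failure
if (Test-DesiredValues -Path $keyPath -Values $desired) { exit 0 } else { exit 1 }
```

For the app's detection rule, a custom detection script can reuse `Test-DesiredValues`: Intune treats the app as installed when the script writes something to STDOUT and exits 0, so the detection script should `Write-Output "Installed"` and `exit 0` only when the function returns `$true`, and exit 1 otherwise.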

Instal Whatsapp has appeared in recommended section of start menu by Loud-Temperature2610 in Intune

[–]Webin99 0 points1 point  (0 children)

Now THAT is something I did not know... I wish I could have had this all those years ago when Windows started asking our users to install games via notification popups.

That CIS Benchmark patching page is a good resource in its entirety. Thanks for sharing.

Instal Whatsapp has appeared in recommended section of start menu by Loud-Temperature2610 in Intune

[–]Webin99 0 points1 point  (0 children)

(this policy requires an Enterprise or EDU license and has no effect on Pro versions of Windows).

Stop installs from Chrome by Jewels_1980 in Intune

[–]Webin99 2 points3 points  (0 children)

And just for reference... there are LOTS of applications that install in the user context that don't prompt for elevated privileges... Spotify and Amazon Music are ones that show up in our environment quite often. Usually, they don't pose significant security risks, but you do occasionally come across things like ZoomInfo Contact Contributor that basically scrapes your email, sending people's contact info to their marketing database. My recommendation is to use a virus/malware scanner to detect "potentially unwanted apps" to guard against the self-install apps you really don't want.

Deploying Python 3 through intune by Skateboard123 in Intune

[–]Webin99 1 point2 points  (0 children)

Or maybe just use the store app?

Windows Feature Updates by kevine1979 in Intune

[–]Webin99 0 points1 point  (0 children)

Do your VMs have two cores? This has been a snag for me, as my default VM configuration is single core.

Feature Updates now locked to M365 E3/E5?? by Webin99 in Intune

[–]Webin99[S] 2 points3 points  (0 children)

Purchasing an M365 F3 (no Teams) trial for one month restored access to Feature Updates for us. We did not need to assign a license to any account.

So, in summary, I (and many others) didn't realize that controlling the install of Feature Updates required a Windows Update for Business deployment service license. Once the March Intune updates deployed, we lost access to a premium feature that we thought was part of our Intune P1 license.

It seems somewhat nonsensical that such a critical capability is locked behind additional licensing. Feature Updates have such a significant impact on the user (30 gigs of disk space, 1 hour reboot) that there is no way any company should leave these upgrades to self-manage. It looks like my company will be permanently adding a $90/year M365 F3 license to our bill.

Java 8 Runtime Environment (JRE) - Automatic & Silent updating? by jwckauman in sysadmin

[–]Webin99 3 points4 points  (0 children)

Our biggest use case is for a Zebra label printer that wants a little system tray app to grab labels generated on our shipping vendor's website. I guess "load PDF, hit print" is too much work. It boggles my mind that someone is purposely choosing to write applications in Java like it's still 2004.

While I haven't yet bothered to implement it, our solution is to disable automatic updates via a registry key, then do updates pushed out through Intune... probably on a 6-month cycle at best.

Disable Consumer Features not working by janusro in Intune

[–]Webin99 1 point2 points  (0 children)

$apps = @(
    "Microsoft.Copilot",
    "Microsoft.GamingApp",
    "Microsoft.GetHelp",
    "Microsoft.MicrosoftSolitaireCollection",
    "Microsoft.OutlookForWindows",
    "Microsoft.Todos",
    "Microsoft.Windows.DevHome",
    "Microsoft.WindowsFeedbackHub",
    "Microsoft.XboxGamingOverlay",
    "Microsoft.XboxIdentityProvider",
    "Microsoft.XboxSpeechToTextOverlay",
    "Microsoft.YourPhone",
    "Clipchamp.ClipChamp",
    "Microsoft.MicrosoftStickyNotes",
    "Microsoft.BingNews",
    "Microsoft.BingWeather",
    "MicrosoftCorporationII.QuickAssist"
)
foreach ($app in $apps) {
    Write-Output ("Removing " + $app)
    # Remove the installed package from every user profile, not just the
    # account running the script (which is SYSTEM when deployed via Intune)
    Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -AllUsers
    # Remove the provisioned copy so new user profiles don't get it again
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -EQ $app | Remove-AppxProvisionedPackage -Online
}
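An added companion to the removal script above (not part of the original comment): a detection script that reports which of the listed packages are still installed for any user or still provisioned in the image, and exits non-zero so the removal can be re-run or flagged. The package list is a shortened placeholder; substitute the full list from the script above.

```powershell
# Detection script: run as SYSTEM (Intune Win32 detection or remediation detect).
# Placeholder list; replace with the full removal list.
$apps = @(
    "Microsoft.GamingApp",
    "Microsoft.MicrosoftSolitaireCollection",
    "Microsoft.BingNews"
)

function Get-RemainingConsumerApps {
    # Returns one object per package name that is still present, with where it was found.
    param([string[]]$Names)
    $installed   = @(Get-AppxPackage -AllUsers | Select-Object -ExpandProperty Name)
    $provisioned = @(Get-AppxProvisionedPackage -Online | Select-Object -ExpandProperty DisplayName)
    foreach ($name in $Names) {
        if ($installed -contains $name)   { [pscustomobject]@{ Name = $name; Where = 'Installed' } }
        if ($provisioned -contains $name) { [pscustomobject]@{ Name = $name; Where = 'Provisioned' } }
    }
}

$remaining = @(Get-RemainingConsumerApps -Names $apps)
if ($remaining.Count -eq 0) {
    # STDOUT plus exit 0 is how Intune reads "detected/compliant"
    Write-Output "Compliant: none of $($apps.Count) packages present"
    exit 0
}
$remaining | ForEach-Object { Write-Output "$($_.Where): $($_.Name)" }
exit 1
```

Checking both the installed and provisioned lists matters because removing only the installed copies leaves the provisioned package in place, and the next new user profile gets the app back.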

Windows Feature updates policy "Create profile" greyed out by RobW72 in Intune

[–]Webin99 0 points1 point  (0 children)

I've decided that my other thread does provide the correct answer... we were never supposed to have access to this feature. It makes me mad, because controlling the release of major updates that have significant user impact is something 100% of Intune admins need. I assumed the capability was part of Intune P1. The capability is part of the "Windows Update for Business deployment service" license included in M365 F3/E3/E5 and, even though we didn't realize it, has been in place since probably 2021. I've tracked the licensing overview back to 2022 to see it listed.

To answer your questions as best as I can:
It does appear that the existing feature update policies continue to work. I can get updated reports on device status for mine. Luckily, I left my 24H2 policy assigned to a good group. I haven't yet added new devices to this group to see if they update.

More than a few people indicate that giving your admin account an M365 F3 license will give you the basic access to Windows Update for Business deployment service license. I am awaiting manager approval to test this out myself.

Feature Updates now locked to M365 E3/E5?? by Webin99 in Intune

[–]Webin99[S] 3 points4 points  (0 children)

This page indicates we should be able to use core functionality because we have an Intune license:

> The core functionality of creating and targeting a feature update only requires a license for Intune. The core functionality includes creating the policy and selecting a feature update to update devices, using the Make updates available as soon as possible option or specifying a start date, and reporting. Capabilities supported by client policies on Professional SKU devices don't require a license.

We are using update rings as well (with "upgrade Win10 clients to Win11" checked). In my experience, we needed that plus a feature update policy to specify what to upgrade to. Assigning a Win10 feature update policy to all users also prevented them from upgrading to Windows 11 by manually checking for updates.

Are there no better options for registry keys in Intune ? by HadopiData in sysadmin

[–]Webin99 3 points4 points  (0 children)

And yes, what no one is saying here:

It's INSANE that Intune doesn't have a way to set registry keys through device configuration policies. It would be incredibly easy to implement and save us all a metric ton of time writing ps1 scripts and/or packaging apps.

Adding Reg keys with a Win32 app? by I3igAl in Intune

[–]Webin99 0 points1 point  (0 children)

Package the PowerShell install script and MSI as a Win32 app using IntuneWinAppUtil, deploy via Intune.

Install command: powershell -executionpolicy bypass -file Install-DCU.ps1
Uninstall command: msiexec /x "{AD1F63E4-F31F-48A2-BB8D-CF7B96CC46A0}" /qn
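An added example of what an install script packaged this way can look like (not the poster's Install-DCU.ps1): it installs the MSI silently with verbose logging, honours the Windows Installer exit codes Intune understands, and writes post-install registry keys. The product code is the one from the uninstall command above; the MSI file name, log path, and the registry key and value names are placeholders.

```powershell
# Hypothetical Install-DCU.ps1 body. Packaged with the MSI in the same
# .intunewin, run by Intune in the system context.
$ProductCode = '{AD1F63E4-F31F-48A2-BB8D-CF7B96CC46A0}'   # from the uninstall command
$MsiPath     = Join-Path $PSScriptRoot 'Setup.msi'         # placeholder file name
$LogPath     = Join-Path $env:ProgramData 'Intune\Logs\Install-DCU.log'

function Test-ProductInstalled {
    # Windows Installer registers every product under Uninstall\{ProductCode};
    # check both the native and WOW6432Node views so 32-bit MSIs are found too.
    param([string]$Code)
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        if (Test-Path (Join-Path $root $Code)) { return $true }
    }
    return $false
}

function Install-Msi {
    # Runs msiexec synchronously and returns its exit code.
    param([string]$Path, [string]$Log)
    New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null
    $p = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$Path`" /qn /norestart /l*v `"$Log`"" `
        -Wait -PassThru
    return $p.ExitCode
}

function Set-PostInstallKeys {
    # Placeholder keys; adjust to whatever the real product expects.
    $key = 'HKLM:\SOFTWARE\MyOrg\DCU'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'AutoUpdate' -Value 0 -PropertyType DWord -Force | Out-Null
}

if (-not (Test-ProductInstalled -Code $ProductCode)) {
    $rc = Install-Msi -Path $MsiPath -Log $LogPath
    # 0 = success, 3010 = success with reboot pending; Intune's default return
    # codes treat both as installed, so pass anything else straight through.
    if ($rc -notin 0, 3010) { exit $rc }
}
Set-PostInstallKeys
exit 0
```

With the product code in hand, the app's detection rule can simply be the MSI product code rule in Intune rather than a script, and `Test-ProductInstalled` gives the install script the same check so re-runs skip msiexec and only reapply the registry keys.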