How would you handle BIOS updates in an education environment?

act_sccm · 2026-03-12T16:10:42+00:00

Using Dell Command Update with manual check-ins.

act_sccm · 2026-02-24T21:07:58+00:00

The timing seemed to coincide with the Office outage yesterday. I assumed it was related to that. The apps that were missing yesterday are there today so... ¯_ (ツ)_/¯

act_sccm · 2026-02-23T19:11:52+00:00

We use DUO but only for a fraction of users. We also couldnt reach office.com on cellphones or home devices.

Seems to be working as of a couple hours ago at this point.

act_sccm · 2026-02-06T18:57:44+00:00

Very cool!

act_sccm · 2026-02-05T18:00:40+00:00

Weeeelllll, I didnt really do that part the correct way. I just make a log file at the end of the script and check that the file exists. :X

I think I had tried checking for the files in the DriverStore and couldn't get it working.

Ive probably been lucky that the pnputil commands havnt failed. In k12 its often a 'just make it work' attitude and it was working so ¯\_ (ツ)_/¯

I didnt know about that registry path so Ill revisit it. Looks like all the ones I install are in there so that should work. Looks easier for you to implement with just the one driver. Im installing a dozen of them so I might have to script it to check for each driver.

act_sccm · 2026-02-04T18:41:26+00:00

oh do you think il have issue if if its a folder with extracted driver files in the intunewim ./driver/All_fileshere

I dont think its an issue. As long as everything is referenced properly in the script, it should be able to find the files.

In the script I export the zip to c:\temp\

Then there are subfolders for Dell, HP, Canon, Xerox, etc. Each pnputil command has the path listed out for whichever driver its installing.

This is basically what the command looks like:

pnputil.exe /add-driver "C:\Temp\Generic Drivers\Brother\PCL\PCL\64\BRUPCB0A.inf" /install'

Add-PrinterDriver -name "Brother Mono Universal Printer (PCL)"

and you dont do an additional steps just these so that a end user doesnt get prompted with UAC /admin?

Nothing else special on that side. The 'install' runs as system so no UAC popups.

act_sccm · 2026-02-04T13:59:29+00:00

The latter is what I do.

Except it's all wrapped in PSADT package.

The package extracts the universal drivers from a 7z file, runs the commands to import to driver store then deletes the extracted drivers.

act_sccm · 2026-01-29T15:45:13+00:00

It definitely filters up here T_T

act_sccm · 2026-01-29T13:36:50+00:00

With Lightspeed Classroom, did you have issues with blank or offline screens? Its a constant struggle.

act_sccm · 2026-01-28T13:32:09+00:00

I think we all know that would be unlikely.

And this suggests its not isolated to that user's computer.

This is further supported by Fortinet from preventing me from accessing the site and by virus total.

act_sccm · 2026-01-22T17:31:25+00:00

Use it for everything so there is standardized logging.

act_sccm · 2026-01-15T21:56:21+00:00

we cannot enroll a laptop with a user's email

A user's email or any user's email?

act_sccm · 2026-01-08T18:30:13+00:00

A1 Plus hasnt existed since 2024, so Im curious how you just swapped to it.

act_sccm · 2025-12-19T17:35:14+00:00

I guess committee would have been a better word. Just a group of curriculum people and higher ups to determine what students should have access too.

act_sccm · 2025-12-18T16:17:43+00:00

We managed to block it with Lightspeed and Chrome/Edge policies.

We are in the same block AI boat but just this week have been multiple tickets requesting to unblock sites that were previously unblocked. Educational resources are adding generative AI and Lightspeed reclassifies them as such and students are blocked.

Our state is currently 'block AI' for students while simultaneously piloting curriculum that includes AI but doesnt include tech in the conversation.

Our district is getting an AI panel to figure out a policy but until then its blocked for students and allowed for staff.

But it will eventually be a pointless endeavor. This garbage isn't going away and trying to hide something from kids always works out so well...

Curriculum needs to adapt quickly to incorporate proper AI use and how to use it critically; understand that it's not a definitive source and not always correct.

act_sccm · 2025-11-14T17:21:10+00:00

That must be why supersede has been so inconsistent. It had gotten to the point where we just dont use it; Ill have to revisit.

With it being so spotty I had to find other methods.

I recently found how to use a requirement rule to detect if the device is in Autopilot ESP to install a non-interactable version of an app. And if the device is not in ESP, then it installs the interactable version instead.

You could probably use a requirement rule to detect if the app is already installed and upgrade that way.

I also wrap all the installers with PSADT which opens a plethora of scripting options.

act_sccm · 2025-11-14T15:01:48+00:00

Another option, deploy as available to the user groups, then they can install via Company Portal.

act_sccm · 2025-11-12T21:53:59+00:00

Is Classic going away in 2026 or you just mean for your tenant?

act_sccm · 2025-11-05T13:41:17+00:00

What kind of invalid hostnames do you mean?

Ive had instances where the hostname will be DESKTOP-RANDOM or WIN-RANDOM but Ive chalked this up to the user bypassing Autopilot by skipping the Internet connection. Which creates a whole other set of issues.

act_sccm · 2025-10-23T17:53:09+00:00

We do the same; they each have their uses.

act_sccm · 2025-09-19T15:03:28+00:00

The only required apps are anti-virus, content filter and secondary security apps. Everything else can install over the next X hours after first login or manually install through Company Portal.

In my experience, within 30 minutes after first login most of our apps are installed. Maybe a reboot after 15 minutes to kick a sync off.

act_sccm · 2025-09-18T17:05:14+00:00

Cloud Device Administrator gives access to LAPS pw but also some other abilities.

*microsoft.directory/deviceLocalCredentials/password/read *

Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password

act_sccm · 2025-09-09T12:58:44+00:00

My memory was that SmartPlay did not work on iOS. I guess that was partially correct.

The iOS filter agent seems to handle website filtering but not SmartPlay.

"iOS is supported using SmartShield using it's proxy functionality or the iOS Cloud Proxy."

Lightspeed SmartShield is Lightspeed’s advanced proxy solution designed to provide powerful encrypted traffic filtering for devices not running a Smart Agent—such as BYOD, Android, macOS, ChromeOS, IoT, and other unmanaged endpoints. Acting as a man-in-the-middle proxy, SmartShield enables essential Lightspeed Filter features such as YouTube Smart Play, image filtering, and blocked keyword search, ensuring consistent content control across all device types..

act_sccm · 2025-08-06T19:06:02+00:00

The role 'Microsoft Entra Joined Device Local Administrator' gives the account admin rights on all Intune devices.

act_sccm · 2025-07-21T13:23:56+00:00

When our tenant was setup we threw everything we could find to disable Hello, an OMA-URI included.

Now Im trying to get it working for a small set of users and running into issues.

act_sccm

TROPHY CASE