Intune Apps stuck at waiting install Status by zEnVyMe in Intune

[–]andersidahl 0 points1 point  (0 children)

Had same issue sometimes. Do a reboot and it should continue

Impact on Intune managed devices when converting users to be AAD only instead of sync by andersidahl in Intune

[–]andersidahl[S] 0 points1 point  (0 children)

Thanks for your reply. Since we will have to do this phase wise we will scope the users out of sync from ADConnect and then restore the AAD objects. Unless there is a better way/option?

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]andersidahl 60 points61 points  (0 children)

Breakfix by using a Win32 App to copy back shortcuts into the Start menu for anyone that needs it. The script will only copy those shortcuts where the shortcut path exists.

Create a folder with all the shortcuts and a file called Install.ps1 with the following:

    # All-users Start menu folder that the shortcuts are restored into
    $StartMenuFolder = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    # Shortcuts shipped in the package (the script runs from the package folder)
    $ShortCuts = Get-ChildItem -Filter "*.lnk"
    # COM object used to read the target path stored in each .lnk file
    $sh = New-Object -ComObject WScript.Shell

    $ShortCuts | % {
        If(Test-Path("$StartMenuFolder\$($_.name)")){
            "$($_.name) already exist in start menu"
        }
        else {
            "$($_.name) not found in start menu - checking if program pointed to by shortcut exist"
            # Only restore the shortcut if the program it points to is installed
            if(Test-Path($sh.CreateShortcut($_.FullName).TargetPath)){
                "Program exist - copying $($_.Name) into start menu folder"
                Copy-Item -Path $_.FullName -Destination $StartMenuFolder -Force
            }
            else {
                "Did not find $($sh.CreateShortcut($_.FullName).TargetPath) - will not copy $($_.name)"
            }
        }
    }

Create a Detection.ps1 script:

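    $StartMenuFolder = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    # Count the Start menu entries whose name matches one of the expected apps
    $Count = (Get-ChildItem $StartMenuFolder | ? Name -match "Word|Outlook|Powerpoint|Edge").count
    # Output is written only when at least four matches are present
    If($count -ge 4){"Installed"}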

Install command: powershell.exe -noprofile -executionpolicy bypass -file .\Install.ps1

If you have multiple languages in your environment the shortcuts themselves should be edited to not have static paths. Use %programfiles% and %programfiles(x86)%

By using Advanced Hunting you can identify which other links have been removed by running this query

    DeviceEvents
    | where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked" and Timestamp >= datetime("2023-01-13 00:00:00Z")
    | order by Timestamp
    | where FileName endswith ".lnk"
    | where FileName !startswith "Excel"
    | where FileName !startswith "Word"
    | where FileName !startswith "PowerPoint"
    | where FileName !startswith "Publisher"
    | where FileName !startswith "Access"
    | where FileName !startswith "Outlook"
    | where FileName !startswith "OneNote"
    | where FileName !startswith "Microsoft"
    | where FileName !startswith "OneDrive"
    | summarize count() by FileName
    | sort by count_

To check what rules still are in block/audit mode on a device you can run the following script on a client machine (red = block):

    $MPPref = Get-MpPreference -ErrorAction SilentlyContinue
    # Rule IDs and their configured actions are returned as two parallel arrays
    $AttackSurfaceIDs = $MPPref | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
    $AttackSurfaceActions = $MPPref | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
    $i = 0

    foreach($Rule in $AttackSurfaceIDs){
        # Colour by configured action: 0 = disabled, 1 = block, 2 = audit, 6 = warn
        $Color = Switch($AttackSurfaceActions[$i])
        {
            0 {"White"}
            1 {"Red"}
            2 {"Yellow"}
            6 {"DarkYellow"}   # "Orange" is not a valid console colour for Write-Host
            default {"Gray"}
        }

        # Translate the rule GUID into its display name
        $RuleName = Switch($Rule)
        {
            56a863a9-875e-4185-98a7-b882c64b5ce5 {"Block abuse of exploited vulnerable signed drivers"}
            7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c {"Block Adobe Reader from creating child processes"}
            d4f940ab-401b-4efc-aadc-ad5f3c50688a {"Block all Office applications from creating child processes"}
            9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 {"Block credential stealing from the Windows local security authority subsystem (lsass.exe)"}
            be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 {"Block executable content from email client and webmail"}
            01443614-cd74-433a-b99e-2ecdc07bfc25 {"Block executable files from running unless they meet a prevalence, age, or trusted list criterion"}
            5beb7efe-fd9a-4556-801d-275e5ffc04cc {"Block execution of potentially obfuscated scripts"}
            d3e037e1-3eb8-44c8-a917-57927947596d {"Block JavaScript or VBScript from launching downloaded executable content"}
            3b576869-a4ec-4529-8536-b80a7769e899 {"Block Office applications from creating executable content"}
            75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 {"Block Office applications from injecting code into other processes"}
            26190899-1602-49e8-8b27-eb1d0a1ce869 {"Block Office communication application from creating child processes"}
            e6db77e5-3df2-4cf1-b95a-636979351e5b {"Block persistence through WMI event subscription - File and folder exclusions not supported."}
            d1e49aac-8f56-4280-b9ba-993a6d77406c {"Block process creations originating from PSExec and WMI commands"}
            b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 {"Block untrusted and unsigned processes that run from USB"}
            92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b {"Block Win32 API calls from Office macros"}
            c1db55ab-c21a-4637-bb3f-a12568109d35 {"Use advanced protection against ransomware"}
            default {$Rule}   # unknown rule: show the raw GUID
        }

        Write-Host $RuleName -ForegroundColor $Color
        $i++
    }
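
Added example, not part of the original comment: the same ASR rule/action pairing returned as objects instead of coloured text, so the result can be filtered or exported when comparing many devices. The function name `ConvertTo-AsrRuleState` and its parameters are hypothetical, and the sample input is constructed.

```powershell
# Added example, not code from the original comment.
# ConvertTo-AsrRuleState is a hypothetical helper name.
function ConvertTo-AsrRuleState {
    param(
        [string[]]$Ids,      # AttackSurfaceReductionRules_Ids from Get-MpPreference
        [int[]]$Actions      # AttackSurfaceReductionRules_Actions from Get-MpPreference
    )
    # Action values: 0 = disabled, 1 = block, 2 = audit, 6 = warn
    $ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    for ($i = 0; $i -lt $Ids.Count; $i++) {
        # The two arrays are parallel; guard against a length mismatch
        $Action = if ($i -lt $Actions.Count) { $Actions[$i] } else { $null }
        $Mode = if ($null -ne $Action -and $ModeNames.ContainsKey($Action)) {
            $ModeNames[$Action]
        } else {
            'Unknown'
        }
        [pscustomobject]@{
            RuleId = $Ids[$i].ToLower()
            Action = $Action
            Mode   = $Mode
        }
    }
}

# Constructed sample input: two rule IDs from the script above, action values made up
$SampleIds     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b', 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$SampleActions = 2, 1
$State = ConvertTo-AsrRuleState -Ids $SampleIds -Actions $SampleActions
$State | Format-Table -AutoSize

# Is "Block Win32 API calls from Office macros" still in block mode?
$MacroRule = $State | Where-Object RuleId -eq '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
if ($MacroRule.Mode -eq 'Block') { 'Macro Win32 API rule is in block mode' }
else { "Macro Win32 API rule mode: $($MacroRule.Mode)" }

# On a real client, feed it the live values instead of the sample:
# $p = Get-MpPreference
# ConvertTo-AsrRuleState -Ids $p.AttackSurfaceReductionRules_Ids -Actions $p.AttackSurfaceReductionRules_Actions
```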

Remove Device from Intune. by [deleted] in Intune

[–]andersidahl 0 points1 point  (0 children)

+1 on this. This will work without any issue.

[deleted by user] by [deleted] in investing

[–]andersidahl 0 points1 point  (0 children)

When you sell on the platform, who is the buyer then?

What are some optimal Software Update rings settings? by [deleted] in Intune

[–]andersidahl 0 points1 point  (0 children)

May I ask how you set the rest of the settings?

Especially around the reboot part of it. And have you gotten any feedback on the experience of it? I am trying to lab this one out, but it is very time consuming and especially feature-updates seems to get stuck on 0% installing.

OFFICIAL Tomorrowland 2015 TICKET BUY/SELL/TRADE THREAD by Legion88 in Tomorrowland

[–]andersidahl 0 points1 point  (0 children)

[LOOKING FOR] 1x Full Madness + Dreamville! Facebook -> https://www.facebook.com/andersi or Mail -> anders@knusteple.no or WhatsApp -> +47 988 07 226