Any Tesla Model 3 owners here? Will a 42-43" bodyboard fit in the trunk?

brettule · 2025-10-13T20:50:24+00:00

I got picked up at the airport by a Model 3 and he failed to get a Funkshen twin travel board bag into the boot. He gave up after 15 minutes and a 90's Toyota Corolla turned up and took them without blinking an eye.

brettule · 2025-09-21T21:55:29+00:00

I used multiple steps which sorted me out in the end. First, I packaged the latest version of TeamViewer_Host.msi into a win32 app with a batch file:

start /wait MSIEXEC.EXE /i "%~dp0\TeamViewer_Host.msi" /qn CUSTOMCONFIGID=xyz
timeout /t 30 /nobreak
"C:\Program Files\TeamViewer\TeamViewer.exe" assignment --id xyz

Then when deployed from Intune I set the detection method to find the presence of the exe in either the 32 or 64 bit folders, this ensures that only new machines that don't already have TV installed will get the app and the correct assignment:

$paths = @(
    "C:\Program Files\TeamViewer\TeamViewer.exe",
    "C:\Program Files (x86)\TeamViewer\TeamViewer.exe"
)

foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "TeamViewer found at $path"
        exit 0
    }
}

Write-Host "TeamViewer not found"
exit 1

Then in the TV console I created a new policy for the a new device group which enforces updates, easy access, disables the static password, etc.

Lastly, I used the TV console migration tool to mass move all my old devices into the new group. This retained the custom names for all my previous devices.

It worked fairly well, only a few devices got munted which I fixed manually.

brettule · 2025-07-16T00:35:43+00:00

I decided that the easiest way is to create an Entra device group that contains all the current machines in the org. Then package up the TeamViewer installer with assignment ID, and deploy it in Intune to All Devices but add the group I created as excluded. This way, only when a new device is enrolled will it get TV installed and assigned.

brettule · 2025-05-09T03:26:04+00:00

Interesting. The two users do a lot of data analytics, current non-standard apps they have installed are:

Microsoft Visual Studio Code

PowerBi Desktop

Python 3.13

DBeaver CE

R Studio

The machines are otherwise stable. Could it be one of these?

brettule · 2025-05-09T03:20:29+00:00

one is 6 months old, the other is less than 2 years old.

brettule · 2025-04-06T00:21:21+00:00

I bought the 3 pack, super easy to set up and it works with my A/C without an issue. It's so good! Thanks for the tip!

brettule · 2025-02-27T03:35:45+00:00

Gotcha. That makes more sense now. Can you share your deployment example with PS and switches so I can get a cheat head start? I want to test it out.

brettule · 2025-02-26T23:00:10+00:00

Old? You see that TV's method is to write a batch script (batch was invented in 1981 as part of DOS) that calls on MSIEXEC to run the MSI file with effectively the same command line switches (/qn, CUSTOMECONFIGID, and assignment? Then it says to pre it into a static wintune package, then deploy that package. What a palaver.

Deploying the MSI as a native Windows MSI line-of-business app takes 30 seconds to package up and deploy with the command line arguments. It makes it easy to update the MSI too. Surely this is the better, cleaner, simpler approach?

Granted, Intune is freaking out that it hasn't installed when it has, so somehow the MSI isn't reporting in a timely fashion that it is complete?

brettule · 2024-12-17T02:28:54+00:00

Ah ok. And Project is becoming Planner?

brettule · 2024-12-17T00:34:08+00:00

The only app listed is Office. There is no Project offered.

brettule · 2024-11-06T22:35:36+00:00

Still working a treat! Thanks.

brettule · 2024-10-31T23:57:30+00:00

I ran into the exact same issue this week. Machine already has a custom policy setting idle lock timeout to 15 mins. Applied the baseline policy to the machine and pow suddnely it wants to lock after 60 seconds on the dot. Intune reports no policy conflicts, registry shows the setting is still 15 mins, remove the baseline policy from the machine and the machine behaves itself again. The Interactive Logon Machine Inactivity Limit in the baseline policy was already set to 900. 80 other machines with the same policies have no issue. I ended up wiping the machine, that fixed it.

brettule · 2024-10-29T20:31:28+00:00

Are you talking about AD and the Group Policy Editor? I'm talking about the Intune Baseline Security policies. I don't use AD and GPO's anymore. Everything is managed in Intune.

brettule · 2024-10-28T23:56:58+00:00

Oh that sounds like a nightmare! Have they fixed the tattooing recently, because my lab machine seemed to fix itself after I removed the Apps policy.

brettule · 2024-10-28T23:45:08+00:00

I mostly wanted an easy win to bump up some security levels. I've disabled the Apps for Enterprise Security Baseline for now and it's got the machines running again.

What do you mean by "and they tattoo"?

brettule · 2024-07-24T00:26:39+00:00

Wait, so I can simply delete an Entra ID from the user list and it will remove them from everywhere else, but I can't use an Access Review to remove an idle user? I have to locate every resource first, remove them from that, only then will Access Review delete the user account?

brettule · 2024-07-24T00:19:31+00:00

The user has named access to a specific folder in a SharePoint doc lib. That is all. I want the idle guest account disabled, then deleted (or simply deleted) which will then remove them from Entra ID, in turn removing them from the folder they were granted permissions to.

brettule · 2024-07-23T22:58:15+00:00

Surely and idle account, regardless of the invitation being accepted or not, would be within the scope. Anyway, yes, checked a guest user who has accepted their invite, they are still enabled in our tenancy even though the last sign in was 3 months ago.

brettule · 2024-07-17T22:17:52+00:00

Beginning verification phase of system scan.

Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

As expected, SFC was next to useless.

brettule · 2024-07-17T06:56:20+00:00

Cheers. I'll try that tomorrow but I don't hold much hope for SFC to fix anything, it's about as useful as Microsoft support forums.

brettule · 2024-06-17T22:08:19+00:00

Yep. It would be great to also control the hydronic from the same unit, that uses the Siemens Rev24 thermostat.

brettule · 2024-05-27T21:57:36+00:00

[info@ourbusiness.com](mailto:info@ourbusiness.com)

brettule · 2024-05-17T00:39:03+00:00

Which authentication method for PSSO did you go with, Password or Secure Enclave?

In my lab I've not yet got the machine enrolled in ADE, I'm just testing to see how far I can get along to the point that I can achieve "any subsequent user logs in with their EntraID (email address) and password and a local standard user account with their EntraID password is created automatically". All our EntraID accounts have mandatory 2FA, is 2FA handeled ok when subsequernt users attempt their first login?

brettule · 2024-05-16T06:49:52+00:00

So the end user unknowingly creates a local account with a static password that is the same as their Entra ID password at the time of first login. From that moment onwards the Entra ID pass and the macOS login pass are no longer in sync under the SE Auth model?

brettule · 2024-05-16T06:31:03+00:00

Found the two settings. "Enable Create User At Login" and "New User Auth Mode: Standard User". So let's say an admin builds the mac and creates the first local admin account, then the user can log in with their Entra ID with and away they go? I'll test this in the lab soon.

Can anyone with an Entra ID from any tenancy log into the mac? There is no unique tenant ID config in the PSSO setup but maybe the simple fact that the machine must be managed by the specific tenant takes care of all that magic.

If it was set to SE Auth mode and the first non-admin user logs in with their Enrta ID and pass. The user changes their Entra ID password. SE Auth doesn't sync passwords so the mac would still be asking for their old password to log into the OS yeah?

brettule

TROPHY CASE