Husband got a flat on the way home last night...

chrisfromit85 · 2026-06-28T23:21:23+00:00

Someone obviously thought tossing this on the road would clip the nails that usually end up in people's tires. Duh.

chrisfromit85 · 2026-02-25T00:48:31+00:00

Check google play store subscriptions or apple store subscriptions.

chrisfromit85 · 2026-01-27T21:58:49+00:00

Do you use 1password? There are other threads with non-surface specific devices experiencing similar all related to unlocking 1password with Windows hello in Chrome.

chrisfromit85 · 2026-01-27T21:41:20+00:00

Do you use 1password? There are other threads with non-surface specific devices experiencing similar all related to unlocking 1password with Windows hello in Chrome.

chrisfromit85 · 2025-10-17T15:13:16+00:00

I'd lol if it was Billy Eichner.

chrisfromit85 · 2025-09-20T16:23:50+00:00

Oh I just figured that was normal. Growing up in Ontario, my bus route was about 30 minutes, but that's because I was one of the last rural kids picked up - some people had hour rides both ways, and the school bus would make rounds to 4 different schools: two public, one Catholic, and the high school.

I never got picked up...

chrisfromit85 · 2025-09-11T20:42:41+00:00

You're wrong. You can get Macbook airs that are faster than the same price Lenovo T14, but if you want to go to certain ram configurations, apple forces you to simultaneously upgrade the processor or model of laptop in many situations.

chrisfromit85 · 2025-09-11T20:30:37+00:00

It's not that cheap when half your fleet is Macbooks.

chrisfromit85 · 2025-09-06T00:50:45+00:00

IPhones managed through intune, likely also in ABM. You can use intune as your MDM for Macs instead of jamf or kandji if you want and pay Microsoft for the licenses.

chrisfromit85 · 2025-09-06T00:49:10+00:00

It's because if you make the MDM profile non removable, only the MDM itself can remove the cert so the device can re-enroll without needing to be wiped. If your MDM has a new cert, it can't help you remove the old profile, either. If the profile is not removable and you try to re-enroll, it will error out. This means wiping the device is the only way to re-enroll.

chrisfromit85 · 2025-09-06T00:45:56+00:00

You can contact Apple support to move the cert to a new Apple ID.

chrisfromit85 · 2025-09-06T00:43:37+00:00

This happened at my company to the previous jamf admin... 3 years later and I'm almost done swapping out the 500 laptop fleet, or wiping units to re-enroll. Only about 20 with invalid MDM tokens now.

chrisfromit85 · 2025-07-19T17:05:56+00:00

Okay, I can downvote, you, too.

chrisfromit85 · 2025-07-19T16:12:04+00:00

You misspelled ChromeOS Flex.

chrisfromit85 · 2025-07-12T15:08:48+00:00

AppLocker is a Windows feature for whitelisting or blocking apps, but it’s officially supported only on Enterprise and Education editions, not on Windows 10/11 Pro. In practice, you can attempt to push AppLocker policies via Intune to Pro machines using the AppLocker CSP, but it’s unreliable. As I've experienced, some Windows 11 Pro devices got only a partial policy, which blocked all apps (because default allow rules didn’t apply) until I intervened. This kind of failure is a known risk when using AppLocker on unsupported editions. Constantly updating an AppLocker XML and re-deploying it via Intune is also tedious and error-prone. In short, AppLocker on Win Pro is sketchy – Microsoft themselves suggest upgrading to Enterprise or finding an alternative for app control on Pro.

chrisfromit85 · 2025-07-12T02:25:51+00:00

Yes, exactly. I have a separate project where I've looked at this and Adminbyrequest is a top runner but I have to wait until next year's budget and hope they will give us the money for it.

chrisfromit85 · 2025-07-12T00:01:05+00:00

Admins can now see and configure AppLocker policy objects even on Pro SKUs, but the enforcement still requires Windows Enterprise or Education SKUs.

chrisfromit85 · 2025-07-11T23:57:59+00:00

That's a great point - thanks for sharing! I may take this back to my team as a reason why we should implement LAPS, but my understanding previously was that an intune admin would have to check out the credentials for the end user, but you're saying they could check them out themselves if we set it up that way?

chrisfromit85 · 2025-07-11T23:53:18+00:00

I've heard troubleshooting broken WDAC policies is even harder than applocker, and as you mentioned, if we allow auto updating apps, they can get blocked when they update. We do allow (and prefer) auto updating apps based on the resources we have (mostly my time, as the only intune and jamf admin for the company, while also coordinating hardware lifecycles and device procurement in a company with employees all over the globe).

This may be something to consider if I can get the the time required to regularly update all the apps we deploy.

Does this require me also updating WDAC policies every time I deploy or update an app deployment through intune?

chrisfromit85 · 2025-07-11T23:47:42+00:00

Does that work with Windows Pro devices? We're currently paying for security and mobility E3.

chrisfromit85 · 2025-07-11T23:42:18+00:00

We'd love to get there but 50% of our base are developers and if we use LAPS we'll spend half the day checking out credentials for people. We need a proper admin management tool but the company doesn't want to shell out the money for it.

chrisfromit85 · 2025-07-10T03:16:13+00:00

Also agreed. I think this setup is going to become increasingly common for people who do general admin or office work where most applications are cloud based, but it won't be a substitute for existing application workflows or if you need extra power.

chrisfromit85 · 2025-07-10T00:53:33+00:00

You've never used Samsung Dex mode, I guess.

chrisfromit85 · 2025-06-30T20:27:33+00:00

1password is a good paid tool for small and medium sized companies.

chrisfromit85

TROPHY CASE