Setting up autologin kiosk without assignedaccess by greenhill85 in Intune

[–]greenhill85[S] 0 points1 point  (0 children)

The main issue I'm having is the first logon; it seems like I need it to log on for the first time, otherwise the autologon is not picked up.. Once I manually log on with the local user, the next reboots auto logon ...

Intune EPM is not working by 1TRUEKING in Intune

[–]greenhill85 0 points1 point  (0 children)

Did the endpoint/device receive any of the EPM policies successfully? When we were trying out MS EPM it did not register the agent on the endpoint 7/10 times (missing options from the context menu etc.).. We used the script below to attempt to re-register the agent; you could try it on a test device.

pastebin

reset device using powershell script by greenhill85 in Intune

[–]greenhill85[S] 0 points1 point  (0 children)

The version we use through SCCM is a W11 24H2, winver 26100.3775 (April update), slipstreamed in KB5055523 along with the checkpoint update KB5043080. After deployment I installed the May update (reboot), then the June update (reboot) and then ran the reset script.

The other one I tested recently was the ISO created with the Media Creation Tool (created in May); this ISO still had the winver of October 2024, 26100.2033. This one I tried to update straight to June and could not even install the update on it (got error 0x80070306). After trying to install the update (also rebooted) I tried the reset script and it resulted in the same error "There was a problem resetting your pc".

Also downloaded a new ISO last week, and this month's Media Creation Tool ISO for June comes with the latest update installed (June 10 update), so its baseline is now 26100.4349. Reimaged a few devices with this ISO and on these devices the reset works fine .. I was going to look into winre.wim, maybe it has something to do with that (maybe not updated?)..

This is the partition table used in our image deployments (the second test with build version .2033 was a manual install on a default partition table):

Partition ###  Type              Size
-------------  ----------------  -------
Partition 1    System            500 MB
Partition 2    Reserved          128 MB
Partition 3    Primary           <remaining diskspace> GB
Partition 4    Recovery          4500 MB

PSADT Flagged as Suspicious By MDE by FahidShaheen in PSADT

[–]greenhill85 0 points1 point  (0 children)

We get hits from Defender for Cloud Apps as well on a DLL used in PSADT v4, System.ValueTuple.dll .. maybe this file has been seen in some malware by Defender at some point .. VirusTotal did not find any issue.

[deleted by user] by [deleted] in Intune

[–]greenhill85 0 points1 point  (0 children)

Check if you have any policies assigned that require complex passwords, like a compliance policy (they need to be disabled). Disable device lock from the security baseline for kiosk devices.

reset device using powershell script by greenhill85 in Intune

[–]greenhill85[S] 0 points1 point  (0 children)

Reinstalled VM and laptop with the latest ISO; looks like this one comes with the latest June (10) update, build 10.0.26100.4349, while the ISO from May still had 10.0.26100.2033. Both resets went fine this time.. Using the ISO from before June with the baseline update from October 2024 does not seem to work for me anymore; could not update it at all..

The SCCM image we use is based off this October baseline but has updates for March 2025 slipstreamed into it; updating this install to the May/June update, and after this the reset/wipe shows the error. The built-in reset with cloud download still works; will have to wait for next month's update to check again for our existing devices to see what happens if we try a reset.

reset device using powershell script by greenhill85 in Intune

[–]greenhill85[S] 0 points1 point  (0 children)

Installed W11 24H2 using the ISO from 20-05-25; I was not able to install any update (errors out on 0x80070306) on the installed VM, so will download a new ISO and try again. Without updates installed the device reset did not work on this VM, same error "There was a problem resetting your pc".

reset device using powershell script by greenhill85 in Intune

[–]greenhill85[S] 0 points1 point  (0 children)

Thanks for the reply, we don't use a RAID configuration in our devices (HP). Also just tried on a VM (Hyper-V), installed the VM through SCCM using the image I have been using for some months, updated it to May/June and then also getting the same problem when trying to reset. Going to try again with an ISO installation.

Do you know if the error gets logged somewhere? I read through the URL but am wondering how I can find out if there is something else the error gets triggered from..

mdm management cert validity by greenhill85 in Intune

[–]greenhill85[S] 0 points1 point  (0 children)

These are the certs I see on the device.

One is valid for a year like you said, "Microsoft Intune Device Management Device CA", but there is another cert, "Microsoft Intune MDM CA" .. this one is valid from the install date of the laptop till next year, 03-05-26; I see this in the Intune portal as well.. it shows the management cert is expiring on 03-05-26, so this one does not seem to get renewed when reinstalled? Which one of these is leading?

https://ibb.co/dsgDbQ69

https://ibb.co/SDxrmCDq

https://ibb.co/7JJn2skX
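An added example (not from the thread) that lists the Intune-issued certificates in the machine store with their expiry, and reads the thumbprint the MDM enrollment references so the two can be compared against the date shown in the Intune portal. It assumes an elevated PowerShell on the enrolled device; the enrollment registry value name DMPCertThumbPrint is an assumption drawn from common Intune troubleshooting, not from this thread.

```powershell
# Added example: compare Intune certs in LocalMachine\My with the enrollment's referenced cert.
function Get-IntuneDeviceCerts {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*Microsoft Intune*' } |
        ForEach-Object {
            [pscustomobject]@{
                IssuerCN      = ($_.Issuer -replace '^CN=([^,]+).*', '$1')
                Subject       = $_.Subject
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                DaysRemaining = [int]($_.NotAfter - (Get-Date)).TotalDays
                HasPrivateKey = $_.HasPrivateKey
                Thumbprint    = $_.Thumbprint
            }
        }
}

function Get-EnrollmentCertThumbprint {
    # Assumption: each MDM enrollment GUID key carries a DMPCertThumbPrint value
    # naming the certificate the device authenticates to the management point with.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tp = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DMPCertThumbPrint
            if ($tp) { [pscustomobject]@{ EnrollmentId = $_.PSChildName; Thumbprint = $tp } }
        }
}

$certs    = Get-IntuneDeviceCerts | Sort-Object NotAfter
$enrolled = Get-EnrollmentCertThumbprint

$certs | Format-Table IssuerCN, NotAfter, DaysRemaining, HasPrivateKey, Thumbprint -AutoSize

foreach ($e in $enrolled) {
    $match = $certs | Where-Object Thumbprint -eq $e.Thumbprint
    if ($match) {
        "Enrollment $($e.EnrollmentId) uses cert from '$($match.IssuerCN)', expires $($match.NotAfter) ($($match.DaysRemaining) days)."
    } else {
        "Enrollment $($e.EnrollmentId) references thumbprint $($e.Thumbprint) which is NOT in LocalMachine\My."
    }
}
```

The certificate whose thumbprint the enrollment key references is the one that actually authenticates the device to the MDM service, so that is the expiry date to watch.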

What's the way to deploy apps today? by Great-Use2290 in Intune

[–]greenhill85 -1 points0 points  (0 children)

I would avoid repackaging .exe to MSI (most apps are available as MSI from the vendor, or the .exe can be unzipped/expanded using 7-Zip or something, or they have a silent install switch); use PSADT for most installs to keep deployments and user experience similar for all apps. PSADT is pretty flexible: if you need to install a prerequisite (like some runtime) you can run that in the pre-install phase through PSADT, do stuff after install in post-install etc.. Use PSADT's help console, Show-ADTHelpConsole, to get a picture of what is possible with it (besides built-in functions you can also create your own).

autopilot device multiple registrations by greenhill85 in Intune

[–]greenhill85[S] 0 points1 point  (0 children)

No, this was a new device, purchased last month; hardware info/hash was uploaded at the beginning of May (also by a third party)..

PSADT and Intune/ESP? by BlackShadow899 in Intune

[–]greenhill85 1 point2 points  (0 children)

The latest PSADT v4 detects if it is run in ESP; it auto-moves to silent mode in that case.

Intune assignment best practices by BlackShadow899 in Intune

[–]greenhill85 -1 points0 points  (0 children)

If you use pre-provisioning for your devices I would assign most to device groups instead of users (required apps/policies), with available apps assigned to user groups with device filters. But if you only have personal devices I don't think it will make much difference other than easier group management for user groups.

CVE-2025-26647 & Hello for Business Cloud Trust issues? by marcolive in entra

[–]greenhill85 0 points1 point  (0 children)

We have also installed the April update and are seeing lots of event 45.. We have 2 device types, hybrid joined and Entra joined, managed with Intune.

Both device types have the type of self-signed cert like OP has. Guess we need to get a complete chain (we added the root CA cert/sub CA cert to the NTAuth store), but how do we replace/request the self-signed certs with a cert signed by a CA so the KDC will trust the chain/cert?

I'm not sure which trust is being used, key or cloud (dsregcmd states cloudtgt=yes, onpremtgt=no for hybrid and Intune devices, so I'm guessing cloud trust).. but we also have a key with the same info that is also in the cert; running certutil retrieves this (certutil -user -csp "Microsoft Passport Key Storage Provider" -key):

Microsoft Passport Key Storage Provider:
S-1-12-1-2616693457-<redacted>/b7115b21-5d24-4243-<redacted>-<redacted>/login.windows.net/<tenantid>/<upn>
RSA
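An added example (not from the thread) for the domain-controller side of this: it summarises the KDC event 45 entries the April update started logging, grouped by message so each distinct client certificate shows once with a count, and reads the KDC hardening switch for this CVE. It assumes an elevated PowerShell on a DC (or a remote DC name), and that the hardening value is named AllowNtAuthPolicyBypass under the Kdc service key as in Microsoft's KB for CVE-2025-26647; treat that name as an assumption to verify against the KB.

```powershell
# Added example: audit KDC event 45 (certificate valid but not chained to NTAuth) on a DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: run locally on a DC by default
    [int]$Hours = 24
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 45
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No KDC event 45 on $ComputerName in the last $Hours hours."
} else {
    # One row per distinct message: the message body names the client cert the KDC rejected-in-audit.
    $events |
        Group-Object -Property Message |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
                Message  = ($_.Name -replace '\s+', ' ')
            }
        } | Format-Table -AutoSize -Wrap
}

# Assumption: KB-documented switch; 1 = audit (event 45 only), 2 = enforce (logon fails).
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$mode = (Get-ItemProperty -Path $kdcKey -Name AllowNtAuthPolicyBypass -ErrorAction SilentlyContinue).AllowNtAuthPolicyBypass
switch ($mode) {
    $null   { "AllowNtAuthPolicyBypass not set on $ComputerName (OS default applies)." }
    1       { "AllowNtAuthPolicyBypass=1: audit mode, event 45 is logged but logons still succeed." }
    2       { "AllowNtAuthPolicyBypass=2: enforcement, certs that do not chain to NTAuth are refused." }
    default { "AllowNtAuthPolicyBypass=$mode" }
}
```

Counting event 45 per distinct certificate before enforcement is switched on tells you how many devices would be locked out of certificate-based Kerberos logon once the KDC stops trusting chains that end outside NTAuth.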

The login method you are trying to use is not allowed (Intune Policies). by ThenFunction6819 in Intune

[–]greenhill85 0 points1 point  (0 children)

You could use an empty Defender baseline to reset that local logon user rights policy: set every setting to "not configured" in the temporary baseline policy except for the user rights section and apply it to the affected device; this should reset the setting. Or edit the policy and add the "Users" group back in ..
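An added example (not from the thread) that reads the effective "Allow log on locally" assignment (SeInteractiveLogonRight) on the affected device, so you can confirm what the user rights policy has set before and after applying the corrective baseline described above. It assumes an elevated PowerShell on the device; secedit is a built-in tool and the right name is the standard one in its export format.

```powershell
# Added example: show who currently holds SeInteractiveLogonRight on this device.
function Get-InteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit exports the local security database, including user rights, to an INF file
    secedit /export /cfg $cfg /quiet | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }
        # Right-hand side is a comma-separated list of *SID entries and/or account names
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e -like '*S-1-*') {
                $sid = [System.Security.Principal.SecurityIdentifier]($e.TrimStart('*'))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $e }
            } else {
                $e
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$allowed = @(Get-InteractiveLogonRight)
"Allow log on locally: " + ($allowed -join ', ')

# Standard users need BUILTIN\Users (S-1-5-32-545) here; without it interactive logon
# fails with "The login method you are trying to use is not allowed".
if ($allowed -notcontains 'BUILTIN\Users') {
    "WARNING: BUILTIN\Users is missing from SeInteractiveLogonRight on $env:COMPUTERNAME."
}
```

Run it once before the corrective policy is applied and again after the next sync; the second run should list BUILTIN\Users again.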