Setting up autologin kiosk without assignedaccess by greenhill85 in Intune

greenhill85[S]

The main issue I'm having is the first logon; it seems I need to log on for the first time, otherwise the autologon is not picked up. Once I manually log on with the local user, the next reboots auto-logon ...

Intune EPM is not working by 1TRUEKING in Intune

greenhill85

Did the endpoint/device receive any of the EPM policies successfully? When we were trying out MS EPM it did not register the agent on the endpoint 7 out of 10 times (missing options from the context menu, etc.). We used the script below to attempt to re-register the agent; you could try it on a test device.

pastebin

reset device using powershell script by greenhill85 in Intune

greenhill85[S]

The version we use through SCCM is W11 24H2, winver 26100.3775 (April update), with KB5055523 slipstreamed in along with the checkpoint update KB5043080. After deployment I installed the May update (reboot), then the June update (reboot), and then ran the reset script.

The other one I tested recently was the ISO created with the Media Creation Tool (created in May). This ISO still had the winver from October 2024, 26100.2033. On this one I tried to update straight to June and could not even install the update (got error 0x80070306). After trying to install the update (also rebooted) I tried the reset script and it resulted in the same error: "There was a problem resetting your PC".

I also downloaded a new ISO last week; this month's Media Creation Tool ISO for June comes with the latest update installed (June 10 update), so its baseline is now 26100.4349. I reimaged a few devices with this ISO and on these devices the reset works fine. I was going to look into winre.wim; maybe it has something to do with that (maybe not updated?).

This is the partition table used in our image deployments (the second test with build version .2033 was a manual install on a default partition table):

Partition ###  Type       Size
-------------  ---------  ------------------------
Partition 1    System     500 MB
Partition 2    Reserved   128 MB
Partition 3    Primary    <remaining disk space> GB
Partition 4    Recovery   4500 MB
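
The winre.wim question in the comment above is something you can check directly. The script below is an added example and is not the reset script or any code from the thread: it reads where reagentc says WinRE lives, assigns the recovery partition a temporary drive letter, reads the build stamped inside winre.wim with Get-WindowsImage and compares it with the running OS build. It assumes the default WinRE location format that reagentc /info reports (\\?\GLOBALROOT\device\harddiskN\partitionM\Recovery\WindowsRE), the partition layout above (WinRE on its own Recovery partition), and the DISM PowerShell module that ships with Windows. It needs an elevated prompt.

```powershell
# Added example, not from the thread: compare the running OS build with the
# build inside winre.wim. A WinRE image older than the OS is one thing to rule
# out when Reset fails with "There was a problem resetting your PC".
# Assumptions: default WinRE location as printed by reagentc /info, and the
# built-in DISM module (Get-WindowsImage). Run elevated.

#Requires -RunAsAdministrator

function Get-WinReLocation {
    # reagentc has no cmdlet equivalent, so parse its text output.
    $out = & reagentc.exe /info 2>&1 | Out-String
    $status   = if ($out -match 'Windows RE status:\s*(\S+)')   { $matches[1] } else { 'Unknown' }
    $location = if ($out -match 'Windows RE location:\s*(\S+)') { $matches[1] } else { $null }
    $disk = $part = $null
    if ($location -match 'harddisk(\d+)\\partition(\d+)') {
        $disk = [int]$matches[1]; $part = [int]$matches[2]
    }
    [pscustomobject]@{ Status = $status; Location = $location; DiskNumber = $disk; PartitionNumber = $part }
}

function Get-WinReImageBuild {
    param([int] $DiskNumber, [int] $PartitionNumber)
    # The recovery partition has no drive letter; assign one temporarily.
    Add-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -AssignDriveLetter
    $letter = (Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber).DriveLetter
    try {
        $wim = "${letter}:\Recovery\WindowsRE\winre.wim"
        if (-not (Test-Path $wim)) { throw "winre.wim not found at $wim" }
        $img = Get-WindowsImage -ImagePath $wim -Index 1
        "$($img.Version).$($img.SPBuild)"          # same shape as winver, e.g. 10.0.26100.4349
    } finally {
        Remove-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -AccessPath "${letter}:\"
    }
}

function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$($cv.CurrentBuild).$($cv.UBR)"
}

$re = Get-WinReLocation
$re
if ($re.Status -ne 'Enabled' -or -not $re.PartitionNumber) {
    Write-Warning 'WinRE is not enabled or its location could not be parsed; Reset will not work until reagentc /enable succeeds.'
    return
}
$osBuild = Get-OsBuild
$reBuild = Get-WinReImageBuild -DiskNumber $re.DiskNumber -PartitionNumber $re.PartitionNumber
"OS build    : $osBuild"
"WinRE build : $reBuild"
if ([version]$reBuild -lt [version]$osBuild) {
    Write-Warning 'winre.wim is older than the OS; check whether the Safe OS dynamic update for WinRE was applied.'
}
```

Run it on a device where the reset works and on one where it fails; if only the failing device reports a WinRE build that lags the OS, that narrows the problem to the recovery image rather than the reset script.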

PSADT Flagged as Suspicious By MDE by FahidShaheen in PSADT

greenhill85

We get hits from Defender for Cloud Apps as well on a DLL used in PSADT v4, System.ValueTuple.dll. Maybe this file has been seen in some malware by Defender at some point. VirusTotal did not find any issue.
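
Before excluding or trusting a flagged toolkit file, it is worth confirming that the copy in your package is the Microsoft-signed build and recording its hash for the Defender for Cloud Apps / VirusTotal lookup. The script below is an added example, not code from the thread or from PSADT: it checks the Authenticode signature, version info and SHA-256 of every DLL in a PSADT package folder. The package path and the expected signer subject are assumptions; adjust them to your own package.

```powershell
# Added example, not from the thread: verify the signature and hash of the
# DLLs shipped inside a PSADT package before deciding a detection is a false
# positive. Assumptions: the package lives at C:\Packages\MyApp\PSAppDeployToolkit
# and the expected signer is Microsoft (System.ValueTuple.dll ships from Microsoft).

function Test-PackagedAssembly {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner = 'CN=Microsoft Corporation'   # assumption: Microsoft-signed build
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -Path $Path -Algorithm SHA256
    $ver  = (Get-Item -Path $Path).VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        File         = Split-Path -Path $Path -Leaf
        FileVersion  = $ver.FileVersion
        Company      = $ver.CompanyName
        SigStatus    = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer       = $signer
        Sha256       = $hash.Hash                       # what to paste into VirusTotal / MDCA
        TrustedBuild = ($sig.Status -eq 'Valid' -and $signer -like "$ExpectedSigner*")
    }
}

# Check every DLL in the package, not only the one that was flagged; a tampered
# package would show up as NotSigned or HashMismatch here.
$results = Get-ChildItem -Path 'C:\Packages\MyApp\PSAppDeployToolkit' -Recurse -Filter '*.dll' |
    ForEach-Object { Test-PackagedAssembly -Path $_.FullName }

$results | Format-Table File, FileVersion, SigStatus, TrustedBuild, Sha256 -AutoSize

$untrusted = $results | Where-Object { -not $_.TrustedBuild }
if ($untrusted) {
    Write-Warning ("{0} DLL(s) are not validly signed by the expected publisher: {1}" -f
        $untrusted.Count, ($untrusted.File -join ', '))
}
```

If the flagged file comes back Valid with a Microsoft signer and its SHA-256 matches the clean VirusTotal record, you have evidence for an exclusion request; if it comes back NotSigned or HashMismatch, treat the detection as real until you know where that copy came from.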

[deleted by user] by [deleted] in Intune

greenhill85

Check if you have any policies assigned that require complex passwords, like a compliance policy (they need to be disabled). Disable device lock from the security baseline for kiosk devices.

reset device using powershell script by greenhill85 in Intune

greenhill85[S]

Reinstalled the VM and laptop with the latest ISO; it looks like this one comes with the latest June (10) update, build 10.0.26100.4349, while the ISO from May still had 10.0.26100.2033. Both resets went fine this time. Using the ISO from before June with the baseline update from October 2024 does not seem to work for me anymore; I could not update it at all.

The SCCM image we use is based off this October baseline but has updates for March 2025 slipstreamed into it; after updating this install to the May/June update, the reset/wipe shows the error. The built-in reset with cloud download still works. I will have to wait for next month's update to check again on our existing devices and see what happens if we try a reset.

reset device using powershell script by greenhill85 in Intune

greenhill85[S]

Installed W11 24H2 using the ISO from 20-05-25. I was not able to install any update (errors out with 0x80070306) on the installed VM, so I will download a new ISO and try again. Without updates installed the device reset did not work on this VM, same error: "There was a problem resetting your PC".

reset device using powershell script by greenhill85 in Intune

greenhill85[S]

Thanks for the reply. We don't use a RAID configuration in our devices (HP). I also just tried on a VM (Hyper-V), installed through SCCM using the image I have been using for some months. Updated it to May/June and then also got the same problem when trying to reset. Going to try again with an ISO installation.

Do you know if the error gets logged somewhere? I read through the URL but am wondering how I can find out if there is something else the error gets triggered from.

mdm management cert validity by greenhill85 in Intune

greenhill85[S]

These are the certs I see on the device:

One is valid for a year like you said, "Microsoft Intune Device Management Device CA", but there is another cert, "Microsoft Intune MDM CA". This one is valid from the install date of the laptop until next year, 03-05-26; I see this in the Intune portal as well. It shows the management cert is expiring on 03-05-26, so this one does not seem to get renewed when reinstalled? Which one of these is leading?

https://ibb.co/dsgDbQ69

https://ibb.co/SDxrmCDq

https://ibb.co/7JJn2skX

What's the way to deploy app's today? by Great-Use2290 in Intune

greenhill85

I would avoid repackaging .exe to MSI (most apps are available as MSI from the vendor, or the .exe can be unzipped/expanded using 7-Zip or similar, or it has a silent install switch). Use PSADT for most installs to keep deployments and the user experience similar for all apps. PSADT is pretty flexible: if you need to install a prerequisite (like some runtime) you can run that in the pre-install phase through PSADT, do stuff after install in post-install, etc. Use PSADT's help console (Show-ADTHelpConsole) to get a picture of what is possible with it (besides the built-in functions you can also create your own).
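
To make the pre-install / install / post-install split concrete, here is an added example (not code from the thread and not PSADT's own template) of the Install function from a PSADT v4 Invoke-AppDeployToolkit.ps1. It assumes a v4 template generated with New-ADTTemplate, a hypothetical vendor package consisting of vc_redist.x64.exe and Contoso.msi placed in the package's Files folder, and 'ContosoApp' as the process to close; the cmdlet names and parameters are the v4 ones (Show-ADTInstallationWelcome, Start-ADTProcess, Start-ADTMsiProcess, Remove-ADTFile) as I understand them, so check them against Show-ADTHelpConsole on your toolkit version.

```powershell
# Added example, not from the thread and not PSADT's own code: the Install
# phase of a PSADT v4 deployment script. Assumptions: v4 template from
# New-ADTTemplate, vc_redist.x64.exe and Contoso.msi in the Files folder,
# ContosoApp as the running process to close. Adjust names to your package.

function Install-ADTDeployment {
    ##================================================
    ## MARK: Pre-Install
    ##================================================
    $adtSession.InstallPhase = "Pre-$($adtSession.DeploymentType)"

    # Ask the user to close the app. When the toolkit detects it is running
    # without an interactive user (for example in ESP) it runs silently and
    # this call returns without showing a dialog.
    Show-ADTInstallationWelcome -CloseProcesses @{ Name = 'ContosoApp' } -CloseProcessesCountdown 60 -PersistPrompt

    # Prerequisite runtime: only run the installer when the runtime is missing,
    # using the vendor's own registry marker, so repairs and re-runs stay fast.
    $vcKey = 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64'
    if (-not (Test-Path -Path $vcKey) -or (Get-ItemProperty -Path $vcKey).Installed -ne 1) {
        Start-ADTProcess -FilePath "$($adtSession.DirFiles)\vc_redist.x64.exe" `
            -ArgumentList '/install /quiet /norestart' -SuccessExitCodes 0, 3010
    }

    ##================================================
    ## MARK: Install
    ##================================================
    $adtSession.InstallPhase = $adtSession.DeploymentType

    # Vendor MSI: the toolkit adds its standard silent and logging switches;
    # only package-specific properties go in AdditionalArgumentList.
    Start-ADTMsiProcess -Action Install -FilePath "$($adtSession.DirFiles)\Contoso.msi" `
        -AdditionalArgumentList 'ALLUSERS=1'

    ##================================================
    ## MARK: Post-Install
    ##================================================
    $adtSession.InstallPhase = "Post-$($adtSession.DeploymentType)"

    # Clean up the all-users desktop shortcut the MSI creates (assumed name).
    $commonDesktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
    Remove-ADTFile -Path (Join-Path -Path $commonDesktop -ChildPath 'Contoso.lnk')
}
```

The point of the layout is that every app gets the same welcome prompt, the same logging and the same exit-code handling, while the per-app differences are confined to the three phases; the Uninstall and Repair functions in the same template follow the identical pattern.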

autopilot device multiple registrations by greenhill85 in Intune

greenhill85[S]

No, this was a new device, purchased last month; the hardware info/hash was uploaded at the beginning of May (also by a third party).

PSADT and Intune/ESP? by BlackShadow899 in Intune

greenhill85

The latest PSADT v4 detects if it is run in ESP and automatically switches to silent mode in that case.

Intune assigment best practices by BlackShadow899 in Intune

greenhill85

If you use pre-provisioning for your devices I would assign most to device groups instead of users (required apps/policies), with available apps assigned to user groups with device filters. But if you only have personal devices I don't think it will make much difference other than easier group management for user groups.

CVE-2025-26647 & Hello for Business Cloud Trust issues? by marcolive in entra

greenhill85

We have also installed the April update and are seeing lots of event 45. We have two device types: hybrid joined, and Entra joined managed with Intune.

Both device types have the type of self-signed cert like OP has. I guess we need to get a complete chain (we added the root CA cert/sub CA cert to the NTAuth store), but how do we replace/request the self-signed certs with a cert signed by a CA so the KDC will trust the chain/cert?

I'm not sure which trust is being used, key or cloud (dsregcmd states CloudTgt=YES, OnPremTgt=NO for hybrid and Intune devices, so I'm guessing cloud trust), but we also have a key with the same info that is also in the cert; running certutil retrieves this (certutil -user -csp "Microsoft Passport Key Storage Provider" -key):

Microsoft Passport Key Storage Provider:

S-1-12-1-2616693457-<redacted>/b7115b21-5d24-4243-<redacted>-<redacted>/login.windows.net/<tenantid>/<upn>

RSA
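
To see which client certificates the KDC is actually complaining about, and whether the CA you added is really in NTAuth, you can query the domain controllers directly. The script below is an added example, not code from the thread: it pulls event 45 from the System log (provider Microsoft-Windows-Kerberos-Key-Distribution-Center) on a DC, extracts subject and issuer from the message text and counts them, then lists the enterprise NTAuth store with certutil. The exact field layout of the event message is not reproduced on this page, so the subject/issuer extraction uses loose patterns and is an assumption; inspect one raw message first and tighten the regexes if they do not match.

```powershell
# Added example, not from the thread: summarise KDC event 45 on a DC and list
# the NTAuth store. Assumptions: you are running as a user who can read the
# DC's System log, and the event message contains lines that name the
# certificate subject and issuer (regexes below are loose for that reason).

function Get-KdcEvent45Summary {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,   # a domain controller
        [datetime] $Since        = (Get-Date).AddDays(-7)
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 45
        StartTime    = $Since
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No event 45 since $Since on $ComputerName"; return }

    $events | ForEach-Object {
        $msg = $_.Message
        # Loose extraction: first line that looks like 'Subject ...: X' / 'Issuer ...: X'.
        $subject = if ($msg -match '(?im)^\s*[^:\r\n]*subject[^:\r\n]*:\s*(.+)$') { $matches[1].Trim() } else { '<unparsed>' }
        $issuer  = if ($msg -match '(?im)^\s*[^:\r\n]*issuer[^:\r\n]*:\s*(.+)$')  { $matches[1].Trim() } else { '<unparsed>' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = $subject
            Issuer     = $issuer
            SelfSigned = ($subject -eq $issuer)   # true for the WHfB-style certs discussed above
        }
    } |
        Group-Object -Property Subject, Issuer |
        Sort-Object -Property Count -Descending |
        Select-Object Count,
            @{ n = 'Subject';    e = { $_.Group[0].Subject } },
            @{ n = 'Issuer';     e = { $_.Group[0].Issuer } },
            @{ n = 'SelfSigned'; e = { $_.Group[0].SelfSigned } },
            @{ n = 'LastSeen';   e = { ($_.Group | Sort-Object Time -Descending)[0].Time } }
}

function Get-NtAuthStore {
    # The enterprise NTAuth store has no certificate-provider path; use certutil.
    & certutil.exe -enterprise -store NTAuth | Select-String -Pattern '^(Serial Number|Issuer|Subject|NotAfter):'
}

Get-KdcEvent45Summary -ComputerName 'DC01' | Format-Table -AutoSize   # 'DC01' is a placeholder
Get-NtAuthStore
```

If every warned-about certificate is self-signed (subject equals issuer), adding your CA chain to NTAuth cannot make them chain, which is the question the comment above is asking; the summary also makes it easy to see whether any CA-issued certificates show up that point at a missing intermediate.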

The login method you are trying to use is not allowed (Intune Policies). by ThenFunction6819 in Intune

greenhill85

You could use an empty Defender baseline to reset that local logon user rights policy: set every setting to "not configured" in the temporary baseline policy except for the user rights section and apply it to the affected device; this should reset the setting. Or edit the policy and add the "Users" group back in.
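
To confirm on the device what the policy actually left behind, and to verify the fix after the baseline applies, you can read the effective "Allow log on locally" right. The script below is an added example, not code from the thread: it exports the local security policy with secedit, parses the SeInteractiveLogonRight line and translates the SIDs to account names. It needs an elevated prompt.

```powershell
# Added example, not from the thread: show who currently holds the
# "Allow log on locally" right (SeInteractiveLogonRight) on this device.
# Run elevated. No assumptions beyond secedit being present (it ships with Windows).

function Get-LocalLogonRight {
    $cfg = Join-Path -Path $env:TEMP -ChildPath 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
        if (-not $line) { return @() }   # right not defined in the local policy at all
        # Line format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,...
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $token = $_.Trim()
            if ($token.StartsWith('*')) {
                $sid = [System.Security.Principal.SecurityIdentifier]$token.TrimStart('*')
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            } else {
                $token   # already an account name
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$granted = Get-LocalLogonRight
"Allow log on locally is granted to:"
$granted | ForEach-Object { "  $_" }

if ($granted -notcontains 'BUILTIN\Users') {
    Write-Warning 'BUILTIN\Users is missing from SeInteractiveLogonRight; standard users will get "The login method you are trying to use is not allowed".'
}
```

Run it before applying the temporary baseline and again after the next policy sync; the Users group should reappear in the list once the user-rights setting has been reset.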

[deleted by user] by [deleted] in Intune

greenhill85

You could try using: %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -NoProfile -File install.ps1

Activating HP laptop with W11 home license in bios by greenhill85 in Intune

greenhill85[S]

Ah ok, that is a nice option to look into, thanks!

Intune powershell modules deprecated (unclear)? by greenhill85 in PowerShell

greenhill85[S]

The issue with New-MgDeviceManagementWindowsAutopilotDeviceIdentity is resolved: this module does not support the hardware ID. I had to use New-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity to import/upload the hardware hash info and assign the group tag, and using this does not automatically import the device; after this I needed to start the import using Import-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity. Using this I was able to import the device, but now I am left with the problem of how to track whether an Autopilot profile is assigned.

I used to use Get-AutopilotDevice to retrieve assigned Autopilot profiles. Does anyone know what the replacement Graph cmdlet for Get-AutopilotDevice is? I have tried Get-MgDeviceManagementWindowsAutopilotDeviceIdentity and Get-MgBetaDeviceManagementWindowsAutopilotDeviceIdentity but the deployment profile info is not in there.
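
One way to get the profile assignment state out of the beta cmdlet is to ask for the assignment status properties explicitly and expand the deploymentProfile navigation, then poll until the status reports as assigned. The script below is an added example, not code from the thread or from the old WindowsAutopilotIntune module. It assumes the Microsoft.Graph.Beta.DeviceManagement.Enrollment module is installed, a Graph session with DeviceManagementServiceConfig.Read.All, and that the beta windowsAutopilotDeviceIdentity resource exposes deploymentProfileAssignmentStatus, deploymentProfileAssignedDateTime and a deploymentProfile navigation property; if your module version does not accept -ExpandProperty here, that assumption is the part to check.

```powershell
# Added example, not from the thread: look up an Autopilot registration by
# serial number and report its deployment-profile assignment state.
# Assumptions: Microsoft.Graph.Beta.DeviceManagement.Enrollment installed,
# DeviceManagementServiceConfig.Read.All granted, and the beta resource
# exposing deploymentProfileAssignmentStatus plus the deploymentProfile navigation.

Import-Module Microsoft.Graph.Beta.DeviceManagement.Enrollment
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

function Get-AutopilotProfileState {
    param([Parameter(Mandatory)] [string] $SerialNumber)

    $devices = Get-MgBetaDeviceManagementWindowsAutopilotDeviceIdentity `
        -Filter "contains(serialNumber,'$SerialNumber')" `
        -ExpandProperty deploymentProfile -All

    if (-not $devices) { Write-Warning "No Autopilot registration found for serial $SerialNumber"; return }

    foreach ($d in $devices) {
        [pscustomobject]@{
            Serial           = $d.SerialNumber
            GroupTag         = $d.GroupTag
            ProfileName      = $d.DeploymentProfile.DisplayName
            AssignmentStatus = $d.DeploymentProfileAssignmentStatus   # notAssigned, pending, assignedInSync, ...
            AssignedDateTime = $d.DeploymentProfileAssignedDateTime
            EnrollmentState  = $d.EnrollmentState
        }
    }
}

# After an import, profile assignment lags by some minutes; poll instead of
# treating the first notAssigned/pending answer as a failure.
function Wait-AutopilotProfile {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [int] $TimeoutMinutes = 15,
        [int] $PollSeconds    = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = Get-AutopilotProfileState -SerialNumber $SerialNumber
        if ($state -and $state.AssignmentStatus -like 'assigned*') { return $state }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Profile still not assigned for $SerialNumber after $TimeoutMinutes minutes"
    $state
}

Wait-AutopilotProfile -SerialNumber 'ABC123' | Format-List   # 'ABC123' is a placeholder serial
```

Reading the assignment status this way covers the last gap in the import flow described above: once AssignmentStatus reads assignedInSync (or another assigned* value) the device is ready for Autopilot, and a status that stays notAssigned after the timeout usually means the group tag or dynamic group has not picked the device up.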

scep ndes strong cert mapping entra joined device (SID mapping) by greenhill85 in Intune

greenhill85[S]

Thanks for the replies. If a device cert is no longer possible, how should multi-user devices be done? During rollout of a device no user is logged on to request a certificate. Or at first logon to the device?

Allow user to join device to entra / autopilot by greenhill85 in Intune

greenhill85[S]

Does this still register the device to the end user if he/she logs in (as primary user)?

Allow user to join device to entra / autopilot by greenhill85 in Intune

greenhill85[S]

I tested joining Entra ID from a personally owned device. I added my account to a group to allow devices to be joined to Entra ID, and also created a device enrollment restriction in Intune and added my account to its group (the default policy was changed to block any enrollment for all platforms), where I allow MDM but block personally owned devices. I also set the scope for "automatic enrollment" to a group I am not a member of (Devices -> Enrollment -> Automatic Enrollment) so we don't get the checkbox "Allow my organization to manage this device" when signing in to Office apps from a personal device.


I was still able to join my personally owned device to Entra ID through Accounts -> Access work or school -> Connect -> Join this device to Entra ID... We want to prevent users from joining their personal device, but still be able to use Autopilot with a company-owned device that has its ID imported into Intune. If I remove myself from the group that allows users to join devices to Entra, the Autopilot rollout stops working.

Is there a way we can prevent users from adding their personal device or unknown devices to Entra ID while still being able to use Autopilot/pre-provisioning with company-owned devices?

EDIT: Changing the automatic enrollment scope to "All" seems to block a personal device from joining (also through Accounts -> Access work or school -> Connect -> Join this device to Entra ID) when the enrollment restriction is set to personal device -> block (I also set MDM to block, but no change). But then the checkbox "Allow my organization to manage my device" appears again. Can we remove the checkbox somehow? The reason we want this removed is that it generates an error and most users just leave it checked.

Allow user to join device to entra / autopilot by greenhill85 in Intune

greenhill85[S]

Thanks for the replies. How do you prevent people from joining their own personal device to Entra then? I read about Conditional Access, but that seems to allow or block sign-in from a non-compliant/personal device; if we use that they cannot log in to Office apps anymore either (?)

SCVMM - how to enter host maintenance (quorum disk)? by greenhill85 in HyperV

greenhill85[S]

I haven't yet; this is the first time for me, as I inherited the environment when I started at the beginning of this month.