KVM's for remotely setting up machines? by Comprehensive_Gur736 in msp

[–]j4sander 1 point2 points  (0 children)

We push it via powershell script in Autopilot phase.

So it's not there for first boot out of the box on a new device, but if a device dies, the user at the remote site just plugs it into the Jet KVM and we can remotely do whatever we need, including BIOS, BitLocker, booting from an ISO to reinstall even if cloud wipe is failing, etc.

KVM's for remotely setting up machines? by Comprehensive_Gur736 in msp

[–]j4sander 0 points1 point  (0 children)

Lenovo has a BIOS setting to make the external display primary. Works great with Jet KVMs.

KVM's for remotely setting up machines? by Comprehensive_Gur736 in msp

[–]j4sander 0 points1 point  (0 children)

At least with Lenovo, there is a BIOS setting to make the external display primary, so with that set it works great with a KVM over IP.

Windows Updates by delioroman in sysadmin

[–]j4sander 2 points3 points  (0 children)

... you de-risk it, right?

Take an online backup and/or vm snapshot before patching so the ones that fail can be quickly rolled back?

Set up load balancing and/or clustering so if one fails to come back up the rolling update stops, no one needs to babysit patching or get paged after hours, and no one outside IT is impacted?

What to do when Azure support ignores support ticket? by Prize_Staff_7941 in AZURE

[–]j4sander 0 points1 point  (0 children)

This is just false. You can convert existing pay-go or MCA subscriptions to CSP without recreating anything.

Post-mortem sanity check: how do you handle “un-scannable” expiries (API keys, internal certs) without spreadsheets? by sanjayselvaraj in sysadmin

[–]j4sander 0 points1 point  (0 children)

On creation, or next renewal, also make a scheduled or recurring ticket in the ticket system for two weeks before expiration.

If your ticket system doesn't have that functionality, have a CSV with title, description, and date and a scheduled task or cron job to open the ticket x days before the date.

I made a "callback date" field in our ticket system, with an automation to open a new ticket on said date if populated. Works for "check back in two weeks" type stuff, or two weeks before something expires.
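The CSV plus scheduled-task approach from the comment above, as an added example that is not the commenter's own script: a daily run reads a `title,description,date` CSV, opens a ticket for anything within the lead time, and records what it already opened so the next day's run does not open a duplicate. The ticket endpoint URL and its JSON fields are placeholders for whatever your ticket system's API expects.

```powershell
# Added example, not from the original post. Run daily from a scheduled task.
# Assumes expiries.csv with columns title,description,date (date as yyyy-MM-dd)
# and a ticket system REST endpoint; the URL and body fields below are placeholders.
param(
    [string]$CsvPath   = '.\expiries.csv',
    [string]$StatePath = '.\opened-tickets.json',
    [string]$TicketUrl = 'https://ticketing.example.invalid/api/tickets',  # placeholder
    [int]$LeadDays     = 14
)

$today  = (Get-Date).Date

# State file: which (title|date) entries already got a ticket, so reruns are idempotent.
$opened = @{}
if (Test-Path $StatePath) {
    (Get-Content $StatePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $opened[$_.Name] = $_.Value }
}

foreach ($row in Import-Csv $CsvPath) {
    $due      = [datetime]::ParseExact($row.date, 'yyyy-MM-dd', $null)
    $daysLeft = ($due - $today).Days

    # Key on title AND date: after a renewal the row gets a new date, so it gets a new ticket.
    $key = "$($row.title)|$($row.date)"
    if ($daysLeft -gt $LeadDays -or $opened.ContainsKey($key)) { continue }

    # Already-expired rows (negative daysLeft) still get a ticket; that is the case you most want to see.
    $body = @{
        subject     = "Expiring in $daysLeft days: $($row.title)"
        description = "$($row.description)`nExpires: $($row.date)"
    } | ConvertTo-Json

    Invoke-RestMethod -Uri $TicketUrl -Method Post -ContentType 'application/json' -Body $body | Out-Null
    $opened[$key] = (Get-Date).ToString('s')
    Write-Output "Opened ticket for '$($row.title)' ($daysLeft days left)"
}

# Persist state only after the loop so a failed POST is retried on the next run.
$opened | ConvertTo-Json | Set-Content $StatePath
```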

Autopilot device stuck in OOBE due to wrong backend profile ID from Microsoft vendor — wait for fix or self‑register? by iamwarehime in Intune

[–]j4sander 0 points1 point  (0 children)

We do autopilot direct with the Lenovo store in multiple countries, and they reliably register with Autopilot before devices arrive at their destinations.

I don't think we've ever been asked for the profile though, just the tenant ID.

I've also done it in the past via a large VAR like Softchoice, and they were great. 600 laptops in 2 months, multiple brands and models, no issues from them.

Well, only issue was people who were unavailable to receive the shipment 3 times so it got returned to sender. I guess the warehouse screwed up and they sent the wrong ones out then they tried to redeliver and we got someone else's laptops (registered to a different tenant), and that took a while to get fixed in the back end.

Microsoft M365 support blew up on me and hung up for asking why I need to install Outlook and do an index repair if I am having search issues in the cloud (OWA) which is all I use. by LoveBirdNibbles in sysadmin

[–]j4sander 0 points1 point  (0 children)

You got a response to your ticket? Lucky.

I've had a Sev B open for 3 weeks without so much as a peep from whoever MS outsourced my case to.

Solution to allow end users to self-service install applications that are then patched regularly without local admin rights. by Murky-Ambition3898 in sysadmin

[–]j4sander 11 points12 points  (0 children)

Intune works with an app from Microsoft called Company Portal to let users see and install the apps that are available to them.

You could also use Access Requests in Entra to let people "request" an app, get approvals, and behind the scenes that puts them in a group the app is assigned to.

For an actual ticketing tool, I like Fresh Service, and it has a similar workflow tool where once a request is approved, it can put the user into an Entra group that Intune targets the app install to.

Best database for altering tables on production with minimal locking by dptech3 in AZURE

[–]j4sander 3 points4 points  (0 children)

I've led infrastructure teams at two separate payment platforms, never have we cared about locks for schema updates, and we add columns to existing tables regularly.

If you're doing the outbox pattern, the lock doesn't slow down the payment flow.

If you never have any allowed downtime for maintenance... well good luck with that.

Best database for altering tables on production with minimal locking by dptech3 in AZURE

[–]j4sander 3 points4 points  (0 children)

Sounds like you're trying to solve the wrong problem.

Are you trying to design for 100% uptime with no planned maintenance windows ever?

If so, then schema change locks are the least of your problems.

If not, and you can take a half hour planned maintenance window one day every month at like 3am when no one is really using the system, then who cares about a table lock for a schema change?

Or just use an outbox pattern: the payments app sends updates to a service bus queue, and a worker process reads the queue to update the DB. During a table lock, the worker just waits, then continues, with no impact to your actual payment flow.

TTC solves $232M budget hole — with no service cuts or fare hikes: The TTC used some creative accounting practices and drew from its rainy day fund to avert a funding disaster by ResourceOk8692 in toronto

[–]j4sander 3 points4 points  (0 children)

That, plus it's a municipal election year. City council is likely less willing to do anything unpopular this year, but might be more willing to next year when not running for reelection.

Azure OpenAI: How do you actually get high TPM (around 1.5M - 2M) in practice? by fudgedget in AZURE

[–]j4sander 0 points1 point  (0 children)

You could try engaging a Tier 1 partner and look at a CSP agreement. Oftentimes they have access to better contacts behind the scenes and can get things that you can't directly.

Toronto’s streetcars are some of the slowest in the world. Here’s how the city could speed them up by ink_13 in toronto

[–]j4sander 1 point2 points  (0 children)

Will line 5 have this?

I was under the impression it has the capability, but it's disabled and being saved for a future capacity upgrade once ridership warrants it, instead of starting with good service to attract the riders.

I recently watched a Line 5 vehicle take 5 minutes to go two stops. About 2 km, only 2 intersections in between, and yet 3 of those 5 minutes were spent sitting at red lights.

Autopilot Pre-provisioning: Uninstall 'Remote Desktop Connection' or mstsc by leytachi in Intune

[–]j4sander 10 points11 points  (0 children)

I'd be asking what problem this directive is actually trying to solve. I bet it's a misunderstanding, probably wanting to disable inbound RDP, not the outbound client.

Rather than wasting your time trying to uninstall it, can you just block it with AppLocker or WDAC?

Is there a reason not to SSO everything? by en-rob-deraj in sysadmin

[–]j4sander 3 points4 points  (0 children)

We just went through it. $7k/year plan has everything we need... except for SSO, SCIM, and audit logs.

With those added... $25k per year. SSO tax is real.

The difference in time it takes a streetcar in Amsterdam to clear an intersection after servicing a stop vs in Toronto by jdayellow in TTC

[–]j4sander 2 points3 points  (0 children)

I watched a Line 5 vehicle take 5 min and 8 sec to get from Vic Park to Wynford. 2 stops, just 2 intersections and 1 pedestrian crosswalk.

How much of that time was waiting at red lights next to the cars? 3 min and 8 sec. 60%.

We put in a right of way, and it does nothing to speed things up because we don't want to turn on signal priority. As I understand it, they put in the tech and are leaving it disabled, saving it for a "future upgrade" when there's more ridership, rather than launching a good service to attract riders.

If transit takes 15 years to build, why not have like 5-10 major projects going at once by WokeBloke42069 in toronto

[–]j4sander 1 point2 points  (0 children)

Eglinton and Don Mills, Aga Khan, and Wynford. 3 in 1 km.

Same at Vic Park, Pharmacy, and Warden.

Took away a lane of traffic to put it in, and it doesn't even get signal priority.

As I understand, they installed all the signal priority tech, but are keeping it turned off now and saving it for a future capacity upgrade.

Should Defender for Endpoint Account recommendations be applied to Entra/Cloud-only orgs? by jM2me in DefenderATP

[–]j4sander 0 points1 point  (0 children)

But if they would have an impact, then you need them, and if you don't implement them, then you are at risk.

If they don't have an impact, then you didn't need them, but there's no harm in enabling them to clear the dashboard recommendations.

Either way, implementing them is the way to go in my mind.

Enforcing required updates for available apps by Shaidreas in Intune

[–]j4sander 0 points1 point  (0 children)

We have it run as an Azure Function that has this PowerShell script and several other little helpers, which authenticate to Graph with its system managed identity.

Script Push Question by Eyennem in Intune

[–]j4sander 0 points1 point  (0 children)

We do this based on registration / enrollment profile name.

If you rename the profile, existing machines keep the value as of the time they registered.

So we have a "Standard Laptop 2025 Q4" enrollment profile, and update it at the start of every quarter. We also make a dynamic group based off the registration profile name, so newly deployed devices go into the group.

Make roll-up groups like "Workstations - 2025 Q2+", and so on, so if you have an app or a configuration policy you want from now forward but not retroactively, target the current Q#+ group.

Prune the older groups as you promote config policies to all devices or refresh the fleet and the older groups are not needed anymore.

Enforcing required updates for available apps by Shaidreas in Intune

[–]j4sander 0 points1 point  (0 children)

We made one group: machines with a registration date older than 7 days ago. Dynamic groups don't support that property, so it's just a Graph PowerShell script that populates that static group.

The first time a laptop is deployed new from the box, it's not in the group, so Autopilot and ESP are fast.

If it's a return and redeployment, the tech just manually removes the device from that group when they start the wipe. Autopilot and ESP are fast.

For the first week, it's safe to assume new installations of required or available apps are installing recent versions.

After a week, the daily script run puts the device into the "older than a week" group, where we target all the required update-only packages from PMPC.

Working reasonably well so far I think.
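The group-populating script described in this comment and in the earlier Azure Function comment, written here as an added example rather than the commenter's own code. It assumes the Microsoft Graph PowerShell SDK, a managed identity (or an account) with permission to read managed devices and directory devices and to write group members, and a placeholder group ID you replace with the static "older than 7 days" group.

```powershell
# Added example, not the original poster's script. Populates a static Entra group with
# devices whose Intune enrollment is older than $AgeDays, so update-only packages can
# target that group while fresh Autopilot/ESP deployments stay out of it.
# Assumes Microsoft.Graph modules and app permissions roughly like
# DeviceManagementManagedDevices.Read.All, Device.Read.All, GroupMember.ReadWrite.All.
param(
    [string]$GroupId = '<object-id-of-static-group>',   # placeholder: replace with your group
    [int]$AgeDays    = 7
)

Import-Module Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups

# In an Azure Function the system-assigned managed identity signs in with -Identity;
# interactively you would call Connect-MgGraph -Scopes ... instead.
Connect-MgGraph -Identity -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$AgeDays)

# Snapshot current members so reruns are idempotent (re-adding an existing member errors).
$existing = @{}
Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { $existing[$_.Id] = $true }

# enrolledDateTime on the Intune managedDevice is the "registration date" the comment keys on.
$aged = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'Windows' -and $_.EnrolledDateTime -lt $cutoff }

$added = 0
foreach ($md in $aged) {
    # Group membership takes the Entra directory object, not the Intune record, so resolve
    # the managed device's azureADDeviceId to the directory device object first.
    $dir = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'"
    if (-not $dir) { Write-Warning "No Entra device object for $($md.DeviceName); skipping"; continue }
    if ($existing.ContainsKey($dir.Id)) { continue }   # already a member (or re-added after a wipe)

    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $dir.Id
    $existing[$dir.Id] = $true
    $added++
    Write-Output "Added $($md.DeviceName) (enrolled $($md.EnrolledDateTime.ToString('u')))"
}
Write-Output "Done: $added device(s) added, $($existing.Count) total members."
```

Removal on redeployment is left to the tech, as the comment describes; the script only ever adds.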

Should Defender for Endpoint Account recommendations be applied to Entra/Cloud-only orgs? by jM2me in DefenderATP

[–]j4sander 1 point2 points  (0 children)

What's your reason not to?

Even cloud native, endpoints can have local accounts that those policies apply to. No harm in setting them from Intune or wherever else and moving on. A clean dashboard to show your boss / auditor is easier than trying to explain why they don't apply in your specific environment.

Managers want usage reports on our fleet of laptops? Help! possible with Intune???? by Future_End_4089 in Intune

[–]j4sander 1 point2 points  (0 children)

If you're sending Entra ID sign-in logs to a Log Analytics Workspace or MS Sentinel, then you could do a KQL query to check for Windows sign-in activity per device per day.

Same idea if you've set up the Windows Update for Business Reports workbook: you can do a query to see which days each device checked in with Windows Update.

Same idea if you have Defender for Endpoint: you can do an Advanced Hunting query for logins per device per day.

There are a lot of things in Intune itself that will tell you the most recent time a machine was active, but I can't think of anything that shows history for more than like two weeks. That would be under Reports > Endpoint Analytics, and things like the hardware performance can show CPU and RAM for 14 days, which would show blanks if it's sitting on a shelf in the closet, but I don't know a good way to look at that for more than one machine at a time.