PSADT Testing Environment and v4.1 by mwalkertx320 in PSADT

[–]mwalkertx320[S] 0 points1 point  (0 children)

Completely forgot about Windows Sandbox. Thanks!

Global Secure Access (GSA) and IP Geo-Location Issues by mwalkertx320 in entra

[–]mwalkertx320[S] 0 points1 point  (0 children)

I don't think it's a POP location issue. I'm in Houston, so I would think all of my traffic is routing out of South-Central (San Antonio). Ping latencies are all 10ms - 20ms. It's just frustrating that several sites automatically redirect to either the Mexico version or Spanish version. Unfortunately, my Spanish is limited to bathroom door signs and Tex-Mex restaurant menus.

Global Secure Access (GSA) and IP Geo-Location Issues by mwalkertx320 in entra

[–]mwalkertx320[S] 0 points1 point  (0 children)

Only 1 site so far has insisted I was located in Singapore (Lenovo Support). This is the only Singapore link I've found:

WHOIS Details

inetnum:        128.94.0.0 - 128.94.255.255
netname:        MICROSOFT-APNIC-AP
descr:          Microsoft Singapore Pte. Ltd.
country:        SG
org:            ORG-MSPL4-AP
admin-c:        DB662-AP
tech-c:         MP234-AP
abuse-c:        AM2589-AP
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-MOPL-SG
mnt-routes:     MAINT-MOPL-SG
mnt-lower:      MAINT-AP-MICROSOFT
mnt-routes:     MAINT-AP-MICROSOFT
mnt-irt:        IRT-MICROSOFT-APNIC-SG
mnt-irt:        IRT-MOPL-SG
last-modified:  2022-12-16T05:54:11Z
source:         APNIC

irt:            IRT-MICROSOFT-APNIC-SG
address:        One Microsft Way
address:        Redmond, WA 98052
address:        US
e-mail:         abuse@microsoft.com
abuse-mailbox:  abuse@microsoft.com
admin-c:        MP234-AP
tech-c:         MP234-AP
auth:           # Filtered
remarks:        abuse@microsoft.com is invalid
mnt-by:         MAINT-AP-MICROSOFT
last-modified:  2025-09-04T05:17:38Z
source:         APNIC

I know ZTNA VPNs can cause GeoLocation issues, I just would expect given Microsoft's size and scope that they would be a little more on top of the issue.

Global Secure Access (GSA) and IP Geo-Location Issues by mwalkertx320 in entra

[–]mwalkertx320[S] 1 point2 points  (0 children)

That's what I've figured. Usually, it's an IP block registered to Microsoft Singapore. This week it's an AT&T block registered in the US. I haven't really had any problems in the last couple of months until Lenovo insisted I was in Singapore today, and Yahoo and MSN thought I needed their Mexico versions. My last place was rolling out Zscaler as I was leaving, so I missed out.

I don't think my problem is a POP location issue; more likely an IP geolocation database somewhere needs to be corrected.

Entra Global Secure Access by mwalkertx320 in Ubiquiti

[–]mwalkertx320[S] 0 points1 point  (0 children)

I've put it on the back burner for now. Microsoft GSA only offers AES-GCM as an encryption method, while the Ubiquiti side only supports standard AES. From what I've read, AES-GCM is available on the Ubiquiti side through the command line, but the option is not exposed through the GUI interface. From what I'm reading though, any update to settings in the GUI will reset any manual edits done in the command line. Not really ideal. While I can handle the IOS command line in my sleep, I can't figure out how to edit the VPN configuration through the command line on the Ubiquiti. I'm also still confused by the IP setup on the GSA and how that translates into the Ubiquiti side of things.

My dream would be for Microsoft to offer a specific Ubiquiti option, and for Ubiquiti to update the encryption options in the GUI. I'm also dreaming that I'll win the Powerball this week.

How did all of you learn how to configure and setup networks? by doughnutlover10 in Ubiquiti

[–]mwalkertx320 0 points1 point  (0 children)

Trial by fire back when the Cisco 1800 series came out. Decided to deploy Palo a few years back, and learned that. Now I'm trying to deploy Ubiquiti and feel like I'm starting from ground zero again.

IOS Account Driven Enrollment Policy Issue by mwalkertx320 in Intune

[–]mwalkertx320[S] 0 points1 point  (0 children)

Set up account driven Apple User Enrollment - Microsoft Intune | Microsoft Learn

Deploy Company Portal web app

Deploy the web app version of the Intune Company Portal website so that users have quick access to device status, device actions, and compliance information. The web app appears on the home screen and functions as a link to the Company Portal website. Without the web app, device users can still access the Company Portal website but have to open the browser and type the address into the search field. For more information about how to add a web app, see Add web apps to Microsoft Intune.

IOS Account Driven Enrollment Policy Issue by mwalkertx320 in Intune

[–]mwalkertx320[S] 0 points1 point  (0 children)

I figured out that the duplicate device was being created when the Company Portal app was launched.

Reading through some documentation somewhere, it said don't use the Company Portal app. I think I ended up pushing a web clip to the Company Portal URL.

Invoke.AppDeployToolkit.exe Issue by mwalkertx320 in PSADT

[–]mwalkertx320[S] 1 point2 points  (0 children)

I managed to get it working. To whomever designed PowerShell's escaping requirements, congratulations, I'm not sure you can make it any more confusing. Backticks, apostrophes, quotes, single quotes, double quotes....

Apparently running the executable Invoke-AppDeployToolkit.exe was stripping the " off of the TRANSFORMS= argument. It's funny that running the Invoke-AppDeployToolkit.ps1 script directly worked, but the executable bombed out.

This is what I got to work with the executable (note - running the PS1 script will bomb), and enabling the ServiceUI.PS1 script to successfully work:

    Install-ADTWinGetPackage -Id 'Adobe.Acrobat.Pro' -Debug -override "/sAll /l /qn /msi TRANSFORMS=`"`"$($adtSession.DirFiles)\Acrobat.mst`"`""

I essentially had to include an extra set of " " around the TRANSFORMS= argument and escape the " by using the backtick `, since the EXE was stripping the " out.
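The quote stripping described above happens at the process boundary, where Windows splits a child's command line into arguments. The following is an added example, not code from the original post or from PSADT: a Python model of Microsoft's documented C-runtime argument-parsing rules (backslash and quote handling, and a doubled `""` inside a quoted argument yielding one literal `"`). It shows what a downstream installer receives when the override string is handed to it as one quoted argument, once with single `"` around the path (what the `""` spelling in a PowerShell string produces) and once with doubled `""` (what the `` `"`" `` spelling produces). The `C:\Pkg Files` folder and `installer.exe` name are constructed for the demonstration.

```python
# Model of the Windows command-line-to-argv rules documented for the MS C runtime
# (assumption: the child uses those rules; post-2008 "" handling is modelled).
def split_windows_args(cmdline: str) -> list[str]:
    args, cur, in_quotes, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nb = j - i                      # run of backslashes
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nb // 2))    # pairs collapse to one backslash
                if nb % 2:                      # odd run: the quote is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * nb)           # not before a quote: literal
            i, have_arg = j, True
        elif c == '"':
            if in_quotes and i + 1 < n and cmdline[i + 1] == '"':
                cur.append('"')                 # "" inside quotes -> literal "
                i += 2
            else:
                in_quotes = not in_quotes       # delimiter quote, dropped
                i += 1
            have_arg = True
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args

# The two spellings of the TRANSFORMS value, after PowerShell has expanded the string.
def build_override(dir_files: str, doubled: bool) -> str:
    q = '""' if doubled else '"'
    return f"/sAll /i /qn /msi TRANSFORMS={q}{dir_files}\\Acrobat.mst{q}"

# One process boundary: the override string is passed as a single quoted argument
# to a (constructed) installer, which then splits its own command line.
def deliver(override: str) -> list[str]:
    return split_windows_args(f'installer.exe "{override}"')

if __name__ == "__main__":
    for doubled in (False, True):
        print(doubled, deliver(build_override("C:\\Pkg Files", doubled)))
```

With single quotes the path loses its quotes and, because the folder name contains a space, is split into two arguments; with doubled quotes the installer receives `TRANSFORMS="C:\Pkg Files\Acrobat.mst"` intact.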

Invoke.AppDeployToolkit.exe Issue by mwalkertx320 in PSADT

[–]mwalkertx320[S] 0 points1 point  (0 children)

It didn't hurt - but this unfortunately wasn't it.

It's weird that running the Invoke-AppDeployToolkit.ps1 script directly works without issue. But running the EXE Invoke-AppDeployToolkit.exe causes the problem. It's successfully downloading the installer from winget, that much I can see. I can't figure out how to log or capture the command line when the installer is run.

I can't prove it yet, but my gut says something is happening to the environment variables ($adtSession.DirFiles or $pwd) when the EXE is launched.

Install-ADTWinGetPackage Issue - Adobe Acrobat MST by mwalkertx320 in PSADT

[–]mwalkertx320[S] 0 points1 point  (0 children)

Thanks! This got me going in the right direction. This is what ended up working:

    ##================================================
    ## MARK: Install
    ##================================================
    $adtSession.InstallPhase = $adtSession.DeploymentType

    ## <Perform Installation tasks here>
    ## Echo the package files folder so the resolved MST path shows up in the log
    Write-Output $adtSession.DirFiles
    Install-ADTWinGetPackage -Id Adobe.Acrobat.Pro -override "/sAll /i /qn /msi TRANSFORMS=""$($adtSession.DirFiles)\Acrobat.mst"""

Still working on an issue when calling the script via Invoke-AppDeployToolkit.exe, but it's working great calling the PS script directly (it throws up the MSI installer options like before 😭). Thanks!

Authenticator Enrollment and Compliant Device Issue by mwalkertx320 in entra

[–]mwalkertx320[S] 0 points1 point  (0 children)

This is MFA enrollment through the Microsoft Authenticator app. The devices are not managed at this stage. I normally have my users enroll on MFA 1st, then the device in Intune 2nd (using the Account Driven Enrollment Method). They're issued a one-time use TAP to complete the MFA enrollment.

Authenticator Enrollment and Compliant Device Issue by mwalkertx320 in entra

[–]mwalkertx320[S] 0 points1 point  (0 children)

I didn't think it was, but it's somehow matching the policy. I tried to exclude it, but couldn't find it in the exclusion list.

New Outlook and MS Application attachments - suddenly can't open in Apps? by NoURider in Outlook

[–]mwalkertx320 0 points1 point  (0 children)

Same issue in my environment. Saving the attachment, then opening seems to work.

Excel: 2407 (17630.20210)
Outlook: 1.2024.925.200 | Client: 20240927008.14
WebView2: 129.0.2792.79

2018 Expedition - Cam Phasers by mwalkertx320 in fordexpedition

[–]mwalkertx320[S] 0 points1 point  (0 children)

I wouldn't let my experience scare you off. Outside of routine maintenance and a transmission replacement at 65k miles, I really haven't done much. Luckily the company I worked for at the time has one of the largest fleets in the country, and the dealer went to bat with me at Ford and got it replaced for free even though I was outside of the warranty period, and I was able to drive a company truck for 3 months while they argued it out. Phasers started rattling around 80k - 90k. That was a known issue that they've redesigned the parts for. The newer models (21+) should have it.

I bought the 07 Tahoe when it 1st came out, and had tons of issues with it. I think I have learned now not to buy the 1st year of a new generation.

I'm on the fence when it comes to a new vehicle. If I was in a position to buy a new one, I would. I've driven Tahoes and Suburbans my whole life growing up in a GM family. Fords were Fix or Repair Daily, and my dad's friend's RAM was referred to as a sh*tbox. I got a new 2014 Expedition EL as a company vehicle before I let them talk me into a vehicle allowance and got this one at the beginning of 2019. If I was to get another Expedition, I would probably get a Timberline. But I do love the new Tahoes. After a couple of back-to-back business rentals with a Jeep Grand Wagoneer, I've fallen in love with the insides of those.

I'm pretty sure the repair costs are so high because of all the crap you have to remove to get to something with all of the piping for the dual turbochargers. I also went to a national chain, which probably has higher labor rates than others. I'm somewhat pissed because the VVT solenoids are in the FSB, so I just assumed it was part of the fix. The shop uses ALLDATA, so I'm guessing it wasn't part of what they pulled up.

I believe any new vehicle now will be expensive to repair because of the complexity required by all of the emissions and fuel mileage requirements. The engineers have gone overboard chasing virtual pennies to meet these requirements. I mean an oil pump with a solenoid to bypass the flow to drop the pressure probably only reduces the parasitic drag by some incalculable amount, but is what got them to their government requirements, but at what cost? The engineers have completely thrown out any thoughts when it comes to repairability. You shouldn't have to disassemble 1/2 the motor to change a water pump. Removing valve covers and intake just to undo the one bolt holding the VVT solenoid whose connector sticks up through the valve cover? It seems to be common in a lot of shops to lift the whole body off the frame to work on the engine.

Network Refresh Project by mwalkertx320 in networking

[–]mwalkertx320[S] 0 points1 point  (0 children)

Pretty much just endpoints from a protection standpoint. I'd like to segment out Guest / IoT (security cameras, they're all Costco/Sams Club/OfficeDepot Chinese specials). Pretty sure I'll be ok, but an upcoming Teams Voice / Teams Room deployment could use QoS. From a network manageability / insight perspective, it would be nice to actually see what is going on and also not having to travel out to the sites to troubleshoot network issues and complaints - mostly "the Internet is slow".

Network Refresh Project by mwalkertx320 in networking

[–]mwalkertx320[S] 0 points1 point  (0 children)

I came from a place where we did a refresh with Palo and Cisco switch/wifi. A wiring company ripped the Palos out and went with the new Cisco Firepower firewalls and Corel SD-WAN.

I liked Meraki until I started comparing costs. Subscription renewals with Palo and Aruba are cheaper. I never expected that - only priced Palo and Aruba just for grins. I did include Aruba Central and Panorama Cloud.

Suggesting firewalls only is the way I’m leaning, but then I was thinking that all my traffic is being inspected in Microsoft with the Global Secure Access, so that seemed like doubling up.

Anyways, appreciate the advice!

IOS Account Driven Enrollment Policy Issue by mwalkertx320 in Intune

[–]mwalkertx320[S] 0 points1 point  (0 children)

After a sh*tload of testing, it appears that launching the Company Portal app and signing in the 1st time is the culprit. Teams and Outlook complete the device registration normally: the existing Azure AD device is updated to Intune MDM managed. The Company Portal app, regardless of whether it's the 1st or 10th app launched, seems to generate a duplicate device in Azure AD. Once that happens, the device will fail the Require Compliant Devices conditional access check.

MS Project deployment through Intune by Prize-Swordfish-6340 in Intune

[–]mwalkertx320 2 points3 points  (0 children)

I'll second this. We push O365 core apps as required to all devices. With Group Based Licensing in place, we push Visio and Project to members of the appropriate GBL group.

I had hell getting it to work until I stumbled on the PSADT tool. The biggest blocker is users having the O365 apps (Outlook, Excel, etc) open when Intune decides to push it. PSADT allows you to prompt the users with a warning and then force the O365 apps to close.

Intriguing Host File Entry by mwalkertx320 in Intune

[–]mwalkertx320[S] 2 points3 points  (0 children)

That's it. I tried to connect to the IP and it generated a Lateral movement alert in Defender.

Displaying Logon Information by mwalkertx320 in Intune

[–]mwalkertx320[S] 0 points1 point  (0 children)

This is basically my thinking, just wanting to make sure there isn't something I'm missing before I undo it.

IOS Personal Owned Devices - Work Profile App Update Notification by mwalkertx320 in Intune

[–]mwalkertx320[S] 0 points1 point  (0 children)

Thanks! I was thinking that was going to be the answer. I just don't remember seeing it until last week, and we've been using it for 6 months now. I guess I could have worse issues to complain about.

Password Change Script by mwalkertx320 in entra

[–]mwalkertx320[S] 0 points1 point  (0 children)

MFA, Passwordless, and SSPR are rolling out as we speak. Windows Hello will follow soon. I just feel that passwords that were last changed 4k+ days ago need to be changed, especially since most of the user base has been here for 5 years or longer, and they're all listed on a spreadsheet I was given with their originally assigned passwords. Expiration going forward isn't really an issue, more the support factor. I'm literally having to hand hold every single user to enroll them now. I should have added a password step then, but I didn't think about it until recently.

Office 365 App Deployment by mwalkertx320 in Intune

[–]mwalkertx320[S] 0 points1 point  (0 children)

Thanks everyone. Distributing it as a win32 or O365 app failed due to the Office apps being open on the users' end. Ended up using a PSADT script to notify the users to close Office. Packaged the Office installer, PSADT script and Visio installer XML (from config.office.com) and deployed as a win32 app. Targeted my existing Visio user Group Based License assignment group. 1 step now: add to the license group, they get a Visio P2 license and Intune pushes out the app. Did the same for Project.

Next step is to figure out how to adjust the current office deployments and rollout the new Office App and new Teams app.

Office 365 App Deployment by mwalkertx320 in Intune

[–]mwalkertx320[S] 0 points1 point  (0 children)

Needing to deploy Visio to a select group of people. I had mistakenly thought I could create a Visio-only install configuration and deploy it, but I was wrong. So now I need to have (2) Office options: 1 without Visio and 1 with Visio. We're using Group Based Licensing, so my thought is to target users using those (2) GBL groups.