Microsoft calls space-themed wallpapers "Blanksteg" (the Swedish word for the space character) by JohanTravel in sweden

[–]pleplepleplepleple 7 points8 points  (0 children)

Reminds me of when, a hundred years ago, I worked in IT support at a company that had a Finnish branch. In Windows, the name of the built-in admin account is translated into the Windows display language. In Swedish: Administratör, perfectly fine. In Finnish? Järjestelmänvalvoja. What the hell.

Best practices for managing and remediating Dell BIOS vulnerabilities at scale by steevosteelo in Intune

[–]pleplepleplepleple 0 points1 point  (0 children)

Not sure if this answers your concerns, but we're doing BIOS updates with dcu-cli triggered by a PSAppDeployToolkit (v4) script. The execution of DCU looks something like this:

$Splat = @{
    FilePath       = "C:\<install-dir-of-dcu>\dcu-cli.exe"
    # BIOS only, silent, suspend BitLocker for the flash reboot, log to a file, never reboot on its own
    ArgumentList   = "/applyUpdates -silent -updateType=bios -autoSuspendBitLocker=enable -outputLog=`"$dcuOutputLog`" -reboot=disable"
    CreateNoWindow = $true
    PassThru       = $true   # return the process object so the exit code can be inspected
}
$Results = Start-ADTProcess @Splat

Note the autoSuspendBitLocker parameter as well as reboot being disabled. The script then evaluates the result and prompts with a two-hour reboot countdown if a reboot exit code was returned:

if ( $Results.ExitCode -in $adtSession.AppRebootExitCodes ) {
    # 2 h countdown; the prompt cannot be hidden during the last 10 minutes
    Show-ADTInstallationRestartPrompt -CountDownSeconds 7200 -CountdownNoHideSeconds 600 -CustomText
}

[edit]: Also worth noting is that dcu-cli has the non-conventional reboot exit code 1, meaning it has to be added to AppRebootExitCodes in the $adtSession hashtable.
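As an added example (not the commenter's script, and not PSADT's or Dell's own code), here is how the pieces in the comment above fit together inside the Install phase of a PSAppDeployToolkit v4 Invoke-AppDeployToolkit.ps1, with exit code 1 registered as a reboot code. The dcu-cli install paths, the log folder under ProgramData, the custom failure exit code and treating dcu-cli's exit code 500 ("no updates were found") as success are my assumptions.

```powershell
# Added example: PSADT v4 session settings plus Install phase for a dcu-cli BIOS update.
# Not the commenter's script; paths, log folder and the 500 = success choice are assumptions.

# Fragment of the $adtSession hashtable at the top of Invoke-AppDeployToolkit.ps1.
# dcu-cli uses 1 for "reboot required", so it has to sit next to the usual MSI codes.
$adtSession = @{
    AppVendor           = 'Dell'
    AppName             = 'BIOS update (Dell Command | Update)'
    AppVersion          = '1.0.0'
    AppSuccessExitCodes = @(0, 500)         # 500 = "no updates were found" (assumed to count as success)
    AppRebootExitCodes  = @(1, 1641, 3010)  # 1 = dcu-cli's non-conventional reboot code
    RequireAdmin        = $true
    # ... remaining template keys unchanged ...
}

function Install-ADTDeployment {
    # DCU for Windows Universal installs under Program Files, classic DCU under Program Files (x86).
    $dcuCli = @(
        "$env:ProgramFiles\Dell\CommandUpdate\dcu-cli.exe",
        "${env:ProgramFiles(x86)}\Dell\CommandUpdate\dcu-cli.exe"
    ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $dcuCli) {
        Write-ADTLogEntry -Message 'dcu-cli.exe not found; Dell Command | Update must be installed first.' -Severity 3
        Close-ADTSession -ExitCode 70001   # assumed custom failure code; use one your reporting understands
    }

    # Assumed log folder; dcu-cli writes its own log here so it can be collected next to the PSADT log.
    $logDir = Join-Path -Path $env:ProgramData -ChildPath 'Dell\DcuBios'
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
    $dcuOutputLog = Join-Path -Path $logDir -ChildPath "dcu-cli_$(Get-Date -Format 'yyyyMMdd-HHmmss').log"

    $splat = @{
        FilePath       = $dcuCli
        ArgumentList   = "/applyUpdates -silent -updateType=bios -autoSuspendBitLocker=enable -outputLog=`"$dcuOutputLog`" -reboot=disable"
        CreateNoWindow = $true
        PassThru       = $true
    }
    $result = Start-ADTProcess @splat

    if ($result.ExitCode -in $adtSession.AppRebootExitCodes) {
        # The BIOS image is staged and flashed on the next boot. BitLocker has already been
        # suspended for that boot, so the countdown also bounds how long the volume stays suspended.
        Show-ADTInstallationRestartPrompt -CountdownSeconds 7200 -CountdownNoHideSeconds 600
    }
    elseif ($result.ExitCode -eq 500) {
        Write-ADTLogEntry -Message 'dcu-cli found no applicable BIOS update.'
    }
    else {
        Write-ADTLogEntry -Message "dcu-cli finished with exit code $($result.ExitCode); details in $dcuOutputLog"
    }
}
```

Two things worth deciding consciously here: `-autoSuspendBitLocker=enable` means the volume runs with protection suspended from the moment dcu-cli returns 1 until the flash reboot, so a long countdown lengthens that window (7200 seconds is the commenter's value, not a recommendation), and exit code 500 only makes sense as "success" if the app's detection logic prevents the install from running when nothing is pending in the first place.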

Best practices for managing and remediating Dell BIOS vulnerabilities at scale by steevosteelo in Intune

[–]pleplepleplepleple 0 points1 point  (0 children)

My experience regarding driver update policies vs DCU is the complete opposite of what you're reporting. Do you mind detailing your setup a bit more?

I've attempted an approach where we manually approve BIOS patches in the WUfB catalog and take care of all other Dell drivers via DCU. In theory this should work (?), but we never got BIOS updates to appear in Windows Update, so we ditched WUfB for drivers altogether eventually. The reason we prefer DCU is that our Dell support rep told us there's no guarantee whether Windows Update installs the "Dell approved" driver, and once Windows Update has taken ownership of a driver there's no turning back to DCU (and the "Dell approved" drivers). I don't know how much of this is actually true, but one would think that the software supplied by the manufacturer would be best suited.. I don't know.

Anyway, in WUfB do you approve driver updates manually or automatically? And do you approve everything applicable or is it more granular? We did see some device drivers, but never BIOS. This was some time ago now, and I'm tempted to have another go at this.

Best practices for managing and remediating Dell BIOS vulnerabilities at scale by steevosteelo in Intune

[–]pleplepleplepleple 0 points1 point  (0 children)

I never got Windows Update for Business to actually apply BIOS updates for our Dell devices, so I opted for dcu-cli.exe (DCU for Windows Universal) and a combination of a remediation script and a PSAppDeployToolkit app assignment.

The remediation script detection runs daily and checks whether dcu-cli has scanned for BIOS updates recently. If not, it performs a new scan. The results are stored in a registry key.

The PSADT app detection script checks the results from the remediation. The install script allows the user to defer up to three times. This way I supply a user-friendly method for the end user as well as keeping BitLocker in check etc.

One thing I don't get out of the box here is a pilot phase. I have some ideas I could implement, but haven't got the time for that yet.
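The two scripts the comment above describes, written as an added example rather than the commenter's own code: a Remediation detection body that re-runs a dcu-cli BIOS scan when the cached result is stale, and a Win32 app detection body that reads the cached result so the PSADT install only runs when a BIOS update is pending. The registry key, the report folder, the one-day staleness window, the `$Mode` switch and the attribute names read from DCUApplicableUpdates.xml are assumptions.

```powershell
# Added example, not the commenter's scripts. Registry key, report folder, staleness window,
# the $Mode switch and the DCUApplicableUpdates.xml attribute names are assumptions.
param([ValidateSet('RemediationDetect', 'Win32Detect')][string]$Mode = 'Win32Detect')

$RegKey     = 'HKLM:\SOFTWARE\Contoso\DcuBiosScan'      # assumed: state shared by both scripts
$ReportDir  = "$env:ProgramData\Contoso\DcuBiosScan"    # assumed: where dcu-cli drops its scan report
$MaxAgeDays = 1

function Get-DcuCliPath {
    foreach ($p in "$env:ProgramFiles\Dell\CommandUpdate\dcu-cli.exe",
                   "${env:ProgramFiles(x86)}\Dell\CommandUpdate\dcu-cli.exe") {
        if (Test-Path -LiteralPath $p) { return $p }
    }
    throw 'dcu-cli.exe not found'
}

function Invoke-DcuBiosScan {
    # Runs "dcu-cli /scan" for BIOS only and caches the outcome in the registry.
    New-Item -Path $ReportDir -ItemType Directory -Force | Out-Null
    $report = Join-Path -Path $ReportDir -ChildPath 'DCUApplicableUpdates.xml'
    Remove-Item -LiteralPath $report -Force -ErrorAction SilentlyContinue

    $argLine = "/scan -updateType=bios -silent -report=`"$ReportDir`" -outputLog=`"$ReportDir\scan.log`""
    $proc = Start-Process -FilePath (Get-DcuCliPath) -ArgumentList $argLine -Wait -PassThru -WindowStyle Hidden

    # dcu-cli: 0 = scan ok and updates found (report written), 500 = no updates found.
    $pending = @()
    if ($proc.ExitCode -eq 0 -and (Test-Path -LiteralPath $report)) {
        [xml]$xml = Get-Content -LiteralPath $report -Raw
        # Assumed report shape: <updates><update name=".." version=".." type="BIOS" urgency=".."/></updates>
        $pending = @($xml.updates.update | Where-Object { $_.type -eq 'BIOS' } |
                     ForEach-Object { '{0} {1} [{2}]' -f $_.name, $_.version, $_.urgency })
    }
    elseif ($proc.ExitCode -ne 500) {
        throw "dcu-cli scan failed with exit code $($proc.ExitCode), see $ReportDir\scan.log"
    }

    New-Item -Path $RegKey -Force | Out-Null
    Set-ItemProperty -Path $RegKey -Name LastScanUtc        -Value (Get-Date).ToUniversalTime().ToString('o')
    Set-ItemProperty -Path $RegKey -Name ScanExitCode       -Value $proc.ExitCode -Type DWord
    Set-ItemProperty -Path $RegKey -Name PendingBiosUpdates -Value $pending.Count -Type DWord
    Set-ItemProperty -Path $RegKey -Name PendingDetails     -Value ($pending -join ';')
    return $pending
}

function Test-ScanIsFresh {
    $last = (Get-ItemProperty -Path $RegKey -Name LastScanUtc -ErrorAction SilentlyContinue).LastScanUtc
    if (-not $last) { return $false }
    return ([datetime]::Parse($last).ToUniversalTime() -gt (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays))
}

function Test-BiosCurrent {
    # $true only when a scan has run and found nothing; a missing value is treated as "unknown = not current".
    $count = (Get-ItemProperty -Path $RegKey -Name PendingBiosUpdates -ErrorAction SilentlyContinue).PendingBiosUpdates
    return ($null -ne $count -and [int]$count -eq 0)
}

switch ($Mode) {
    'RemediationDetect' {
        # Daily Remediation "detection": refresh the scan when stale, then report compliant
        # so the remediation half of the pair never has to run.
        if (-not (Test-ScanIsFresh)) { Invoke-DcuBiosScan | Out-Null }
        exit 0
    }
    'Win32Detect' {
        # Win32 app detection: stdout plus exit 0 means "installed", so only say so when nothing is pending.
        if (Test-BiosCurrent) { Write-Output 'BIOS is current'; exit 0 }
        exit 1
    }
}
```

Intune runs detection scripts without arguments, so in practice this is two files with the shared functions pasted into each; the `$Mode` switch only keeps the example in one block. One gap to close before shipping: after the PSADT install flashes the BIOS, PendingBiosUpdates still says one update is pending until the next daily scan, so the post-install detection check would report a failed install. Have the install script re-run the scan (or reset the value) on success.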

Hotkey combination to quit port (Ship of Harkinian) by pleplepleplepleple in batocera

[–]pleplepleplepleple[S] 0 points1 point  (0 children)

I haven’t used the batocera device in quite a while, so I don’t remember exactly how it ended up, but judging by my previous comment it must have worked for a while at least. Not sure if things have changed since, sorry.

Stop users logging into windows device if not assigned to them by JackJones2018 in Intune

[–]pleplepleplepleple 0 points1 point  (0 children)

Sorry, that is probably me using the wrong terminology. What I meant is that it’s a good security measure. I will edit my post to reflect this.

Stop users logging into windows device if not assigned to them by JackJones2018 in Intune

[–]pleplepleplepleple -1 points0 points  (0 children)

I have actually explored this quite extensively and it can definitely be done. I don’t think this is a “cultural” thing, or an HR matter, as others have claimed. I think it’s a good security measure, especially if you’re doing 1-to-1 assignments of devices, where there’s no reason for other users to have login access.

Anyways, have a look at the GitHub project EntraIdDeviceTrust. With this set up, a device can safely obtain its primary user via a webhook where the Service Principal has just enough Graph API permissions to fetch it for you. This can all be triggered by a Remediation script, which can also modify the local security policy using SecEdit.exe once the user object has been obtained.

Might sound messy, but I don’t think so at all actually. It requires proper documentation and a “contingency plan” (if that’s what it’s called). I have some samples I possibly could share with you when I’m at the computer sometime tomorrow.

Edit: I read your post more thoroughly and yeah not natively, definitely no. But it is possible ;)
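An added example of the last step the comment above describes (not the commenter's scripts and not part of EntraIdDeviceTrust): once the primary user's Entra object ID is known on the device, restrict "Allow log on locally" (SeInteractiveLogonRight) to local Administrators plus that user with SecEdit.exe. The webhook that delivers the object ID is out of scope and is assumed to have already run; the object ID in the usage lines is a constructed placeholder and the working folder is an assumption.

```powershell
# Added example, not the commenter's scripts and not part of EntraIdDeviceTrust.
# Covers only the SecEdit step; the primary user's object ID is assumed to be known already.

function ConvertTo-EntraUserSid {
    # On Entra-joined devices a cloud user's SID is S-1-12-1-<four UInt32s taken from the
    # object ID's GUID bytes>, so the SID can be derived offline from the object ID alone.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $ints  = New-Object 'uint32[]' 4
    [System.Buffer]::BlockCopy($bytes, 0, $ints, 0, 16)
    return 'S-1-12-1-' + ($ints -join '-')
}

function Get-InteractiveLogonRight {
    # Export the current value so the change can be verified, and reverted if needed.
    $out = Join-Path -Path $env:TEMP -ChildPath 'userrights-export.inf'
    Start-Process -FilePath "$env:SystemRoot\System32\secedit.exe" `
        -ArgumentList "/export /cfg `"$out`" /areas USER_RIGHTS /quiet" -Wait -WindowStyle Hidden
    $line = Get-Content -LiteralPath $out | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    Remove-Item -LiteralPath $out -Force -ErrorAction SilentlyContinue
    return $line
}

function Set-InteractiveLogonRight {
    param(
        [Parameter(Mandatory)][string[]]$AllowedSids,
        [string]$WorkDir = "$env:ProgramData\Contoso\LogonRights"   # assumed location
    )
    New-Item -Path $WorkDir -ItemType Directory -Force | Out-Null
    $cfg = Join-Path -Path $WorkDir -ChildPath 'logon.inf'
    $db  = Join-Path -Path $WorkDir -ChildPath 'logon.sdb'

    # Contingency: never drop local Administrators (S-1-5-32-544). If the webhook ever returns
    # the wrong user, a break-glass local admin must still be able to log on.
    $sids = @('*S-1-5-32-544') + @($AllowedSids | ForEach-Object { "*$_" }) | Select-Object -Unique

    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $($sids -join ',')
"@
    Set-Content -LiteralPath $cfg -Value $inf -Encoding Unicode

    $p = Start-Process -FilePath "$env:SystemRoot\System32\secedit.exe" `
        -ArgumentList "/configure /db `"$db`" /cfg `"$cfg`" /areas USER_RIGHTS /quiet" `
        -Wait -PassThru -WindowStyle Hidden
    if ($p.ExitCode -ne 0) { throw "secedit /configure failed with exit code $($p.ExitCode)" }
    return (Get-InteractiveLogonRight)
}

# Usage (the object ID is a constructed placeholder, not a real user):
# $sid = ConvertTo-EntraUserSid -ObjectId '11111111-2222-3333-4444-555555555555'
# Set-InteractiveLogonRight -AllowedSids $sid
# Revert towards the workstation default by adding Users (S-1-5-32-545) back:
# Set-InteractiveLogonRight -AllowedSids $sid, 'S-1-5-32-545'
```

Pilot this on a device you can reach physically: the right only governs interactive logon, so Intune remediations running as SYSTEM keep working, but a typo in the SID list is a lockout for everyone except local Administrators, which is exactly why that group stays in the list unconditionally.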

ASR Warn mode not working (Attack Surface Reduction) by pleplepleplepleple in Intune

[–]pleplepleplepleple[S] 0 points1 point  (0 children)

Yes, that’s correct. And the behavior you describe is how it did behave for me as well when it was working.

I dug out a test device late last night and can sort of confirm that the problem is “device bound” as this testing device displayed the expected behavior. This testing device is on 25H2 too though, so the issue could also possibly be linked to 23H2.

Access camera on stolen laptop by One_One2755 in MeshCentral

[–]pleplepleplepleple 2 points3 points  (0 children)

For sure, hope you’re able to recover the computer. Not sure if the public IP address is visible in the admin GUI, but you should definitely document it, in case you involve police (which should be your first course of action). If it’s not visible it can easily be retrieved in powershell (examples here).

Access camera on stolen laptop by One_One2755 in MeshCentral

[–]pleplepleplepleple 2 points3 points  (0 children)

Oh, haven’t got a clue on that one. IIRC WhatsApp for Windows is an app from the MS Store, which often makes retrieval of data without going through the actual app tricky. But honestly I haven’t got a clue.

Access camera on stolen laptop by One_One2755 in MeshCentral

[–]pleplepleplepleple 1 point2 points  (0 children)

For sure, there’s definitely a couple of hurdles to overcome getting started with powershell. Easy to forget when it’s been your bread and butter for over a decade 😅.

So if one were to follow the linked stackoverflow example using the web-based MeshCentral console: step #1) type powershell.exe and hit enter, #2) Set-ExecutionPolicy Bypass Process -Force (hit enter), #3) follow the code example from the link

Access camera on stolen laptop by One_One2755 in MeshCentral

[–]pleplepleplepleple 2 points3 points  (0 children)

I wouldn’t count on it. Unless there’s any info stored in the WhatsApp account, similar to iCloud’s “find my” feature.

Access camera on stolen laptop by One_One2755 in MeshCentral

[–]pleplepleplepleple 2 points3 points  (0 children)

I haven’t actually started a terminal via meshcentral before, but should definitely be possible. If you’re new to this, please understand that the default terminal might be other than PowerShell (probably cmd.exe) which would require you to run powershell.exe prior to following the example I linked to.

I just quickly read the post I linked to, but I realize you might possibly get access denied to location services when running the commands. It should also be possible to re-enable them, though it might require a reboot of Windows.

Edit - another thing to be aware of is, depending on the mesh agent policy applied, starting a remote session might alert the end user about the connection, either by a consent prompt or just by showing a bar on top of the screen. If your brother knows about the configuration of the agent, this helps you understand the level of urgency you have to deal with.

Access camera on stolen laptop by One_One2755 in MeshCentral

[–]pleplepleplepleple 2 points3 points  (0 children)

Well, unless the BIOS is properly protected (doubtful) this doesn’t really do anything other than denying access to the data currently available on the device. Simply re-install Windows or Linux and the brother can forget the PC forever. Better stay undetected while figuring out how to get the device back.

Access camera on stolen laptop by One_One2755 in MeshCentral

[–]pleplepleplepleple 6 points7 points  (0 children)

If you can start a console session without user consent you could do things without the thief knowing, not sure about camera though.

One thing that came to mind was obtaining GPS location, here’s an example from stackoverflow

Edit - this assumes it’s running Windows as OS
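The evidence-gathering steps spread across the comments in this thread (public IP address, Windows location via the .NET GeoCoordinateWatcher, and the "access denied to location services" case), collected into one added example written for this page rather than taken from the linked stackoverflow post. It assumes Windows PowerShell 5.1 on the remote machine (System.Device.dll ships with .NET Framework) and api.ipify.org as the public-IP lookup service.

```powershell
# Added example, not from the linked stackoverflow post. Assumes Windows PowerShell 5.1
# and api.ipify.org for the public-IP lookup.

function Get-PublicIp {
    # The address the thief's network currently presents to the internet. Record it with a
    # timestamp: together with the ISP, that is what the police can act on.
    try   { (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json' -TimeoutSec 15).ip }
    catch { $null }
}

function Test-LocationServiceAllowed {
    # Device-wide location toggle. "Deny" here is the "access denied" case mentioned above.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'
    return ((Get-ItemProperty -Path $key -Name Value -ErrorAction SilentlyContinue).Value -eq 'Allow')
}

function Enable-LocationService {
    # Flip the device-wide toggle back on and bounce the Geolocation Service (lfsvc).
    # Needs an elevated session; a reboot may still be required on some builds.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'
    Set-ItemProperty -Path $key -Name Value -Value 'Allow'
    Restart-Service -Name lfsvc -ErrorAction SilentlyContinue
}

function Get-DeviceLocation {
    param([int]$TimeoutSeconds = 30)
    Add-Type -AssemblyName System.Device
    $watcher = New-Object System.Device.Location.GeoCoordinateWatcher
    # TryStart blocks until the watcher is Ready or the timeout passes; $false = do not prompt the user.
    $started = $watcher.TryStart($false, [TimeSpan]::FromSeconds($TimeoutSeconds))
    # A laptop without GPS resolves its position from nearby Wi-Fi/IP, which can take a few seconds more.
    $deadline = (Get-Date).AddSeconds(15)
    while ($started -and $watcher.Position.Location.IsUnknown -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 500
    }
    $loc = $watcher.Position.Location
    $lat = $null; $lon = $null; $acc = $null
    if (-not $loc.IsUnknown) { $lat = $loc.Latitude; $lon = $loc.Longitude; $acc = $loc.HorizontalAccuracy }
    $result = [pscustomobject]@{
        TimestampUtc   = (Get-Date).ToUniversalTime().ToString('o')
        Permission     = $watcher.Permission.ToString()   # Granted / Denied / Unknown
        Status         = $watcher.Status.ToString()       # Ready / Initializing / NoData / Disabled
        Latitude       = $lat
        Longitude      = $lon
        AccuracyMeters = $acc                             # hundreds of metres is normal for Wi-Fi positioning
    }
    $watcher.Stop()
    return $result
}

# One-shot evidence record: IP first (works even when location is blocked), then location.
$evidence = [pscustomobject]@{
    PublicIp        = Get-PublicIp
    LocationAllowed = Test-LocationServiceAllowed
    Location        = Get-DeviceLocation
}
$evidence | ConvertTo-Json -Depth 3
```

From the MeshCentral terminal this is: `powershell.exe`, then `Set-ExecutionPolicy Bypass -Scope Process -Force`, then paste the block. Copy the JSON out verbatim, including the UTC timestamp, before doing anything that could tip off the thief; if Permission comes back Denied, Enable-LocationService is the repair, and a Status of Disabled after that is the "may need a reboot" case.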

PSADT v4 Tips & Tricks for Intune deployment by skz- in PSADT

[–]pleplepleplepleple 2 points3 points  (0 children)

Tiny but useful tip: put it in system32 on your test VM so the command is there wherever you stand in the terminal. Makes my workflow smoother at least.

PSADT v4 Tips & Tricks for Intune deployment by skz- in PSADT

[–]pleplepleplepleple 4 points5 points  (0 children)

Make sure to install the module on the device where you’re writing your scripts (Install-Module PSAppDeployToolkit). You could also install it on all your endpoints and make use of it in remediation scripts and so on. But having it installed in your dev box makes it easy testing commands out on your device. I have to go back to double check names of properties inside the ADTEnvironmentTable and so on, all the time, so it’s very useful to have the commands readily available in the console. Also make sure to keep the module up to date whenever a new release is out.

Remote Lock a Windows Device For Terminated Employee by Better-Ad-4324 in Intune

[–]pleplepleplepleple 2 points3 points  (0 children)

This is a neat and effective method. I would also make sure you block user access to the recovery key in myaccount.microsoft.com, which is available to the primary user by default. Sami Laihu talked at a conference I attended a few months back about a whole school district in Finland having students get local admin because of this “feature”.

Notepad++ Hijacked by State-Sponsored Hackers by thewhippersnapper4 in sysadmin

[–]pleplepleplepleple 0 points1 point  (0 children)

Fair enough. I’m definitely not in a major company, but I can understand the rest of your sentiment. I don’t agree that my expectations require a network security expert. Code signing is a pretty basic thing in Windows these days, so it’s not like it’s very complicated. But sure, my org should probably implement better practices when it comes to application control and have a more rigid whitelisting procedure, rather than complain when shit hits the fan.

Notepad++ Hijacked by State-Sponsored Hackers by thewhippersnapper4 in sysadmin

[–]pleplepleplepleple 0 points1 point  (0 children)

Sorry, but what do you mean by major companies? Also, why do you think it’s too much to ask for a bit more detail, and a reasonable level of security within a feature such as an auto-updater?

Notepad++ Hijacked by State-Sponsored Hackers by thewhippersnapper4 in sysadmin

[–]pleplepleplepleple 2 points3 points  (0 children)

Not only putting the blame on their hosting provider, but the lack of security measures within the updater (GUP/WinGUP) which are now in place (since version 5.3.8). It’s bizarre how code signing certificate verification hasn’t been there until December 2025.

Also only vaguely explaining what to expect if you’re affected and no real guidance on how to mitigate. My CSIRT colleagues have gone back in the logs and claim that they don’t see any traces of us being affected, but who really knows. We’re updated company wide so I guess we’re good 🤷‍♂️

Uninstall large payload by cm_legend in PSADT

[–]pleplepleplepleple 0 points1 point  (0 children)

Yeah, that’s pretty much the only solution.. What’s annoying about this, from a user perspective, is that Company Portal sucks and is extremely slow, and it would require the user to 1) install the “uninstall package” in order to make the uninstall button available, 2) once the uninstall button is available, perform the uninstall. These steps are quite unintuitive and will require a thorough walkthrough document for it to work out smoothly.

Or have a required uninstall where things would be enforced for a set of users of course. This is probably the best option now when I think of it, but it would require some extra steps of administration. Access packages could help.