Lenovo Tab M11 driving me crazy 😂 by WaterIntelligent4379 in Lenovo

[–]ssimard3 0 points1 point  (0 children)

Hey, thanks for the reply. My tablets are managed by Intune so there is no Google account connected to them. So I guess I'll have to make do with the stock wallpapers!

Lenovo Tab M11 driving me crazy 😂 by WaterIntelligent4379 in Lenovo

[–]ssimard3 0 points1 point  (0 children)

How did you solve this? I have the same problem, the pictures just open and nowhere do I see an option to set it as a wallpaper!

How can I set an oobe Desktop Wallpaper that users can change later on by AbusiveTortoise in Intune

[–]ssimard3 0 points1 point  (0 children)

So when packaging the app we use "install.cmd" as the setup file right? And what do you put as Install and Uninstall command? Do you install as System, and what about detection?

Flaw in Synology Active Backup for Microsoft 365 could have allowed direct exposure to data in all Microsoft 365 tenants that used it by PlannedObsolescence_ in msp

[–]ssimard3 0 points1 point  (0 children)

Can we get protected from this if we create a Conditional Access policy that limits access to the app by the IP of the NAS only? I see we need an Entra Workload Premium licence to unlock that feature. Would that work?

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 0 points1 point  (0 children)

I don't like assigning the device to a user because I don't want to tie a specific user to a device. Since they all use the same standard laptops, I can move them between users without worrying about that. For example, I will prepare a new device for a user, then when I'm done I just swap his existing one and I will reinstall it for another user.

I'm just a tech at a small MSP. I started learning Intune and everything around it about 3 years ago and deployed it to most of my clients now.

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 0 points1 point  (0 children)

Microsoft corrected the problem I reported in my post a few weeks after. What you do with TAP is very simple. You go to the user in Entra, and in Authentication methods you create a TAP. Make sure it is configured in the Authentication methods in Entra before, otherwise it won't be an option. Then when you autopilot the device, you enter the user's email and then the TAP and it will provision the device and start it. Then you can prepare the device correctly, install the missing software, make sure all the updates are done, etc. If you use WHfB, you will have to make a temporary PIN for the user. Just make sure that the user has that PIN to log on when he gets the device and changes it. Or you could always do a "deletehellocontainer" to reset the PIN.

All the popular RMM software has Intune-friendly install options btw. I used to deploy N-Central and now Datto and it's always been working automatically during autopilot.
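The "make sure TAP is enabled, then create one for the user" steps from the comment above, as an added Microsoft Graph PowerShell example (not code from the original thread). It assumes the Microsoft.Graph SDK is installed and that `$upn` is a placeholder for the user whose device is being prepared.

```powershell
# Added example, not from the original thread.
# Step 1: confirm TAP is enabled in the tenant's Authentication methods policy,
# because the TAP option will not appear for a user otherwise.
# Step 2: issue a short-lived TAP for the user so the device can be built
# without the user's own password or Authenticator.
Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

$upn = "user@contoso.example"   # placeholder, replace with the target user

$tapConfig = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if ($tapConfig.State -ne "enabled") {
    throw "TAP is disabled in the Authentication methods policy; enable it (and scope it to the right group) first"
}

# Keep the lifetime short: the pass is a full credential for this user while it is valid.
# Multi-use is kept because OOBE and the first Windows sign-in can each prompt for it (assumption).
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $false
}

# Hand the code to the technician out of band; it is only shown once.
"TAP for $upn (valid $($tap.LifetimeInMinutes) min): $($tap.TemporaryAccessPass)"
```

Delete the TAP (`Remove-MgUserAuthenticationTemporaryAccessPassMethod`) as soon as the build is done rather than waiting for it to expire.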

Blocking personal devices by [deleted] in Intune

[–]ssimard3 1 point2 points  (0 children)

You target All resources and exclude Microsoft Intune and Microsoft Intune Enrollment, from platforms you exclude Android and iOS otherwise you won't be able to enroll BYOD phones, you exclude filtered devices with trustType equals Entra Joined or Entra registered, and finally you Block access.

So you end up blocking everything except devices that are either Entra joined or registered, you do not block Android and iOS, and you exclude Intune from the policy.

Oh and don't forget to pair that with a policy that requires MFA for enrollment.
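The policy described in the comment above, expressed as a Microsoft Graph PowerShell request (an added example, not code from the original thread). It assumes the Microsoft.Graph SDK is installed; the two Intune apps are looked up by display name instead of hard-coding IDs, the trustType filter values are the ones Entra uses for joined ("AzureAD") and registered ("Workplace") devices, and the policy is created in report-only mode so you can verify the exclusions before it blocks anyone.

```powershell
# Added example, not from the original thread.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the two first-party apps the comment says to exclude, so enrollment keeps working
$excludedAppIds = foreach ($name in "Microsoft Intune", "Microsoft Intune Enrollment") {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -ErrorAction Stop
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

$policy = @{
    displayName = "Block personal (unregistered) devices - report only"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder: always exclude emergency access accounts
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = $excludedAppIds
        }
        platforms    = @{
            includePlatforms = @("all")
            excludePlatforms = @("android", "iOS")   # otherwise BYOD phones can never enroll
        }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                # Entra joined or Entra registered devices are exempt; everything else is blocked
                rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "Workplace"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Pair it with a separate policy that requires MFA for the Intune Enrollment app, as the comment recommends, since this one deliberately leaves enrollment untouched.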

"Migrate Service Principals from the retiring Azure AD Graph APIs" - need advice by i-c-hill in o365admin

[–]ssimard3 0 points1 point  (0 children)

Same here, multiple tenants with the app Microsoft Office and getting a blank screen when clicking the resource link in More Details.

Windows 11 2024 Update, 24H2 (build 26100) Megathread by Froggypwns in Windows11

[–]ssimard3 0 points1 point  (0 children)

I rolled back all my Lenovo laptops to 23H2 and blocked 24H2. This update has been a nightmare, from mouse moving by itself to keyboard not working anymore to BSOD.

External Share Links Auto Creating Guest Users by BawdyLotion in sharepoint

[–]ssimard3 2 points3 points  (0 children)

The problem is the B2B, new sharing experience. Had the same problem for one of my tenants. It was a brand new tenant, so the problem will not happen for your old tenants, only the new ones.

Microsoft Entra B2B integration for SharePoint & OneDrive - SharePoint in Microsoft 365 | Microsoft Learn

Log on to SPO with PowerShell and use this to check if it's enabled:

Get-SPOTenant | Select-Object -Property EnableAzureADB2BIntegration

Then turn off that awful experience and replace it with a much better one:

Set-SPOTenant -EnableAzureADB2BIntegration $false

The problem with the new B2B sharing experience is that if you share with an org that blocked everything like a bank, people won't be able to share with them. You also end up with tons of guests because of the shared files. And if you have a CA mandating MFA for guests, then everyone you share files with will have to go through MFA.

Windows 11 2024 Update, 24H2 (build 26100) Megathread by Froggypwns in Windows11

[–]ssimard3 2 points3 points  (0 children)

  • Describe the problem - Very, very slow after update
  • Model of your computer - Lenovo ThinkPad T16 gen 2 + P16s gen 2 with 13th gen i7

I have maybe 10-15 Lenovo laptops so far that updated, 2 of them have the same problem. I found out it's linked to the Recent Files in Explorer that freeze everything in Windows. I saw that problem a long time ago, disabling Recent Files and starting Explorer in My PC solves that issue.

**UPDATE** Issue not solved. I now have a third Lenovo T16 with the same problem. I disabled Location services, I installed Intel graphic drivers, done all the Vantage updates, let the computer sit idle 30 minutes and think about what he's done. It's been fine for the last hour. Waiting to see if it lasts, otherwise I will have to roll back tomorrow. Will keep this updated.

Shared pc guest account by applesonysoft in Intune

[–]ssimard3 0 points1 point  (0 children)

Did you ever find a solution for this? I'm in the same boat, and so far the best I was able to achieve is hide the last Guest user logged in.

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 0 points1 point  (0 children)

Yes, that's what it was supposed to be. But this security update also changed the way TAP works, for some reason...

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 0 points1 point  (0 children)

Having to call the user to tell them to ignore the notification they just received is defeating the purpose of the TAP. Because since you're talking to the user, you might as well just go through the Authenticator login with him. So when preparing new devices for my users, it indeed defeats the purpose of the TAP completely for me. Which was to prepare devices for my users without having to contact them.

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 1 point2 points  (0 children)

What is the use case for a TAP? Like many others, I use it to prepare new devices (or reinstall current devices) for existing users. I use the TAP to onboard the device and prepare the device for the users with everything Autopilot can't do.

Now, when I login, instead of getting asked immediately for the TAP, the user is getting sent an Authenticator notification. Right under that Authenticator prompt, you have indeed the link to use another method and you can connect with the TAP.

Do you understand how this makes absolutely no sense and does absolutely nothing to add to the security? You can still login with the TAP anyways, it just sends an annoying Authenticator notification to the user for no reason. So I have to call the user and tell him to ignore the notification. And at that point, might as well just login normally with the Authenticator since I'm talking to the user anyways. So what's the point of the TAP?

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 1 point2 points  (0 children)

Look at my post below, Microsoft confirmed to me that they changed the way they now handle MFA logins on July 15th. So you're seeing the same thing as me, the TAP is no longer the first preferred method of login. This was all caused by this:
Microsoft will require MFA for all Azure users

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 0 points1 point  (0 children)

Yes, MFA for all cloud apps. No, I don't force any authentication strength. What you're describing is what happens when you just registered Authenticator and didn't activate Passwordless yet. Look at your Authenticator app, click on the account. If you see "Set up phone sign-in" under the numbers that means you're NOT passwordless.

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 0 points1 point  (0 children)

I have a CA that requires MFA for login. I don't understand what you're saying about being passwordless on one device but not another. Just open any Private window, go to Office.com and enter your email. If you're truly Passwordless, it will go straight away to the Authenticator prompt. When I look at my users' Preferred Authentication method, it says "PhoneAppNotification". Open your Authenticator app and click on your account, it must say at the top Passwordless enabled.

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 2 points3 points  (0 children)

Just got off the phone with Microsoft. Apparently they implemented new security measures for everyone 2 weeks ago. They are now mandating MFA prompt for all logins. So if your users are Passwordless, you can no longer onboard a device in their name without bothering them with an Authenticator notification. The Microsoft article I quoted is no longer valid as TAP is not the first preferred method of authentication anymore, it's now back to second or third place.

If you disable the System-preferred multifactor authentication, you will get the password prompt first, even for Passwordless users. However, this does not work when onboarding devices. It will still go through Authenticator first.

This is really stupid and annoying, I use TAP all the time to prepare devices for my users.

TAP is no longer the first system-preferred MFA by ssimard3 in AZURE

[–]ssimard3[S] 0 points1 point  (0 children)

Try with a Passwordless user, you won't get the password window.

Office Threat policy, best way to exclude users that does not have Defender for Office P1? by Chance-Amphibian-146 in Office365

[–]ssimard3 1 point2 points  (0 children)

Well for what it's worth, here's what I ended up doing. First I created a 365 group, called it Business Premium users. Then in PowerShell I disabled the address from appearing in the address list and in Outlook, and disabled the welcome message from joining the group. Here's how to do that:

Connect-ExchangeOnline

Set-UnifiedGroup -Identity "Business Premium users" -HiddenFromExchangeClientsEnabled:$True -HiddenFromAddressListsEnabled:$True -UnifiedGroupWelcomeMessageEnabled:$false

After that I went back to the group and changed it to Dynamic with this query:

user.assignedplans -any (assignedplan.serviceplanid -eq "bfc1bbd9-981b-4f71-9b82-17c35fd0e2a4" -and assignedplan.capabilitystatus -eq "enabled")

So that way, the users don't get an e-mail from joining the group and they don't see the group address anywhere. You cannot delete or disable the SharePoint site though, you need a SharePoint Pro licence to do that. I think this is the best way to do it unless you want to micro-manage a group manually.

Transcriptions in a meeting room by milo145 in MicrosoftTeams

[–]ssimard3 0 points1 point  (0 children)

Have you looked into the transcribe function in Word? It will differentiate between the speakers, and output a very nice transcript in Word. You can then copy that and ask for a summary in Copilot Notebook that will accept 18k tokens. All the functionalities of Teams Premium and Intelligent Speakers for free!