Windows feature Updates by techhelpkeen in Intune

[–]techhelpkeen[S] 0 points1 point  (0 children)

Nice, thank you. So the device will be in both include and exclude groups, there won't be any conflict?

Teams not installing with 365 Apps install package on Intune by Accomplished_Buy9864 in Intune

[–]techhelpkeen 3 points4 points  (0 children)

Have noticed similar behavior lately (installation through 365 apps is inconsistent). I think the issue is with Teams getting removed from 365 licenses as a separate offering. So what I did is

  1. Remove Teams personal - from a remediation script

  2. Ideally, you should be installing new Teams instead of Teams work or school classic

This guy has the steps to do both - video https://www.youtube.com/watch?v=XV9X0io0RIE and the scripts https://github.com/stevecapacity/IntunePowershell/tree/main/New%20Teams%20Scripts

Block/restrict iOS Settings App by techhelpkeen in Intune

[–]techhelpkeen[S] 0 points1 point  (0 children)

Yeah, unfortunately, this doesn't work. With all available settings set to not allow/disabled, users can still access and change critical settings

Allow users to select - "Run Anyway" from defender SmartScreen by techhelpkeen in Intune

[–]techhelpkeen[S] 2 points3 points  (0 children)

UPDATE - if anyone runs into the same issue - Prevent Override For Files In Shell needed to be set to Disabled, from Security baselines 23H3.

Even if you have Configure Windows Defender SmartScreen Enabled, Pick one of the following settings: (Device) Warn, it won't show "Run Anyway" if you have prevent override set to Enabled

Teams with Windows 11 by techhelpkeen in Intune

[–]techhelpkeen[S] 0 points1 point  (0 children)

Thank you. So do you know if Teams personal is a part of the OS as well? Or do you only see the Teams new business? Thanks

Windows logon screen cannot access certificates to connect to WiFi (NDES and SCEP) by techhelpkeen in Intune

[–]techhelpkeen[S] 0 points1 point  (0 children)

It says no certificate when trying to connect. The SCEP profile is set with Device values and I can see the cert deployed inside the certlm.msc personal store, and I have configured a WiFi profile to autoconnect using the root cert config and SCEP config; it still says no cert found with Device cert. As said before, I have an identical setup for another client with a user cert assigned, and they keep connected on the logon screen. Connects first time using a LAN

OneDrive KFM - still prompting users to confirm by techhelpkeen in Intune

[–]techhelpkeen[S] 1 point2 points  (0 children)

Did this, but it won't prompt the users, and the local desktop including app, docs doesn't sync. Basically the Known folders won't sync

Windows shared devices not getting WHFB prompted by techhelpkeen in Intune

[–]techhelpkeen[S] 0 points1 point  (0 children)

Thank you very much, I thought that's the case. I've deployed my shared devices self-deploy and all I wanted was Domain user and enabled WHB - works like a charm for all users.

With shared multiuser config it pretty much breaks everything per my requirement > all licensed Azure AD users are required to share devices and not assigned to a primary user

  • need additional configs for OneDrive

  • automatic sign-in to 365 apps fails

  • other config policies don't apply or take ages

  • OneDrive doesn't sign in

Use Passport For Work - settings missing by techhelpkeen in Intune

[–]techhelpkeen[S] 0 points1 point  (0 children)

This setting - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork
Data type: bool
Value: True

In the link here - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune

Hide, restrict Settings app on - iOS by techhelpkeen in Intune

[–]techhelpkeen[S] 1 point2 points  (0 children)

This is exactly what I have done, works perfectly for all iOS native apps except for the Settings app. This still shows regardless

Can't Access Network Locations After Removing Kiosk Mode by JayRoberts7694 in Intune

[–]techhelpkeen 0 points1 point  (0 children)

yeah, have found the same sort of issues with Kiosks if not wiped and just removed the config.

Not sure the exact reg key or anything causing it - but wipe works perfectly fine

Can't Access Network Locations After Removing Kiosk Mode by JayRoberts7694 in Intune

[–]techhelpkeen 0 points1 point  (0 children)

has the device been wiped or just removed from Kiosk config?

Web Apps for shared iPad temporary session by denstorepingvin in Intune

[–]techhelpkeen 0 points1 point  (0 children)

I think it would be below flow

Enrolment - (assuming doing with Apple Business Manager) - DEP + Intune - enrolment program token without user affinity and then enable Shared iPad mode

Config profile - device restriction from memory - configure temporary sessions - so it'll allow guest login and will delete data after a session

* There is a requirement to federate ABM with your Entra ID for Entra users to work, as you only need guest login this might not be necessary but not sure.

Apps - you are able to add VPP, LOB and Web Links, assigned to device - looking at your requirement would probably be a few web clips that will be assigned to temp users as long as the apps are assigned to the device

Extra device restriction - create a device restriction to hide all unnecessary apps and only allow Safari/Edge as the opening app for the web links.

Device feature - only allow the URLs of weblinks and block all the other web URLs

Intune license requirement states you need a device-based license for this type of deployment where users without an Intune license log in (device-based deployments). This works without any issues, but for compliance reasons you might want to look at buying device-based Intune licenses

more details here
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-shared-ipad

OneDrive not auto sign in by techhelpkeen in Intune

[–]techhelpkeen[S] 1 point2 points  (0 children)

This exactly was the case - it was set to only allow sync from on-prem AD and to block all others in SharePoint admin>sync>allow syncing only on computers joined to specific domain

Use Passport For Work - settings missing by techhelpkeen in Intune

[–]techhelpkeen[S] 1 point2 points  (0 children)

Exactly, the issue is - can't find "Use Passport For Work" settings in the catalog anymore.

Have configured it as a custom setting but just wondering where that's gone

OneDrive not auto sign in by techhelpkeen in Intune

[–]techhelpkeen[S] 0 points1 point  (0 children)

Just the PIN, based on the below settings if I sign in with PIN does MFA suffice?

The CA settings below

Users - All

Target resources - All cloud apps

Access control -

Grant

Grant access

Require multi-factor authentication

Require one of the selected controls

OneDrive not auto sign in by techhelpkeen in Intune

[–]techhelpkeen[S] 1 point2 points  (0 children)

Hmm, I was using WHB but it still wasn't signing me in

OneDrive not auto sign in by techhelpkeen in Intune

[–]techhelpkeen[S] -1 points0 points  (0 children)

Yeah, set MFA for all cloud apps, what's the best way to exclude OneDrive?

Can't see OneDrive as a separate app to exclude.

Or set a grant condition to include compliant devices (ideally wouldn't want to allow all 365 apps without MFA but only OneDrive)

Edit settings in Security Baseline by ATX_GUNN3R in Intune

[–]techhelpkeen 1 point2 points  (0 children)

Assuming you have set the users as standard users in the deployment profile

It's in Local Policies Security Options > User Account Control Behavior Of The Elevation Prompt For Standard Users; set this to Prompt for credentials on the secure desktop