Відео

Amazing content, I recently had to use applocker to block apps, but I started learning that wdac is the future, although still using applocker for some simpler cases

awesome

Awesome video! Testing this out and able to add the Adobe Creative Cloud and Teams. Think this will come in very handy. Really appreciate the content you've been sharing.

7:28

Does this work for apps that are on winget? An example, iCloud has a store version, but iTunes is winget only.

Hello! I have a question regarding Autopilot V1 and V2. Autopilot V1 I have to enter information into Intune, such as hardware hash. In the case of Autopilot V2, I no longer need to execute the process. How should I proceed with the acquisition of new devices with Dell, since there is no longer a need to have the hardware hash. Just ask the manufacturer to send the devices and that's it?

if you have Autopilot V1 and Autopilot V2 configure which will intune use?

is there a builtin power-shell command to get the corporate device identifier in csv to manually upload it?

Thanks for another great video Steve!

Hi, after implementing this, have there been any changes to the Defender portal?

I appreciate shedding light on applocker, as it’s a very underutilzied tool. I do think the scenario you are showcasing is not the correct way of going about it though. If an application is spotted that should not be allowed to run, it should simply just be uninstalled remotely. Applocker policies should restrict anything not whitelisted from being installed. To take it a step further i would only do explicit blocks on LOLBINs to prevent misuse of the default allow policies for malicious use. Also, doing path level blocks/allows is silly. Whos to say the path isnt different than specified? Any user can see what policies are deployed if they know how to look. File hashes and publishers are the way to go

Can't find "Microsoft Intune" in the exclusion list. "Microsoft Intune Enrollment" is available. When i would add "Microsoft Intune" via Powershell it says, that it's allready assigned. Do i need intune?

When you created the Applocker default rules all executables in the Program Files and Windows folders are allowed by default. What about MS Teams?, that application executable is stored in the User folder or ProgramData folder? Can you still open Teams? and check that in your lab environment? And maybe it is a good idea to make an allow rule to run all signed Microsoft executables, just in case there are Microsoft executables in ProgramData that needs to run.

Haven't had a need for this (yet), but your video makes it quite clear how to implement this if/when we need to do so. Much appreciated!

So when you added Thunderbird to the policy, you just appended it to the end of the value in Intune?

I love you. That's all.

Thanks for another great video Steve!! I definitely will be using this AppLocker Method! Thank you for saving the day! Very Helpful and much needed!!

Hey Steve My Friend! Another great video! With the Autopilot pre-visioning configurations setup, what makes this method different from this New Windows Autopilot device preparation method?

brilliant - here's something - PC's that are hybrid will I have to remove them from intune and Entra first

Have you ever seen an error where one file share occasionally has a connection issue, but none of the others do? I followed your instructions and it works, except one of the file shares (which is configured exactly the same way in GSA as the others) occasionally will give an error: networksharename is not accessible. You might not have permission to this network resource. We only run into this with one share, the other 5 work perfectly, all using same SMB share app in Entra and group access.

Thanks for this . I created a configuration profile in Intune with this trick and it worked really well on most of the devices . But I was reported that only 2 users were unable to open MS outlook, Teams , Company portal apps once the policy is applied . And when I removed the policy from these 2 users , they can access the MS apps again . Can you please check this and let me know why this happened ? Note - I did exactly what you shared.

I had turn off Pre-Provisioning. Every time we let our workstations sit for a day or more after reseal, it would forget that it was in the middle of the Autopilot process and skip past the user provisioning part causing all kinds of issues.

Thanks for the video, do you have the diagram anywhere? :)

Thanks for the video. It might be a stupid question, but is this already with Autopilot V2? because it had the classic ESP layout. And can we monitor the install process in Intune?

Very helpful and good video 👍

It looks completly different in my Intune ...Windows365 is not accessable despite the fact that we have all the necessary licences and admin roles.

any soution for the N-able client :)

Does apps automatically update using the new win store method including ones like creative cloud?

Amazing content again! I can’t believe how you are able to provide so much unique content that every Intune admin is looking for.

I have so many apps in my list to add to Company Portal that aren't "ready" yet. Not ready to do it this way but cool to see that it's possible. I wonder why it doesn't like the version code for that example? One of the apps that's annoying right now is Notepad++. Shows up with winget search and it's in the winget repo but the Add App in Intune comes back with 0 results. 🤷‍♂

Amazing

What would be the advantage of using the remediation script for removing Personal Teams vs using a Configuration Profile? I have a configuration profile that removes the Chat icon from the taskbar and that also seems to remove Teams Personal.

Thank you!

If I'm understanding this correctly, I need to setup a connector on each server that I want to have accessed in this method. I then control the ports available through the enterprise applications. However, this doesn't limit the physical server access on those ports right? If another device was on the same network as a server on this platform, it could communicate and access that device as normal?

Hey thanks so much for the tutorial...How about if someone wants to migrate their devices from a RMM platform like Ninjaone to Intune..how can we do that without performing a reset on the devices

I agree with you re: self service.. but you haven't met my users clearly, I've been trying to build self service first policy for a few years lol

Hi, Thank you so much for making this video. Can you please also make a video on how to automate the corp identifier upload using Azure Functions as well.

I find that using a Windows VM, 10 or 11, Workgroup and not joined to any tenant/domain to create PPKGs works the best. I have used PPKGs to migrate devices using Forensit Profile Migration tool for many clients as well as adding the Forensit tool to CP to do tenant to tenant migrations. Sometimes I would get a failure on the tenant enroll side and produced the following to force the device into the new tenant. Sorry, this is a bit messy, but it works. Run as system and I would use a tool like ConnectWise Screen connect to backstage into a remote PC and run these #Sometimes the device failed to leave the old tenant, running as system this should kick it off join dsregcmd /debug /leave #The following cleans up the registry, when the PPKG fails to join the PC it can be due to the old tenant enrollments. This data is not purged when a device is unjoined from UI or cmd. $EnrollmentsKey = Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments -Exclude Context,OwnerShip,Status,ValidNodePaths | Where {$_.Property -contains "UPN"} foreach ($Key in $EnrollmentsKey){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\$KeyToDelete" -Force -Recurse} $EnrollmentsKey1 = Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status | Where {$_.Property -contains "LifecycleNotificationHResult"} foreach ($Key in $EnrollmentsKey1){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\$KeyToDelete" -Force -Recurse} $EnrollmentsKey2 = Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\Enrollment -Exclude Context,OwnerShip,Status,ValidNodePaths | Where {$_.Property -contains "Time"} foreach ($Key in $EnrollmentsKey2){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\Enrollment\$KeyToDelete" -Force -Recurse} $EnrollmentsKey3 = Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger | Where {$_.Property -contains "OmaDmPrc"} foreach ($Key in $EnrollmentsKey3){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$KeyToDelete" -Force -Recurse} Remove-ItemProperty "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger" -Name CurrentEnrollmentId -Force Remove-ItemProperty "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\Provisioning" -Name OmaDmSession -Force Remove-ItemProperty "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID" -Name DeviceClientId -Force $EnrollmentsKey4 = Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions foreach ($Key in $EnrollmentsKey4){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$KeyToDelete" -Force -Recurse} $EnrollmentsKey5 = Get-ChildItem "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\EnterpriseMgmt" foreach ($Key in $EnrollmentsKey5){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\EnterpriseMgmt\$KeyToDelete" -Force -Recurse} $EnrollmentsKey6 = Get-ChildItem "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status" foreach ($Key in $EnrollmentsKey6){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\$KeyToDelete" -Force -Recurse} $EnrollmentsKey7 = Get-ChildItem "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault" foreach ($Key in $EnrollmentsKey7){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\$KeyToDelete" -Force -Recurse} $EnrollmentsKey8 = Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts | Where {$_.Property -contains "RoamingCount"} foreach ($Key in $EnrollmentsKey8){$KeyToDelete = $Key.PSChildName;Remove-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$KeyToDelete" -Force -Recurse} #Other commands to have at the ready Get-ProvisioningPackage dsregcmd /join dsregcmd /status gpupdate /force Write-Host Join One last note, adding logging to your PPKG install. Add the date when the bulk token will expire, so you know not to use it after that date. Have the PPKG install a remote tool, like ConnectWise Control. Powershell.exe Install-ProvisioningPackage -PackagePath C:\Users\defaultuser0\Documents\ConnectWiseControl\Files\Company_PPKG_8AUG_atOOBE_noWIFI_wCWC_EXP03FEB2024.ppkg" -ForceInstall -QuietInstall -LogsDirectoryPath C:\PPKG_Install.log

Hello I am getting following error during the export package. PS C:\WINDOWS\system32> winget-intune package 7zip.7zip --package-folder C:\WinGet winget-intune : The term 'winget-intune' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + winget-intune package 7zip.7zip --package-folder C:\WinGet + ~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (winget-intune:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException

Manually joining to Entra ID, after restarting clients are going to the Windows autopilot screen instead of logging directly, what does it cause?

Always i learn new things. Thanks alot and keep doing the good job!

Once it is done it asks me to login with my new tenant account but when I try it tells me. The user name or password is incorrect. Has anyone seen this before?

Appreciate the great video! Actually just working on setting up the ESP, after having it simply disabled for a long while. Love the idea of skipping the user section and going to test that out! One thing I'll add - been trying to include just Office 365 apps and Company Portal (deployed in system context) as required, but CP seems to be hit or miss on it actually appearing when reaching the desktop.

Your video says the OMA-URI is ./Vendor/MSFT/DMClient/Providers/...... but should it be ./Vendor/MSFT/DMClient/Provider/......

That shirt is a smack of nostalgia at 6 in the morning! Thank you for that sir!

Thanks Steve... line 3 of Remdiate.ps1 , I'de put -AllUsers in on the Remove-AppxPackage line ... and your detect script has 2 messages saying found teams :)

Question? - will it rotate all drives or just system?

I thought this new user-centric deployment would be cool. I can have separate user groups that would put their machines in different device groups and the big thing for me was a device naming standard. Users at different sites would have machines with a different prefix, easy-peasy. I go to demo this out and realize you CAN'T set the device name (yet) in the OOBE profile. I'm going to test pushing a script to rename the computer and hopefully it will only rename the computer once after a reboot.

Hi .. i am getting error opening new teams app.. i made sure the app exists by running appx command in PS. The error is Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item

How do you handle granular file/folder permissions say giving access to file, five folders down the SMB share to a user or group