Forum Widgets
Latest Discussions
Blue screen crashes caused by April updates KB5055523
Hy, I have some test devices afected from installing KB5055523, the update will not install with an error code 0x800f081f. I have just stopped/uninstall this deployment under updates ring for QU and am wondering if I resume it will probably go to the latest quality update with this issue 2025.04 B one or will just go to the 2025.4 OOB... W11 release and KB issue: https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information https://www.windowslatest.com/2025/04/11/windows-11-microsoft-warns-do-not-delete-inetpub-folder-after-causing-confusion/ Regards, Bogdan
WHFB non destructive PIN
Hello, I've configured Windows Hello for Business and applied the Non-Destructive PIN Reset policy via Intune. However, after resetting the PIN, when I run dscmdreg /status in the User State, it still shows DestructiveOnly. Additionally, Event Viewer logs Event ID 7060 – PIN Recovery Error 0x83750007. Could you please help me troubleshoot this?
Intune Firewall Policies Left Behind - Creation but No Deletion
I've been building out firewall policies for our device types and through some accidental experimentation, found that firewall policies never seem to be removed from the firewall once the Intune config is unassigned or changed. I have a couple examples of this: In case #1, I created a firewall rule in Intune and first limited it to domain and private network profiles. This created a firewall rule as expected with "Domain, Private" shown in the profile column for the rule. I then found that this firewall rule was not working (unrelated problem) so I removed the Domain and Private checkboxes to make the rule apply to all network profiles. It's easier that way anyway since Windows sometimes gets confused about what type of network it's on (another unrelated but common issue) But now I have both sets of rules from the original and modified Intune policy: In case #2, I had two firewall rule sets applied from Intune with identical RDP rules. I fixed the issue by unassigning the redundant Intune rule but the rule remained in the firewall config. I'm just now discovering this so I could be missing something or not understanding how these firewall rules work but was wondering if anyone else could repro or has run into this? thanks, Dan
Moving from MDT/WDS to Autopilot – Real-World Lessons, Wins & Gotchas
Hi all, We’ve been moving away from an ageing WDS + MDT setup and over to Windows Autopilot, and I thought I’d share a few key lessons and experiences from the journey. In case anyone else is working through the same transition (...or about to). Why the change? MDT was becoming unreliable, drivers/apps would randomly fail to install, WDS is on the way out, and we needed a more remote-friendly approach. We also wanted to simplify things for our small IT team and shift from Hybrid Azure AD Join to Azure AD Join only. We’re doing this as a phased rollout. I harvested existing device hashes using a script from a central server, and manually added machines that weren’t online at the time (most of which were just unused spares, we haven't introduced new hardware yet). If you want a copy of this auto-harvest, please see my next post, this script is useful as it'll just go off and import the hardware hashes into Intune, and can run against multiple computers at a time. (I will add the link to the post once made). Some of the biggest hurdles: • 0x80070002 / 0x80070643 errors (typically due to incomplete registration or app deployment failures) • Enrollment Status Page (ESP) hangs due to app targeting issues (user vs device) and BitLocker config conflicts • Wi-Fi setup with RADIUS (NPS) was complex, Enterprise Certificates and we're still using internal AD for authentication, so user accounts exist there and sync over to Azure. • Legacy GPOs had to be rebuilt manually in Intune, lots of trial and error • Some software (like SolidWorks) wouldn’t install silently via Intune, so I used NinjaOne to handle these, along with remediation scripts in Intune where needed We also moved from WSUS to Windows Autopatch, which improved update reliability and even helped with driver delivery via Windows Update. What’s gone well: Device provisioning is more consistent, updates are more reliable, build time per machine has dropped, and remote users get systems faster. It’s also reduced our reliance on legacy infrastructure. What I’m still working on: Tightening up compliance and reporting, improving detection/remediation coverage, figuring out new errors that may occur, and automating as much manual processes as possible. Ask me anything or share your own experience! I’m happy to help anyone dealing with similar issues or just curious about the move. Feel free to reply here or message me. Always happy to trade lessons learned, especially if you’re in the middle of an Autopilot project yourself. Cheers, Timothy JeensAutomated import of Hardware Hashes into Intune
Hi everyone, So, here is the script I used to pre-seed the hardware hashes into my Intune environment. Please check it over before just running it.. You'll need to create a csv called: computernamelist.csv In this file, you'll need a list of all your computer names like this: "ComputerName" "SID-1234" "SID-4345" You can use a the Get-ADComputer command to gather all your computers and output to a CSV. Features: It will run through 10 computers at a time. It will remove computers that it has confirmed as being updated in Intune. Pings a computer first to speed it up. Only for devices on your network or on the VPN. You can schedule it to run, or I just re-ran it a bunch of times over a few weeks. # Path to the CSV file $csvPath = "C:\scripts\computernamelist.csv" # Import the CSV file $computers = Import-Csv -Path $csvPath # Number of concurrent jobs (adjust as needed) $maxConcurrentJobs = 10 # Array to store the job references $jobs = @() # Ensure the required settings and script are set up [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force Install-Script -Name Get-WindowsAutopilotInfo -Force # Authenticate with Microsoft Graph (Office 365 / Azure AD) Connect-MGGraph # Function to remove a computer from the CSV after successful import function Remove-ComputerFromCSV { param ( [string]$computerName, [string]$csvPath ) $computers = Import-Csv -Path $csvPath $computers = $computers | Where-Object { $_.ComputerName -ne $computerName } $computers | Export-Csv -Path $csvPath -NoTypeInformation Write-Host "Removed $computerName from CSV." } # Loop through each computer in the CSV foreach ($computer in $computers) { $computerName = $computer.ComputerName # Start a new background job for each computer $job = Start-Job -ScriptBlock { param($computerName, $csvPath) # Check if the computer is reachable (ping check) if (Test-Connection -ComputerName $computerName -Count 1 -Quiet) { Write-Host "$computerName is online. Retrieving Autopilot info..." # Ensure TLS 1.2 is used and execution policy is set for the job [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force # Run the Autopilot info command and capture the output $output = Get-WindowsAutopilotInfo -Online -Name $computerName # Check if the output contains the success or error messages if ($output -like "*devices imported successfully*") { Write-Host "Success: $computerName - Autopilot info imported successfully." # Remove the computer from the CSV after successful import Remove-ComputerFromCSV -computerName $computerName -csvPath $csvPath } elseif ($output -like "*error 806 ZtdDeviceAlreadyAssigned*") { Write-Host "Error: $computerName - Device already assigned." } else { Write-Host "Error: $computerName - Unknown issue during import." } } else { Write-Host "$computerName is offline. Skipping." } } -ArgumentList $computerName, $csvPath # Add the job to the list $jobs += $job # Monitor job status Write-Host "Started job for $computerName with Job ID $($job.Id)." # If the number of jobs reaches the limit, wait for them to complete if ($jobs.Count -ge $maxConcurrentJobs) { # Wait for all current jobs to complete before starting new ones $jobs | ForEach-Object { Write-Host "Waiting for Job ID $($_.Id) ($($_.State)) to complete..." $_ | Wait-Job Write-Host "Job ID $($_.Id) has completed." } # Check job output and clean up completed jobs $jobs | ForEach-Object { if ($_.State -eq 'Completed') { $output = Receive-Job -Job $_ Write-Host "Output for Job ID $($_.Id): $output" Remove-Job $_ } elseif ($_.State -eq 'Failed') { Write-Host "Job ID $($_.Id) failed." } } # Reset the jobs array $jobs = @() } } # Wait for any remaining jobs to complete $jobs | ForEach-Object { Write-Host "Waiting for Job ID $($_.Id) ($($_.State)) to complete..." $_ | Wait-Job Write-Host "Job ID $($_.Id) has completed." } # Check job output for remaining jobs $jobs | ForEach-Object { if ($_.State -eq 'Completed') { $output = Receive-Job -Job $_ Write-Host "Output for Job ID $($_.Id): $output" Remove-Job $_ } elseif ($_.State -eq 'Failed') { Write-Host "Job ID $($_.Id) failed." } } This is all derived from: https://learn.microsoft.com/en-us/autopilot/add-devices "Get-WindowsAutopilotInfo" is from this link. Hope this helps someone. Thanks, Tim JeensMoving from MDT/WDS to Autopilot part 2
Hi everyone Following up on my previous post about moving from MDT/WDS to Windows Autopilot, I wanted to share some of the more detailed parts of the deployment and config that might help others working through similar issues. Wi-Fi (RADIUS + NPS + Azure AD Join): This was hands-down one of the trickiest bits. We use a local RADIUS server (Windows NPS) with certificates for EAP authentication, and users authenticate using local AD credentials, despite Autopilot devices being Azure AD joined. I had to build a custom Wi-Fi configuration profile in Intune that handled certificate trust, proper targeting, and worked with our existing NPS policies. If anyone needs help with this scenario, I’m happy to share more details. I’ll be posting the full configuration soon. BitLocker Conflicts: BitLocker generally worked but only after cleaning up overlapping configurations. Intune allows BitLocker settings to be applied via multiple paths (Device Configuration, Endpoint Security, Encryption, even legacy GPOs via ADMX). I found they MUST be aligned across all sources — otherwise, ESP fails or encryption doesn’t trigger. My fix: consolidate BitLocker settings under Endpoint Security and Windows Configurations and ensure nothing else contradicts them, they give different options hence the need for the two. App Deployment + Detection Scripts: Some software just doesn’t play nice with Intune alone. We had issues with SolidWorks and other legacy tools. For these, I used NinjaOne to run custom silent installers and Intune detection scripts to track success and reapply if needed. For complex installs, I had to fall back on Proactive Remediation scripts to detect and fix problems. Compliance Baselines & Settings: We're gradually shifting to Intune-based compliance. I ported over our core GPO baselines and rebuilt them using Configuration Profiles, Settings Catalog, and Security Baselines. Compliance policies then reference these, so non-conformant machines are flagged. Still evolving this as we onboard more devices. Licensing Requirements: For anyone wondering, some of these capabilities require specific licensing. We're running "Microsoft 365 E3" + "Enterprise Mobility + Security E3", which gives us access to: Proactive Remediations Intune-based compliance management Scripted deployments and reporting Note, only 1 user in the tenant needs these two licences to enable the features. Summary This move to Autopilot wasn’t just a deployment change, it pushed us to rethink how we handle security, authentication, app installs, and policy enforcement. There’s still more to do, but we’ve built a solid foundation that’s scalable and more resilient than our old MDT-based approach. If you’re dealing with similar challenges or stuck on something like Wi-Fi, BitLocker or app installs, feel free to reach out. I’ve probably hit the same wall and am happy to compare notes or share scripts/settings if it helps. Cheers, Timothy JeensKiosk profile with Azure AD user
Setting User logon type to "Azure AD user or group" does nothing. Event viewer states "No mapping between account names and SIDs was done". Hovering over the Logon Name column info icon states To configure an AAD account for kiosk mode, use this format: AzureAD\email address removed for privacy reasons. I can only pick from a list, so unsure what this is referencing.
Intune tenant migration
Hi, I could use some help about an Intune tenant migration. The company I work at acquired a company last year, and they have an Intune environment already that needs to be migrated to our organization's tenant. I found some information how I could possibly do this with Windows Autopilot, and going for a wipe and re-deploy. Their domain isn't migrated yet, and they are still using their own accounts and license. They have a 2nd and separate account from our company domain. What would be the right order? Do the domain migration first? Or assign licenses and policies to our accounts, and when the domain migration is done and the accounts are synced as one do the Intune tenant migration? Some advice would be very appreciated!Did expediting the 2024-08 Quality Updates fail for anyone else?
I posted this question yesterday on the Windows Servicing board, but there isn't much activity there. I hope it's okay to re-post it here. Due to the CVE-2024-38063 vulnerability, we attempted to use the Expedited Quality Updates feature to enforce the immediate installation of the 2024-08 security updates. Unfortunately, the feature simply did not work. Even a couple weeks after deploying the expedited update profile, we had about 25% of our Windows endpoints still in "Pending" status, most of which were powered on 24/7. We still have ConfigMgr in our environment, so I used CMPivot to run a query for events in the System log with "2024-08" in the message. This showed me that rather than installing the update and forcing a restart one day later as configured, the update was being installed, then reverted about ten hours later, then immediately re-installed again, over and over: If I manually initiated a restart on any of the affected machines, the update was successfully finalized, so the issue wasn't a failure to install the update. I've opened a case with Microsoft Support, but it is progressing slowly. If nobody else is seeing the issue, I will throw in the towel, but if it's more widespread, I think it is worth fighting to get this fixed (assuming that Microsoft isn't already aware and has simply chosen not to publicize it — for example, in the Windows release health blade in the Microsoft 365 Admin Center).
