Configuration Manager
Enable Windows 10 Extended Security Update

Hi All,

We are managing our Windows 10 workstation fleet using SCCM, with activation handled via KMS. Since we have not yet transitioned to Windows 11, we've purchased ESU licenses. Microsoft provides detailed guidance on activating ESU through various methods — including Intune, phone, Internet, and the Volume Activation Management Tool (VAMT) for clients without Internet access — which is very helpful.

https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates

Does anyone know the best method to enable ESU for enterprise workstations using SCCM/KMS, or through any alternative approach?

Thank you in advance.
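One way to do this from SCCM without touching the KMS-based Windows activation is to push the ESU MAK key and activate the ESU add-on with the Software Licensing WMI classes (the same provider slmgr.vbs drives), deployed as a package/program or Run Scripts item running as SYSTEM. The script below is an added example, not the poster's or Microsoft's code. The product key and the ESU Activation ID are parameters you supply: the Activation ID differs per ESU year and must be taken from the Microsoft ESU guidance linked above rather than guessed. It assumes the client can reach Microsoft's online activation endpoints; clients without Internet access still need VAMT.

```powershell
<#
  Install a Windows 10 ESU MAK key and activate the ESU add-on online.
  Added example (not from the original post). Assumptions:
  - -EsuProductKey is the ESU MAK key you purchased (placeholder format below).
  - -EsuActivationId is the ESU Activation ID for the ESU year you licensed,
    copied from Microsoft's ESU documentation (not hardcoded here on purpose).
  - The client can reach Microsoft's online activation service; isolated clients use VAMT.
  Run in SYSTEM context; returns exit code 0 on success, 1 on failure.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$')]
    [string]$EsuProductKey,

    [Parameter(Mandatory)]
    [guid]$EsuActivationId
)

$ErrorActionPreference = 'Stop'
$log = Join-Path $env:windir 'Temp\ESU-Activation.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $log
}

try {
    # 1. Install the ESU key. This adds the ESU add-on license only; the base
    #    Windows 10 license keeps being activated by KMS as before.
    $sls = Get-CimInstance -ClassName SoftwareLicensingService
    $r = Invoke-CimMethod -InputObject $sls -MethodName InstallProductKey `
                          -Arguments @{ ProductKey = $EsuProductKey }
    Write-Log "InstallProductKey ReturnValue=$($r.ReturnValue)"

    # 2. Locate the ESU add-on by its Activation ID (SoftwareLicensingProduct.ID)
    #    and activate it online; this is what 'slmgr /ato <ActivationId>' does.
    $esu = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "ID = '$EsuActivationId'"
    if (-not $esu) {
        throw "No SoftwareLicensingProduct with ID $EsuActivationId; wrong Activation ID or key not installed."
    }
    $r = Invoke-CimMethod -InputObject $esu -MethodName Activate
    Write-Log "Activate ReturnValue=$($r.ReturnValue)"

    # 3. Refresh and verify. LicenseStatus 1 == Licensed (same codes slmgr /dlv prints).
    Invoke-CimMethod -InputObject $sls -MethodName RefreshLicenseStatus | Out-Null
    $esu = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "ID = '$EsuActivationId'"
    Write-Log "'$($esu.Name)' LicenseStatus=$($esu.LicenseStatus) PartialKey=$($esu.PartialProductKey)"
    if ($esu.LicenseStatus -ne 1) {
        throw "ESU add-on is not licensed (LicenseStatus $($esu.LicenseStatus))."
    }
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

If you package it as an SCCM Application rather than a program, the same CIM query makes a clean detection method: the deployment type is "installed" when the SoftwareLicensingProduct with your Activation ID reports LicenseStatus 1. Because the script exits non-zero on any failure, the deployment status in the console reflects real activation state instead of "script ran".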
Deploying PS Script as Application Doesn't Work

I've been trying desperately to get a PowerShell script to run on a target machine using MECM. First to note, I inherited a partially built MECM environment from my predecessor that wasn't documented well and wasn't fully tested. We're now trying to migrate off of our ancient software deployment software to use MECM and need to do so ASAP because that server is on its last life at the moment.

We have an application on our old system that requires the movement of license files from a network share into a specific folder on the target machine after the application installs. I've tested the application install separately and it works just fine. However, the copy job to move the files from the network share to the local PC fails.

I've confirmed that the PS script itself works as expected. I can run it locally on the target machine when logged in as myself or an administrator. I confirmed that the script works even through MECM when I install it in the user context. However, whenever I try to either run the script directly (Assets and Compliance > Device Collections > right click on collection > Run Scripts), or create a deployment type using the script installer, the job doesn't work. One of two things happens. When running as a script directly, it will complete and state that it was successful (which I still find odd and not sure why that happens), but the actual process doesn't complete the copy, and so the files aren't copied over to the target machine. When running it as an application deployment, the installation fails outright with exit code 1.

I've tried everything I can think of to get the PS script to run as a user for the entire system, but nothing seems to work. I've been troubleshooting this for over a week so I'm probably forgetting some efforts I've done, but I think this sums it up.

I'm sure I'm not the only one trying to use MECM in this fashion, so I'm sure there's solutions out there, but either my Google machine is broken and I can't seem to get the results I'm looking for or I'm simply missing something super simple that nobody has ever had a problem with... I'm fine with either, but could use the insight!
Task Sequence Failing - Installing Application

I have an application that I'm trying to install, which requires license files to be copied over from a network share after installation. I have successfully done this by creating two separate applications within MECM and deploying them separately. However, I'd like to deploy this utilizing a task sequence so I can deploy the software application and, once completed, run the file copy to move over the license files I need.

When doing this via a task sequence, it doesn't seem to work. The message in the console reads "The task sequence manager could not successfully complete execution of the task sequence". The messages I see in the Asset Message screen on the Deployment Status show a variety of messages:

"The task sequence execution engine started execution of a task sequence"
"The task sequence execution engine failed to install application that was specified in the 'Install Application' action"
"The task sequence execution engine failed executing an action"
"The task sequence execution engine aborted execution for a failure of an action"
"The task sequence execution engine failed execution of a task sequence"

I took a look at the smsts log, and not much is really standing out to me that's helpful. I do see a couple of failure messages, but searching on these yields a lot of results, which don't appear to be related to my issue. I assume the messages are too generic to give me any great understanding:

<![LOG[Failed to create an instance of COM progress UI object. Error code 0x8000401a]LOG]!><time="16:14:35.364+240" date="04-28-2025" component="InstallApplication" context="" type="2" thread="2988" file="clientui.cpp:336">
<![LOG[Install application action failed: 'SALT 20'. Error Code 0x80004005]LOG]!><time="16:14:42.863+240" date="04-28-2025" component="InstallApplication" context="" type="3" thread="2988" file="installapplication.cpp:974">
<![LOG[Sending error status message]LOG]!><time="16:14:42.863+240" date="04-28-2025" component="InstallApplication" context="" type="1" thread="2988" file="installapplication.cpp:978">
<![LOG[ Setting URL = https://naz-cmmpdp1.nazareth.internal, Ports = 80,443, CRL = false]LOG]!><time="16:14:42.863+240" date="04-28-2025" component="InstallApplication" context="" type="0" thread="2988" file="utils.cpp:7351">
<![LOG[ Setting Server Certificates.]LOG]!><time="16:14:42.863+240" date="04-28-2025" component="InstallApplication" context="" type="0" thread="2988" file="utils.cpp:7379">
<![LOG[ Setting Authenticator.]LOG]!><time="16:14:42.863+240" date="04-28-2025" component="InstallApplication" context="" type="0" thread="2988" file="utils.cpp:7395">

I checked the CAS, ContentTransferManager and LocationServices logs as well. The only failure/error messages I'm seeing appear to be benign, I believe. One such is a failure to determine if the client is a peer source, and a failure to delete a directory in cache, which I believe has to do with peer cache not being enabled. I also see a message in the ContentTransferManager log about failure to find or get a reg value for content, but again, I'm not able to really determine what this means or how to continue tracking that.

I've attached all relevant log files for reference.
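Both the "Deploying PS Script as Application" and "Task Sequence Failing" posts above describe the same job: a copy of license files from a share into an install folder that works when a person runs it but not when MECM runs it as SYSTEM. Two properties of the SYSTEM context matter here. First, SMB access from SYSTEM authenticates as the computer account (DOMAIN\HOST$), so the share and NTFS ACLs must grant that account (typically via Domain Computers) read access; a script that works under your own account proves nothing about that. Second, per-user mapped drives do not exist in the SYSTEM session, so the script must use UNC paths. Separately, Run Scripts and the Script installer judge success by exit code, and with PowerShell's default $ErrorActionPreference = 'Continue' a failed Copy-Item does not change the exit code, which produces the "reported successful but nothing copied" result. The script below is an added example, not the poster's script; the share path, destination folder and file patterns are placeholders.

```powershell
<#
  Copy license files from a share into an application folder when run as SYSTEM
  (MECM Script installer, Run Scripts, or a "Run PowerShell Script" task sequence step).
  Added example; not the original poster's script. Placeholders (assumptions):
    \\fileserver\licenses\SaltApp        the share holding the license files
    C:\Program Files\SaltApp\license     the folder the application reads them from
    *.lic, *.dat                         the file patterns to copy
  Design points:
  - SYSTEM reaches SMB shares as the computer account (DOMAIN\HOST$); the share and
    NTFS ACLs must grant it read access, so the access check below runs as whoever
    is executing and names that identity in the error.
  - UNC paths only; user-mapped drives do not exist in the SYSTEM session.
  - All failures are terminating and map to a non-zero exit code, so MECM's
    exit-code based success reporting reflects what actually happened.
#>
[CmdletBinding()]
param(
    [string]$Source      = '\\fileserver\licenses\SaltApp',      # placeholder
    [string]$Destination = 'C:\Program Files\SaltApp\license',   # placeholder
    [string[]]$Include   = @('*.lic', '*.dat')                   # placeholder patterns
)

$ErrorActionPreference = 'Stop'
$logDir = Join-Path $env:ProgramData 'LicenseCopy'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$log = Join-Path $logDir 'LicenseCopy.log'
function Write-Log([string]$Message) { "$(Get-Date -Format s) $Message" | Add-Content -Path $log }

try {
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Log "Running as '$who' on $env:COMPUTERNAME; source='$Source' dest='$Destination'"

    # Access check as the executing identity. Under SYSTEM this exercises the computer
    # account's rights on the share, which is where "works for me, fails for MECM" comes from.
    if (-not (Test-Path -LiteralPath $Source -PathType Container)) {
        throw "Cannot reach '$Source' as '$who'. Grant the computer account (e.g. Domain Computers) " +
              "read on both the share and NTFS ACL, and use a UNC path, not a mapped drive."
    }

    $files = foreach ($pattern in $Include) {
        Get-ChildItem -Path (Join-Path $Source $pattern) -File -ErrorAction SilentlyContinue
    }
    if (-not $files) { throw "No files matching $($Include -join ', ') found in '$Source'." }

    # The destination is created by the application installer. Fail instead of creating it,
    # so an ordering problem in the task sequence surfaces rather than being hidden.
    if (-not (Test-Path -LiteralPath $Destination -PathType Container)) {
        throw "Destination '$Destination' does not exist; has the application install completed?"
    }

    foreach ($f in $files) {
        Copy-Item -LiteralPath $f.FullName -Destination $Destination -Force
        # Verify by size rather than trusting Copy-Item's (normally non-terminating) errors.
        $copied = Get-Item -LiteralPath (Join-Path $Destination $f.Name)
        if ($copied.Length -ne $f.Length) { throw "Size mismatch after copying $($f.Name)." }
        Write-Log "Copied $($f.Name) ($($f.Length) bytes)"
    }
    Write-Log 'SUCCESS'
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Used as an Application deployment type, set the installation behaviour to "Install for system" and give it a file-exists detection rule on one of the copied files in the destination folder; used in a task sequence, place it after the Install Application step so the destination folder already exists. The log under ProgramData tells you which identity attempted the copy, which is the first thing to compare between a successful manual run and a failed MECM run.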
HAADJ and Intune with OKTA

My question is the following: is it possible to use Okta (third party) as an authentication/identity provider with a Hybrid Azure AD joined tenant and enroll devices to Intune? We need to adjust our environment to be able to utilize Intune. To elaborate, please find the below:

- In this environment, we can run AD Sync and sync devices to Azure as Hybrid Azure AD joined. Same steps required here: https://help.okta.com/en-us/content/topics/provisioning/azure/haad-join/configure-hybrid-join.htm
- Sign-in settings in AD (Entra) Connect are set to "Do not configure", as recommended by Microsoft for third-party federation scenarios (please confirm whether this is the preferred setting for AD Connect with Okta).
- Hybrid Entra ID join is currently being achieved with GPOs and not using SCP (targeted deployment).
- Auto-enrollment to MDM is enabled via GPO and correctly distributed to device/user.

Behavior:

- Devices show up in Azure; however, according to the MS Intune prerequisites, the UPN in the cloud and on-premises should match and a mobility license should be assigned in the cloud. The situation currently is that the on-premises domain is contoso.com and users are provisioned via Okta to the cloud with contosocorp.com, so upon login they get redirected to contosocorp.com, thus having a mismatch in credentials. (In a test environment without Okta, an alternate UPN suffix was added in Domains and Trusts and the UPN was changed to match the cloud; this worked.)
- In order for Intune to enroll devices, the login credential should match and a login event to the Windows device must appear in the Azure sign-in logs (this is confirmed as a prerequisite by Microsoft), which is not the case here.
- Okta is set to Universal Sync, which is not recommended by Okta as it is not compatible with AD sync, according to the following: https://help.okta.com/en-us/content/topics/provisioning/azure/haad-join/prereqs-haad.htm#Prerequi2
- If we do use both Okta and AD Connect, a user will be provisioned twice in the cloud: once with contoso.com (without Okta) and once with contosocorp.com (using Okta, which will include licensing).

Questions are as follows:

1. Are there any workarounds to use Intune to enroll devices without UPN matching in the current scenario?
2. If we are to match the UPN on-prem and in the cloud, how can this be achieved without deprovisioning Okta (or removing provisioning type: Universal Sync)?
3. How can we avoid duplications (since both Okta and AD sync will provision users in 365)?
4. Perhaps there could be a way to enroll only the devices to Intune but not the users?

Guidance will be very much appreciated. Thank you.
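The prerequisites the post above lists (hybrid join complete, the signed-in user's UPN matching the cloud UPN, and a sign-in that actually reaches the tenant) are all visible on the client in dsregcmd /status, so a per-device check can be scripted and run through Configuration Manager before enrollment is expected. The following is an added example, not from the post or from Microsoft: it parses dsregcmd's "Key : Value" lines and reports whether the device is in a state where user-driven MDM auto-enrollment can succeed. The field names (AzureAdJoined, DomainJoined, AzureAdPrt, MdmUrl, Executing Account Name) are the ones dsregcmd prints; the sample output embedded below is constructed to reproduce the poster's contoso.com / contosocorp.com mismatch.

```powershell
<#
  Check hybrid join + Intune auto-enrollment readiness from 'dsregcmd /status' output.
  Added example (not from the original post or Microsoft). Field names are those
  dsregcmd prints; the $sample block is constructed test data, not a real capture.
  Logic: device must be AzureAdJoined and DomainJoined, the user must hold a Primary
  Refresh Token (AzureAdPrt : YES, i.e. the Windows sign-in authenticated to the tenant,
  which is what produces the Entra sign-in event the poster mentions), MdmUrl must be
  populated, and the signed-in UPN must carry the expected cloud suffix.
#>
function ConvertFrom-DsRegStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value"; section banners (+---, | ... |) do not match
        # because the key must start with a letter. The lazy key match stops at the first
        # colon, so URL values such as MdmUrl keep their "https:" intact.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-IntuneAutoEnrollReady {
    param(
        [Parameter(Mandatory)][hashtable]$State,
        [string]$ExpectedUpnSuffix      # e.g. the cloud suffix Okta provisions, contosocorp.com
    )
    $problems = @()
    if ($State['AzureAdJoined'] -ne 'YES') { $problems += 'Device is not Azure AD joined: hybrid join (SCP or GPO) has not completed.' }
    if ($State['DomainJoined']  -ne 'YES') { $problems += 'Device is not domain joined.' }
    if ($State['AzureAdPrt']    -ne 'YES') { $problems += 'No Primary Refresh Token: the Windows sign-in did not authenticate to the tenant, so no Entra sign-in event and no user-driven enrollment.' }
    if (-not $State['MdmUrl'])             { $problems += 'MdmUrl is empty: no MDM enrollment URL was published for this user/tenant (MDM scope/licence).' }

    # "Executing Account Name : DOMAIN\user, user@suffix" -> keep the UPN part
    $upn = ($State['Executing Account Name'] -split ',\s*')[-1]
    if ($ExpectedUpnSuffix -and $upn -notlike "*@$ExpectedUpnSuffix") {
        $problems += "Signed-in UPN '$upn' does not end in '@$ExpectedUpnSuffix': on-prem/cloud UPN mismatch."
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Upn = $upn; Problems = $problems }
}

# Constructed sample shaped like dsregcmd /status output. On a real client use:
#   $lines = dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
      AzureAdPrtUpdateTime : 
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
    Executing Account Name : CONTOSO\jdoe, jdoe@contoso.com
'@ -split "`r?`n"

$state  = ConvertFrom-DsRegStatus -Lines $sample
$result = Test-IntuneAutoEnrollReady -State $state -ExpectedUpnSuffix 'contosocorp.com'
$result | Format-List
```

On the constructed sample the device is hybrid joined and has an MdmUrl, but Ready is false for two reasons that match the post: there is no PRT, and the signed-in UPN jdoe@contoso.com does not carry the contosocorp.com suffix the cloud account uses. Run against real clients (for example as a Configuration Manager script whose output is collected per device), the Problems list separates machines that only need the UPN alignment from machines whose hybrid join itself is incomplete.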