

(210) Microsoft Intune - Disabling Google Chrome Gemini Nano AI
A customer reached out with this article that was sent: https://www.techspot.com/news/112309-google-chrome-has-silently-pushing-4gb-ai-model.html, where they have identified that Google Chrome silently downloads a 4GB AI model file (weights.bin) to user devices without explicit user consent. The file is stored at: %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel Customer requested the following to be configured: chrome://flags Enables optimization guide on device Prompt
May 13 · 3 min read


(209) Microsoft Intune - Blocking Run Command, PowerShell and Command Prompt
A customer who was wanting to implement Essential 8 wanted to trial out some settings and wanted the following to be disabled from running: Run Command (Windows + R keys), PowerShell and Command Prompt. I attempted to re-try with using https://soeintunedevice.wixsite.com/home/post/103-microsoft-intune-blocking-powershell-for-standard-users and https://soeintunedevice.wixsite.com/home/post/104-microsoft-intune-blocking-powershell-7-for-standard-users which didn't give me luck,
May 13 · 1 min read


(208) Microsoft Intune - Setting 'Grave accent' to switch Language Input
Been working with a greenfield customer who I have been helping over the last few months, and of late they wanted to implement 'Grave Accent' with 'Thai Kedmanee'. Keyboard: "Thai Kedmanee" Advanced Key Setting: - To turn off Caps Lock: "Press the CAPS LOCK key" - Hot keys for input languages: Action: "Between input languages", Key sequence: "Grave Accent" As the current build deploys en-US as the default language for their user driven and self-deployment builds which is cove
May 1 · 2 min read


(207) Microsoft Intune - Audits for Browser Extensions, Browser Personal Account Logged In, Browser Synced On and VSCode Extensions
Had a customer who reached out last week around how to get a log for all devices that have the following: List of devices/users who have browser extensions; List of devices/users who have a personal account logged in; List of devices/users who have browsers set to sync on; List of devices/users who have VSCode extensions installed. The only viable way was to deploy as 'Remediation' script just using the detection option. All the detection scripts can be found in my github repo.
Apr 17 · 1 min read


(206) Microsoft Intune - Set Microsoft Edge with No Default Search Engine
A customer wanted to ensure staff and students have no default search engine in place. If you have your search engine set to 'Google (default)' as per an Intune policy, you will see something like this: To ensure that there is no default search provider, create a new Settings Catalog profile with: Configure the new tab page search box experience = Disabled; Default search provider name = Disabled; Default search provider search URL = Disabled; Enable the default search provide
Apr 15 · 1 min read


(205) Microsoft Intune - Preparing Intune Devices for Secure Boot Certificate Updates 2026
Microsoft is retiring the original Secure Boot certificates introduced in 2011; they expire throughout 2026. Every Windows device that uses Secure Boot depends on these certificates, so IT must prepare managed fleets in advance. Secure Boot checks that boot components are signed and trusted before the OS starts; that trust is based on certificates in the device’s UEFI firmware. When the 2011 certificates expire, devices that have not transitioned to the new 2023 certificate c
Apr 7 · 3 min read


(204) Microsoft Intune - Claude Desktop
Claude have changed the way they initially rolled out, where the free installer that is available for download cannot be used for enterprise deployment; you need to sign up and then use the MSIX installer from the dashboard. The current msix which is downloaded without sign up does not silent install; if you were to follow the instructions provided by https://support.claude.com/en/articles/12622703-deploy-claude-desktop-for-windows this will do the job. Prepare the following: Install
Mar 27 · 1 min read


(203) Microsoft Intune - RDP Shortcuts on Start Menu
Been working with a customer on building out their personas for: Corporate (User Driven deployment) where it is 1 to 1; Kiosk; Shared PC. They have requested to have the 'RDP' shortcuts pinned to the start menu. I remember in Windows 10 we could do this, but in Windows 11 it doesn't allow it, BUT I have managed to find a way. Preparation: Create a folder like C:\RDP; Create a Remote Desktop and save it somewhere, call it whatever you want and customise it like RDPTEST.rdp; In the
Mar 16 · 1 min read


(202) Microsoft Intune - suppress web browser notification "Open GlobalProtect?" when authenticating with GlobalProtect via SAML
When default browser is enabled, web browsers like Google Chrome, Microsoft Edge and others trigger a notification after successful SAML authentication. Two notifications are presented, one for the portal and one for the gateway. When the notification is presented, it requires the end user's manual attention to complete the GlobalProtect connection. To avoid having the manual selection, the article describes how to modify the Windows Registry to suppress the notification a
Mar 2 · 2 min read


(201) Microsoft Intune - Network discovery is turned off
A customer reached out to me last night where one of their higher executives was having difficulty connecting to the mapped drives, and she discovered that 'Network discovery is turned off. Network computers and devices are not visible. Click to change...' The easiest would be to deploy a PowerShell script with the following: Apply to all network profiles: Set-NetFirewallRule -Group '*-32752*' -Enabled 'True' Apply to 'Domain' network profile: Get-NetFirewallRule -Group
Feb 19 · 2 min read


(200) Microsoft Intune - Restrict Write Access to Desktop on Shared PCs
A customer that I have been helping build their numerous personas wanted to block write access to "Desktop". You would think that using the 'Shared PC' setting: Restrict Local Storage would do the job; unfortunately that restricts any access to all disks except 'Downloads', which isn't what the customer wanted. Managed to get it working with PowerShell or Proactive remediations which I will cover below: To target just a current user: # Define the Desktop path for the curre
Feb 13 · 3 min read


(199) Microsoft Intune - Rename devices with PowerShell
In previous posts I have covered setting a hostname or prompt for computer name. Manually renaming a single device is simple, but managing a large fleet requires automation for efficiency. While the standard CSP method exists, it can be inconsistent—especially regarding console reporting. To solve this, I’m sharing a PowerShell script that integrates with Microsoft Intune to streamline and automate your device renaming process. This script detects the type of device used f
Jan 20 · 2 min read


(198) Microsoft Intune - Set USB selective suspend settings from Enabled to Disabled
Customer has kiosk builds as one part of their personas that I did for them, they had this request where "USB selective suspend settings" is showing as "Enabled", but the customer wants it set to 'Disabled' as the USB scanners use it for power. Before it was like this: I attempted using powercfg command, which unfortunately didn't do anything. powercfg /SETACVALUEINDEX SCHEME_CURRENT 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0 Next I was thinki
Jan 16 · 7 min read


(197) Microsoft Intune - Uninstall/Reinstall App with removing Root CA certs
Applications like GlobalProtect when installed will deploy Root CA certificates (when setup properly), what if a customer wants to remove the Root CA certificates along with an uninstall of GlobalProtect then re-install with another version of GlobalProtect, this is what can be done to achieve this. What the application will do overall: Kills GlobalProtect process Run fast reference package to uninstall Remove certs based on thumbprints Sleeps for 30 seconds Then installs Glo
Jan 8 · 5 min read


(196) Microsoft Intune - Set HP BIOS Password as a Win32 App
Download and run the installer on an HP machine: HP BIOS Configuration Utility | HP Client Management Solutions Then run HpqPsw64.exe. Then to create a BIOS password - enter twice for the password to be encrypted and save the location. You can save it to whatever you like, in this case I have saved as HPBIOSPassword.bin Prepare the scripts: Install.ps1 Uninstall.ps1 BiosConfigUtility64.exe HPBIOSPassword.bin Detect.ps1 Prepare the Install.ps1 script: # Script sets the BIO
Jan 8 · 2 min read


(195) Microsoft Intune - Set Lockscreen and Desktop Wallpaper for Shared Devices
Standard wallpaper and lock screen customization via Intune is technically restricted to Windows Enterprise editions. If you’re on Microsoft 365 Business Premium, the Settings Catalog won't work for this. However, you can bypass this limitation by deploying a Win32 package. Not only does this solve the licensing hurdle, but it also simplifies deployment since the image file is bundled right into the package rather than hosted online. Prepare the following: wallpaper.jpg is t
Jan 8 · 3 min read


(194) Microsoft Intune - Autopilot ESP shows Certificates (0 out of 1 applied)
This recently happened late last year in December to one of our customers, as well it happened earlier yesterday for another customer. Gathering the logs, my initial thought was that it was an application matter, as you know most customers don't give enough detail and simply say "Autopilot is not working since 6/01/206" which honestly doesn't give me much transparency on what is happening. The logs I gathered only showed: "[StatusService] Downloading app (id = 5bd17f11-2c60-
Jan 7 · 2 min read


(193) Microsoft Intune - Multi-App Kiosk - Start local .html on C drive on Microsoft Edge Kiosk Mode
Been working on this persona for this customer which is a multi-app kiosk build, the .html is not hosted anywhere on any websites but installed locally as part of the build process. Using assigned access, similar to my previous post: https://soeintunedevice.wixsite.com/home/post/155-microsoft-intune-kiosk-assigned-access In the XML below, you may have noticed that I have added <App DesktopAppPath="C:\Windows\SystemApps\MicrosoftWindows.Client.CBS\_cw5n1h2txyewy\CrossDeviceRes
Jan 5 · 1 min read


(192) Microsoft Intune - Multi-App Kiosk - This operation has been cancelled due to restrictions in effect on this computer.
This issue has been bugging me for awhile, at first I thought it was the 'Phone Link', which was wrong, till I grabbed the logs and eventually found what was the cause of it. As I was viewing the logs for (52) Events Microsoft-Windows-AppLocker_Packaged_app-Execution Events.evtx, I found the issue. I updated the XML for the Kiosk Assigned Access profile, which I allowed <App DesktopAppPath="C:\Windows\SystemApps\MicrosoftWindows.Client.CBS\_cw5n1h2txyewy\CrossDeviceResume.
Dec 11, 2025 · 1 min read


(191) Microsoft Intune - Multi-App Kiosk to Allow Store Apps to Run
My colleague had some issues around this persona build for a customer, my colleague reached out to me to have a look. I enrolled a physical device and all checked out, when clicking on 'Photos' and 'Paint' on the start menu - it would try to load but never worked. My colleague confirmed that he had whitelisted the XML to: <App AppUserModelId="Microsoft.Paint_8wekyb3d8bbwe!App" /> <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> Which didn't work, till I did
Dec 11, 2025 · 1 min read


(190) Microsoft Intune - Set Initial Start Menu for Windows 11 23H2
A customer reached out with wanting to set an initial start menu layout for their Windows 11 23H2 fleet, unfortunately for them if they were on Windows 11 24H2, we could use the .json and simply use the settings catalog option. In this case, I attempted with start2.bin option as a win32 app which didn't give me the best success till I attempted using a remediation script. What you will need to do first is: Customise your start menu what you like to show up Run PowerShell ISE
Dec 3, 2025 · 2 min read


(189) Microsoft Intune - Install WordPad
Microsoft deprecated Wordpad as of 1st Sept 2023 https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features#:~:text=WordPad,deprecated%20features which applies to Windows 11 24H2 and above. An education customer who requires Wordpad to be reinstated reached out to me to get it reinstalled as they were on Windows 11 25H2. What I needed to do is setup a VM with Windows 11 23H2, navigated to C:\Program Files\Windows NT\Accessories\ - copied the files over where the p
Dec 3, 2025 · 1 min read


(188) Microsoft Intune - Remove Shortcuts (*.lnk) on Public Desktop
A customer reached out to me as they wanted to prevent shortcuts (*.lnk) from appearing on their student devices. Easiest I could think of is a detect and remediation script. Detect.ps1 $Shortcuts2Remove = "Google Chrome.lnk", "VLC media player.lnk", "Audacity.lnk", "Firefox.lnk", "Google Chrome.lnk", "Microsoft Edge.lnk", "Vivi.lnk" $DesktopPath = "C:\Users\Public\Desktop" # Public and User Desktop: "C:\Users\*\Desktop\*", for Public Desktop shortcuts only: "C:\Users\Public
Nov 19, 2025 · 1 min read


(187) Microsoft Intune - Update to Custom Power Plan (Win32)
Late last year I posted about a 'Custom Power Plan (Win32 app)', I decided to revisit this again. Create a Power Plan: Call whatever name you like, in this I have called it 'Devicie Power Plan' Then customize your power plan as you need. Start Command Prompt as Administrator, and run the following: This will list out your current plans: powercfg /L Then in the same command prompt, run: powercfg -export "C:\Temp\DeviciePowerPlan.pow" 9044f02c-182b-4a85-955c-567522ab795b wher
Nov 19, 2025 · 1 min read