Tech Trends and Insights

What does this policy do? This policy removes the “Recommended” section from the Windows 11 Start menu, leaving only pinned apps visible. Why use this on kiosk computers? Improves privacy – no recently opened files or apps are shown Cleaner interface – easier for public users to understand Prevents confusion – avoids showing content users can’t access This is best practice for shared or public kiosks . Supported Windows 11 Microsoft Intune Works with Assigned Access (single‑app and multi‑app kiosks) Intune Configuration (OMA‑URI) Create a Custom profile and add: Setting Value OMA‑URI /Vendor/MSFT/Policy/Config/Start/HideRecommendedSection Data type Integer Value 1 (Enabled) Assign the profile to a device group for kiosk computers. Result Start menu shows only pinned apps No Recommended apps or files Consistent experience for all kiosk users

🚀 Secure Windows Kiosk Deployment with Assigned Access & Intune This configuration demonstrates how to build a secure and controlled Windows kiosk environment using Assigned Access (Kiosk Mode) together with modern deployment tools like Windows Autopilot and Microsoft Intune . 📌 What This Script Does Before applying the Assigned Access XML, you must run the following PowerShell script. The script is a fully local, Intune remediation‑optimized wallpaper and lockscreen manager . It guarantees that the kiosk device always uses the correct background and lockscreen images — stored locally on the system. It is designed to work reliably even in offline , restricted , or library/public kiosk environments where cloud‑based personalization policies may fail. 🛡️ Key Capabilities (Summary) Creates/maintains the folder C:\Kiosk Uses two image files : background.jpg → Desktop wallpaper kiosk_lockscreen.jpg → Lock screen Applies both i...

  🚀 Secure Windows Kiosk Deployment with Assigned Access & Intune This configuration demonstrates how to build a secure and controlled Windows kiosk environment using Assigned Access (Kiosk Mode) together with modern deployment tools like Windows Autopilot and Microsoft Intune . ⚠️ Prerequisite – Required Before Assigned Access Before applying the Assigned Access XML, you must run the following PowerShell script . This step creates the required Start Menu shortcut used in the configuration. If skipped, Assigned Access may fail or not apply correctly . PowerShell – Create File Explorer Shortcut $pinFolder = "$env:PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Kiosk" New-Item -Path $pinFolder -ItemType Directory -Force | Out-Null $lnkPath = Join-Path $pinFolder "FileExplorer.lnk" $target = "$env:WINDIR\explorer.exe" $ws = New-Object -ComObject WScript.Shell $sc = $ws.CreateShortcut($lnkPath) $sc...

The built-in local Administrator account (SID ending in -500 ) is a well-known target for attackers. Even in environments where Microsoft LAPS is deployed, this account can still be manually enabled, abused temporarily, and then disabled again — often without immediate visibility. This PowerShell solution adds an extra defensive layer by continuously monitoring and disabling the SID-500 account if it becomes active. 📌 Key Points Continuously monitors the built-in Administrator account (SID-500) Automatically disables the account if it becomes active Runs silently in the background as SYSTEM Complements Microsoft LAPS — does not replace it ⭐ What This Script Does 1️⃣ Creates a Persistent Monitor Script Writes DisableSID500Monitor.ps1 to C:\ProgramData Checks the SID-500 account state on every execution 2️⃣ Creates a Scheduled Task Task name: DisableSID500Monitor Execution in...

Guide: Preventing the Windows OOBE Update Loop Caused by ESP and Update Rings in Microsoft Intune Overview Microsoft recently enabled a new behavior in Windows Autopilot where devices may attempt to install Windows Updates during OOBE (Out-of-Box Experience). This is controlled by the ESP (Enrollment Status Page) setting: Install Windows updates (might restart the device) If this setting is enabled , and the device is also targeted by a Windows Update Ring , the two systems may conflict. This often results in an OOBE update loop , where the device repeatedly restarts during setup and displays messages like the screen below: Why was my PC restarted? This loop continues indefinitely unless configuration is corrected. Symptoms Devices show the following behavior during Autopilot enrollment: Windows attempts to install updates during OOBE (triggered by ESP). The Update Ring simultaneously enforces updates. The device restarts unexpectedly. OOBE fails to continue because updates are pendin...

This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations: Task Scheduler → EnterpriseMgmt Registry → HKLM\SOFTWARE\Microsoft\Enrollments These two locations always contain matching GUID folders , and together they show the full state of the device’s MDM enrollment. 📌 Introduction: Why do these GUID folders exist? When a Windows device enrolls into Intune (MDM) , Windows generates a unique GUID folder for that enrollment. That GUID is used in two places: 🔹 1. Task Scheduler Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID} This folder contains scheduled jobs that handle: MDM sync certificate renewal policy retrieval push notification handling 🔹 2. Registry HKLM\SOFTWARE\Microsoft\Enrollments\{GUID} This folder contains detailed information: tenant ID enrollment type certificate thumbprints renewal status MDM server URLs device identity 👉 Both folders describe the same en...