Posts

The Wallpaper Automation Script That Makes Assigned Access Work Smoothly

🚀 Secure Windows Kiosk Deployment with Assigned Access & Intune

This configuration demonstrates how to build a secure and controlled Windows kiosk environment using Assigned Access (Kiosk Mode) together with modern deployment tools like Windows Autopilot and Microsoft Intune.

📌 What This Script Does

Before applying the Assigned Access XML, you must run the following PowerShell script. The script is a fully local, Intune remediation-optimized wallpaper and lockscreen manager. It guarantees that the kiosk device always uses the correct background and lockscreen images — stored locally on the system. It is designed to work reliably even in offline, restricted, or library/public kiosk environments where cloud-based personalization policies may fail.

🛡️ Key Capabilities (Summary)

- Creates/maintains the folder C:\Kiosk
- Uses two image files:
  background.jpg → Desktop wallpaper
  kiosk_lockscreen.jpg → Lock screen
- Applies both i...

Fix & Deploy Windows Kiosk Mode the Right Way (Intune + Assigned Access)

🚀 Secure Windows Kiosk Deployment with Assigned Access & Intune

This configuration demonstrates how to build a secure and controlled Windows kiosk environment using Assigned Access (Kiosk Mode) together with modern deployment tools like Windows Autopilot and Microsoft Intune.

⚠️ Prerequisite – Required Before Assigned Access

Before applying the Assigned Access XML, you must run the following PowerShell script. This step creates the required Start Menu shortcut used in the configuration. If skipped, Assigned Access may fail or not apply correctly.

PowerShell – Create File Explorer Shortcut

  $pinFolder = "$env:PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Kiosk"
  New-Item -Path $pinFolder -ItemType Directory -Force | Out-Null
  $lnkPath = Join-Path $pinFolder "FileExplorer.lnk"
  $target = "$env:WINDIR\explorer.exe"
  $ws = New-Object -ComObject WScript.Shell
  $sc = $ws.CreateShortcut($lnkPath)
  $sc...

The Silent Risk of SID-500: Why LAPS Alone Is Not Enough

The built-in local Administrator account (SID ending in -500) is a well-known target for attackers. Even in environments where Microsoft LAPS is deployed, this account can still be manually enabled, abused temporarily, and then disabled again — often without immediate visibility. This PowerShell solution adds an extra defensive layer by continuously monitoring and disabling the SID-500 account if it becomes active.

📌 Key Points

- Continuously monitors the built-in Administrator account (SID-500)
- Automatically disables the account if it becomes active
- Runs silently in the background as SYSTEM
- Complements Microsoft LAPS — does not replace it

⭐ What This Script Does

1️⃣ Creates a Persistent Monitor Script
- Writes DisableSID500Monitor.ps1 to C:\ProgramData
- Checks the SID-500 account state on every execution

2️⃣ Creates a Scheduled Task
- Task name: DisableSID500Monitor
- Execution in...

Guide: Preventing the Windows OOBE Update Loop Caused by ESP and Update Rings in Microsoft Intune

Guide: Preventing the Windows OOBE Update Loop Caused by ESP and Update Rings in Microsoft Intune

Overview

Microsoft recently enabled a new behavior in Windows Autopilot where devices may attempt to install Windows Updates during OOBE (Out-of-Box Experience). This is controlled by the ESP (Enrollment Status Page) setting:

  Install Windows updates (might restart the device)

If this setting is enabled, and the device is also targeted by a Windows Update Ring, the two systems may conflict. This often results in an OOBE update loop, where the device repeatedly restarts during setup and displays messages like the screen below:

  Why was my PC restarted?

This loop continues indefinitely unless configuration is corrected.

Symptoms

Devices show the following behavior during Autopilot enrollment:

- Windows attempts to install updates during OOBE (triggered by ESP).
- The Update Ring simultaneously enforces updates.
- The device restarts unexpectedly.
- OOBE fails to continue because updates are pendin...

🔵Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks

This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations:

- Task Scheduler → EnterpriseMgmt
- Registry → HKLM\SOFTWARE\Microsoft\Enrollments

These two locations always contain matching GUID folders, and together they show the full state of the device’s MDM enrollment.

📌 Introduction: Why do these GUID folders exist?

When a Windows device enrolls into Intune (MDM), Windows generates a unique GUID folder for that enrollment. That GUID is used in two places:

🔹 1. Task Scheduler

  Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID}

This folder contains scheduled jobs that handle:
- MDM sync
- certificate renewal
- policy retrieval
- push notification handling

🔹 2. Registry

  HKLM\SOFTWARE\Microsoft\Enrollments\{GUID}

This folder contains detailed information:
- tenant ID
- enrollment type
- certificate thumbprints
- renewal status
- MDM server URLs
- device identity

👉 Both folders describe the same en...

🚀 Force Reinstallation of an Intune App

– When Intune refuses to reinstall a program you’ve already removed

Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step.

💡 Why Intune won’t reinstall the app

When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps

This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation.

🔧 Step-by-Step Guide

1️⃣ Uninstall the App F...

🖥️ Automating Local Admin Account Creation with Intune Remediations & Windows Autopilot

When deploying kiosk or shared devices with Windows Autopilot, having a consistent and secure local administrator account is essential for maintenance and troubleshooting. This PowerShell script is designed for use with Microsoft Intune Remediations and automatically creates (or updates) a predefined admin account during or after device provisioning.

📌 Key points to consider:

- The account is created only if missing, or updated if it already exists.
- It enforces a secure password policy (minimum 12 characters).
- The account is automatically added to the correct localized Administrators group, regardless of OS language.
- It writes an event entry in Windows Event Viewer for audit tracking.

💡 Note: Using Intune Remediations for local admin provisioning ensures consistent configurations across all Autopilot-enrolled devices. This approach eliminates manual steps during deployment and keeps your kiosk endpoints secure, standardized, and easy to manage.

This script is a ...