Posts

Showing posts from 2025

Guide: Preventing the Windows OOBE Update Loop Caused by ESP and Update Rings in Microsoft Intune

Overview

Microsoft recently enabled a new behavior in Windows Autopilot where devices may attempt to install Windows Updates during OOBE (Out-of-Box Experience). This is controlled by the ESP (Enrollment Status Page) setting:

Install Windows updates (might restart the device)

If this setting is enabled, and the device is also targeted by a Windows Update Ring, the two systems may conflict. This often results in an OOBE update loop, where the device repeatedly restarts during setup and displays messages like the screen below:

Why was my PC restarted?

This loop continues indefinitely unless configuration is corrected.

Symptoms

Devices show the following behavior during Autopilot enrollment:
- Windows attempts to install updates during OOBE (triggered by ESP).
- The Update Ring simultaneously enforces updates.
- The device restarts unexpectedly.
- OOBE fails to continue because updates are pendin...

🔵Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks

This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations:
- Task Scheduler → EnterpriseMgmt
- Registry → HKLM\SOFTWARE\Microsoft\Enrollments

These two locations always contain matching GUID folders, and together they show the full state of the device’s MDM enrollment.

📌 Introduction: Why do these GUID folders exist?

When a Windows device enrolls into Intune (MDM), Windows generates a unique GUID folder for that enrollment. That GUID is used in two places:

🔹 1. Task Scheduler
Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID}
This folder contains scheduled jobs that handle:
- MDM sync
- certificate renewal
- policy retrieval
- push notification handling

🔹 2. Registry
HKLM\SOFTWARE\Microsoft\Enrollments\{GUID}
This folder contains detailed information:
- tenant ID
- enrollment type
- certificate thumbprints
- renewal status
- MDM server URLs
- device identity

👉 Both folders describe the same en...

🚀 Force Reinstallation of an Intune App

– When Intune refuses to reinstall a program you’ve already removed

Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step.

💡 Why Intune won’t reinstall the app

When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps

This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation.

🔧 Step-by-Step Guide

1️⃣ Uninstall the App F...

🖥️ Automating Local Admin Account Creation with Intune Remediations & Windows Autopilot

When deploying kiosk or shared devices with Windows Autopilot, having a consistent and secure local administrator account is essential for maintenance and troubleshooting. This PowerShell script is designed for use with Microsoft Intune Remediations and automatically creates (or updates) a predefined admin account during or after device provisioning.

📌 Key points to consider:
- The account is created only if missing, or updated if it already exists.
- It enforces a secure password policy (minimum 12 characters).
- The account is automatically added to the correct localized Administrators group, regardless of OS language.
- It writes an event entry in Windows Event Viewer for audit tracking.

💡 Note: Using Intune Remediations for local admin provisioning ensures consistent configurations across all Autopilot-enrolled devices. This approach eliminates manual steps during deployment and keeps your kiosk endpoints secure, standardized, and easy to manage.

This script is a ...

🚀 Windows Autopilot Self-Deploying Mode — Zero-Touch Setup That Feels Like Magic

Just imagine this: You unwrap a brand-new PC or reinstall Windows 11 from scratch… and before you even touch the keyboard, the device automatically:
✅ Joins Microsoft Entra ID (Azure AD)
✅ Syncs all Intune apps, settings, and policies
✅ Lands straight on the sign-in screen — ready for the user

No technician. No clicks. No wasted time. That’s Windows Autopilot Self-Deploying Mode — effortless, hands-free provisioning that just works.

The only prerequisite? Register the device’s Hardware Hash (HWID) in Intune first. Here’s the cleanest 10-minute setup guide to make it happen — perfect for brand-new or freshly reinstalled devices.

⚡ Step-by-Step: Configure Windows Autopilot Self-Deploying Mode in Under 10 Minutes

1️⃣ Start Fresh
Use a new PC or perform a clean Windows 11 installation (OOBE stage).

2️⃣ Insert a USB Drive

3️⃣ Identify the Drive Letter
Press Shift + F10, open PowerShell, and run:
Get-Volume
Find your USB drive letter (e.g., E:).

4️⃣ Run the Script
Execute: .\auto...

🚀 Unlock Seamless Device Setup with Windows Backup in Intune

What Is It?

The Enable Windows Backup policy in Intune allows organizations to back up user settings and certain app data to the cloud. When a user signs in on a new or freshly reset device, their settings can be restored automatically—making onboarding faster and smoother.

🛠️ How to Enable It in Intune

1. Sign in to Microsoft Intune Admin Center
Go to https://intune.microsoft.com

2. Create a New Configuration Profile
Navigate to Devices > Configuration profiles > Create profile.
Platform: Windows 10 and later
Profile type: Templates > Administrative Templates

3. Find the Setting
In the settings picker, search for:
Administrative Templates > Windows Components > Sync your settings > Enable Windows Backup

4. Configure the Policy
Set it to Enabled.
Assign the profile to the device groups or user groups you want.

5. Deploy and Monitor
Save and deploy the profile.
Monitor compliance and backup activity in the Intune portal.

🌟 Why It’s Great

Faster Onboarding: Users ...

"Elevate as Current User" in Microsoft Intune Endpoint Privilege Management (EPM)

What is "Elevate as Current User"?

"Elevate as Current User" is a new elevation rule in Microsoft Intune's Endpoint Privilege Management (EPM), introduced in October 2025. It allows processes to run with elevated privileges (like admin rights) under the logged-in user's own account, rather than an isolated virtual account. This improves compatibility for apps that need access to user-specific settings, profiles, or variables, while maintaining security. It's ideal for IT admins reducing unnecessary admin rights in organizations, ensuring better auditing and fewer compatibility issues.

Step-by-Step Guide to Configure and Use "Elevate as Current User"

This guide covers prerequisites, configuration options (automatic and manual), testing, and best practices. Ensure your Intune environment is updated to service release 2510 or later.

Prerequisites

Before setting up the rule:
- Intune Suite Access: You need the Intune Suite add-on for EPM fe...

🔐 How to Find and Manage Roles in Microsoft Intune (Endpoint Manager)

Role-Based Access Control (RBAC) in Microsoft Intune lets you define who can view and manage specific configurations, policies and devices. This guide shows how to locate, review and assign roles in the Microsoft Endpoint Manager admin center.

Where to find roles

1. Sign in to Microsoft Endpoint Manager admin center.
2. From the left menu, select Tenant administration.
3. Open Roles → Roles by permission to filter by category or permission.
4. Use the search box and column filters to quickly find a role or permission.

View roles by permission

In Roles by permission, set Category (e.g. ServiceNow) to view related roles. Set Permission (e.g. View Incidents) to list roles that include that permission. Review the results shown:
- Role display name
- Role assignment type (built-in or custom)
- Role name

Filtering by permission helps identify which roles grant access to specific features or integrations.

Review role properties & assign roles

Click a role...