The Trials and Tribulations of Intune Auto-Enrollment – Tips and Tricks

Intune auto-enrollment errors can feel like a maze with no map, but most of them come down to a handful of recognizable causes: a stale enrollment left behind on the device, a leftover device object in Azure AD, or an enrollment attempted under the wrong identity. This post lists the common error signatures, the places on the device to look, and the fixes that worked, so the enrollment process becomes a checklist rather than a guessing game.

(Yeah, I know, show me your script.)

Identifying Common Enrollment Errors:

  • Auto MDM Enroll: Device Credential (0x0), Failed: logged with Unknown Win32 Error code 0x8018002a. This is the most common symptom and the one that puzzles most people.
  • DmRaiseToastNotificationAndWait Failure during auto MDM enrollment: the toast notification step fails with the same Unknown Win32 Error code 0x8018002a.
  • OMA-DM Message Delivery Failures: the MDM server answers 401 (Unauthorized), or the client fails to obtain an AAD token. Typically the user token request fails with Unknown Win32 Error code 0xcaa2000c while the device token request reports success, which tells you the device side is fine and the user side is not.
  • ConfigurationManager Caller Issues: the caller is not impersonating a user and the targeted user SID is NULL, producing Unknown Win32 Error code 0x86000022.
  • Spurious Background Task Activation: Event ID 76 records a failed Auto MDM Enroll with Device Credential (0x0).

Diagnostic Toolkit for Error Analysis:

To find the root cause, do some detective work on the device itself:

  • Investigate Scheduled Tasks: run schtasks /query /fo LIST /v | findstr /i "Intune MDM Enroll" to list candidate enrollment tasks (findstr treats each space-separated word as its own search term, so this matches any task mentioning Intune, MDM or Enroll). The per-enrollment tasks live under \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\.
  • Registry Exploration: run Get-ChildItem HKLM:\SOFTWARE\Microsoft\Enrollments in PowerShell. Each GUID-named subkey is one enrollment; its UPN, ProviderID and EnrollmentState values tell you which user and which MDM server it belongs to, so an entry for a UPN that no longer exists is an outdated registration.
  • Event Log Examination: run Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 100 | sort TimeCreated | ft -AutoSize -Wrap to read the enrollment client's own log. Event ID 76 is a failed auto-enrollment and Event ID 75 a successful one.

Strategic Solutions for Error Resolution:

  • Eliminate Old Registrations: purge obsolete device objects in Azure AD (Identity -> Devices) so the device does not collide with a stale record of itself.
  • Implement the Cleanup Script: run a cleanup script that removes the residual enrollment entries (the leftover UPNs) from the device. This usually does not need a restart.
  • Force Direct Enrollment: sign in as the Intune-entitled user (a Business Premium or other Intune-licensed account), then run gpupdate /force, followed by %windir%\system32\deviceenroller.exe /c /AutoEnrollMDMUsingAADDeviceCredential and then %windir%\system32\deviceenroller.exe /c /AutoEnrollMDM. Afterwards, watch the device's activity in the event log, restart, and retry the enrollment.

Post-Intervention Evaluation:

After applying the fixes, review the event log again to confirm the errors are gone and no new ones have appeared; a fresh Event ID 75 (Auto MDM Enroll succeeded) is the signal you are looking for.
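The three diagnostic steps and the cleanup in one script, added here as an example; it is not the cleanup script the post refers to. It reads dsregcmd /status, lists every enrollment key with its UPN, ProviderID and EnrollmentState, lists the per-enrollment scheduled tasks, and shows the enrollment client's events including the error codes above. The -ExpectedUpn and -RemoveStale parameter names are this example's own; removal is opt-in and only touches keys whose UPN differs from the expected user.

```powershell
# Added example, not the page's cleanup script: inventory the MDM enrollment state of a Windows
# device, flag enrollment registry keys whose UPN does not match the user who should own the
# enrollment, and pull the auto-enrollment events. Nothing is deleted unless -RemoveStale is given.
# Run elevated. -ExpectedUpn and -RemoveStale are this example's own parameter names.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ExpectedUpn,   # the Intune-licensed user who should be enrolled
    [switch]$RemoveStale
)

$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$errorCodes = '0x8018002a', '0xcaa2000c', '0x86000022'   # codes discussed above
$guidRx     = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

# 1. Device registration as dsregcmd sees it: parse its "Key : Value" lines into a table.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:\s][^:]*?)\s*:\s*(.+?)\s*$') { $dsreg[$matches[1]] = $matches[2] }
}
'AzureAdJoined={0}  DomainJoined={1}  MdmUrl={2}' -f $dsreg['AzureAdJoined'], $dsreg['DomainJoined'], $dsreg['MdmUrl']

# 2. Enrollment keys. Each GUID-named subkey is one enrollment carrying UPN, ProviderID and
#    EnrollmentState; the other subkeys (Context, Ownership, Status, ...) are framework keys.
$stale = @()
foreach ($key in Get-ChildItem $enrollRoot | Where-Object { $_.PSChildName -match $guidRx }) {
    $p   = Get-ItemProperty -Path $key.PSPath
    $upn = [string]$p.UPN
    $isStale = ($upn -ne '') -and ($upn -ne $ExpectedUpn)
    if ($isStale) { $stale += $key }
    '{0}  UPN={1}  Provider={2}  State={3}{4}' -f $key.PSChildName, $upn, $p.ProviderID, $p.EnrollmentState,
        $(if ($isStale) { '  <-- does not match expected user' } else { '' })
}

# 3. Scheduled tasks the enrollment client created, one task folder per enrollment GUID.
$tasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue)
$tasks | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize

# 4. Optional cleanup of the stale entries only; the live enrollment is left untouched.
if ($RemoveStale) {
    foreach ($key in $stale) {
        $guid = $key.PSChildName
        if ($PSCmdlet.ShouldProcess($guid, 'Remove stale enrollment key and its scheduled tasks')) {
            $tasks | Where-Object { $_.TaskPath -like "*\$guid\*" } | Unregister-ScheduledTask -Confirm:$false
            Remove-Item -Path $key.PSPath -Recurse -Force
        }
    }
}

# 5. Recent enrollment events: 75 = auto-enroll succeeded, 76 = auto-enroll failed, plus any event
#    whose message mentions one of the error codes above.
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 200 |
    Where-Object {
        $msg = $_.Message
        ($_.Id -in 75, 76) -or ($errorCodes | Where-Object { $msg -match [regex]::Escape($_) })
    } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it first without -RemoveStale and read the output: the key whose ProviderID is MS DM Server and whose UPN is the Intune user is the live enrollment and must stay. A full cleanup also has to cover the other locations that reference the same enrollment GUID, for example HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts, before you re-run the enrollment commands above.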

Salesforce – Rebranding Tenants

Ongoing documentation for this process and gotchas.

API Scripts (Python):

Change Login/Email – Single User

Change Login/Email – All Users (Multiple Legacy Domains)

  • Changing a user’s email sends a confirmation message to the account email. We made a rule to hold these in the inbound spam queue, intercepted them, and acknowledged each using Incognito mode since it doesn’t require a login.

Office365 – Rebranding Tenants

Issue: Rebranding an existing Office 365 tenant takes a lot of testing and dependency mapping. We've done this several times and are building a repository of scripts and tips covering both the user experience and the admin impacts on the back end.

Overview:

  • Renaming a user's primary login name (UPN) in a pure O365 environment with no AD sync or on-prem footprint isn't all that bad. The change does not force a new Outlook profile or a mobile device reconfiguration, and it does not break Office activation on joined or non-joined machines. Outbound email starts coming from the new domain almost immediately. Outlook keeps showing @olddomain.com at the top of the mailbox tree until a new profile is created; that part is purely cosmetic.

  • OneDrive breaks on desktop and mobile, and it's not obvious. In some cases we saw an infinite 'Signing In'; otherwise the client reports 'All files are synced', and unless you upload a file and watch it sit in the queue there is no indicator that anything is wrong. Signing out and back in fixes it, but the concern is that the client never kicks the user out on its own. See the 'OneDrive – Reset' script below; you can publish it to the end user's desktop, and tools like Datto RMM can run it in the user's profile, which helped us automate the fix.

  • OneDrive links take around 15 minutes to change, and once they do, every previously shared link breaks. The HTML file linked below converts those links from the old domain to the new one. It's simple, and we put it on users' desktops to help them work through shared-link problems.

  • OneNote users see sync issues that don't recover until they sign out of and back into the local Office 365 application. It doesn't seem to pick up the new file locations that move with OneDrive's location.

  • Updates are ongoing!

Scripts (PS):

O365 – Change Single User (Testing)

O365 – Change All Users (Execution)

O365 – Change All Groups and Distribution (Execution)

OneDrive – Reset (User)

Rewrite OneDrive Shared Links
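As an added example, not one of the scripts linked above: two pure PowerShell helpers that encode the mapping the rebrand depends on. The first maps a UPN on any legacy domain to the new domain; the second rewrites a OneDrive share link for a renamed user. OneDrive names each personal site after the UPN with '@' and '.' replaced by '_' (https://<tenant>-my.sharepoint.com/personal/jane_doe_olddomain_com/...), which is why a UPN change moves the site and breaks every previously shared link while the tenant host name stays the same. The domains, tenant name and sample links are constructed.

```powershell
# Added example, not one of the page's scripts. Pure helpers for a UPN/domain rebrand.
function ConvertTo-NewUpn {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string[]]$LegacyDomains,
        [Parameter(Mandatory)][string]$NewDomain
    )
    $at = $Upn.IndexOf('@')
    if ($at -lt 0) { throw "Not a UPN: $Upn" }
    $local  = $Upn.Substring(0, $at)
    $domain = $Upn.Substring($at + 1)
    # leave accounts that are already on the new domain, or on a domain outside the rebrand, alone
    if ($LegacyDomains -notcontains $domain) { return $Upn }
    return "$local@$NewDomain"
}

function ConvertTo-PersonalSiteSegment {
    # OneDrive personal site name: 'jane.doe@olddomain.com' -> 'jane_doe_olddomain_com'
    param([Parameter(Mandatory)][string]$Upn)
    return ($Upn -replace '[@.]', '_')
}

function ConvertTo-NewOneDriveUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string[]]$LegacyDomains,
        [Parameter(Mandatory)][string]$NewDomain
    )
    $uri = [Uri]$Url
    # only '/personal/<segment>/...' links move; anything else is returned unchanged
    if ($uri.AbsolutePath -notmatch '^/personal/([^/]+)(/.*)?$') { return $Url }
    $segment = $matches[1]
    $rest    = $matches[2]
    foreach ($d in $LegacyDomains) {
        $oldSuffix = '_' + ($d -replace '\.', '_')
        if ($segment.EndsWith($oldSuffix, [StringComparison]::OrdinalIgnoreCase)) {
            $localPart = $segment.Substring(0, $segment.Length - $oldSuffix.Length)
            $newSeg    = $localPart + '_' + ($NewDomain -replace '\.', '_')
            return '{0}://{1}/personal/{2}{3}{4}' -f $uri.Scheme, $uri.Host, $newSeg, $rest, $uri.Query
        }
    }
    return $Url   # the segment belongs to a domain that is not being rebranded
}

# Constructed sample data
$legacy = 'olddomain.com', 'legacy.net'
$new    = 'newdomain.com'
'jane.doe@olddomain.com', 'bob@legacy.net', 'sam@newdomain.com' |
    ForEach-Object { '{0} -> {1}' -f $_, (ConvertTo-NewUpn -Upn $_ -LegacyDomains $legacy -NewDomain $new) }
ConvertTo-PersonalSiteSegment -Upn (ConvertTo-NewUpn -Upn 'jane.doe@olddomain.com' -LegacyDomains $legacy -NewDomain $new)
ConvertTo-NewOneDriveUrl -Url 'https://contoso-my.sharepoint.com/personal/jane_doe_olddomain_com/Documents/Q1.xlsx?web=1' `
    -LegacyDomains $legacy -NewDomain $new
```

The rewrite only understands links whose path starts with /personal/; links to team sites or in other forms come back unchanged, which is the safe default when you are handing this to users.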

Errors when clicking SharePoint links in Outlook

Issue: On January 17th, users on Dell XPS 9300/9310/9320/9370 laptops running Windows 10 and 11 started reporting multiple errors from Office 365 applications. The errors appeared when they clicked a link to a SharePoint file or location, but not when they pasted the same URL into a browser manually.

One error was "The server you are trying to access is using an authentication protocol not supported by this version of Office," another was "We're having trouble connecting to the server. Please try again later.", and finally "An internet connection is required to open this file. Try again after connecting."

Solution: No amount of reinstalling Office, updating drivers, disabling DNSFilter, or other actions fixed this issue for my users. What did work? Disabling IPv6 on the wireless interface immediately fixed the problem. So I pushed the PowerShell below using an RMM tool:

# Unbind IPv6 (ms_tcpip6) from the wireless adapter. Adapter names differ by image, so both common
# names are tried; -ErrorAction SilentlyContinue keeps the one that does not exist from failing the job.
Disable-NetAdapterBinding -Name 'Wireless' -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue
Disable-NetAdapterBinding -Name 'Wi-Fi' -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue

Anyone find the root-cause, or see this issue on non-Dell XPS devices?

Ad: FixFinder – Self-Help Automation platform that lowers your Tier-1 volume with a user empowering Desktop interface. FixFinder hooks into your existing MSP and IT tools to provide Unified Knowledge, Custom Wizards, Status Pages, Full Ticketing, and an Application library. Check it out!

 

Audit Weak Local Passwords in Windows using PowerShell

Issue: Devices that are not joined to Active Directory may have no Group Policy or other settings enforcing password complexity; they may be managed by Okta, Datto RMM or similar tools instead. Auditing those machines for weak or blank local account passwords is then harder than it should be.

Solution: WeakPassword.ps1 (below), with your custom passwordlist.txt in the same directory, prints the weak password whenever a local account on the host accepts one from the list. It also tests for a blank password, which would drop the user straight onto the desktop with no credential at all:

(Datto RMM with custom Post-Conditions)

View the Script

 

Note: A custom rule in my NGAV firewall blocking inbound TCP/445 broke the script with this error: Exception calling "ValidateCredentials" with "2" argument(s): "The network path was not found." (script location). I turned that rule off for long enough to let the script execute and promptly re-enabled the policy.

I haven't included a password list right now. I'd recommend starting with the classics ('password', 'letmein', '123456' and so on) rather than loading an entire dictionary, though a large list doesn't appear to slow the process down by much, so it's extensible.
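An added example of the same check, not the page's WeakPassword.ps1: it tests every enabled local account against a short list (and the blank password) with PrincipalContext.ValidateCredentials, the .NET call the error message above comes from. Two things the one-liner version skips are built in: each ValidateCredentials call is a real logon attempt that counts toward account lockout, so the script refuses to run a list longer than the local lockout threshold, and the matched password is only written to the output (which an RMM job will log) when -RevealPassword is given. The candidate list is constructed; the function and parameter names are this example's own.

```powershell
# Added example, not the page's WeakPassword.ps1: test enabled local accounts against a short weak-
# password list (and the blank password) using PrincipalContext.ValidateCredentials. Run elevated on
# the endpoint. The candidate list is constructed; replace it with the contents of passwordlist.txt.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-LocalLockoutThreshold {
    # 'net accounts' prints "Lockout threshold: Never" when no lockout policy applies
    $line = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    if ($line -match ':\s*(\d+)') { return [int]$matches[1] }
    return 0
}

function Test-LocalWeakPasswords {
    param(
        [Parameter(Mandatory)][string[]]$Candidates,
        [switch]$IncludeBlank,
        [switch]$RevealPassword   # off by default: RMM job logs are not a good place for plaintext passwords
    )
    $list = @()
    if ($IncludeBlank) { $list += '' }
    $list += $Candidates

    # Every ValidateCredentials call is a real logon attempt and counts toward account lockout.
    $threshold = Get-LocalLockoutThreshold
    if ($threshold -gt 0 -and $list.Count -ge $threshold) {
        throw "Lockout threshold is $threshold; $($list.Count) attempts per account would lock every tested user. Shorten the list."
    }

    # Machine context validates against the local SAM, which is why an inbound TCP/445 block on the
    # host firewall surfaces as "The network path was not found" (see the note above). Whether a blank
    # password validates here depends on the local "blank passwords to console logon only" policy;
    # confirm that on a test machine before trusting a negative result.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)

    foreach ($user in Get-LocalUser | Where-Object Enabled) {
        $found = $false; $hit = $null
        foreach ($pw in $list) {
            if ($ctx.ValidateCredentials($user.Name, $pw)) { $found = $true; $hit = $pw; break }
        }
        $matched = $null
        if ($found) {
            if ($hit -eq '') { $matched = '<blank>' }
            elseif ($RevealPassword) { $matched = $hit }
            else { $matched = '<in list>' }
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            User     = $user.Name
            Weak     = $found
            Matched  = $matched
        }
    }
    $ctx.Dispose()
}

# Constructed candidate list; keep it short (see the lockout check above)
$constructedList = 'password', 'Password1', 'letmein', '123456', 'Welcome1'
$results = Test-LocalWeakPasswords -Candidates $constructedList -IncludeBlank
$results | Format-Table -AutoSize
# A non-zero exit code feeds an RMM post-condition when anything matched
if ($results | Where-Object Weak) { exit 1 } else { exit 0 }
```

If you do want the full passwordlist.txt, read it with Get-Content and pass it as -Candidates; the lockout guard will tell you when the list is too long for the host's policy.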

 

 


Migrate Box via API to SharePoint

Issue: During a Box migration, tools like ShareGate and Kernel Migrator can mis-copy files as 0KB or have other problems. Admins may also need a lean way to migrate lists of Box files into SharePoint without a third-party tool.

Solution: A custom script that moves files from the Box API into SharePoint, driven by a source/destination list of Box files and the target SharePoint site collection. Files with '[ ]' in the name have issues with this method due to API/script limitations.

Download the Script – BoxAPI_to_SharePoint

Create the folder structure:
a. Logs – for the logs the PowerShell script writes.
b. Scan – for the CSV files the PowerShell script reads file paths from.
c. Temp – for files downloaded from the Box API; they are uploaded to SharePoint from here and can be cleared afterwards.

Access Token:
Copy the access token into the PowerShell script. A Box developer token is valid for 60 minutes; repeat the steps to generate a new one when it expires. Treat it like a password: it grants the script full access to the Box account that issued it, so don't commit it or leave it sitting in a shared job definition.

CSV Format:
SiteCollectionURL FilePath
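The procedure above as one script, added here as an example; it is not the BoxAPI_to_SharePoint script linked above. It downloads each listed Box file with a developer token, uploads it to the target library with PnP.PowerShell, and re-reads the size SharePoint stored so a 0KB copy is caught on the spot. The CSV columns (BoxFileId, SiteUrl, TargetFolder) are this example's own layout, and the token is read from a BOX_TOKEN environment variable rather than pasted into the script.

```powershell
# Added example, not the page's BoxAPI_to_SharePoint script. Downloads each listed Box file with a
# developer token, uploads it to the target library with PnP.PowerShell, and verifies the size that
# landed in SharePoint. Assumed CSV columns: BoxFileId, SiteUrl, TargetFolder (library-relative,
# e.g. "Shared Documents/Finance"). The token comes from BOX_TOKEN so it never sits in the script
# or in an RMM job definition.
param(
    [string]$ScanDir = '.\Scan',
    [string]$TempDir = '.\Temp',
    [string]$LogDir  = '.\Logs'
)
$token = $env:BOX_TOKEN
if (-not $token) { throw 'Set BOX_TOKEN to a Box developer token (valid for 60 minutes) before running.' }
$headers = @{ Authorization = "Bearer $token" }
foreach ($d in $ScanDir, $TempDir, $LogDir) { New-Item -ItemType Directory -Path $d -Force | Out-Null }
$logFile = Join-Path $LogDir ('migrate-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
function Write-Log([string]$Message) { "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $logFile -Append }

function Get-BoxFile([string]$FileId, [string]$OutDir) {
    # metadata first (name and byte size), then the content endpoint, which redirects to the download URL
    $info = Invoke-RestMethod -Uri "https://api.box.com/2.0/files/$FileId" -Headers $headers
    $dest = Join-Path $OutDir $info.name
    Invoke-WebRequest -Uri "https://api.box.com/2.0/files/$FileId/content" -Headers $headers -OutFile $dest -UseBasicParsing
    if ((Get-Item $dest).Length -ne [int64]$info.size) { throw "download size mismatch for $($info.name)" }
    return $dest
}

$rows = Get-ChildItem $ScanDir -Filter *.csv | ForEach-Object { Import-Csv $_.FullName }
foreach ($site in $rows | Group-Object SiteUrl) {
    Connect-PnPOnline -Url $site.Name -Interactive
    foreach ($row in $site.Group) {
        $local = $null
        try {
            $local = Get-BoxFile -FileId $row.BoxFileId -OutDir $TempDir
            $name  = Split-Path $local -Leaf
            if ($name -match '[\[\]]') { Write-Log "SKIP  $name (brackets in name; handle manually)"; continue }
            $uploaded = Add-PnPFile -Path $local -Folder $row.TargetFolder
            # re-read the server-side file so Length reflects what SharePoint actually stored
            $check = Get-PnPFile -Url $uploaded.ServerRelativeUrl -AsFileObject
            if ($check.Length -ne (Get-Item $local).Length) {
                Write-Log "BAD   $($row.TargetFolder)/$name stored as $($check.Length) bytes"
            } else {
                Write-Log "OK    $($row.TargetFolder)/$name ($($check.Length) bytes)"
            }
        } catch {
            Write-Log "FAIL  BoxFileId=$($row.BoxFileId): $($_.Exception.Message)"
        } finally {
            if ($local -and (Test-Path $local)) { Remove-Item $local -Force }
        }
    }
}
```

Grouping the rows by site keeps one PnP connection per site collection, and the log records a line per file, so a rerun can be limited to the BAD and FAIL entries.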

 


0KB Files in SharePoint Online – ShareGate Migration

Issue: Opening one of these 0KB files in Excel on the web produces "The workbook cannot be opened"; on the desktop it says "Excel cannot open the file X because the file format or file extension is not valid." Other files such as .docx and .pptx open blank the first time without throwing an error, but saving writes a file and updates the size.

The file size column in SharePoint is blank for these files:

Solution: In our scenario, the problem was caused by copying with ShareGate. Every file-migration product has issues, some worse than others, and you should never fully trust one without testing the results. This copy job in 'Insane' mode seems to have created 0KB empty files, and because the file now exists with matching timestamps, subsequent copy jobs that don't compare hash or size skip it. That is a nightmare with this many files and sub-folders, so I devised an amateur scripting solution that recursively finds these 0KB files across all document libraries in a site collection.

Download: Scan0KBFiles  (PowerShell)

When the scan completes you'll have a randomly named CSV file listing all of the 0KB files. The console output is only for keeping an eye on progress; you don't need to capture it.

If you get errors, make sure you have run Install-Module for MSOnline, AzureAD, Microsoft.Online.SharePoint.PowerShell and SharePointPnPPowerShellOnline, and that any copies already on the box are on the latest versions. (SharePointPnPPowerShellOnline is the legacy PnP module; its successor is PnP.PowerShell.)

How to Install the PnP PowerShell Module

If you’re seeing Throttling, I do have a version of this script that works as an AzureAD registered app, versus using credential authentication.

I tried testing other migration tools, all the ones you'd find on Google, and it's pretty bad out there right now. If they can even hook into your tenant, the UIs are wonky, and you get none of the visibility or configurability of other tools. But now, among many other bugs, you can see that in the case of ShareGate, that $5k gets you problems like this one, which admittedly are a nightmare when there are over a quarter-million files to search for 0KB stubs that replaced valid data because of the bug.
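An added example of the scan, not the Scan0KBFiles script linked above: it walks every document library in a site collection with PnP.PowerShell and writes the zero-byte files to a CSV. Paged queries keep the calls under the throttling limits, and the commented app-only connection line (assumed ClientId, tenant and certificate values) is the credential-free alternative for scheduled or large scans. A blank File_x0020_Size, which is exactly how the broken copies show up in the library view, counts as zero.

```powershell
# Added example, not the page's Scan0KBFiles script: list zero-byte files in every document library
# of a site collection. Interactive sign-in for a one-off run; the commented line shows app-only auth.
param(
    [Parameter(Mandatory)][string]$SiteUrl,
    [string]$OutCsv = ('.\ZeroByteFiles-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
)
# Connect-PnPOnline -Url $SiteUrl -ClientId <app id> -Tenant <tenant>.onmicrosoft.com -CertificatePath .\scan.pfx
Connect-PnPOnline -Url $SiteUrl -Interactive

function Get-ZeroByteFiles {
    # BaseTemplate 101 = document library; hidden libraries (forms, style library, ...) are skipped
    $libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }
    foreach ($lib in $libraries) {
        Write-Host "Scanning '$($lib.Title)' ($($lib.ItemCount) items)"
        Get-PnPListItem -List $lib -PageSize 2000 -Fields 'FileRef','FileLeafRef','File_x0020_Size','FSObjType','Modified','Editor' |
            Where-Object {
                # FSObjType 0 = file. File_x0020_Size is a string and is blank for the broken copies,
                # so a missing value is treated as zero ('0' + '' -> 0, '0' + '12345' -> 12345).
                $_['FSObjType'] -eq 0 -and [int64]('0' + $_['File_x0020_Size']) -eq 0
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Library  = $lib.Title
                    Path     = $_['FileRef']
                    Name     = $_['FileLeafRef']
                    Modified = $_['Modified']
                    Editor   = $_['Editor'].LookupValue
                }
            }
    }
}

$zero = @(Get-ZeroByteFiles)
$zero | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "$($zero.Count) zero-byte files written to $OutCsv"
```

The Modified and Editor columns are there so you can match each stub back to the migration run that created it before re-copying the originals.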

 


SharePoint Online – Last Modified

Issue: By default, SharePoint Online document libraries do not float a change up the folder hierarchy: editing a file deep in a structure leaves the parent folders' 'Modified' timestamps untouched. This brings hate mail from users, especially those coming from Box.com, where the parent folders do update and sorting by 'Modified' is how people find recent changes deep in the tree. Many older articles try to cover this, but the solution stayed evasive until I spent the better half of a day working it out in Power Automate (the rest of this post calls the flow a PowerApp). *flips Cray hat backward*

Solution: The flow's actions are listed below (the original post showed them as screenshots; the action definitions are reproduced as JSON). Its one major limitation is that creating an empty folder inside the structure does not trigger the update; the run reports as failed, which is harmless. Only files inside folders start the job successfully. It works at any depth (folder -> folder -> folder -> file, as deep as you need) and usually finishes within a minute.

1. Create a new automated flow named ‘FolderModified’ with the trigger:

When a file is created or modified (properties only)

2. ‘CFileName’ (Compose)

{
    "inputs": "@{triggerOutputs()?['body/{FilenameWithExtension}']}-@{equals(triggerOutputs()?['body/IsFolder'],false)}",
    "metadata": {
        "operationMetadataId": "c697bc2a-8bcd-44ad-80bf-87f29e9b4455"
    }
}

 

3. ‘CFolderPath’ (Compose)

{
    "inputs": "@triggerOutputs()?['body/{Path}']",
    "metadata": {
        "operationMetadataId": "ebace1b1-1fa1-4f76-8e97-4344ffe8c11b"
    }
}

 

4. ‘VArrFolderPath’ (Initialize variable)
{
    "inputs": {
        "variables": [
            {
                "name": "VArrFolderPath",
                "type": "array",
                "value": "@split(outputs('CFolderPath'),'/')"
            }
        ]
    },
    "metadata": {
        "operationMetadataId": "c4aa6183-5a4c-4451-b045-97a8c020a83f"
    }
}

 

5. ‘VPath’ (Initialize variable)
{
    "inputs": {
        "variables": [
            {
                "name": "VPath",
                "type": "string"
            }
        ]
    },
    "metadata": {
        "operationMetadataId": "9f50d26d-5624-4ef0-b02a-b98a41957d54"
    }
}

 

6. ‘CUser’ (Compose)
{
    "inputs": [
        {
            "Key": "@{triggerOutputs()?['body/Editor/Claims']}"
        }
    ],
    "metadata": {
        "operationMetadataId": "e80df3fb-feec-4ea5-a683-ad7a5d9b5c65"
    }
}

 

7. ‘CModified’ (Compose)
{
    "inputs": "@formatDateTime(triggerOutputs()?['body/Modified'],'g')",
    "metadata": {
        "operationMetadataId": "beb03772-baf0-4615-bc04-7fd5650f46f9"
    }
}

 

8. ‘CProperties’ (Compose)
{
    "inputs": [
        {
            "FieldName": "Editor",
            "FieldValue": "@{string(outputs('CUser'))}"
        }
    ],
    "metadata": {
        "operationMetadataId": "178a3d12-1338-456d-ab40-c9d1f4214bea"
    }
}


 

9. ‘VFilterFolderPath’ (Filter array)
{
    "inputs": {
        "from": "@variables('VArrFolderPath')",
        "where": "@equals(empty(item()), false)"
    },
    "metadata": {
        "operationMetadataId": "4a001a83-8073-4ff1-9e81-5e3a7073b027"
    }
}

 

10. ‘IFolders’

 

10.1. ‘Append to VPath’

 

10.2. ‘IGFPath’

 

10.3. ‘CValid’

 

Now edit the ‘HTTP’ request to SharePoint (the ‘Send an HTTP request to SharePoint’ action):

 

{
    "inputs": {
        "host": {
            "connectionName": "shared_sharepointonline_1",
            "operationId": "HttpRequest",
            "apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"
        },
        "parameters": {
            "dataset": "https://yoursite.sharepoint.com/sites/SITE",
            "parameters/method": "POST",
            "parameters/uri": "_api/web/lists/getbytitle('Documents')/items(@{outputs('IGFPath')?['body/ItemId']})/validateUpdateListItem",
            "parameters/body": "{\n\"formValues\": @{outputs('CProperties')},\n\"bNewDocumentUpdate\": false\n}"
        },
        "authentication": "@parameters('$authentication')"
    },
    "metadata": {
        "operationMetadataId": "5c59f1f4-cd00-4bd9-aa59-bde4deaa317d"
    }
}

 

*** Note: getbytitle('Documents') is the display name of the document library. The default library at '/Shared Documents/' is titled 'Documents'; otherwise use your custom name. ***
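The same algorithm in PowerShell with PnP.PowerShell, added here as an example and not part of the original flow: split the file path, drop the empty segments (the ‘VFilterFolderPath’ step), accumulate each ancestor folder path (the ‘Append to VPath’ loop), look up the folder's list item and POST to validateUpdateListItem with Editor set to the original editor's claims, so the folder's Modified moves without the automation account showing up as the editor. Get-AncestorFolderPaths is pure and runs offline; Update-AncestorFolders assumes an existing Connect-PnPOnline session to the site. The list title 'Documents', library URL 'Shared Documents', the sample path and the claims string are constructed.

```powershell
# Added example, not the page's flow. Same logic: touch every ancestor folder of a changed file via
# validateUpdateListItem, keeping Editor = the user who actually changed the file.
function Get-AncestorFolderPaths {
    # 'Finance/2024/Q1.xlsx' under 'Shared Documents' -> 'Shared Documents/Finance', 'Shared Documents/Finance/2024'
    param(
        [Parameter(Mandatory)][string]$LibraryUrl,   # site-relative library URL
        [Parameter(Mandatory)][string]$FilePath      # library-relative file path
    )
    $parts = @($FilePath.Split('/') | Where-Object { $_ -ne '' })   # same as the flow's empty-segment filter
    $out = @()
    $acc = $LibraryUrl.TrimEnd('/')
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {                    # the last segment is the file itself
        $acc  = "$acc/$($parts[$i])"
        $out += $acc
    }
    return ,$out
}

function Update-AncestorFolders {
    param(
        [Parameter(Mandatory)][string]$ListTitle,     # display name of the library, e.g. 'Documents'
        [Parameter(Mandatory)][string]$LibraryUrl,
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$EditorClaims   # e.g. 'i:0#.f|membership|jane@contoso.com'
    )
    # a user field goes to validateUpdateListItem as a stringified JSON array of {Key: claims},
    # which is what the flow's CUser/CProperties steps build
    $editorValue = ConvertTo-Json -InputObject @(@{ Key = $EditorClaims }) -Compress
    foreach ($folderUrl in Get-AncestorFolderPaths -LibraryUrl $LibraryUrl -FilePath $FilePath) {
        $folder = Get-PnPFolder -Url $folderUrl -Includes ListItemAllFields
        $itemId = $folder.ListItemAllFields.Id
        $body = @{
            formValues         = @(@{ FieldName = 'Editor'; FieldValue = $editorValue })
            bNewDocumentUpdate = $false
        } | ConvertTo-Json -Depth 4
        $resp = Invoke-PnPSPRestMethod -Method Post -Url "/_api/web/lists/getbytitle('$ListTitle')/items($itemId)/validateUpdateListItem" -Content $body
        # the response lists one entry per field; ErrorMessage is set when the update was rejected
        foreach ($r in $resp.value) {
            if ($r.ErrorMessage) { Write-Warning "$folderUrl [$($r.FieldName)]: $($r.ErrorMessage)" }
            else { Write-Host "Touched $folderUrl" }
        }
    }
}

# Constructed sample: the pure part runs without a connection
Get-AncestorFolderPaths -LibraryUrl 'Shared Documents' -FilePath 'Finance/2024/Q1.xlsx'
# With a PnP connection to the site:
# Update-AncestorFolders -ListTitle 'Documents' -LibraryUrl 'Shared Documents' -FilePath 'Finance/2024/Q1.xlsx' -EditorClaims 'i:0#.f|membership|jane@contoso.com'
```

Because this version runs under whatever identity Connect-PnPOnline used, it is also a way to do the same job from a scheduled task or an app-only connection instead of a flow tied to a user account that cannot have MFA enabled.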

 

Success!

 

  • Top-level Folder will show activity within, not just when it was created:

 

  • Objects within or within the sub-folders shown in the Last Modified above:

 

  • Short runtimes:

 

Disable this flow before migrating large amounts of data. Bulk triggers pile up 422 throttling errors and performance problems in the run queue that hang jobs; to flush the queue you end up recreating the object, or copying it to a new version and deleting the old one.

 

Note #2: I've also noticed that copying files as the same user the flow runs under can create a loop in which that account keeps touching files/folders long after the job completed. I keep this account stable because activating MFA breaks all of those permissions, and you have to go back into each flow to repair it.

 

Note #3: The easiest way to duplicate this is to create a template and use 'Save As' to clone another copy. You have to run one of these per document library, and on a large intranet that adds up to quite a few jobs. Expect to edit 2-3 places in each copy to point it at the new destination.

 

Note #4: You may receive 'Failed' notifications about these flows from Microsoft. They come from folders being created and are expected behaviour, not a sign that the flow is broken. I have it running on 35+ sites with minimal overhead or issues, other than Microsoft automatically disabling a flow that hasn't run for a certain period; you get an email warning when that happens.

 

Have a better way to do this? Let me know!

Create contact failed. Please enter unique email address for the Contact.

Issue: Office 365 may produce the error 'Create Contact failed. Please enter a unique email address for the Contact.' when you create a contact whose address does not appear in the Contacts window.

Solution: That address already exists as a Guest user in Azure AD. You CAN have a Guest and a Contact with the same address, but the Contact has to be created FIRST and the guest invited afterwards, in that exact order. Delete the Azure AD invitation, create the Contact in O365 user management, then re-send the invite.

 


 

Outlook Authn Error – Can’t connect to the server then recovers itself

Problem: Outlook hangs when first opened, showing "Connecting to server…" and then "Can't connect to the server.", then rec��vers on its own and works fine. In my case the Connection Status window showed an Authn error ('ERROR') that appeared to be blocking the connection.

Solution: None of the traditional rip-and-replace steps fixed this: Current and Semi-Annual channels, repairs, clean wipes, FixIt, and the kitchen sink. Turning off IPv6 made the problem go away instantly.

(DNSFilter on a Lenovo E14 laptop.)

 


Windows Login asking for Temporary Access Pass

Problem: Windows may prompt a user for a Temporary Access Pass at sign-in even though none has been configured in O365. This shows up after on-site techs replace a motherboard and the device comes back up: the device's Azure AD join is tied to keys held in the old board's TPM, so the rebuilt machine can no longer prove it is the registered device.

Solution: Sign in as an O365 admin through your RMM tool or at the console. The Azure AD join should re-establish itself automatically; if it doesn't, rejoin the device now. After a reboot the user can sign in with no other changes. PS: Signing back into the user profile used the existing C:\Users\ folder and did not create a new one.

 


Teams Needs an Update Loop

Issue: Teams version 1.5.0.17656 was installed from the .exe on the Teams download site. No matter how often you update, uninstall, or reinstall, the behaviour at launch doesn't change: Teams 1.2.x is still present on the machine and keeps looping.

  1. Tried removing it with Revo Uninstaller, including all artifacts
  2. Manually scavenged any temporary folders and blew them away

Solution: The device originally shipped with the 'Teams Machine-Wide Installer', which had been removed manually from Add/Remove Programs as bloatware years ago. Reintroducing the Teams Machine-Wide Installer fixed it instantly with no other changes to the machine.

Reboot the device now.

Have you run into any other fixes for this issue? Let me know. I threw the kitchen sink at it and could only get it working by reintroducing the baseline installer from the image.

 


OneDrive Right-Click Options Not Showing

Issue: OneDrive's right-click context menu entries may not appear in Windows File Explorer if UAC is disabled or if another shell extension, WinRAR in our case, is interfering.

At times these icons also weren't showing correctly in the Win32 explorer.exe shell:

Solution #1: If WinRAR is installed, open its 'Integration' options and turn off 'Integrate WinRAR into shell'. Otherwise look for other applications that add themselves to the context menu and could be causing the same conflict.

Solution #2: UAC may be turned off on this machine. The OneDrive entries never appear while it is disabled, even under the local administrator account, so enable it again.
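A read-only check for both causes, added here as an example and not from the original post: it lists every context-menu handler registered for all file types under HKLM (these extensions load into explorer.exe, so the dll path and its signature are worth a glance for more reasons than a missing menu) and reports the UAC state from the EnableLUA policy value. Per-user registrations under HKCU\Software\Classes are not covered; extend the root list if you need them.

```powershell
# Added example, not from the page. Lists machine-wide shell context-menu handlers for all file types
# and the UAC state. Read-only; nothing is changed.
function Get-ContextMenuHandlers {
    $root = 'HKLM:\SOFTWARE\Classes\*\shellex\ContextMenuHandlers'   # '*' is a literal key name here
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        # the handler's CLSID is the key's default value, or the key name itself when that is a GUID
        $clsid = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'
        if (-not $clsid -and $key.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') { $clsid = $key.PSChildName }
        $name = $null; $dll = $null; $sig = $null
        if ($clsid) {
            $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            if (Test-Path -LiteralPath $clsKey) {
                $name = (Get-ItemProperty -LiteralPath $clsKey).'(default)'
                $dll  = (Get-ItemProperty -LiteralPath "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
        }
        if ($dll) {
            # InprocServer32 may be quoted or use %SystemRoot%-style variables
            $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            if (Test-Path -LiteralPath $path) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
        }
        [pscustomobject]@{ Handler = $key.PSChildName; Name = $name; Clsid = $clsid; Dll = $dll; Signature = $sig }
    }
}

function Get-UacState {
    # EnableLUA = 0 means UAC is off, the state in which the OneDrive entries stop appearing
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        UacEnabled                 = ($p.EnableLUA -eq 1)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

Get-UacState
Get-ContextMenuHandlers | Sort-Object Handler | Format-Table -AutoSize
```

Run it before and after turning off WinRAR's shell integration: the WinRAR handler should disappear from the list, and any handler whose Signature is not Valid deserves a closer look regardless of the OneDrive problem.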

 
