[{"content":"","date":"21 November 2025","externalUrl":null,"permalink":"/tags/autopilot/","section":"Tags","summary":"","title":"Autopilot","type":"tags"},{"content":"","date":"21 November 2025","externalUrl":null,"permalink":"/","section":"Ben Cole","summary":"","title":"Ben Cole","type":"page"},{"content":"","date":"21 November 2025","externalUrl":null,"permalink":"/tags/intune/","section":"Tags","summary":"","title":"Intune","type":"tags"},{"content":"","date":"21 November 2025","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"21 November 2025","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":" Configure Virtual Machines with Autopilot - Windows 11 # This week I pieced together a test Virtual Machine on VMware. Microsoft have several limitations that can be found posted on MS Learn.\nLet\u0026rsquo;s go through each of these limitations and dive in a bit more about the specifics of them. After that I will take you through my build process and learnings so far.\nIntune does not support using a cloned image of a computer that is already enrolled. # This is fairly straightforward: the hash used by devices is unique, and when a new VM is created it generates a new hash. Not much here and pretty easy to navigate. My recommendation: capture your snapshot after installing Windows 11, then enroll your devices. This could probably be easily automated and then let OOBE do the rest.\nWindows Autopilot Self-deploying and pre-provisioning deployment types aren\u0026rsquo;t supported because they require a physical Trusted Platform Module (TPM). # Let\u0026rsquo;s break this up a little bit. The Self-deploying and pre-provisioning deployments follow much the same path. This fails straight away as the TPM cannot pass validation due to the lack of credentials. This is intentional by Microsoft as it poses a pretty serious security risk. 
Thank you for the wisdom from the WinAdmins Discord who explained this to me in more detail. So the physical TPM module is quite literal.\nWe recommend that you don\u0026rsquo;t use Intune to manage on-demand, session-host virtual machines, also known as non-persistent virtual desktop infrastructure (VDI). # Out of Box Experience (OOBE) enrollment isn\u0026rsquo;t supported on non-persistent VMs that can only be accessed by using RDP (such as VMs that are hosted on Azure). This restriction means: Windows Autopilot and Commercial OOBE aren\u0026rsquo;t supported. Enrollment Status Page isn\u0026rsquo;t supported.\nThese limitations/requirements are all related and tie back to the cloned image. Each time a new VM is spun up that hash is going to change and your Intune environment will start to be populated with bad data of devices that no longer exist. If you\u0026rsquo;re in an environment like mine, you may have already seen this occurring a bit when devices have synced across from SCCM.\nVirtual Machine Build. # So what did I end up doing? For me it was a requirement to have these VMs shared across multiple users, which also means I needed the device to be recognised as shared and not hold a primary user. In our environment we use the primary user as a reporting data source for our ITSM and Endpoint asset management so this was key to keep that data accurate.\nThe steps I followed are as follows:\nSpin up the Virtual Machine. Install Windows 11 25H2. Take a snapshot of the VM, in case we need to fall back or build another later on. Begin the hash process using the Get-WindowsAutopilotInfo script with the -Online -Assign parameters. Start the Autopilot using User-Driven deployment and let it complete. (More on the Intune configuration later) Once the device has completed I then removed the primary user and synced the VM. 
Removing the primary user forces the machine into shared mode; any user logging in after this will be able to install apps and the machine will not revert back and assign a user. So this was a quick and easy win.\nIntune Configuration # In my environment I use a series of dynamic device Entra groups and assign them to different profiles; my default profile simply looks for any device with a hash. Each time I create a new SOE build I add to this rule and exclude based on group tag. If I was to redo this in the future I would probably change this as each build means I need to revisit this rule and change it, which can be quite temperamental.\nOnce the Entra group is created I begin the Windows \u0026gt; Enrollment setup, creating an ESP (Enrollment Status Page) and Deployment Profile. Assign them to the group and away you go.\n","date":"21 November 2025","externalUrl":null,"permalink":"/posts/1763688794791-virtual-machine-autopilot/","section":"Posts","summary":"","title":"Virtual Machine Autopilot","type":"posts"},{"content":"","date":"16 November 2025","externalUrl":null,"permalink":"/tags/windows-11/","section":"Tags","summary":"","title":"Windows 11","type":"tags"},{"content":"I\u0026rsquo;ve made available the script that I use to position the start menu on the left side of the taskbar. GitHub\nUsing the Intune Content Prep Tool, package the script and deploy as a Win32 application. Ensure that you sign the script depending on your organisation\u0026rsquo;s policies for PowerShell. The application deployment has been tested in Autopilot OOBE; ensure this is assigned to a user group. You can deploy this at the device level; however, the experience changes for shared devices because the registry change modifies HKCU.\nThis is a lightweight change that you can make to ease the Windows 11 transition for your users, especially if you have older users. 
The other option is to begin educating your users on the new start menu location.\nIf I decide to revisit this script there are some changes I could make, for example writing out a registry key for a better detection method and including an \u0026ldquo;uninstall\u0026rdquo; script to remove the registry change should it be required at some point in the future. However, for now this is stable.\nSpecial thanks to Roger Zander whose Registry to PowerShell converter came in handy when building this one. I highly recommend this tool for anyone who is building scripts with registry changes.\nI\u0026rsquo;ll make edits to this page if we get a new settings configuration from Microsoft to change the start menu location as this would be the most stable and preferred option.\nBest of Luck, Ben\n","date":"16 November 2025","externalUrl":null,"permalink":"/posts/1763279226288-start-menu-left/","section":"Posts","summary":"","title":"Windows 11 Start Menu on Left","type":"posts"},{"content":"I work in IT across service delivery, endpoint management, and technical support. My experience in the Australian local government sector spans day-to-day support, Intune and Configuration Manager administration, PowerShell automation, and occasional server management. I focus on ensuring IT systems are reliable, efficient, and well-maintained, streamlining processes and improving operational consistency.\nIn addition to Windows, I manage iOS and Android devices through Intune, maintaining consistent configuration and security across mixed device environments. 
This site provides scripts, notes, and practical insights drawn from my real-world experience that may be useful to others in this area.\nAs well as managing all iOS, Android \u0026amp; Windows endpoints, I manage the Audio Visual devices via Teams, drawing on my experience in broadcast, so the occasional article may appear from that also.\n","date":"14 November 2025","externalUrl":null,"permalink":"/about/","section":"Ben Cole","summary":"","title":"About Me","type":"page"},{"content":"","date":"14 November 2025","externalUrl":null,"permalink":"/tags/about-me/","section":"Tags","summary":"","title":"About Me","type":"tags"},{"content":"","date":"14 November 2025","externalUrl":null,"permalink":"/tags/tag/","section":"Tags","summary":"","title":"Tag","type":"tags"},{"content":" Welcome # Over the course of this week I will begin publishing my application packages starting with the most common such as Chrome, Adobe, Autodesk, 7zip \u0026amp; the like. I feel a common repo of Intune application packages is needed when the Windows Store deployment falls short of its offerings. Of course there are tools that are on offer such as PMPC or Robopack, a new offering in the market for application management.\nEven with the existence of these tools there are still many environments that are being managed manually without these automated tools and there will always be a need for the LOB applications to be packaged manually due to installs not being publicly available.\nMany in the Australian local government might find a lot of these app packages useful as several agencies \u0026amp; organisations recycle the same pieces of software such as Content Manager by OpenText. 
I feel it\u0026rsquo;s needed to save us all a couple of hours building and testing deployments.\nMy goal over time is to build up this repo and allow others to also contribute. I\u0026rsquo;ll aim to include useful items like SHA \u0026amp; Publisher rules for application control which should aid in managing WDAC, the replacement for AppLocker.\nWDAC (Windows Defender Application Control) is included with the E5 license which many larger organisations leverage, but it falls short of the mark and in my opinion is quite difficult to administer, although it is quite easy to achieve Level 3 compliance with the Essential 8 framework.\nIn my next article I will publish the link to the repo, which will be located on my GitHub, providing a simple readme for each package with the required install, uninstall \u0026amp; detection methods for the application. In the future I hopefully can find some time to circle back to these and also put in the WDAC rules. I will aim to use the Publisher rule where possible; however, many applications still fall short of the mark for signing their apps. This also means that fewer changes to WDAC should be required as newer versions should be signed by the same publisher certificate.\nIf you are interested in contributing to this repo please do so via GitHub and I will review pull requests as quickly as possible. Please ensure all packages are made generic, with things like organisational details and license keys excluded and replaced with placeholders.\nBenColeAu/Intune Coming Soon\u0026hellip; Best of luck. 
Ben\n","date":"14 November 2025","externalUrl":null,"permalink":"/posts/welcome/","section":"Posts","summary":"","title":"Welcome","type":"posts"},{"content":"","date":"14 November 2025","externalUrl":null,"permalink":"/tags/welcome/","section":"Tags","summary":"","title":"Welcome","type":"tags"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]