-
Disable Shift-F10 in OOBE
The ability to press Shift-F10 to open a command prompt during the out-of-box experience (OOBE) in Windows has been around for many years. But if you want to turn that off, there are two ways you can do it: Buy a device that ships with Windows 10 in S Mode. When Windows 10 is running…
-
Azure AD won’t let you delete device objects associated with Windows Autopilot
When you register a device with Windows Autopilot, an Azure AD device object will be created corresponding to that Azure AD device. That device object is important for Windows Autopilot and should never be deleted without also removing the Windows Autopilot device. To support that, the Azure AD team has added an additional validation that…
-
Supercharge the Hybrid Azure AD Join device registration process
I’ve written a few blogs about Hybrid Azure AD Join, and I’ve explained that there are two major pieces to this: What Windows Autopilot and Intune do to orchestrate the process of getting a new device joined to Active Directory. You can read more about that process in this blog post, and more troubleshooting details…
-
Intune makes it easy to deploy an Always On VPN device tunnel profile
A new feature was announced today for Intune: You can create an Always On VPN device tunnel profile directly in Intune, without any of the gymnastics that were previously required. All you need to do is create a VPN profile: For an Always On VPN device tunnel, just choose the appropriate options: Connection type: IKEv2…
-
Troubleshooting Windows Autopilot Hybrid Azure AD Join
It feels like I’ve written this blog before – many times actually. But given the amount of interest recently, it’s time to cover the topic again: How to troubleshoot Windows Autopilot Hybrid Azure AD Join. This process involves the following steps: Here’s a description of those numbered steps: So what can possibly go wrong? There…
-
More improvements to the Get-WindowsAutopilotInfo script
Yesterday’s changes (described in this blog) were probably bigger, but a couple of suggestions in response to that update have caused me to publish another new version. For the first change, you can now build a CSV file with the UPN of the user that should be assigned to the device. Just specify the…
-
Automating the Windows Autopilot device hash import and profile assignment process
I posted a blog back in March that talked about a new “-online” option that I added to the Get-WindowsAutopilotInfo script which will grab the hardware hash from a device and add it to Windows Autopilot using the Graph API. I’ve made some further enhancements to that process to provide a few additional options. …
-
Windows Autopilot diagnostics: Digging deeper
2025-05-02: I have an updated blog that you may want to start with: https://oofhours.com/2025/05/01/next-generation-autopilot-troubleshooting/ I’ve posted quite a few blogs talking about troubleshooting Windows Autopilot (such as this one), with some additional posts (three separate ones here, here, and here) talking about a script named Get-AutopilotESPStatus that can help display information about what went on…
-
The https://OofHours.com one-year anniversary
The first post on the new https://oofhours.com website was exactly one year ago today. Since then, I’ve done 125 posts amounting to a total of 82,000 words, with 600,000 views in total. Given an average of 500 words per printed page and adding in the images and screenshots, I wrote the equivalent of a 400-page…
-
Using Windows 10 2004 with MDT and installing updates during a task sequence?
There have been some reports from people who are creating their Windows 10 2004 image using MDT and running into an interesting issue: The MDT ZTIWindowsUpdate.wsf script ends up skipping all the updates offered to the machine. If you look at the BDD.LOG, you’ll see something like this: But why is MDT skipping all the…
-
You can now target ESP profiles to devices
While the Hybrid Azure AD Join over VPN process probably gets people more excited, another change went live in Intune at the same time: The ability to target enrollment status page (ESP) profiles to groups of devices. Prior to this change, you could target groups containing users, and you could use the default ESP profile…
-
Windows Autopilot user-driven Hybrid Azure AD Join: Which VPN clients work?
In my previous post, I talked about the new VPN support for user-driven Hybrid Azure AD Join. I described the key VPN requirements: The VPN connection either needs to be automatically established (e.g. “always on”) or it needs to be one that the user can manually initiate from the Windows logon screen. For the “manually…
-
Windows Autopilot user-driven Hybrid Azure AD Join over the internet using a VPN
It has taken a long time, and there have been plenty of bumps along the way, but it’s finally available in public preview: You can perform a user-driven Hybrid Azure AD Join deployment over the internet, using a VPN connection to establish connectivity so the user can sign into the device. Before we get into…
-
Hacking or useful IT tool? You decide.
In my job I tend to do a reasonable amount of research. (And by research, I don’t mean searching for a term in your favorite search engine and clicking on the first five non-advertising links in the result.) As part of that research, I came across a reference in the Google Chrome Enterprise documentation that…
-
Make ESP look better by disabling FSIA
Leave it to Microsoft to turn everything into an acronym. So let me start with definitions: ESP = Enrollment Status Page. This shows the progress of the Windows Autopilot device provisioning process, in two different phases: device ESP, which tracks the device configuration, and user ESP, which tracks the user configuration after the user is…
-
Do not clone an Azure AD-joined or MDM-enrolled Windows 10 OS
The Windows guidance goes back many years: Before you can duplicate or clone a Windows installation (whether physically duplicating the disk drive or using some sort of VM-based snapshot or differencing disk technique), it is absolutely essential that the system be generalized using Sysprep.exe. That’s also called out in KB 314828: When you deploy a…
-
Creating a kiosk or digital sign using Windows Autopilot, Intune, and Edge (Chromium)
Way back when (two years ago to the day actually), I posted a blog that described how to use Windows Autopilot self-deploying mode to create a kiosk that displayed a web page using the Kiosk Browser app. You can refer back to that post for the basics of the scenario. Later on, I set up…
-
MDT build 8456 needs an update for Windows 10 2004
There is a new update available for MDT to address an issue that arises from Windows 10 2004 and the corresponding ADK release: https://support.microsoft.com/en-us/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit The issue would only be encountered if you are using non-UEFI devices (physical or VMs). Due to a change in underlying API behaviors, MDT then could not determine if the device…
-
New in Windows 10 2004: Better Language Handling
It might seem like a very long time ago, but at the Microsoft Ignite 2019 conference in Orlando, there was a theater session presented: THR4002: Solving Windows 10 feature updates in a multilingual deployment You can watch the video for all the details, but I want to focus on one specific slide that talks about…
-
Ensuring you can capture a screenshot from a remote Hyper-V VM
This should be a trivial exercise. I should be able to connect to a remote Hyper-V server using Hyper-V Manager, connect to a specific VM, and interact with it as if I were on the server. Since I typically use Azure AD Join, that’s not as simple as it should be. Over the years, I’ve…
