Syntax Bearror
How to Avoid Frustration With Microsoft Intune MDM on Workstations

By Christopher
April 6, 2021

As an Intune Administrator and someone who has deployed Intune, you can imagine the trials one undergoes as part of that process. However, there’s one issue that has really kneecapped a core function of Microsoft Intune called Fresh Start. Fresh Start is intended to allow you to reset a device to the baseline image for the system, with the option of retaining or removing user files. However, in my experience, we’re finding a huge issue that appears to have two sides to it.

So What’s Going On?

So, the first side of the issue comes down to how Microsoft processes a Fresh Start request. When the request is sent to the system, a confirmation is received from the system, and then the device is unenrolled from Intune. This is where the problem can start. If, say, there is something wrong with the OS image, the Fresh Start will fail. This then kicks the user back to the login screen, where they can log in, but now, effectively, you can neither manage nor have insight into the system.

To make matters worse, if you attempt to re-enroll the device into Intune, it reports that it is “already connected to another organization” and will not allow you to do so. This leads me to believe that there is a defect in the process wherein it either does not evaluate the image’s health before proceeding, does not confirm that it can successfully begin, or has no rollback function to reconnect the device to Intune in the event of failure. This is, of course, a worst-case scenario. Despite the verbose details provided to Microsoft Support, they seem uninterested in escalating the matter to the Engineering group.
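The failure mode described above leaves a device that still lets users log in but no longer has a live MDM relationship. The following script, an added example that is not from the original post, reports a workstation's Azure AD join state and its Intune enrollment records so that devices orphaned by a failed Fresh Start show up in an inventory pass. It assumes (labelled in the comments) that Intune's enrollment is recorded under `HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>` with `ProviderID` set to `MS DM Server`, and that `dsregcmd.exe /status` prints `AzureAdJoined` and `MdmUrl` lines; the function name `Get-MdmEnrollmentReport` is the author of this example's own.

```powershell
# Added example (not code from the original post). Reports whether this workstation still
# appears to be Intune-managed, so devices that lost management after a failed Fresh Start
# can be spotted from an inventory script. Run from an elevated PowerShell session.
# Assumptions (not facts from the post): Intune's MDM enrollment lives under
# HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID 'MS DM Server', and
# dsregcmd.exe /status prints 'AzureAdJoined' and 'MdmUrl' lines.

function Get-MdmEnrollmentReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        AzureAdJoined     = 'UNKNOWN'
        MdmUrl            = ''
        IntuneEnrollments = @()
        Verdict           = ''
    }

    # dsregcmd prints "Name : Value" lines; pick out the join state and the MDM URL.
    $dsreg = & dsregcmd.exe /status 2>$null
    foreach ($line in $dsreg) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*(\S+)') { $report.AzureAdJoined = $Matches[1] }
        elseif ($line -match '^\s*MdmUrl\s*:\s*(\S+)')    { $report.MdmUrl = $Matches[1] }
    }

    # Each enrollment is a GUID-named subkey; keep only those that point at Intune.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (Test-Path $root) {
        foreach ($key in Get-ChildItem -Path $root) {
            if ($key.PSChildName -notmatch '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$') { continue }
            $props = Get-ItemProperty -Path $key.PSPath
            if ($props.ProviderID -ne 'MS DM Server') { continue }
            $report.IntuneEnrollments += [pscustomobject]@{
                EnrollmentId    = $key.PSChildName
                EnrollmentState = $props.EnrollmentState        # raw value, reported as-is
                EnrollmentType  = $props.EnrollmentType
                DiscoveryUrl    = $props.DiscoveryServiceFullURL
                UPN             = $props.UPN
            }
        }
    }

    # Verdict: the post's failure mode is a device that is still Azure AD joined and
    # still lets users log in, but no longer has a live MDM relationship.
    $hasEnrollment = $report.IntuneEnrollments.Count -gt 0
    $hasMdmUrl     = -not [string]::IsNullOrWhiteSpace($report.MdmUrl)
    $verdict = 'NOT JOINED / NOT ENROLLED'
    if ($hasEnrollment -and $hasMdmUrl) {
        $verdict = 'MANAGED'
    } elseif ($report.AzureAdJoined -eq 'YES') {
        $verdict = 'AAD-JOINED BUT NO MDM ENROLLMENT - investigate (possible failed Fresh Start)'
    }
    $report.Verdict = $verdict

    [pscustomobject]$report
}

# Usage: run locally, or wrap in Invoke-Command across a fleet and export the results to CSV.
Get-MdmEnrollmentReport | Format-List
```

The script only reads state; leftover enrollment keys are reported, not touched, because the “already connected to another organization” message is exactly the kind of stale record an administrator will want to see before deciding on a remediation.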

The second side of this issue appears to result from OEM builds. These builds often contain custom modifications or settings dictated by the manufacturer, which can create a poor experience for users and for Microsoft Intune in general. I often found that when I used an OEM build, the profiles I built for the systems failed because of conflicts with the OEM software installed. Even when attempting to rebuild the OS from the recovery console, you’d quickly find that the Windows recovery console wouldn’t work properly or, in some cases, wouldn’t even detect properly.

The replication of the OEM build defect was random: out of 40 systems, around 30% had some kind of image defect that impaired the Fresh Start function, and of those, about half were unable to recover properly via the Windows recovery console with cloud download selected. This OEM build issue did not affect Microsoft-built devices, but did affect our Dell-built devices.

Obviously, a 40% potential rate of losing device control is disastrous from a security and compliance control standpoint. Further, the bloatware from OEMs, which often contains outdated drivers that have had little security vetting, is concerning for anyone attempting to build a secure baseline. So, in the interest of a clean baseline image, and to avoid our other concerns, we did a clean install using the Windows 10 Media Creation Tool. When we attempted to Fresh Start systems that were installed with a clean image, they had no issue. When they self-enrolled through AutoPilot and applied their policies, they had no issues across the board.

So, lesson learned. If Microsoft support changes their tune and begins to seek a resolution to the Fresh Start issue, I’ll write an update accordingly. Until then, save yourself the headache, and do clean image installs before enrolling devices.
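A practical way to enforce the “clean image before enrolling” lesson is to check each device for OEM image indicators before it is handed to AutoPilot. The script below is an added example, not code from the original post, and it relies on heuristics that are assumptions rather than facts from the post: factory images typically populate the `OEMInformation` registry key and ship Appx packages and Win32 software from non-Microsoft publishers, whereas a Media Creation Tool install normally does neither. The function name `Get-BaselineImageReport` is this example's own.

```powershell
# Added example (not code from the original post). Collects indicators that a workstation
# is still running an OEM factory image rather than a clean Media Creation Tool install,
# so it can be checked before enrollment. Run from an elevated PowerShell session.
# Assumptions (heuristics, not facts from the post): OEM images usually populate
# HKLM:\...\CurrentVersion\OEMInformation and ship Appx packages and Win32 software whose
# Publisher is not Microsoft; a clean install normally does neither.

function Get-BaselineImageReport {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # 1. OEM branding key, written by factory images (support URL, logo, etc.).
    $oemInfoPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation'
    $oemInfo = $null
    if (Test-Path $oemInfoPath) { $oemInfo = Get-ItemProperty -Path $oemInfoPath }

    # 2. Appx packages from publishers other than Microsoft (-AllUsers needs elevation).
    $nonMsAppx = @(
        Get-AppxPackage -AllUsers |
            Where-Object { $_.Publisher -notmatch 'Microsoft' } |
            Select-Object -ExpandProperty Name -Unique
    )

    # 3. Win32 software whose Publisher matches the hardware vendor (e.g. "Dell" from "Dell Inc.").
    #    Skipped for Microsoft-built hardware, where the vendor name would match everything.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $vendorWord = ([string]$cs.Manufacturer -split '\s+')[0]
    $vendorSoftware = @()
    if ($vendorWord -and $vendorWord -ne 'Microsoft') {
        $vendorSoftware = @(
            Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -and $_.Publisher -match [regex]::Escape($vendorWord) } |
                Select-Object -ExpandProperty DisplayName -Unique
        )
    }

    $indicators = @()
    if ($oemInfo)                    { $indicators += 'OEMInformation key present' }
    if ($nonMsAppx.Count -gt 0)      { $indicators += "$($nonMsAppx.Count) non-Microsoft Appx package(s)" }
    if ($vendorSoftware.Count -gt 0) { $indicators += "$($vendorSoftware.Count) vendor Win32 package(s)" }

    $verdict = 'NO OEM INDICATORS FOUND'
    if ($indicators.Count -gt 0) { $verdict = 'LIKELY OEM IMAGE - reimage before enrolling' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Manufacturer   = $cs.Manufacturer
        Model          = $cs.Model
        OsBuild        = $os.BuildNumber
        OsInstallDate  = $os.InstallDate
        NonMsAppx      = $nonMsAppx
        VendorSoftware = $vendorSoftware
        Indicators     = $indicators
        Verdict        = $verdict
    }
}

# Usage: run before enrollment; a device with any indicator goes back for a clean install.
Get-BaselineImageReport | Format-List
```

The checks are deliberately read-only and heuristic: a user-installed non-Microsoft Store app will also trip the Appx count, so treat the output as a prompt to look, not as proof of an OEM image.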

Christopher

Christopher Clai is a Senior Security Engineer, IT Generalist, and Developer from Chicago, IL with over 20 years of experience in Information Technology ranging from small businesses to Fortune 500's. Chris loves the Pacific Northwest, Sushi, Invader Zim, Rugby, World of Warcraft, raves, and is an avid user of Microsoft and Linux-based technologies.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
©2014 - 2021 - SyntaxBearror.io. All rights reserved unless otherwise noted.