Some Notes on the Machines

Run this in administrative Powershell:

wmic product where "name like '%ITSPlatform%'" call uninstall /nointeractive
wmic product where "name like '%ITSPlatformManager%'" call uninstall /nointeractive
wmic product where "name like '%ScreenConnect Client%'" call uninstall /nointeractive

Stop-Service -Name "SAAZappr"
Stop-Service -Name "SAAZDPMACTL"
Stop-Service -Name "SAAZRemoteSupport"
Stop-Service -Name "SAAZScheduler"
Stop-Service -Name "SAAZServerPlus"
Stop-Service -Name "SAAZWatchDog"
If (Test-Path "C:\Program Files (x86)\SAAZOD"){
   Remove-Item "C:\Program Files (x86)\SAAZOD" -Force -Recurse
} else {}
If (Test-Path "C:\Program Files (x86)\SAAZODBKP"){
   Remove-Item "C:\Program Files (x86)\SAAZODBKP" -Force -Recurse
} else {}
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest" -Name "ITSPlatformID" -Force
Remove-Item "HKLM:\SOFTWARE\WOW6432Node\SAAZOD" -Force
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SAAZappr" -Force
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SAAZDPMACTL" -Force
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SAAZRemoteSupport" -Force
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SAAZScheduler" -Force
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SAAZServerPlus" -Force
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SAAZWatchDog" -Force

HP Support Assistant is the oft-default tool, not suitable for automation. It does work, but often misses items, and sometimes just generally coughs. There is also the HP Image Assistant:

ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html

Its primary purpose is maintaining reference images, but it has a great command-line mode for full automatic downloads and updates. Download the installer, complete it, close the GUI tool, open Powershell or CMD, CD to the folder it created in command-line (it’s C:\SWSETUP\something), and run:

.\HPImageAssistant /Operation:Analyze /Category:All,Accessories /selection:All /action:Install /silent /reportFolder:c:\HPIA\Report /softpaqdownloadfolder:c:\HPIA\download

Then monitor its behavior in TASKMGR, and see the downloads piling up in C:\HPIA\download. If it needs a reboot, it will do it automatically. Even if it doesn’t, reboot is recommended, just to keep everything as smooth as possible.

Best I know is Dell Command Update. Can be installed using winget:

winget install Dell.CommandUpdate.Universal

This is a GUI tool, does a very good job.

This sometimes Just Plain Works:

"C:\Program Files (x86)\Webroot\WRSA.exe" –uninstall

and sometimes needs the Webroot admin password. If that password is requested but not available, safe mode activity may be the only option.

Sometimes Windows’ relationship with 365, or a user’s profile, or just a user on a PC or terminal server, will not log into 365. This appears to be the result of corruption of cached credentials.

The most straightforward way is probably to nuke all User/Windows/Azure relationship and recreate. As written, this would probably be very bad on a terminal server, because it will nuke the relationship for all users and all profiles. So far, no per-user commands identified.:

Remove 365 accounts from “Access Work and School”, then run these:

dsregcmd /debug /cleanupaccounts

dsregcmd /debug /leave

from administrative CMD, and also from SYSTEM (paexec or psexec can do this), then reboot, then remove from Access Work and School if still there, then set up user relationship(s) again.

But today we have a report that dsregcmd /status did something, unknown, which fixed one terminal server user. Not sure what. Next time I plan to run many tests with this info:

ss64.com/nt/dsregcmd.html

And if you see error CAA5021, do this:

Search for Manage user certificates in the search bar and open it from Best match. Then navigate to Current User\Personal\Certificates and make sure the MS-Organization-Access and MS-Organization-P2P-Access entries are deleted.

No reboot needed for that last.

Seen it twice now, different audio hardware. After Windows 11 upgrade, audio shows working in Device Manager, but does not actually work. So far, the solution is to get into Device Manager, and delete the driver items for the hardware which should be working, from both “Software Devices” and “Sound, video and game controllers”. Then reboot. After the reboot, both times, it created two new sections at the top for audio, and then sound began working fine. Here’s an example:

This method uses Powershell module PsWindowsUpdate.

First, a complete script which gets the module in and updates everything available from Microsoft, including patches and drivers and firmware:

#begin script
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate
Install-WindowsUpdate -AcceptAll -AutoReboot
# end script

Next, the bits. We do need to install and keep up a module.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

Then we can check the list of available updates:

Get-WindowsUpdate

And then we probably want to actually do updates. There are good reasons and multiple methods to be careful. Alas, thus far, there does not appear to be a way to install updates a given number of days after release, e.g., 30, so as to give Microsoft time to respond to issues. Here is a glancing overview of what we do have:

Install-WindowsUpdate -NotCategory "Drivers","Service Packs","FeaturePacks" -NotTitle "preview" -AcceptAll 

Install-WindowsUpdate -NotCategory "Drivers","Service Packs","FeaturePacks" -NotTitle "preview" -AcceptAll -IgnoreReboot

Install-WindowsUpdate -AcceptAll -AutoReboot

Install-WindowsUpdate -NotKBArticleID KB1234567 -AcceptAll

Install-WindowsUpdate -NotKBArticleID KB1234567 -AcceptAll -IgnoreReboot

Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB1234567,KB7654321"

Reset-WUComponents

Get-Command -Module PSWindowsUpdate

Older hosted Exchange mailboxes, are starting to fail Autodiscover in newer Outlook installs. Below is a registry fix which gets them working. Apply the change and then reboot, then try it again.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeHttpsRootDomain"=dword:00000001
"PreferLocalXML"=dword:00000000
"ExcludeHttpRedirect"=dword:00000000
"ExcludeHttpsAutodiscoverDomain"=dword:00000001
"ExcludeScpLookup"=dword:00000001
"ExcludeSrvRecord"=dword:00000001
"ExcludeExplicitO365Endpoint"=dword:00000001

Try this:

winget install microsoft.edgewebview2runtime --force

For a long time the standard was, contact your S1 support and receive a removal tool. The sweeper can still be found, but only old versions among rare people that held onto it, and it does not always work. This works sometimes:

SentinelOneInstaller_windows_64bit_v22_2_4_558.exe --clean_only --dont_preserve_config_dir --dont_preserve_agent_uid -t xyzpdqxyzpdq

You’ll want the latest .exe, not the above version. And if this is not an agent from your own console, in the place of xyzpdqxyzpdq, try “1”, or omit the -t … altogether. Sometimes works outside of safe mode, sometimes works inside.