Event details
Security and compliance aren’t standing still—and neither is Intune. With new features, enforcement changes, SDK requirements, and evolving security expectations arriving at a rapid pace, IT teams are under constant pressure to stay current without disrupting productivity or overwhelming administrators. Join this Ask Microsoft Anything (AMA) session to discuss the challenges of managing security, compliance, and updates at scale in a fast-moving cloud environment.
This is an interactive event so you guide the discussion. From patching strategies, compliance policies, and app protection to reducing operational overhead while maintaining a strong security posture, we'll be here to answer your questions. Whether you’re navigating changing compliance requirements, trying to simplify policy management, or working to balance security with a seamless user experience, come explore practical approaches for staying secure, compliant, and ready for what’s next with Intune.
I'm in. How do I participate?
Sign in to the Tech Community, select Add to Calendar and Attend to receive event reminders. Post your questions (early and often!) in the Comments below.
|
This session is part of the Tech Community Live: Intune Edition. View the full agenda for more AMAs! This session will also be recorded and available on demand shortly after conclusion of the live event. |
14 Comments
- Dean_GrossSilver Contributor
It gets very frustrating when the MS team does not provide specific, unambiguous guidance. You are the experts, tell us how to do something, instead of always waffling
- C00kieMonsterBrass Contributor
Is there a way to scope policies to just Azure VMs? There doesn't appear to be a way in Intune to create a dynamic group that only picks up Azure VMs for when we have policies that we only want to apply to Azure VMs and none of our physical systems.
- C00kieMonsterBrass Contributor
Which is better to use for managing Edge, Edge Management Service or Intune policy?
- Jai-JaiOccasional Reader
I'd like to block sign-ins from non-Windows 11 devices. I've tried using the Filter for Devices within a CA policy, configuring it to use "operatingsystemversion starts with 10.0.2" and that works for a moment before the sign-in from a Win 11 device is blocked too. Am I missing something? I'd be grateful for any advice.
- SCawedCopper Contributor
We configured compliance policies for windows and iOS separately, and are pretty happy with what we have. We are about to configure compliance policies for android (because we are looking to provide android to our fleet).
We are looking to take this opportunity to streamline.
Are there any compliance policies that can be configured that applies to all devices regardless of device type; or at least a compliance policy that targets both iOS and Android. I foresee an admin configuring an iOS policy and forget to apply it on Android.
Example one policy for minimum PIN/passcode length on both android and ios (and maybe windows).
Thanks
- Dean_GrossSilver Contributor
I think the best practice is to keep the policies separate by OS
- KMigsCopper Contributor
Thanks, will test with edge and try the what if as well to assist.
- dfuellCopper Contributor
Driver / firmware updates via Autopatch when an OEM has a competing tool (e.g., Dell Command Update) — is it recommend to run both, pick one, or a specific hybrid pattern?
Is it possible use filters within AutoPatch rings to target only specific OEM devices?- Andre Della Monica
Microsoft
Great question, dfuell
The overall recommendation is to let Autopatch own drivers and firmware through its ring-based deployment. Start with Manual approval mode for BIOS/firmware so you can review each update and use Automatic mode for standard drivers.
- Autopatch Driver/Firmware vs. OEM Tools (e.g., Dell Command Update)
- The recommended approach is to pick one primary authority per device population for the same driver/firmware categories and avoid running both Autopatch and an OEM tool managing the same content on the same devices simultaneously.
- Running both can cause conflicts: overlapping driver content from Windows Update and the OEM catalog, duplicate reboots, and inconsistent change-control tracking.
That said, a hybrid pattern can work:
- Windows Quality & Feature Updates, use Windows Autopatch
- General drivers (chipset, network, GPU, etc.), use Autopatch Driver Updates (Automatic or Manual mode)
- BIOS: Autopatch does not deploy BIOS updates, this remains an OEM-tool responsibility.
- On Targeting Specific OEM Devices within Autopatch Rings:
- Yes, absolutely. You can achieve OEM-specific targeting through a combination of:
- Intune Assignment Filters: Create a filter using the device.manufacturer property (e.g., device.manufacturer -eq "Dell Inc.") to ensure driver policies or Dell Command Update only apply to Dell devices. You can also use device.model to target specific model families (e.g., Latitude vs. OptiPlex).
- OEM-specific Entra ID groups: Create dynamic device groups per-OEM (manufacturer = Dell, HP, Lenovo), then map those groups to dedicated Autopatch deployment rings.
- Dedicated Autopatch groups per-OEM: You can create separate Autopatch groups for different OEM fleets, each with their own ring topology and driver approval strategy. For example, a Dell-specific group with rings like Test - Ring 1 - Ring 2 - Last.
- Yes, absolutely. You can achieve OEM-specific targeting through a combination of:
Hope this helps!
- KMigsCopper Contributor
our goal is to limit access on Mobile devices for mail to web Mail/O365 or to Outlook app either compliant enrolled device or MAM WE. It seems if we require compliant device or MAM in the Conditional access policy it also blocks WEBMAIL. How would you configure /
enforce this use case?
- AMishra_SYDCopper Contributor
Is phishing-resistant MFA enforced for join/enrollment of new device to Entra and Intune
- dfuellCopper Contributor
For shared-use Windows devices (kiosks, conference rooms, manufacturing workstations), is device-based or user-based compliance the recommendation?
- Andre Della Monica
Microsoft
Another great question, dfuell
Great question, and the short answer is: device-based compliance is the recommendation for shared-use Windows devices. A couple of points:
- There’s no persistent user affinity: Kiosks, conference rooms, and manufacturing workstations don't have a dedicated owner. User-based compliance ties the compliance state to a specific user context, and when that user doesn't log back in, the compliance context becomes stale, leading to devices being flagged as non-compliant and affecting Conditional Access and reporting.
- There are a few Device-level settings are what matter on shared devices, for instance, you're checking things like BitLocker encryption, Secure Boot, OS version, firewall status, and antivirus, all of which are device properties, not user properties. These persist regardless of whom signs in. Not to mention Windows updates.
- Don't mix user and device targeting for the same policy, we’d recommend you to pick one. For shared devices, always go with device group.
- Say you assign a compliance policy to your user group but exclude your Shared-Kiosks (device group). You'd expect kiosks to be excluded, but Intune evaluates group membership asynchronously. The user group inclusion processes first, and by the time the device group exclusion catches up, the policy has already applied. The kiosk gets the policy anyway, potentially marking it non-compliant and blocking access via Conditional Access.
- Instead, you can assign to your user group but add an Intune assignment filter in Exclude mode (e.g., (device.model -contains "Kiosk”). Intune Filters evaluate in real time at check-in.
- Or better yet, create a separate compliance policy assigned directly to your shared devices device group with rules tailored to those devices
- Bottom line: user group + device group exclusion = race condition. Use Intune Filters or separate policies instead.
My Intune friends can add some colors into this.
Hope this helps.