Event details
Kick off Tech Community Live with updates and insights from Microsoft Intune engineering leaders. They’ll walk you through where Microsoft Intune and the Microsoft Intune Suite are today, discuss trends in feedback from customers and partners, and outline the vision for the Intune roadmap.
Speakers: Maayan Bar-Niv & Jason Roszak
Moderator: Matt Call
This event is part of Tech Community Live: Intune edition.
25 Comments
- ChrisAugustin
Copper Contributor
Thanks for the session.
Directionally, will Intune provide business insight into who is using a computer compared to who enrolled / set up the computer?
Config Man had user device affinity, while Intune does not.
Will this be changed? Many businesses, like mine, need this functionality and the response from MS has been to script it ourselves.
- Pearl-Angeles
Community Manager
Thanks for your question! The panelists covered this at around 12:35.
- Heather_Poulsen
Community Manager
Welcome to Tech Community Live! Let's get started. Post your questions here in the comments.
- AndrewHoffman
Brass Contributor
Are there any plans to bring Adobe Reader and Acrobat apps to the Enterprise App Catalog?
- Joe_Lurie
Microsoft
AndrewHoffman Thanks for joining the AMA and for the question! Plans? Yes. But not immediate plans. There're technical reasons that we haven't included Adobe Reader. While we work through those technical issues, we are able to add more apps and features to Enterprise App Management (EAM). But hopefully we'll be able to add Reader as well. But it won't be immediately.
- AndrewHoffman
Brass Contributor
Thanks Joe! Appreciate the response!
- jman315
Copper Contributor
My organization is focused on implementing a robust Configuration as Code (CaC) methodology for Microsoft Intune. Our primary objective is to automate the full lifecycle management of configuration policies, including importing, exporting, comparing, and achieving environment parity (i.e., drift detection and automated backup/restore).
We are also seeking a better means of updating and rapid deployment of frequently changing configurations, similar to the functionality seen with Apple's Declarative Device Management (DDM).
Additionally, there is a need to streamline repetitive operational tasks, specifically around application management such as reliable Win32 application packaging.
We recognize that the community currently relies on workarounds, as we have: utilizing projects on GitHub and attempting to create our own PowerShell scripts executed via GitHub Actions.
We are hoping that Microsoft product experts would weigh in on the ability to support enterprises moving in this direction, discuss the pros and cons of a CaC methodology, and whether there is anything on the Intune product roadmap on this topic. Below are several additional questions for your consideration.
1. Beyond the current Graph API, is Microsoft planning a native declarative Configuration as Code solution (e.g., a declarative JSON model, or state-aware tool) to manage Intune resources? We are looking for a solution that handles state management and idempotency natively, minimizing our need for custom drift detection logic.
2. Recognizing the community's reliance on custom scripting to fill some of these management gaps, are there plans to introduce a native framework or feature set that resolves this complexity? Would such a solution leverage future AI capabilities?
- Dave Randall
Microsoft
Take a look at Microsoft 365 Desired State Configuration. This is what's available today, but of course, your point is well taken that AI should be able to help easily define scripts or code to manage state and configuration.
- TechThil
Copper Contributor
Title: Known issue with macOS LAPS and FileVault recovery key access on user-based supervised devices enrolled via ABM and Intune?
Body:
We have macOS devices enrolled as user-based supervised in combination with Apple Business Manager (ABM) and Intune. These devices have a primary user with a Secure Token, but no admin rights. We want to enforce FileVault disk encryption, which requires local admin rights for initial setup. To handle this, we recently deployed LAPS accounts that are used to activate FileVault, with the recovery key escrowed to Intune and the user's Company Portal.
However, we discovered a security gap: the user can access the recovery key at any time through the Company Portal, boot the Mac into recovery mode, and use the recovery key to reset the LAPS account password. This effectively bypasses the LAPS process and grants the user local admin access through the LAPS account.
One alternative could be to not export the recovery key to the Company Portal, but currently it is all or nothing; there's no option to manage Intune and user Company Portal separately. A good improvement would be to have separate controls for these escrow locations.
We have tested this behavior under macOS Sequoia 15.6.1 and we will test under macOS Tahoe 26 soon. If the situation changes in the newer version, we will update this post accordingly.
Is this issue already known in the community? How is it expected to be addressed in the future to prevent this security loophole?
- Marrkku
Copper Contributor
New features have been great, I’d like to see a focus now on optimising what we already have. There has been talk for years now of improving reporting which is most important for me. If I can’t trust the reports it’s difficult to trust everything else. Seeing error counts for “System” is just annoying, seeing app install “error” for iOS apps that simply haven’t updated yet is annoying. Small changes like this would make me happy.
- PetterHaa
Copper Contributor
Hi, and thanks for doing the AMA, really appreciate it!
I have a couple of questions:
1/ What is the status on improving compliance policy speed and accuracy, especially for Windows devices? There have been talks about moving or recoding it to "Intune fast lane", a modern architecture for Intune. Reason for asking is that sometimes it takes too long for users to get their devices compliant. Even though they are compliant locally on the device, the time it takes before Intune understands and lets Entra know (which is required due to Conditional access) can be long, resulting in Service Desk calls and tickets, and unproductive users.
2/ When will we see pre-provisioning for Device preparation for physical devices like the standard laptops? We would like to test it and use it, and hopefully move over from current Autopilot solution (which amongst others lacks good insights/reporting). Getting devices more or less ready to use for our users after user driven enrollment, like they are used to from SCCM, is important in our use case. Hence the need for pre-provisioning.
Would also love to see a bit more focus on the enrollment process for Windows devices in general, as from what I have seen it is one of the major pain points when going cloud native. There have been too many hiccups and potential for hiccups (users not connecting power adapter and being informed about it, closing and opening laptop lid/power settings, time zone and so on).