Inside Intune: Live AMA with product leaders
Event details
Kick off Tech Community Live with updates and insights from Microsoft Intune engineering leaders. They’ll walk you through where Microsoft Intune and the Microsoft Intune Suite are today, discuss trends in feedback from customers and partners, and outline the vision for the Intune roadmap.
Speakers: Maayan Bar-Niv & Jason Roszak
Moderator: Matt Call
This event is part of Tech Community Live: Intune edition.
I'm in! How do I sign up?
Select “Add to calendar” to save the date, then click the “Attend” button to save your spot, receive event reminders, and participate in the Q&A. If you can’t make the live event, don’t worry. You can post your questions in advance and catch up on the answers and insights later in the week. All sessions for this Intune edition of Tech Community Live will be recorded and available on demand immediately after airing.
This event will feature AI-generated captions during the live broadcast. Human-generated captions and a recap of the Q&A will be available by the end of the week.
Where do I post my questions?
Scroll to the bottom of this page, and select “Comment.”
3 Comments
- TechThil (Copper Contributor)
Known issue with macOS LAPS and FileVault recovery key access on user-based supervised devices enrolled via ABM and Intune?
We have macOS devices enrolled as user-based supervised in combination with Apple Business Manager (ABM) and Intune. These devices have a primary user with a Secure Token, but no admin rights. We want to enforce FileVault disk encryption, which requires local admin rights for initial setup. To handle this, we recently deployed LAPS accounts that are used to activate FileVault, with the recovery key escrowed to Intune and the user's Company Portal. However, we discovered a security gap: the user can access the recovery key at any time through the Company Portal, boot the Mac into recovery mode, and use the recovery key to reset the LAPS account password. This effectively bypasses the LAPS process and grants the user local admin access through the LAPS account.
One alternative could be to not export the recovery key to the Company Portal, but currently it is all or nothing; there's no option to manage Intune and user Company Portal separately. A good improvement would be to have separate controls for these escrow locations.
We have tested this behavior under macOS Sequoia 15.6.1 and we will test under macOS Tahoe 26 soon. If the situation changes in the newer version, we will update this post accordingly. Is this issue already known in the community? How is it expected to be addressed in the future to prevent this security loophole?
- Marrkku (Copper Contributor)
New features have been great, I’d like to see a focus now on optimising what we already have. There has been talk for years now of improving reporting, which is most important for me. If I can’t trust the reports it’s difficult to trust everything else. Seeing error counts for “System” is just annoying, seeing app install “error” for iOS apps that simply haven’t updated yet is annoying. Small changes like this would make me happy.
- PetterHaa (Copper Contributor)
Hi, and thanks for doing the AMA, really appreciate it!
I have a couple of questions:
1/ What is the status on improving compliance policy speed and accuracy, especially for Windows devices? There have been talks about moving or re-coding it to "Intune fast lane", a modern architecture for Intune. Reason for asking is that sometimes it takes too long for users to get their devices compliant. Even though they are compliant locally on the device, the time it takes before Intune understands and lets Entra know (which is required due to Conditional Access) can be long, resulting in Service Desk calls and tickets, and unproductive users.
2/ When will we see pre-provisioning for Device preparation for physical devices like the standard laptops? We would like to test it and use it, and hopefully move over from current Autopilot solution (which amongst others lacks good insights/reporting). Getting devices more or less ready to use for our users after user driven enrollment, like they are used to from SCCM, is important in our use case. Hence the need for pre-provisioning.
Would also love to see a bit more focus on the enrollment process for Windows devices in general, as from what I have seen it is one of the major pain points when going cloud native. There have been too many hiccups and potential for hiccups (users not connecting the power adapter and being informed about it, closing and opening the laptop lid/power settings, time zone and so on).