Thanks everyone, for your participation in this UEM session! Below are the questions the panelists discussed live, along with associated timestamps: 

Question – From a product and engineering perspective, what are the best practices for designing Intune configuration profiles upfront—around scoping, modularity, and ownership—to minimize long‑term technical debt when new or unexpected scenarios emerge after hundreds of profiles are already in production? – answered at 6:17.

Question – Currently there is a nice preview feature to run remediation scripts manually on individual devices. Is there a way to run a remediation script manually to a number of devices, like a bulk action. – answered at 10:18.

Question – What are you most excited about that’s coming soon or has landed recently? – answered at 11:22.

Aria mentioned new Autopatch reports. Where is Autopatch alert and management status data sourced from, and how often is it refreshed? – answered at 13:48.

Question – What are best practices for avoiding policy conflicts and sync delays? – answered at 15:51.

Question – Where can we find the Autopatch report endpoints in Graph? – answered at 18:02.

• For more info, go to this MS Learn article: adminWindowsUpdate resource type. 

Question – What is the best way to manage Win32, Store, and LOB apps together? – answered at 18:37.

• Read Pavan blog recently published: Our commitment to Windows quality | Windows Insider Blog.

I sometimes have a feature update fail to install because of problems with the component store.  Often "DISM /Online /Cleanup-Image /RestoreHealth" can't fix the issue.  Please provide a command line or PowerShell way to start a "Fix Problems using Windows Update" repair which will rebuild the component store.

Secure Boot reporting is useful. It was a bit late to the party, June is coming up fast, but it's appreciated. How can it be we can't filter or sort on the Certificate Status column, which is what tells us the devices we need to action. That seems like a big miss?

Couple of things I'd like to see:
(1) Requirements for an Application has an option for OS version. Still waiting for 25H2 to appear as an option. It's been months. How can this be? You know when 25H2 is launching ahead of time.
(2) Conflict resolution. It's very hard to manage policy without creating conflicts, and it's hard to find them, resolve them. It'd be nice to have the portal help us avoid and fix conflicts.

Will there be a commitment to ensure that when Group Policies are changed by Microsoft (either newly released or updates to existing ones are made) that there will be a matching Intune CSP (or at the least, OMA-URI) published for it? I keep finding fairly new Microsoft policies with GPOs but no CSPs (see 

https://github.com/microsoft/vscode/issues/242922 for an example with VS Code).

Thanks for joining today’s session on “Unpacking Endpoint Management: Live from Tech Takeoff 2026” at Microsoft Technical Takeoff. Q&A will remain open through Friday so keep your comments and questions coming! Up next: Azure Virtual Desktop for hybrid environments.

 

Don't forget Winget to manage apps.

In my environment we have hundreds of computers filled with seasonal employees, so we implemented DEM account; however, the DEM account device limit goes off of Entra device limit setting. 
DEM was used to fix the compliance issue of non active users making the device non compliant (can only change primary user not enrolled user)

Now we have to set Entra to 200 device limit, which is not ideal for security

I want to see that

What's a best practice on Intune managed devices records and Entra ID device records alignment? We found that the devices are removed from Intune but the device records are still in Entra ID and identified as stale devices.