Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
34 Comments
- MaxMatV, Copper Contributor
Hello,
I’m hoping to get some clarification on an issue related to Secure Boot certificate management through Intune. I previously posted a question in a past forum that may have been missed, so I was hoping this one won't be, given the importance and timing of the upcoming Secure Boot expiry.
This may have already been addressed, but we are still seeing inconsistent results and need guidance on the expected behaviour.
We have an Intune policy configured to enable Microsoft’s management of Secure Boot certificates. Historically, when enabling this policy, it failed to apply with error 65000. At the time, the understanding was that this occurred because a large portion of our laptop fleet consists of Windows 11 Pro devices that are upgraded to Enterprise via user-based licensing at sign-in.
We were advised that this limitation was addressed in a January update, and that Pro-based devices should become supported once their Intune subscription refreshed. Guidance also indicated that this refresh could be manually triggered using:
- ClipDLS.exe removesubscription
- ClipRenew.exe
While these commands do refresh the subscription, a significant amount of time has now passed, and we would have expected this issue to resolve organically as devices checked back in. However, we are still seeing limited readiness across our environment. Currently, only 233 out of approximately 700 laptops report as ready for the upcoming Secure Boot certificate expiration in June.
We are aware that this can be addressed via a registry-based workaround, and we have confirmed through testing that this approach is effective. In fact, the reason our compliance numbers are as high as they are today is due to manually applying this registry update on affected devices. However, our leadership would strongly prefer an official, supported Microsoft solution if one exists, rather than relying on a workaround.
At this point, we’re trying to determine whether this issue is still expected to self-resolve through subscription refresh and normal device check-in, or if we should formally proceed with deploying a mitigation across the fleet, given the approaching June deadline.
Any official guidance, confirmation of expected behaviour, or recommended next steps would be greatly appreciated.
Thank you for your time and assistance.
- Jason_Sandys
Microsoft
Hi MaxMatV, in addition to the service-side licensing issue addressed by the two commands you pasted above, an additional issue was identified in Windows itself that results in the same challenge. This was addressed recently. From memory, this was addressed in 2D/3B (3B = the March cumulative update), but it may have been in 3D/4B (4B = the April cumulative update).
If after installing the latest April CU you are still experiencing issues, please open a support case as this explicit challenge should now be addressed fully and thus would require additional investigation.
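As an added example, not code from the thread or from Microsoft, the following PowerShell reads the Secure Boot db and KEK variables on a device and reports whether the 2023 certificates discussed above are already present alongside the 2011 ones. It assumes an elevated prompt on a UEFI system, and it assumes the certificate subject names listed in the code are correct and can be located as plain ASCII substrings inside the DER-encoded signature lists that Get-SecureBootUEFI returns.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from Microsoft. Reads the Secure Boot db and KEK
# variables and reports whether the 2023 CAs are present next to the 2011 CAs they replace.
# Assumption: the subject names below are correct and appear as plain ASCII inside the
# DER-encoded certificates embedded in the EFI_SIGNATURE_LIST payloads.

function Get-UefiVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI exposes the raw variable payload in .Bytes; CN strings inside the
    # embedded X.509 certs are ASCII, so a substring search is sufficient for this check.
    $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

function Test-SecureBoot2023Readiness {
    if (-not (Confirm-SecureBootUEFI)) {
        return [pscustomobject]@{ SecureBootEnabled = $false; Ready = $false }
    }

    $db  = Get-UefiVariableText -Name 'db'
    $kek = Get-UefiVariableText -Name 'KEK'

    # Subject CNs of the 2023 CAs being rolled out (assumed names) and the 2011 CAs they replace.
    $new2023 = [ordered]@{
        'Windows UEFI CA 2023'                 = $db  -like '*Windows UEFI CA 2023*'
        'Microsoft UEFI CA 2023'               = $db  -like '*Microsoft UEFI CA 2023*'
        'Microsoft Option ROM UEFI CA 2023'    = $db  -like '*Microsoft Option ROM UEFI CA 2023*'
        'Microsoft Corporation KEK 2K CA 2023' = $kek -like '*Microsoft Corporation KEK 2K CA 2023*'
    }
    $old2011 = [ordered]@{
        'Microsoft Windows Production PCA 2011' = $db  -like '*Microsoft Windows Production PCA 2011*'
        'Microsoft Corporation UEFI CA 2011'    = $db  -like '*Microsoft Corporation UEFI CA 2011*'
        'Microsoft Corporation KEK CA 2011'     = $kek -like '*Microsoft Corporation KEK CA 2011*'
    }

    [pscustomobject]@{
        SecureBootEnabled = $true
        Present2023       = @($new2023.GetEnumerator() | Where-Object Value | ForEach-Object Key)
        Missing2023       = @($new2023.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
        Present2011       = @($old2011.GetEnumerator() | Where-Object Value | ForEach-Object Key)
        # "Ready" here means the CA that signs Windows boot components and the 2023 KEK are
        # both in place; the third-party CAs matter only for devices that boot third-party
        # option ROMs or loaders.
        Ready             = $new2023['Windows UEFI CA 2023'] -and $new2023['Microsoft Corporation KEK 2K CA 2023']
    }
}

Test-SecureBoot2023Readiness | Format-List
```

Running this on a sample of the devices that Intune reports as "not ready" and on a few it reports as "ready" gives a firmware-level view to compare against the readiness report, which helps separate a reporting or licensing problem from a device whose db/KEK genuinely has not been updated.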
- lalanc01, Iron Contributor
Hi, is it planned to have the possibility to plan a feature update as Available for x days and then enforced?
For Example, deploy 25h2 on devices and let the user install it when they want for 2 weeks and if they haven't enforce it after that 2weeks.
Currently one of the missing features preventing us from moving to AP for feature updates.
thks
- EricMoe
Microsoft
You can do this today with Autopatch. When you create a Feature Update rollout, you get gradual rollout groups that have a deadline that you set - so you can set a 2 week deadline, and during the period before the deadline they can install it whenever they want. Windows feature updates overview | Microsoft Learn You can also, at any time, create a new Feature Update Deployment and select the option "make available to users as an optional update" and let them install it on their own without setting any specific deadlines, Configure Windows Feature Update Policies - Microsoft Intune | Microsoft Learn
- admin_mike, Copper Contributor
We are currently trying to migrate our AppLocker ruleset from GPO to Intune via OMA-URIs. We have heard there is a size limit of 350 KB for the ruleset size, but our AppLocker GPO size is around 8 MB. Is it possible to increase that limit, or is there another method to ingest the ruleset?
- Jason_Sandys
Microsoft
Hi admin_mike. To the best of my knowledge, this is correct. There are a handful of approaches you can use here to account for this, although keep in mind that GPOs contain a lot of metadata, and thus that 8 MB is probably not truly indicative of the size of the policy. Also, note that from memory, the limit is a policy size limit for OMA-URI and not directly related to AppLocker.
Options to consider:
- Break up the policy into more granular policies and individually target them.
- Review the rules and get rid of stale/outdated ones and/or duplicate ones.
- Move from hash rules (which take up the most space) to publisher-based rules.
- Move to Application Control for Business (fka WDAC). This is probably the recommended approach here as Application Control for Business provides a much stronger level of protection.
Another possibility here is to review your strategy for rules. The general recommendation is to use an allow listing approach instead of a block listing approach. This may reduce the number of rules needed in an environment. This recommendation goes for both AppLocker and Application Control for Business.
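As an added example, not code from the thread or from Microsoft, the following PowerShell measures the effective AppLocker policy on a reference machine against the size limit quoted in the question, shows how many bytes the hash rules account for (the rule type the answer above singles out), and writes each RuleCollection to its own file so collections can be targeted as separate OMA-URI settings. It assumes it runs on a machine where the GPO-based policy currently applies, takes the 350 KB figure from the question rather than verifying it, and relies on the AppLocker CSP accepting a single RuleCollection element as the value for each policy node.

```powershell
# Added example, not code from the thread or from Microsoft. Measures the effective AppLocker
# policy against the OMA-URI size limit quoted in the question, reports which rule types
# consume the bytes, and writes one file per RuleCollection for separate targeting.
# Assumptions: run where the GPO-based policy applies; 350 KB is taken from the question.

function Get-AppLockerPolicySizeReport {
    param(
        [string]$OutputFolder = (Join-Path $env:TEMP 'AppLockerSplit'),
        [long]$LimitBytes = 350KB
    )

    $xmlText = Get-AppLockerPolicy -Effective -Xml
    [xml]$policy = $xmlText
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # BOM-less UTF-8 so file sizes match what a policy payload would actually carry.
    $utf8 = [System.Text.UTF8Encoding]::new($false)
    Write-Host ("Whole effective policy: {0:N0} bytes (limit {1:N0})" -f $utf8.GetByteCount($xmlText), $LimitBytes)

    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        # SelectNodes so an absent rule type counts as 0 rather than a $null element.
        $publisher = $collection.SelectNodes('FilePublisherRule')
        $path      = $collection.SelectNodes('FilePathRule')
        $hash      = $collection.SelectNodes('FileHashRule')

        # Hash rules carry a SHA256 plus source file name and length per hashed file, so
        # they dominate the byte count of most legacy policies.
        $hashBytes = 0
        foreach ($rule in $hash) { $hashBytes += $utf8.GetByteCount($rule.OuterXml) }

        # One file per collection (Exe, Dll, Msi, Script, Appx); the AppLocker CSP takes a
        # single <RuleCollection> element as the value for each of its policy nodes.
        $file = Join-Path $OutputFolder ("AppLocker-{0}.xml" -f $collection.Type)
        [System.IO.File]::WriteAllText($file, $collection.OuterXml, $utf8)

        $bytes = $utf8.GetByteCount($collection.OuterXml)
        [pscustomobject]@{
            Collection     = $collection.Type
            Enforcement    = $collection.EnforcementMode
            PublisherRules = $publisher.Count
            PathRules      = $path.Count
            HashRules      = $hash.Count
            HashRuleBytes  = $hashBytes
            TotalBytes     = $bytes
            FitsInLimit    = $bytes -le $LimitBytes
            File           = $file
        }
    }
}

Get-AppLockerPolicySizeReport | Format-Table -AutoSize
```

The report makes the trade-offs in the list above concrete: a collection whose HashRuleBytes is most of its TotalBytes is the one to convert to publisher rules first, and a collection that already fits the limit can be moved to Intune on its own while the larger ones are still being thinned.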
- BlueSakura, Brass Contributor
We have enabled Teams location settings and are seeing a significant volume of devices reporting that Teams requests location exactly every ONE minute. How can we reduce the constant location requests so it's not every minute?
- Joe_Lurie
Microsoft
BlueSakura Thanks for the question. Because this group is focused on Windows, Intune, and Windows 365, this question is better asked in the Teams forums. I recommend posting that question here: Microsoft Teams | Microsoft Community Hub.
- Heather_Poulsen
Community Manager
Welcome to April's edition of Office Hours! Let's get started.
- ITJMPA, Copper Contributor
With Microsoft Places, does this software work with the Logitech tap room scheduler?
- Heather_Poulsen
Community Manager
Hello ITJMPA - Since our office hours group here is focused on Windows and Intune, I'd recommend that you post this question to the Driving Adoption discussion board.
- lalanc01, Iron Contributor
Is it now supported to enable Smart app control on Windows enterprise managed devices?
Asking because with latest patch, we can now enable it post provision of the device.
thks
- Joe_Lurie
Microsoft
lalanc01 Good question and timely with the recent changes! Starting with the April 2026 update for Windows 11 25H2, Microsoft removed the clean-install restriction — Smart App Control (SAC) can now be toggled on/off from Windows Security > App & browser control at any time, without reinstalling.
So the short answer: you can now enable it post-provision on unmanaged devices, but for enterprise-managed devices, App Control for Business is the recommended path.
- lalanc01, Iron Contributor
Is there a way to know which Internet Explorer policies are still needed/useful for Edge, like trusted/local intranet sites, proxy configs and other configs?
We are currently removing legacy IE policies in order to migrate to Intune config profiles, but we want to make sure they don't impact current Edge users.
thks in advance.
- Joe_Lurie
Microsoft
lalanc01 This comes up a lot during IE-to-Edge migration. Here's the quick breakdown:
- Trusted Sites / Security Zones: These are only honored in IE Mode tabs within Edge. Standard Edge (Chromium) tabs do not use Windows Security Zones. So if you have apps running in IE Mode that depend on Trusted Sites, keep those zone policies. For everything else in regular Edge, they can be removed.
- Proxy settings: Transition to Edge-specific proxy policies via Intune Settings Catalog or Administrative Templates (Microsoft Edge > Proxy settings). The legacy IE/Windows Internet Options proxy settings only apply to IE Mode.
- General guidance: Audit which apps still need IE Mode using the Enterprise Mode Site List. For those apps, keep the relevant IE policies. For everything else, migrate to native Edge policies in Intune and remove the legacy IE settings.
The Settings Catalog in Intune has comprehensive Edge policy coverage that replaces most legacy IE configuration needs.
Hope this helps.
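As an added example, not code from the thread or from Microsoft, the following PowerShell applies the first and third points of the breakdown above: it cross-checks legacy IE security-zone entries against an Enterprise Mode site list and reports which zone entries still back a site that opens in IE Mode (keep those) and which back only sites that now open in Edge (candidates for removal). The site list and zone entries in the block are constructed samples; in production you would load the deployed site list XML and read the zone assignments from wherever your Site to Zone Assignment List policy writes them.

```powershell
# Added example, not code from the thread or from Microsoft. Cross-checks legacy IE zone
# entries against an Enterprise Mode site list so only the entries that an IE Mode site
# still depends on are kept. The site list and zone entries below are constructed samples.

$siteListXml = @'
<site-list version="205">
  <site url="legacyapp.contoso.com"><compat-mode>IE8Enterprise</compat-mode><open-in>IE11</open-in></site>
  <site url="portal.contoso.com/hr"><compat-mode>Default</compat-mode><open-in>MSEdge</open-in></site>
  <site url="timesheets.fabrikam.net"><compat-mode>IE7Enterprise</compat-mode><open-in>IE11</open-in></site>
</site-list>
'@

# Zone 1 = Local intranet, 2 = Trusted sites, as in the Site to Zone Assignment List (samples).
$zoneEntries = @(
    [pscustomobject]@{ Pattern = 'https://contoso.com';   Zone = 2 }
    [pscustomobject]@{ Pattern = 'fabrikam.net';          Zone = 1 }
    [pscustomobject]@{ Pattern = 'https://oldvendor.com'; Zone = 2 }
)

function Get-IeModeHost {
    param([Parameter(Mandatory)][xml]$SiteList)
    # Only sites that open in IE11 (IE Mode) honour Windows security zones; sites that open
    # in MSEdge run in the Chromium engine, which ignores the zone map entirely.
    foreach ($site in $SiteList.'site-list'.site) {
        if ($site.'open-in' -eq 'IE11') {
            ($site.url -replace '^[a-z]+://', '') -split '/' | Select-Object -First 1
        }
    }
}

function Test-ZoneEntryBacksIeMode {
    param([Parameter(Mandatory)]$Entry, [Parameter(Mandatory)][string[]]$IeModeHosts)
    # A zone entry for "contoso.com" also covers every subdomain of contoso.com.
    $domain = ($Entry.Pattern -replace '^[a-z]+://', '') -split '/' | Select-Object -First 1
    @($IeModeHosts | Where-Object { $_ -eq $domain -or $_.EndsWith('.' + $domain) })
}

$ieModeHosts = @(Get-IeModeHost -SiteList ([xml]$siteListXml))

foreach ($entry in $zoneEntries) {
    $hits = Test-ZoneEntryBacksIeMode -Entry $entry -IeModeHosts $ieModeHosts
    [pscustomobject]@{
        Pattern       = $entry.Pattern
        Zone          = $entry.Zone
        KeepForIeMode = $hits.Count -gt 0
        IeModeSites   = $hits -join ', '
    }
}
```

With the sample data, the contoso.com and fabrikam.net entries are flagged as still needed because legacyapp.contoso.com and timesheets.fabrikam.net open in IE Mode, even though portal.contoso.com has already moved to Edge, while the oldvendor.com entry backs no IE Mode site and can be retired along with the legacy policy.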
- lalanc01, Iron Contributor
thks Joe_Lurie
- lalanc01, Iron Contributor
Hi, do the E5 license features like WHFB/AP get removed from devices if no licensed user logs on to a device after a specific number of days?
Asking because we see devices stop getting patched with WUFB/AP when users stop logging on to devices for an extended amount of time. Thks
- Joe_Lurie
Microsoft
Here's how it works:
- Windows Autopatch and Windows Update Client policies are applied to devices via Intune. As long as the device remains enrolled in Intune and has connectivity, policies continue to apply regardless of how often a user logs in. However, if the device loses connectivity or goes offline for extended periods, it won't check in to receive new policies or updates.
- License assignment: M365 E5 licenses are user-based. If a licensed user is removed or the license is unassigned, the device may lose access to features that require that license (like Autopatch enrollment). Group-based licensing in Entra ID can help automate this.
- The scenario you're describing — devices stopping patch compliance when users stop logging in — is more likely related to the devices going offline/not checking in rather than license removal. Check the last check-in dates in the Intune portal for those devices. Devices that haven't checked in for 30+ days won't receive new update policies.
I'd recommend checking the Intune device compliance and last sync dates to narrow down whether it's a connectivity or licensing issue.
- CyberSec26, Occasional Reader
Hello Microsoft Office Hours team,
Is Microsoft anticipating or expecting a higher number of patches going forward due to the emerging threats from Mythos and related advances in AI driven automated vulnerability discovery and exploitation?
Also, where can we find centralized information about out of band patches that are released after patch Tuesday?
Thank you,
- Heather_Poulsen
Community Manager
Hi CyberSec26 - The best place to track out of band updates for Windows would be Windows release health and the Windows message center.