Event details
34 Comments
- Joe_Lurie
Microsoft
HeyHey16K Great question! Today, Fresh Start resets the device to its current OS version and doesn't automatically pull the latest Feature Update during the provisioning flow. Feature Update policies via Windows Update for Business kick in after enrollment and policy sync, so the upgrade happens post-provisioning rather than inline.
We know this creates a gap — especially compared to the Quality Update improvements you mentioned. I don't have a specific roadmap commitment to share today on making Feature Updates download automatically between Fresh Start and Autopilot build, but it's feedback we're tracking. I'd encourage you to submit/upvote this at https://aka.ms/IntuneFeedback so the team can prioritize it.
In the meantime, you can target devices with a Feature Update policy in Intune so the upgrade begins shortly after enrollment completes.
Hey Joe 👋, nice to see you. Thank you for your update - have logged the feedback as requested 😊.
https://feedbackportal.microsoft.com/feedback/idea/b6fd3e6d-9539-f111-9a91-000d3a05c4f5
Is there anything on your roadmap for an optional setting to automatically download the latest Feature Update somewhere between Intune Fresh Start and Autopilot starting the build (like you have done - thank you - for Quality Updates recently) please?
Hey guys 👋,
Do you have an ETA yet when W11 multi-app Kiosk mode will be natively managed by Intune (instead of just using Intune to deploy the Assigned Access XML) please?- Jason_Sandys
Hi HeyHey16K, This is still in the backlog and has not been prioritized for work in the near future so no, no ETA exists.
Thank you for the update Jason 😊
We have Windows Update configured within Intune utilising deferral, grace and deadline settings. At the moment they are setup as per what feels best for us, including a Pilot and Production Ring. We have also configured WUfB notifications (Auto Restart 240 minutes & User Dismissal).
We are being pushed to enable users to defer these reboots if they are in "presentation mode" / on Teams calls. Is there any way to make Intune deadline reboots take note of local settings such as NoRebootWithLoggedOnUsers? Or for the reboot functionality to check User Status prior to forcing a reboot?
This is mostly an issue with users who return from vacation and deferral, grace and deadline has already passed and they get hit with the updates and reboot immediately.
- Joe_Lurie
drobinson This is a common question. Here are the best levers available today:
- Intelligent Active Hours: Enable this in Intune — it automatically adjusts active hours based on each device's usage patterns, which helps prevent reboots during typical work/meeting times
- Short deadline but + generous grace period: Grace period is what governs how long after going 'pending reboot' the device is forced to restart. This means that user meetings, presence, etc. will all be honored until grace period is hit.
- Active Hours max range: Can be set up to 18 hours, covering most work schedules
The honest answer is that once all deferral + deadline + grace windows are exhausted, the reboot will happen regardless of user activity. The best strategy is making the windows generous enough that users rarely hit the hard deadline, and Intelligent Active Hours keeps the forced restart outside their normal working pattern.Thanks for the reply.
Deadline being restricted to a max of 7 days is part of the issue (be good if this could be extended to 30 days). Another improvement would be if you could have deadline without a grace period (confusingly 0 in grace is not "off" it is "no time at all"
In the UK it is common for people to take 14 or even 21 days off. This often means that if they start a vacation on the last day of deferral even an extended deadline and grace period expire while they are off so they get hit with the updates immediately.
Setting AutoRestart to 240 minutes (would be great of this was extended to 480 minutes) and forcing user dismissal of notification are also great levers.
We are currently trialling Enterprise App Management in Intune - what is the process for getting applications added to the Catalog that are missing. I can see requests in the Community Feedback for apps to be added, but some requests are nearly a year old and no sign of the app appearing in the Catalog.
Also, we noticed that there was a Private Preview running recently - "Auto-updating for EAM catalog apps" - 6-8 weeks from the 27th January. Are you able share any updates on this please? We currently use a third party product that handles automatically updating apps based on criteria that we specify. We want to move to EAM to avoid a license renewal cost, but automatically updating apps would be a key requirement for us. Seems the way currently would be to manually review the 'Enterprise App Catalog apps with updates' report in Intune and take action based on those results?
Any help appreciated as always.
- Joe_Lurie
nlmitchell As you point out, we are using the Community Feedback as the location to request apps be added to the catalog. When you go to https://aka.ms/IntuneFeedback, make sure you upvote the apps you want added, or add feedback for the apps if they aren't there already. We have been focusing our time on auto-updates and other enhancements to EAM but will start adding more products into the catalog soon.
Re: Private Preview of Auto-updating apps, the preview is ongoing and the feature is expected to be GA in late Q2/early Q3 of this calendar year. We'll share more info on how the updates will work once that is generally available. But we'll still also offer manually updating the apps the way you do it today via the report and supersedence.
We're currently dealing with an issue trying to implement some settings in our tenant via Intune settings catalogs. When applying the settings catalogs to test groups of devices, either some or all of the devices will fail to have the settings applied.
For example, one setting we are trying to deploy is "RequirePrivateStoreOnly". These settings are compatible with Windows 11 Enterprise, but not Pro. Assigning a user to a O365 Business Premium license should automatically upgrade their SKU to Win11 pro, but instead on one device it's still showing Enterprise in Intune but displaying "Windows 11 Business" on the device. On another device, it shows Pro in Intune, but displays as "Business" on the device, and the second device doesn't apply this CSP (as expected). I would expect these devices to downgrade to Windows 11 Pro based on the license included in the Business Premium SKU, but the fact that it's changed to Windows 11 Business on the device while still showing up as Enterprise in Intune makes me concerned that certain CSP policies will not apply correctly/consistently.
There have been a few other forum discussions around the topic of Windows 11 "Business" SKU, which seems to not exist in any Microsoft documentation. Can you confirm which version of Windows is included in the Business Premium license and what we should expect for workstation license activation after assigning that license to a user? Do we need to manually switch the activation key for workstations we want running Windows 11 Pro?
- Joe_Lurie
cdadm Great question and I understand the confusion. Microsoft 365 Business Premium includes licensing rights for Windows 11 Pro — there is no official "Windows 11 Business" edition/SKU in the Windows product lineup. What you're likely seeing is a display inconsistency.
When a device is activated via subscription with M365 Business Premium, Windows may report the edition name differently depending on where you look (Settings app vs. Intune vs. winver). The underlying edition should be Pro, and CSP policies compatible with Pro should apply correctly.
A few things to check:
- Run slmgr /dli on the affected devices to confirm the actual activated edition.
- Ensure the devices had a qualifying base license (Windows 10/11 Pro) before the M365 Business Premium license was assigned — subscription activation upgrades Pro, but won't upgrade Home.
- The device showing "Enterprise" in Intune but "Business" locally may have a stale record in Intune — try syncing the device.
If the base OS is actually Pro and policies like RequirePrivateStoreOnly still aren't applying, check the CSP documentation for that specific policy's edition requirements, as some settings require Enterprise. M365 Business Premium does not grant Enterprise — you'd need M365 E3/E5 or a standalone Windows Enterprise license for that.
Fantastic clarification, thank you Joe! Would be interested in seeing this get updated in the documentation so there is a clear understanding of where we would see Pro vs Business, because I can see this question coming up again when someone sees their edition as "Business".
