Event details

Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.

Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.

How does it work?

We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.

Post your questions in the Comments early and throughout the one-hour event.

Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.

Pearl-Angeles
Updated Apr 02, 2025

59 Comments

  • HeyHey16K (Iron Contributor)

    In Company Portal, if we disable the device "reset" and "rename" options, will that impact/break anything else?

    • Jason_Sandys (Microsoft)

      There are no known side-effects for doing this. Is there something specific that you are worried about if doing this?

      • HeyHey16K (Iron Contributor)

        Hi Jason, no just wanted to hear it from the Pros - thank you 😊

  • HeyHey16K (Iron Contributor)

    Hey guys, are there any plans to replace the MS Intune Firewall migration tool that stopped working months ago? We are reviewing our FW rules, but it would be great to automatically port them across from GP first (to avoid typos etc.) and then tidy them up. Thank you :)

    • Jason_Sandys (Microsoft)

      There are no plans today for this. In general, we rarely recommend directly lifting and shifting on-prem policy to the cloud or Intune. I appreciate that some orgs have created a large set of complex firewall rules that will be labor intensive to manually recreate in Intune, but part of moving to the cloud and Intune is rationalizing and simplifying your device configuration to reduce overhead and costs as well as troubleshooting complexity (among other things). I also appreciate that this is easy for me to say but not as easy for you to do, but that is the current status.

      • HeyHey16K (Iron Contributor)

        Thank you Jason. You can do it for us if you'd like to 😉🙏

  • nlmitchell (Iron Contributor)

    Intune/Patching query...

    Our team (Win11 24H2) has a Windows Update Ring applied through Intune to configure the OS on our devices for 'Windows Insider Release - Preview'. This was working a treat, and we were receiving preview OS patches each month before they were released into the Retail Channel (all our other devices) on Patch Tuesday, until we applied a Quality Updates policy through Intune enabling Windows Hotpatch. Since this was applied, we receive the 'Hotpatch capable' patches each month, but not the preview patches. Is this expected behaviour? We're hoping it just affects Quality Updates (monthly OS cumulatives) and not feature updates, as 25H2 is due for preview release next month, or at least it has been May for the last few years.

    We are also in the process of enabling Windows Autopatch and trying to ascertain how it all fits together, and Hotpatch is part of that as well. 

    We like the idea of Hotpatching: 8 months of the year, devices receive the security updates with not only a much smaller file size but also without needing to reboot in order to be fully protected, which is much less annoying for the end users. The other 4 months they get the usual monthly cumulative patch, which still requires a reboot to finalise.

    • EricMoe (Microsoft)

      There are a couple of things that you mention in your comment/question so I'll try to address them separately.

      For devices configured with "Get the latest updates as soon as they're available", this will configure them to receive the "D" release. Once a device receives a "D" release, it's off the Hotpatching cycle for the quarter. Hotpatching only updates devices that have the baseline "B" release, so once you install the "D" release, you will not receive a Hotpatch the next month.

      For devices in Windows Insider Preview channels, as they get updates, if the update is hotpatch-capable and applies to the device (it has received the B baseline update and has only received hotpatches since then) it should continue to get hotpatching. There is nothing in the Quality Update policy to receive hotpatches that should turn off receiving the "D" release. Those are managed separately from one another. 

      Hotpatching does not involve Windows 11 Feature Updates.


      We like the idea of hotpatching too!
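      To make the rule in the answer above concrete, here is a small added model (illustrative Python written for this page, not Microsoft's code and not from anyone in this thread) of which update type a device gets in each month of a quarter, depending on whether it has taken a "D" release; the month-of-quarter numbering and the "LCU" label for a standard, reboot-required cumulative are assumptions.

```python
# Constructed model of the hotpatch eligibility rule described in the thread:
# month 1 of a quarter ships the "B" baseline (reboot), months 2 and 3 ship a
# hotpatch only to devices that still sit on that plain baseline, and taking a
# "D" (preview) release drops the device off hotpatching for the rest of the
# quarter. Illustrative logic only, not Microsoft's servicing code.

BASELINE = "B"      # quarterly baseline cumulative, reboot required
HOTPATCH = "H"      # in-memory security update, no reboot
PREVIEW = "D"       # optional preview cumulative ("get latest updates ASAP")
CUMULATIVE = "LCU"  # assumed label: standard monthly cumulative, reboot required


def next_update(installed, month):
    """Predict the release type a device receives in `month` (1..3 of a quarter),
    given the releases it has already installed this quarter, in order.
    Returns (release_type, reason)."""
    if month == 1:
        return BASELINE, "quarter starts with the B baseline"
    if BASELINE not in installed:
        return BASELINE, "no baseline yet; B must be installed before any hotpatch"
    if PREVIEW in installed:
        return CUMULATIVE, "D release installed; off hotpatching until the next baseline"
    return HOTPATCH, "only B and hotpatches installed; device is hotpatch-capable"


def quarter_plan(take_preview_in_month=None):
    """Simulate one quarter. If take_preview_in_month is set, the device also
    pulls the D preview after that month's update (the ASAP/preview ring case).
    Returns a list of (month, release_type)."""
    installed, plan = [], []
    for month in (1, 2, 3):
        release, _reason = next_update(installed, month)
        plan.append((month, release))
        installed.append(release)
        if take_preview_in_month == month:
            installed.append(PREVIEW)  # preview ring grabs the D release
    return plan


if __name__ == "__main__":
    print("B-only device:", quarter_plan())
    print("D after month 1:", quarter_plan(take_preview_in_month=1))
```

      A device that takes the D release in month 1 loses both remaining hotpatches for that quarter, which is the behaviour nlmitchell observed on the preview ring.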

      • nlmitchell (Iron Contributor)

        Thanks for coming back to me.

        Devices within our team have an Update Ring policy stating Windows Insider Preview Channel and patch ASAP. These devices have been receiving the '2025-xx Cumulative Update Preview for Windows 11.......' patches - "D" release.

        When we applied the Hotpatch Quality Update policy to them (with the above one still applied as well), they no longer receive the Preview patches (D), only the Hotpatch stuff - "B" release. So it does seem that it has overridden the devices receiving the D release patches.

        I like the idea of hotpatching and really want to adopt the approach, obviously only for Win11 24H2. Our device estate is approx. 5,500; 500 devices are on 24H2, and one good selling point to move the others to 24H2 (scheduled in a couple of weeks) is to bring along Hotpatching as well - I just want to make sure I've got it right.


        And then there's how we integrate everything with Autopatch; more reading needed on my part on that one :-)

    • CaseyB (Iron Contributor)

      To tag onto this comment -- for Autopatch, after we activate it in Intune, is there no impact from activation alone? That is, we need to populate the groups for Autopatch before anything would be triggered from a patch perspective? We use Update Rings today and are looking at doing some testing with Autopatch -- any suggestions on the best approach for that?

      • EricMoe (Microsoft)

        Hi CaseyB, 

        Start here: Manage Windows Autopatch groups | Microsoft Learn, which walks through how to use and manage Autopatch groups. If you already had Windows Update for Business rings configured, those remain. You can elect to move devices into new rings, or continue using those existing rings. We are trying to reduce the barrier to entry as much as possible.

        One of the biggest advantages of using Autopatch Groups is that you can dynamically allocate devices across rings using percentages of a parent group. You don't need to define the group membership explicitly for every ring. That helps reduce admin overhead and makes long-term management a lot easier.

  • ioanpapita (Occasional Reader)

    PAC Validation - No Kerberos Errors in Mixed Environment (CVE-2024-26248 & CVE-2024-29056)

    According to the security updates described in CVE-2024-26248 and CVE-2024-29056: Managing PAC Validation Changes, after installing the April 2025 Windows security updates, support for Compatibility Mode will be removed, and strict PAC validation will be enforced.

    From what I understand, in a mixed environment where domain controllers are not yet updated, but some Windows clients and member servers are updated, Kerberos authentication issues should occur, due to the mismatch in PAC validation behavior.

    However, in our environment, we haven’t seen any authentication failures so far — everything continues to work normally.

    Can someone please help me understand why no errors are occurring yet? Is Compatibility Mode still somehow active on updated clients or servers? Or is there an enforcement delay that needs to be manually triggered?


    Thank you!

    • EricMoe (Microsoft)

      Hi ioanpapita, 


      The Enterprise Guidance for PAC Validation is published here: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 - Microsoft Support. Please note that after the January 2025 update, all Windows domain controllers and clients were moved to Enforced mode. If you had existing registry keys on your DCs to override the enforced behavior, that override would stay in effect until the April 2025 update. After the April 2025 update, the registry keys won’t override the enforced behavior. As to why no errors are occurring – that would indicate that you don’t have any cross-forest filtering failures in your environment (which is a good thing).

  • LiXuanChen35 (Copper Contributor)

    If we are more familiar with the behavioral characteristics of Windows 10, Windows 8.1, Windows 7 and Windows XP, I hope that Microsoft will release a system UI customization tool specially built for Windows 10 and Windows 11 as soon as possible, called Windows UI Tweaker, to give Microsoft developers an explanation.

    • Pearl-Angeles (Community Manager)

      LiXuanChen35 can you share a bit more about what you're trying to achieve and the goals you're working toward? It'll help us figure out how best to support you!