Windows Office Hours: August 17, 2023

Event Ended
Thursday, Aug 17, 2023, 08:00 AM PDT
In-Person

Event details

Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!

Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.

How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.

Post your questions in the Comments early and throughout the one-hour event.

Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.

Heather_Poulsen
Updated Aug 17, 2023

47 Comments

  • We have Autopilot set up to hide most of the OOBE, which works in Windows 10; however, in 11 the users are having to proceed through all of the OOBE and choose work account instead of it greeting them with their name and asking for a password like on 10. Is this something that I haven't done in the configuration to get it to work or is it a bug in Windows 11?
      Hung_Dang
      Microsoft
      It sounds like the device is not able to get an Autopilot profile. There's a myriad of possible causes, but try first to deregister the device, reregister it, and reassign it to the intended groups. If that works, that helps to narrow down causes.
        TheAutisticTechie
        Brass Contributor
        It's affecting all new devices we enrol too. All are connected via Ethernet cable with all the allowlists configured, so network is okay, and the Windows 10 installer works without problems.
  • Welcome to Office Hours for August 2023! We're here for the next hour to answer your questions about configuring, deploying, and managing Windows devices! In the cloud, on prem, maybe a mix of both? Ask us anything!

    jabbrwcky
    Brass Contributor

    Hi guys, thanks for the opportunity to submit a question.

    I run a large network of AAD-joined, Intune-managed, Autopilot-deployed devices.  We've switched to Windows 11 and now I want to phase out enforced password resets since we are largely passwordless with our devices and cloud resources.  Wifi is the weak link as we're still reliant on passwords (via PEAP) so I need to switch to certificates.  I need both device and user certs - the former to provide connectivity from the logon screen and the latter so that users can be identified on the network in the same way as they are currently (this is needed for firewall rules and logging).

    I have created two SCEP profiles (one for user and one for device) plus a wifi profile (using 'user or machine' auth).  This combination seems a tricky one since although the device gets a cert when it's provisioned, the user doesn't (because they don't exist on the device yet).  When the device is handed to a user and they log in for the first time, there's no grace period during which they are allowed to continue using the device cert connection in order to fetch their own cert for subsequent auth; it simply drops the moment they log in.

    Support have responded that this behaviour is by design and there is no configurable grace period or other workaround.  The only alternative we've found is to ensure the availability of a backup network connection on first logon (have the device connected to a dock with an ethernet link) but this is impractical at scale for a large mobile fleet of which less than 10% would be regularly connected to a dock.

    If this is indeed the design, how is it then possible for a user to fetch a certificate at their first logon or renew it at a later point if their cert has expired?

    Thanks!

      ThomasTrombley
      Former Employee
      Hi Chris, great question. I'm going to bring in an additional engineer or three to help us troubleshoot! Thanks for your patience.
        jabbrwcky
        Brass Contributor
        Hey Thomas, was there ever a response on this or is it in the too-hard basket? Thanks!
Date and Time
Aug 17, 2023, 8:00 AM - 9:00 AM PDT