Windows Office Hours: August 21, 2025

We use AutoPatch and overall, it's a really great product with a high success rate.  But when it doesn't work, trying to figure out "why" is a huge chore and quite a pain.  For example we have modern workstations that meet all the requirements of Windows 11, are enrolled in AutoPatch and show as Ready, are part of the update rings and feature update rings, yet they do not get Windows 11.  There is no clear single pane of glass that says why, and even after we hunt, we have little to no information.  For example a device might show as having an alert of "RestartIssue" - but the user in question is getting quality updates and restarts on the regular, so what exactly does this mean and how do we remediate?  The other big one is "SafeGuard Hold".  Can the interface be updated to tell us what the hold is? It's not clear at all and not mentioned in logs, the only way to get the information is to actually reach out to the user, connect remotely to their machine and interactively run setupdiag.exe or mount win11 ISO and begin the process.  Using those methods it will finally tell us what exactly is the issue (driver version etc...).  Why can't this data just be available in InTune portal when looking at a machine?  If we could view the reason for a SafeGuard Hold remotely that would be HUGE as we could then remediate remotely and not have to bother the users.