Event details

Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.

Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.

How does it work?

We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.

Post your questions in the Comments early and throughout the one-hour event.

Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.

Heather_Poulsen
Updated Jun 23, 2025

40 Comments

  • HeyHey16K
    Iron Contributor

    It would be great if there was an Entra section that showed everything (policies, apps etc.) assigned to a group 🙏

    Thank you for your help this year and happy holidays everyone 🎉

    • Jason_Sandys
      Microsoft

      Hi HeyHey16K​,

      I agree. There's nothing to share on this at this time but there is an item in the backlog to provide this type of view. From memory, there are community solutions that can do this that leverage Graph API.

  • HeyHey16K
    Iron Contributor

    Hey guys 👋,

    Looking forward to the inclusion of Windows Quality Updates in Autopilot from January. Are there any plans to include an option for Feature Updates too in this please?

    • Jason_Sandys
      Microsoft

      Hi HeyHey16K​,

      There are no committed plans for this. This is something we also have a desire for but adds a great deal of complexity and has thus not been funded. In general, ensuring the OEM/vendor is using the latest media available for provisioning devices can address not having this but fully understand this doesn't address every possible scenario.

  • KamS
    Copper Contributor

    I have a question about Out-of-band (OOB) releases. Is there a way to receive an email notification if an OOB has been made available?

    How does an IT department become aware of an urgent OOB that needs to be applied to Windows laptops?

    • EricMoe
      Microsoft

      Hi KamS​  We publish Out-of-Band update notifications to the Microsoft 365 Admin Center (https://admin.cloud.microsoft/?#/MessageCenter). You can filter notifications by Service (in this case Windows) to see all announcements including Out of Band Updates. If your M365 Admins have granted you access to the message center, you should be able to see all notifications. To programmatically get notified, we offer a Graph endpoint - the documentation for this starts here: https://learn.microsoft.com/en-us/graph/api/resources/service-communications-api-overview?view=graph-rest-1.0 
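
One way to poll the Graph endpoint mentioned in the reply above, as an added example that is not part of the original thread or Microsoft's own code. It assumes the service name "Windows" as in the Message Center filter and that OOB announcements can be recognised by wording in the title or body; the sample messages and their IDs are constructed.

```python
import json
import re
import urllib.request

MESSAGES_URL = "https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/messages"
# Assumption: OOB announcements are recognisable by this wording in title or body.
OOB_PATTERN = re.compile(r"out[- ]of[- ]band|\bOOB\b", re.IGNORECASE)

def fetch_messages(token, url=MESSAGES_URL):
    """Yield every message center post, following @odata.nextLink paging.
    The token needs the ServiceMessage.Read.All permission."""
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def new_oob_messages(messages, seen_ids, service="Windows"):
    """Return unseen posts for `service` that mention an out-of-band update.
    `seen_ids` is updated in place so repeated polls alert only once."""
    hits = []
    for msg in messages:
        if service not in msg.get("services", []):
            continue
        text = msg.get("title", "") + " " + (msg.get("body") or {}).get("content", "")
        if not OOB_PATTERN.search(text) or msg["id"] in seen_ids:
            continue
        seen_ids.add(msg["id"])
        hits.append(msg)
    return hits

# Constructed sample in the shape of the endpoint's "value" array (IDs are placeholders).
SAMPLE = [
    {"id": "MC000001", "title": "Out-of-band update available", "services": ["Windows"]},
    {"id": "MC000002", "title": "Out-of-band fix released", "services": ["Exchange Online"]},
    {"id": "MC000003", "title": "Feature rollout schedule", "services": ["Windows"]},
    {"id": "MC000004", "title": "Update available", "services": ["Windows"],
     "body": {"contentType": "html", "content": "<p>An OOB update resolves the issue.</p>"}},
]

if __name__ == "__main__":
    for m in new_oob_messages(SAMPLE, set()):
        print(m["id"], m["title"])
```

In a scheduled job, pass `fetch_messages(token)` instead of `SAMPLE` and persist `seen_ids` between runs before forwarding the hits to email or chat.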

      • KamS
        Copper Contributor

        EricMoe​ is there an Entra role that will allow me to see the message centre?

  • stdcsb
    Brass Contributor

    Autopilot & Hybrid-Joined devices: I've noticed that while Microsoft has promoted that Autopilot is definitely an option for those customers with Active Directory interested in moving to the cloud, I've also noticed Microsoft has also frequently and strongly recommended against this. My question is what are the known issues behind Microsoft's recommendation to avoid using Autopilot for hybrid-joining devices?

    • HeyHey16K
      Iron Contributor

      We have been using Autopilot and Hybrid Join for years (don't read this Microsoft 😉) without issue. We want to move to pure-cloud eventually once our blockers are eliminated.

    • Joe_Lurie
      Microsoft

      stdcsb​ There are a number of reasons where Entra-joined is better than hybrid-joining a device. Mainly, the device works anywhere there is an internet connection: whether in the office or out of the office, and you can enable Conditional Access, MFA, and other Zero Trust principles even without relying on an on-prem infrastructure.

      To your question on what are the known issues with Hybrid-joining during Autopilot that make us recommend Entra-joined instead, there's only one main issue and that's the VPN configurations necessary to enable Hybrid-joining during Autopilot. But the reason for our recommendation isn't so much an Autopilot reason but more of a 'moving from hybrid joined to Entra-joined requires a device reset' and since Autopilot is provisioning a brand-new or resetting an existing device, this is the perfect place to take advantage of the new device being Entra-joined. And once it's Entra-joined, then you get the other benefits, such as those I listed above.

      • Jason_Sandys
        Microsoft

        Also check out Success with remote Windows Autopilot and hybrid Azure Active Directory join | Microsoft Community Hub. This is an older blog post I wrote and although it's called "Success with", the bottom-line message is that there are known friction points that will increase your deployment effort, your cost of implementation, and long run pain in general. We've heard from many customers over the years that they wish they would have simply skipped hybrid join and instead applied the effort and costs to the long-term solution of Entra join in the first place. Every customer and scenario is different ultimately so this may not be the correct answer for your org, but factoring in the additional costs and effort should be done. If you feel you must implement hybrid-join for any reason, we strongly suggest you stick with a legacy provisioning process like ConfigMgr OSD.

  • Petr_Falc
    Copper Contributor

    When users attempt to unlock a locked Cloud PC using the Windows app, they have the option to switch from a password to a PIN for unlocking. Is it possible to configure PIN as the default unlock method for all users in these scenarios?

    • Phil_Urban
      Microsoft

      You should be able to achieve this with a Conditional Access policy that targets Windows 365 (or AVD) and requires Passwordless MFA.

       

      For full transparency, I haven't validated this configuration.