Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
- Heather_Poulsen
Community Manager
That's a wrap for Office Hours today! We'll see you next month! Visit https://aka.ms/Windows/OfficeHours to see future dates and add them to your calendar.
- BarbaraW Copper Contributor
We are looking for a solution to ensure that Windows-integrated Microsoft Store apps, such as Calculator and Notepad, are regularly updated even if the user does not actively use them, as IT Security classifies these apps as a security risk.
- EricMoe
Microsoft
BarbaraW Store apps should automatically update unless the policy Turn off Automatic Download and Install of Updates has been enabled. Add Microsoft Store Apps to Microsoft Intune - Microsoft Intune | Microsoft Learn
- RyanSteele-CoV Steel Contributor
EricMoe I don't believe this is the case when the app is never used. An old version remains installed in the C:\Program Files\WindowsApps folder. I've seen this myself in my org. I would also like clarification on this.
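An added check for the situation discussed above (example code written for this page, not from the thread or from Microsoft): it lists every installed copy of selected inbox Store apps for all profiles, reads whether the "Turn off Automatic Download and Install of updates" policy is set, and can ask the Store agent to scan for updates. The package names, the registry value meanings (2 = updates off, 4 = on) and the WMI bridge call are assumptions to validate in your own environment; run it elevated, or as SYSTEM (for example as an Intune remediation script) if you use the scan switch.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
function Get-InboxStoreAppUpdateState {
    param(
        # Constructed sample list of inbox apps mentioned in the question.
        [string[]]$PackageNames = @('Microsoft.WindowsCalculator', 'Microsoft.WindowsNotepad'),
        [switch]$TriggerScan
    )
    # Assumed policy mapping: AutoDownload 2 = automatic Store updates turned off, 4 = turned on.
    $policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $autoDownload = (Get-ItemProperty -Path $policyKey -Name AutoDownload -ErrorAction SilentlyContinue).AutoDownload
    $updatesBlocked = ($autoDownload -eq 2)

    $apps = foreach ($name in $PackageNames) {
        # -AllUsers also returns copies staged for profiles that never launched the app,
        # which is where stale versions in C:\Program Files\WindowsApps show up.
        foreach ($p in (Get-AppxPackage -AllUsers -Name $name)) {
            [pscustomobject]@{
                Package  = $p.Name
                Version  = $p.Version
                Location = $p.InstallLocation
            }
        }
    }

    if ($TriggerScan) {
        # Assumed: UpdateScanMethod on the MDM bridge class asks the Store agent to check for updates now.
        Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
            -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
            Invoke-CimMethod -MethodName UpdateScanMethod | Out-Null
    }

    [pscustomobject]@{
        AutoUpdatePolicyValue  = $autoDownload
        UpdatesBlockedByPolicy = $updatesBlocked
        Apps                   = $apps
    }
}

# Report only; add -TriggerScan to request a Store update scan as well.
Get-InboxStoreAppUpdateState | Format-List
```

Several rows with different versions for the same package indicate older copies still present alongside the current one, which is the condition to watch for in a compliance report.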
- BarbaraW Copper Contributor
We still see an issue that updates arrive on devices where they should be paused. And the other way around, that they should appear but never get there. Will the patch process be optimized within Intune?
- Jason_Sandys
Microsoft
Hi BarbaraW. I can't specifically comment on devices receiving updates that should be paused. Please open a support case to help dig into this.
As for additional "optimizations", a new feature should be launching later this month (all 9 more days of it), called Windows Autopatch Update Readiness. This was announced at Ignite late last week and will add a whole new set of tools to ensure your devices are ready to receive updates and help you troubleshoot and resolve issues with any of them getting updates. Look for more info on this soon (or search up the sessions from Ignite for info as well).
- BrienB1085 Copper Contributor
New Outlook has a dependency on webview2 being up to date. All of our new Surface Laptop 7 are coming out of Autopilot with a version of webview2 that is too old and results in New Outlook prompting the user to update it. This results in an admin prompt as updating webview requires admin. How do you suggest we address this?
- Joe_Lurie
Microsoft
BrienB1085 There're details here that we don't have so we can't give an official answer - details like which OS version is installed; what version of Microsoft Edge; how are Edge updates delivered to the device, etc... but here is our official guide on enterprise management of WebView2 Enterprise management of WebView2 Runtimes - Microsoft Edge Developer documentation | Microsoft Learn.
Hopefully this helps to keep WebView2 up-to-date.
- MaxMatV Copper Contributor
My next question is:
We have moved our endpoint fleet to an Autopilot V2 (Device Preparation) model. We have Surface devices which all log in using APV2 and it works exceptionally well.
Except for one major caveat.
Anyone who uses APV2 knows it only works as long as there's no hash/APV1 as APV1 trumps APV2.
We have had Surface devices die on us that are still under warranty. If we were to use the Surface portal to warranty claim anything, registering a Surface device automatically registers it for APV1. This is counterproductive: this device now has a hash, and once we attempt to log into it again, APV2 stops working (all of our policies are based around APV2 now). Not only that, but if we remove the hash again, the history of our warranty for our devices is removed.
We did contact support about this issue, and we got a collective shrug from all agents and escalated managers who were involved and were told to provide feedback. This is very poor service on Microsoft's part.
- Joe_Lurie
Microsoft
MaxMatV You are correct that today Autopilot device registration will win over Autopilot Device Preparation (AP-DP) policies. We are working on a new AP-DP feature to reverse that. I can't give any ETA or details here (in this public forum), but if you join our Management Advisors (formerly Customer Connection Program, or CCP) we've been sharing details there. If you are not a member, go to https://aka.ms/SecurityAdvisors/Join.
- MaxMatV Copper Contributor
My first question is in regards to Global Secure Access. I could not find a place to submit feedback for this but every time GSA updates (which I have to watch), we have to deploy it as a W32 application. It would be very helpful if Global Secure Access could have an auto updater built into it. Many agents that we install (Sentinel1 for example) have autoupdating methods. It would be a lot more convenient for system admins if we could have this application update itself without us having to redeploy it every time.
(And no, I don't accept Microsoft Intune Enterprise Application Management as a solution as it incurs an extra cost. Even later when it's built into E5 licensing leaves our F3 licenses without a solution that doesn't cost extra)
Thank you
- William Rady Occasional Reader
I have numerous end-users that utilize the New Outlook. Are there plans to provide an uninstall for the old Outlook?
- Phil_Urban
Microsoft
If you want to do this as part of a separate management motion, you could re-deploy office with the remove tag for outlook. See this doc Configuration options for the Office Deployment Tool - Microsoft 365 Apps | Microsoft Learn
- EricMoe
Microsoft
William Rady - no plans or timeline at this time. You can provide feedback through New Outlook that you are looking for this.
- William Rady Occasional Reader
Thanks - Sad that this is not in the pipeline yet 🙂
- SpeedyGonzalez Occasional Reader
On the Managed Apps section on the device page, can we have the option to trigger an install? This would be especially useful for iOS devices.
- Joe_Lurie
Microsoft
SpeedyGonzalez Thanks for the question. Today, the only way to trigger the installation when it's not assigned to a user/device, is to add the user/device to a targeted group. If you are asking if there is a way to push the app to a user/device without targeting a group, please add that feedback in our https://aka.ms/IntuneFeedback. If the feedback is already there (likely) please 👍the feedback instead of creating it anew.
- nlmitchell Iron Contributor
Win32 App in Intune - once you have wrapped content (scripts, .exe's, .msi's, etc.) into an .intunewin file and uploaded it into Intune land as part of the App creation process, is there a way of retrieving that file and its content? I'm thinking along the lines of an engineer not storing the content locally somewhere in a file repository, not documenting it properly, or even if they leave the organisation.
Also, where does it store that content? Is it within the organisations tenant or somewhere else?
- Jason_Sandys
Microsoft
Hi nlmitchell,
Today, there is no supported way to do this. It is technically possible with enough in-depth knowledge of the process. There is an item in our backlog to provide a formal capability to do this but it has not been prioritized. Please provide feedback through the console or the feedback hub as this helps us define the priority for our feature work.
- nlmitchell Iron Contributor
Thanks Jason_Sandys, would be handy I must admit. Once it's wrapped into the .intunewin file and the app creation has gone through, you're relying on local knowledge of what was in it... or good documentation. Having the ability to retrieve the content would put less reliance on the 'human' part of the process :-)
- Dan Alvarado Copper Contributor
I am about to enable the Secure Boot policy via Intune - specifically "Enable Secureboot Certificate Updates = Enabled". I am 99% sure this will not have an adverse effect on devices with BIOS not ready or where certificate import fails. I'd like to confirm that is still the case.
- HeyHey16K Steel Contributor
We're still getting error code of doom (65000) on every device for these policy settings, but I heard a rumour this will be fixed for everyone by the end of Feb 🤞
- Jason_Sandys
Microsoft
Hi Dan Alvarado, Great question. First please make sure that you have reviewed and are familiar with our guidance including Secure Boot Certificate updates: Guidance for IT professionals and organizations - Microsoft Support.
Next, there is some small amount of risk with this, so we strongly encourage that orgs do not enable this across the board without proper testing and validation in their environment first. This testing and validation should follow your standard practices, similar to rolling out any update including Windows Updates (in rings/waves). You should also take into account different device types in your environment, as there is a dependency on the firmware properly accepting the certificate update that may necessitate updating the firmware on specific device models first. For information on firmware compatibility, please check with your OEMs as they are the keeper and controller of this info. Bottom line is that we strongly recommend a slow, controlled rollout just in case you are impacted or encounter something unique.
- nlmitchell Iron Contributor
We're about to do the same, Dan Alvarado, but have gone with all three options in the Intune policy.
I have read somewhere that MS have no plans to remove the 2011 certificates, so I guess if the 2023 certs fail then the device would just revert back to using the 2011 ones. Would be good to get MS clarification here though
- Jason_Sandys
Microsoft
Hi nlmitchell, Correct that we will not remove the old certs as doing so would break the boot process since all boot critical components are still signed using these old certs.
As noted, we strongly recommend a slow, ring/wave based, controlled rollout based on your org's standard update rollout and device type distribution.
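A per-device readiness check for the ring-based rollout described above (example code written for this page, not from the thread or from Microsoft): it confirms Secure Boot is on, decodes the UEFI signature database to see whether the 2023 CA has landed and the 2011 CA is still present, and reads the servicing status value. The registry key and value name (`SecureBoot\Servicing`, `UEFICA2023Status`) and the exact CA subject strings are assumptions taken from public guidance; verify them against the Microsoft Support article linked above before relying on the output in a pilot ring.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on a pilot device.
function Test-SecureBoot2023Readiness {
    $result = [ordered]@{
        SecureBootEnabled = $false
        Has2023CAInDb     = $false
        Has2011CAInDb     = $false
        ServicingStatus   = 'Unknown'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware; treat that as "not ready".
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI } catch { return [pscustomobject]$result }
    if (-not $result.SecureBootEnabled) { return [pscustomobject]$result }

    # The db variable holds the allowed signers; CA names appear as ASCII inside the DER certificates.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.Has2023CAInDb = [bool]($db -match 'Windows UEFI CA 2023')
    $result.Has2011CAInDb = [bool]($db -match 'Microsoft Windows Production PCA 2011')

    # Assumed location of the servicing status written by the certificate update task.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }

    [pscustomobject]$result
}

Test-SecureBoot2023Readiness | Format-List
```

Has2011CAInDb staying true after the update is the expected state, matching the answer above that the old certificates are not removed; a device reporting SecureBootEnabled but never reaching Has2023CAInDb is the one to check with the OEM for a firmware update before widening the ring.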