Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
39 Comments
- Heather_Poulsen
Community Manager
That's a wrap for January's Office Hours. We'll be back next month. Save the date: Windows Office Hours: February 19 2026 - Microsoft Tech Community
- Nasir-L20
Copper Contributor
Hello!
We’re a cloud‑first organization and are seeing inconsistent Autopilot behavior across several Surface models primarily with the error code 8018000a. Older models like the Surface Laptop 4 and 5 often show a black screen during enrollment, then continue normally after reboot. Removing and re‑adding devices to Autopilot improves reliability on some models (like the SL5), but new Surface Pro 7 devices out of the box still have multiple reboots, repeated sign-ins, and intermittent enrollment errors even after resets.
Mainly curious: what’s the expected normal behavior for Autopilot enrollment across Surface devices, and is what we're seeing typical?
- Jason_Sandys
Microsoft
What you've described above is not expected behavior. I can't specifically comment on your issues but suggest that you open a support case to help troubleshoot and identify root causes.
- Nasir-L20
Copper Contributor
Thank you and we currently have one open.
- Cuetberg
Copper Contributor
Will there be implementations or reporting available in Intune to verify if existing devices are prepared for upcoming Windows Secure Boot certificate expiration and CA updates?
What steps are recommended to prepare the organisation for these updates, and are those methods supported in Intune?
- EricMoe
Microsoft
Cuetberg check out Secure Boot playbook for certificates expiring in 2026 - Windows IT Pro Blog for the steps for preparing and rolling it out. There is no native reporting today.
- Cuetberg
Copper Contributor
So there is no reporting done to Intune from devices or device values in Intune we can query? We need to query devices locally?
Or is there another method by which we can do these scripts for consolidation and reporting purposes managed centrally?
- Carvertb
Occasional Reader
I have the issue of the MS Teams application on my end users' mobile Android devices saying this action is not allowed by your organization. The app has worked on our devices for several years; no compliance or conditional access policies are set to stop the use of the Teams app on these devices, and no changes have been made in our tenant.
- Mandy_Boudreaux
Occasional Reader
Odd, I have had an Android user complain of this exact same thing this morning. And no changes have been made on the policies side here as well.
- Joe_Lurie
Microsoft
Carvertb if you haven't made any changes to the devices, the way they are enrolled or the way the apps are installed and run, and you have no compliance or conditional access policies in place, sounds like you might need to open a support ticket, so that the agents can collect the logs from the device to see what's going on.
- Carvertb
Occasional Reader
My apologies, I think I misspoke. We do have CA and compliance policies in place, but neither of them has had any changes. I was just curious if there had been some form of update or security rollout in roughly the past 2 months within one of the admin portals that may have had an effect on this issue.
- Hari_Seldon
Occasional Reader
Our organisation is currently hybrid. We'd like to use Autopilot and were thinking of migrating GPOs over to Intune. Eventually the goal would be to go cloud only. Would it be better to create and recreate our policies in Intune rather than migrate, aka have a clean slate ready for the future? How much of a difference will this make?
- Joe_Lurie
Microsoft
Hari_Seldon Hi Hari, yes, for most customers we would recommend recreating the relevant policies in Intune instead of migrating GPOs. But for other customers that keep their GPOs up-to-date, migrating is just fine. The difference is how often you maintain your GPOs (do you still have Active Desktop policies from Vista configured, for example).
If you are recreating the policies while the device is still hybrid joined, make sure you remove the device from the OUs receiving the GPOs, as conflict resolution isn't always perfect.
- Jason_Sandys
Microsoft
Some collateral for your reading enjoyment on the broader topic of moving to cloud-native Windows: https://aka.ms/cloudnativeendpoints.
- Heather_Poulsen
Community Manager
Welcome to January's edition of Windows Office Hours! Thanks for joining us today. Post your questions here in the Comments and we'll get started.
- Cuetberg
Copper Contributor
What is the correct process for converting a Windows 11 device that is currently Microsoft Defender for Endpoint–joined (MDE-joined) in Intune into a fully Microsoft Entra–joined / Intune-managed (MEM) device? I’m specifically looking for the required steps and any prerequisites to ensure the MEM join succeeds without conflicts from the existing MDE enrollment.
- Jason_Sandys
Microsoft
Hi Cuetberg,
A couple of clarifying questions:
- What is the join state of the devices today (on-prem domain join, hybrid-join, or full Entra join)?
- Are the devices managed by anything today (other than MDE)?
- Cuetberg
Copper Contributor
- The devices are Domain joined.
- Other than GPOs and MDE there is no endpoint management in place.
- Piyush3o5o
Occasional Reader
Is there a way we can unpin the M365 companion apps (Files, People, Calendar) from the Windows taskbar from Intune? They get pinned automatically when the M365 companion apps are installed.
- EricMoe
Microsoft
Hello Piyush3o5o, the installation of the M365 Companion Apps automatically pins to the task bar because the intent is that they are quickly available for end users to launch and interact with, without the user needing to launch a full-screen application or switch context from what they are doing. So short answer, there is no policy available to automatically unpin them. If you are installing them on devices, consider how they are supposed to be used before unpinning them. Check out this for more info and suggestions: Microsoft 365 companions apps overview - Microsoft 365 Apps | Microsoft Learn
- Joe_Lurie
Microsoft
Piyush3o5o Also consider that if you have multiple displays, you can ensure that the taskbar on the external displays only shows the apps that are running on that display. So that, even if the M365 apps are pinned to the Taskbar, they'll only be pinned to the main display's taskbar, not all of them.
This setting is in Settings > Personalization > Taskbar.
- Piyush3o5o
Occasional Reader
Is there any way to create a dynamic device group based on the location of the device in Intune?
- Phil_Urban
Microsoft
There isn't a built-in method for this.
This is the list of attributes that you can use to define dynamic group membership: Manage Rules for Dynamic Membership Groups in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn. Keep in mind that dynamic groups can take up to 24 hours to refresh after a change.
- HeyHey16K
Iron Contributor
The 25H2 SRI has been published at aka.ms/sri for the Laptop 7 and Pro 7+ but is still missing for many other of your hardware models (e.g. Pro 7 - 24H2, Laptop 3 - 23H2, Laptop 4 - 24H2, Laptop 5 24H2 etc.).
This is impacting us considerably as downloading/installing 25H2 manually from Windows Updates in OOBE before Autopiloting takes 2+ hours 😵.
Can you confirm when a 25H2 SRI will be published for all your hardware models please?