Windows Office Hours: July 20, 2023
Thursday, Jul 20, 2023, 08:00 AM PDT
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
Heather_Poulsen
Updated Jul 20, 2023
- Char_Cheesman (Bronze Contributor)
Thanks for joining Office Hours! Be sure to add next month's event to your calendar.
And thanks to our experts "in the office" today: Thomas Trombley, Steve Thomas, Aria Carley, Beverley Ashton, Harjit Dhaliwal, Jason Sandys, Jay Simmons, Joe Lurie, Rob York, David Guyer, Sean McLaren, Aaron Czechowski, Yolanda Ruffin.
- rjlucas365 (Copper Contributor)
Intune reports that some devices are in a "Not Scanned" state for WUfB. Yet, they are communicating with Intune per the last activity status. What could be some of the issues with this if there are no legacy WSUS policies tattooed?
- David_Guyer
Microsoft
Rick, good question. That indicates that the device hasn't sent any client telemetry for updates since the update was approved. For feature updates and expedited quality updates, that means enabling the Windows Health Monitoring policy as described here: https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-reports#configure-data-collection. For driver updates, that means configuring Windows data collection in Intune as described here: https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-reports#devices-and-data-collection. Note that soon we'll be moving feature update and expedite reporting to use the same data collection settings as drivers. For drivers, notice in the documentation the telemetry level setting, and also make sure you haven't configured the DisableOneSettingsDownloads setting. HTH!
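A device-side check for the conditions raised in this exchange, added here as an example and not part of the Office Hours thread: it reads the documented policy registry locations for the diagnostic data level and DisableOneSettingsDownloads that David's answer calls out, plus the legacy WSUS policy tattoo (WUServer / UseWUServer) that the question asks about. The "Windows Health Monitoring" MDM setting has no single registry value I can point to, so it is not checked here.

```powershell
# Added example, read-only. Run locally (elevated) or via remote PowerShell on a device
# that Intune shows as "Not Scanned". Paths are the standard Group Policy / MDM locations.
$policyDC = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Diagnostic data level. 0 = Security, 1 = Required (Basic), 2/3 = higher levels.
#    Update reporting needs at least the Required level.
$allowTelemetry = Get-RegValue $policyDC 'AllowTelemetry'
if ($null -eq $allowTelemetry) {
    $findings.Add('AllowTelemetry policy not set; the device uses its local setting (confirm it is >= 1).')
} elseif ($allowTelemetry -lt 1) {
    $findings.Add("AllowTelemetry is $allowTelemetry, below the Required level update reports need.")
}

# 2. DisableOneSettingsDownloads must not be configured (per the answer above).
if ((Get-RegValue $policyDC 'DisableOneSettingsDownloads') -eq 1) {
    $findings.Add('DisableOneSettingsDownloads = 1; remove this policy.')
}

# 3. Legacy WSUS tattoo: WUServer with UseWUServer = 1 sends scans to WSUS, not Windows Update.
$wuServer    = Get-RegValue $wuPolicy 'WUServer'
$useWUServer = Get-RegValue $auPolicy 'UseWUServer'
if ($wuServer -and $useWUServer -eq 1) {
    $findings.Add("Legacy WSUS policy present: WUServer=$wuServer, UseWUServer=1.")
}

if ($findings.Count -eq 0) {
    'No blocking settings found for WUfB reporting on this device.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```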
- nojppdx (Occasional Reader)
Any plans to stabilize UUP updates requiring multiple reboots to finish patching? This has been pretty hit or miss and unpredictable since UUP rolled out (July patches needed 3 reboots in most systems!) and causes a few issues like:
- Policy to disable BitLocker PIN for patch reboots in ConfigMgr only disables for one reboot, so systems that patch and reboot unattended for remote workers get stuck on PIN prompt
- Native OS orchestrations fail, e.g. selecting "Update and Shutdown" results in the system never completing the shutdown and just being left at the login prompt
The first item above seems like an easy fix from the ConfigMgr side: just change the BitLocker PIN disable to allow arbitrary reboots; after all, the client will re-engage protectors when it's back in control anyway. The second item seems like a deeper bug that will need to be addressed in the Windows Update agent or Windows itself, though?
- SteveThomas
Microsoft
I assume you mean multiple reboots pre-logon while the payloads update. I am not aware of a UUP-specific update requiring multiple reboots post-logon unless you were experiencing additional payload updates (i.e. .NET, hardware/firmware packages, etc.). As far as the orchestration of reboots with BitLocker PINs, the advent of more secure modern hardware (with Secure Boot, TPM 2.0, etc.) has surpassed PIN leveraging as our recommended practice, as you mentioned.
- Florent Mordelet
Microsoft
Hi PGs! I often talk about the future of Windows with my customers. Windows 10 came with a servicing model that enables continuous upgrade of the OS. This servicing model should remove the "Big Bang Migrations" that occurred every 5 years (or so) and cost a lot of money to our customers. We need to move away from a migration model to embrace a servicing model with a continuous upgrade approach. Yet, some/many customers are talking about a Windows 11 "Migration", when it should really be seen as an "OS Upgrade". The fact that we rename Windows (10, 11, 1X...) is fueling that "Migration model". Question to Windows PG: Do you see a future where Windows will only be called Windows (with build numbers, and no more 10, 11, X)? That could help remove the "Migration model" from our customers' minds and reinforce the servicing model. Thanks!
- Joe_Lurie
Microsoft
Florent Mordelet With Windows 10, version 20H2, we made upgrades easier by using eKBs, also known as "enablement packages." These eKBs made moving from one version of Windows 10 to the next version of Windows 10 just like a monthly update with a single, 3-5 minute reboot. Moving to Windows 11 required an in-place upgrade.
We recently announced for those customers that are running Windows 11, version 22H2, when they move to version 23H2 later this year, it will also be an eKB. So customers that are running Windows 10 should move to Windows 11, version 22H2 now, and take advantage of the quick and easy update later.
There's no plan to remove a version indicator from Windows. But with our continuous innovations and eKBs, we are making these migrations easier for both IT and users.
- GerardoHernandez (Brass Contributor)
Any thoughts on having priorities for Intune policies as we have for GPOs? We follow the MSFT baseline but we have several exceptions for different groups, and it is complicated to manage that with Intune in the same way we do with GPOs.
- Jason_Sandys
Microsoft
Hi Gerardo. Today, AAD groups and filters are the sole constructs for targeting within Intune. These targeting constructs do not allow conflicts, so you must carefully design your policies to avoid conflicts, and this means possibly dividing the settings up in a different manner than you did with group policy to allow them to merge without conflicts. This is certainly a shift, but with a small shift in your policy design, it is doable and manageable. We are currently working hard on designing advanced targeting constructs and thinking about how to possibly add a hierarchy, policy priority, policy merging, and similar constructs as have been traditionally available in group policy. As you can imagine, this is non-trivial and a large shift away from what is available today and thus must be planned and designed very carefully. We have no exact timelines for this and nothing to specifically share about when (or if) we will be delivering this.
- Char_Cheesman (Bronze Contributor)
Don't be shy! We’re almost halfway through. Please keep posting your questions in the Comments, and we'll answer them in the chat!
- GerardoHernandez (Brass Contributor)
Why are new firewall rules for W10, W11 and Server in Intune not applying to multi-session (any of them)? They should...
- ThomasTrombley
Microsoft
Good Morning, Afternoon, Evening Gerardo. This will most likely require a call to Support; however, the team here recommends three locations for more detail inclusive of Win10, Win11, and Server:
https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring
https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop-multi-session#security-baselines
https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop-multi-session#compliance-and-conditional-access
Best, Thomas
- GerardoHernandez (Brass Contributor)
The support team hasn't been very helpful either 😞
- se8791 (Brass Contributor)
Is there a way to tell that the pending reboot notification for a Windows update is for the Windows 11 upgrade? Users aren't aware the reboot they are about to do is for Windows 11; it comes across as a normal Windows update, which I understand it really is (just a reg update in the end). Just curious if there are any options to let them know the reboot is for the W11 update?
- Aria
Microsoft
Totally hear you! This is feedback we have gotten and is something we are investigating. 🙂
- Char_Cheesman (Bronze Contributor)
Welcome to this month’s Windows Office Hours! We'll be here for the next hour answering your questions, so please post away in the Comments section.
- se8791 (Brass Contributor)
What's your recommendation for using Autopatch to update a large number of devices to Windows 11?
1. Do you use the default Autopatch groups and simply change the setting "Upgrade Windows 10 devices to Latest Windows 11 release"? Or do you build separate Autopatch groups only for HW that is compatible with Windows 11? It appears that if a W10 device that is not W11 compatible is targeted with a W11 upgrade policy, it will just do nothing (but fail to apply future W10 updates due to a conflict in AP policy, until removed from the W11 target AP group?). How did MS update to W11 using Autopatch or rings + policy? Did they use default groups, or spread out over departments using custom group/policy, or group everyone together?
2. There are many reports that show Windows 10 device/HW readiness for the W11 upgrade (Work from Anywhere, Windows feature update device readiness report, Windows Update for Business reports - Windows 11 Readiness Status), and they all have varied information. Is there a de facto report that should be used? Personally I find the Work from Anywhere report the most useful, but it is missing devices: some devices don't appear in the Work from Anywhere report even though they are enrolled in Endpoint Analytics.
3. Would it ever be possible to generate dynamic device groups using user attributes? (Example: give me all devices for users that have the AAD attribute of Accounting department, instead of, say, using scope tags.) Since Autopatch only supports device-based groups, it's difficult to create groups by department using device-based attributes. Any plans for other options?
4. Does it make sense to request the option to include object IDs in reports that only contain, say, the device name? If we export a report from Intune with device names in it, from any report/area in Intune, and then want to use those device names to bulk import device group members, it needs object IDs for bulk import. Many/all reports from Intune tend to not include object IDs, so we wind up having to use Graph and/or AAD PowerShell to generate this data (object IDs).
5. Autopatch: if we only want to target a feature update to a set of devices in a custom Autopatch group, and not apply quality updates, can we simply pause quality updates in the custom Autopatch group settings, permanently for that custom group?
- Aria
Microsoft
1. There are a few ways to do this. For example, you can use the Upgrade Readiness report to determine eligibility and group by Win 11 eligible vs. ineligible. Another option is to assign all devices to Win 11, then move those that don't upgrade after X period of time to a separate group and target with the latest Win 10 version.
2. Use whatever reporting works best for you.
3. That is a great question! We are certainly evolving our grouping strategy/capabilities and can keep those suggestions in mind.
4. I'll go find someone to get back to you on 2 and 4 for your reporting questions 🙂
5. That depends on how you plan on managing Quality Updates. If you plan on managing them on-prem with WSUS / Configuration Manager and have scan source set to WSUS for QUs then sure. However, if you plan on managing them through the Cloud / an MDM then I wouldn't do this as Quality updates will be paused.
- David_Guyer
Microsoft
1. Eric, you are correct that the Update Rings policy doesn't know which devices are eligible, so the recommended way to use that setting is to set it to Update to Windows 11 until you get the eligible devices on Windows 11, then set it back to the off setting so that the feature update deferrals continue to work. Even better is to use Feature update policies for the update. I'm not 100% sure of the Autopatch plans for this, but I believe they will be moving the feature update management at some point.
2. We are generally recommending the update readiness and compatibility reports in Intune for most customers because they provide additional information like potential app or driver compatibility issues, in addition to the driver settings. That does require enabling Windows data, which the Work From Anywhere reports in Endpoint Analytics do not. In the end, as Aria pointed out, use the report that works best for you with these considerations.
4. Your notion makes sense, so it depends on each report, since the reports for Windows Updates include device IDs for that reason. I can pass it along to our reporting team.
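The workaround described in question 4 above (device names exported from an Intune report, object IDs needed for bulk group import), written out with the Microsoft Graph PowerShell SDK as an added example that is not part of the thread. It assumes the export has a "Device name" column and that the caller can consent to Device.Read.All; it writes the resolved object IDs to a CSV you can paste into the portal's bulk-import template rather than guessing at that template's layout.

```powershell
# Added example. Resolves Intune-exported device names to Entra ID (Azure AD) device
# object IDs. Get-MgDevice's .Id is the object ID that group membership wants;
# .DeviceId is the separate device ID that most Intune reports already show.
param(
    [string]$InputCsv  = '.\intune-report-export.csv',   # assumed export path
    [string]$OutputCsv = '.\device-object-ids.csv'
)
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome

$rows       = Import-Csv -Path $InputCsv
$resolved   = New-Object System.Collections.Generic.List[object]
$unresolved = New-Object System.Collections.Generic.List[string]

foreach ($row in $rows) {
    $name = $row.'Device name'        # column name assumed from the report export
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Escape single quotes for the OData filter; displayName is what reports export
    $escaped = $name.Replace("'", "''")
    $devices = @(Get-MgDevice -Filter "displayName eq '$escaped'" -All)

    switch ($devices.Count) {
        0 { $unresolved.Add("$name (no Entra ID device with this displayName)") }
        1 { $resolved.Add([pscustomobject]@{
                DeviceName = $name
                ObjectId   = $devices[0].Id
                DeviceId   = $devices[0].DeviceId }) }
        default {
            # Stale or re-enrolled duplicates are common; do not pick one silently
            $unresolved.Add("$name ($($devices.Count) matches; disambiguate by DeviceId)")
        }
    }
}

$resolved | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
"Resolved $($resolved.Count) of $($rows.Count) names to object IDs -> $OutputCsv"
if ($unresolved.Count -gt 0) {
    'Needs manual attention:'
    $unresolved | ForEach-Object { "  $_" }
}
```

Duplicate display names are reported rather than resolved on purpose: adding the wrong object ID silently puts the wrong device in the target group.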