Windows Office Hours: June 15, 2023
Event Ended
Thursday, Jun 15, 2023, 08:00 AM PDT
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
Heather_Poulsen
Updated Jun 15, 2023
45 Comments
- Heather_Poulsen
Community Manager
Thanks for joining us today for Office Hours! Our Windows, Intune, Windows 365, Windows Autopilot, Windows Autopatch, and public sector will be back next month and every third Thursday!
- marycortez
Copper Contributor
Hi, I created a custom connector for a project I am working on in Power Automate. I have the API working fine for tests since I am still developing the calls I want to implement. I do want to know if there are any resources for how refresh tokens work on a custom connector. I'm more so interested in if the custom connector handles the work of refreshing the token by itself. Along with that, if there are any resources for uploading files from Microsoft Project since I would like to automatically upload a .MPP file through my API call to an external site.
- stevlars
Copper Contributor
What is the best way to create and maintain a 'whitelist only' Windows Defender App Control (WDAC) policy? We would prefer a 'pipeline' triggered by approval of each patch or new software. By 'pipeline', we want a way to maintain the system that doesn't require the manual generation and/or maintaining of XML documents. We need a more feasible way to do the daily ongoing adjustments to the system. Microsoft's WDAC wizard is a start, but it does not seem to support this type of feature, nor does the PowerShell module it relies on.
- Lawrence1800
Copper Contributor
How do I enable IRM on Windows devices?
- SteveThomas
Microsoft
Do you mean Information Rights Management or Insider Risk Management? What is the end goal? Data protection?
- AriaUpdated
Microsoft
Per Bing Chat AI - here is how you can enable it: To enable IRM, you need to log in to Microsoft Admin Center at https://admin.microsoft.com. Expand Settings from left navigation, click on Settings, then click on Microsoft Azure Information Protection. Click Manage Microsoft Azure Information Protection settings, make sure Rights management is activated. At Information Rights Management (IRM), enable the radio button for Use the IRM settings. Click on the Refresh IRM Settings button. Click OK when the IRM settings have been refreshed [1]. The RMS administrator can configure company-specific IRM policies that define who can access information and what level of editing is permitted for an e-mail message [1]. Is there anything else you would like to know?
- GMulhern
Copper Contributor
Our devices are currently hybrid-joined. We use a WCD package to automate domain join where the devices will then take their initial set of policies including the one to trigger the Intune onboarding scheduled task. I know that task runs every 5 minutes for 24 hours; my question is what happens when these prepared systems have been shelved for a few days before they ever take their initial user login? In my testing I found that the scheduled task remains beyond 24 hours; it is just no longer set to run every 5 minutes. But I've also found that when that initial user login happens, even days later, the devices still onboard to Intune, at least sometimes. Does the task remain to run on every user login, until onboarding occurs? Or does it only remain for one login success or failure? Is there a best practice regarding the use of this policy to ensure the greatest likelihood of onboarding success?
- jnardiello
Copper Contributor
We are currently evaluating Windows 11 for deployment but have a CMG related question. We have had internet-based client management (IBCM) in place for several years, and currently have co-managed devices with MECM/Intune. To assist in our ROI evaluation to move to CMG, can you provide any information as it pertains to the following?
1. Co-managed endpoints with IBCM (Current State) - i.e., enhanced policy configuration
2. Cloud-native endpoints in Intune (Future State)
- SteveThomas
Microsoft
With relation to costs, we've laid out all of the cost factors in this reference here: https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/cost - and Danny lays out some of the ROI with CMG and tenant Attach here: aka.ms/bigthree. I would love for you to bring this question to the next episode of Unpacking Endpoint Management as we will be discussing this very topic. aka.ms/UEM
- Jason_Sandys
Microsoft
Co-management is unrelated to either IBCM or the CMG so there's not much to provide there. Co-management is about dual management of device using both Intune and ConfigMgr in a coordinated fashion. Co-management is *not* about remote management of devices. While this is certainly provided by Intune, with co-management and remote devices, you still need IBCM or CMG to enable ConfigMgr management of those devices. You also must choose whether you use ConfigMgr or Intune for configuration as having both of them attempt to apply configuration would be painful at best. As for cloud native endpoints, we wrote a great set of docs on this subject: https://aka.ms/cloudnativeendpoints.
- nlmitchell
Brass Contributor
Anything in the pipeline to be able to disable Optional Updates from appearing within Windows using either Intune CSP's or Windows Update Ring policies?
- AriaUpdated
Microsoft
Hi Nick, if you have deferrals configured for feature and/or quality updates you will not see any optional updates offered to the device by default.
- nlmitchell
Brass Contributor
Hi Aria, thanks for your reply. We have both Quality and Feature Updates set to '0' days deferral as having them as anything other than that has caused us problems previously. Optional updates are not installed automatically, but they are sat there in Windows Updates Settings for the user to apply and just wondered if there was a way to stop them appearing via an Intune policy?
- AntonDobschensky
Brass Contributor
Any chance of different channels coming to Autopatch for Office Apps? The semi-annual channel for instance.
- AriaUpdated
Microsoft
This is great feedback! Will investigate. 🙂
- marycortez
Copper Contributor
Through Intune I want to deploy antivirus software, is there a way to configure that through Intune without much user involvement? Along with that, is there a way to use Autopilot but keep the configurations on the computer like applications and software downloaded? The account would be removed, but I would want the applications to save, not the application data.
- Roy Barton
Former Employee
When it comes to refreshing your devices, it looks like Autopilot reset is what you are looking for:
Windows Autopilot Reset | Microsoft Learn
- Roy Barton
Former Employee
Hey marycortez!
If your antivirus is an MSI installer, Intune supports command line arguments during the installation. I'd recommend working with your anti-virus vendor for quiet installation:
Add a Windows line-of-business app to Microsoft Intune | Microsoft Learn
Please let me know if this helps.
- marycortez
Copper Contributor
Yes, it is an MSI installer. I'll reach out to our vendor and see how I can set up a script to run the installer and configure it. Thank you!
- marycortez
Copper Contributor
Best way to implement local admin accounts on Azure AD devices? This will be with business premium licenses. And how would it work?
- JaySimmons
Microsoft
MaryAnn have you looked at the Accounts CSP? https://learn.microsoft.com/windows/client-management/mdm/accounts-csp There are other approaches but that is the one that I would focus on first.
- marycortez
Copper Contributor
I have looked into it, but I wasn't sure if there would be complications from using that method. I'm pretty new to AD so I was more so curious on industry best practices.