Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
- jn006379
Copper Contributor
Is there any way to solve this automatically?
- Heather_Poulsen
Community Manager
Thanks for joining today. Save the date for next month's Office Hours session on April 16th! 📅 Windows Office Hours: April 2026
- EA008844
Occasional Reader
Intermittent auto logon issue in Kiosk mode configured via Microsoft Intune
A Kiosk profile has been configured on Windows devices through Microsoft Intune. Within the configuration, the "User logon type" is set to "Auto logon" to ensure the device automatically signs in with the kiosk user.
However, the behavior is inconsistent:
On some devices, auto logon works as expected.
On other devices, although the kioskUser account is successfully created, the automatic sign-in does not occur, and the device remains on the login screen.
Expected Behavior
The device should automatically sign in using the configured kiosk account (kioskUser) after boot, without requiring any user interaction.
Actual Behavior
Although the kioskUser account is created successfully, the auto logon:
Does not execute consistently.
Requires manual user interaction on some devices.
- RyanSteele-CoV
Steel Contributor
What exactly happens when the auto login fails? Are there any errors logged in Event Viewer?
Is it possible the kiosk user is targeted by a Conditional Access policy that requires user interaction? Users can't log on to Windows 10 or Windows 11 computers with multi-app kiosk profile assigned - Intune | Microsoft Learn
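To answer the "what exactly happens" and "anything in Event Viewer" questions above in a repeatable way, here is an added read-only triage script (not from the original post or from Microsoft). It assumes the kiosk account is named kioskUser, that it runs elevated on an affected device, and that Assigned Access writes to the Microsoft-Windows-AssignedAccess/Admin log; all three are assumptions.

```powershell
# Added triage helper for an Intune kiosk profile whose auto logon is intermittent.
# Assumptions (not from the post): kiosk account 'kioskUser', script runs elevated
# on the affected device. Read-only: nothing is changed.
function Get-KioskAutoLogonDiagnostics {
    [CmdletBinding()]
    param(
        [string]$KioskUser = 'kioskUser',
        [int]$LookbackHours = 24
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # 1. Winlogon auto-logon values (assumed to be what Assigned Access sets for the kiosk account)
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $autoLogon = [pscustomobject]@{
        AutoAdminLogon    = $winlogon.AutoAdminLogon
        DefaultUserName   = $winlogon.DefaultUserName
        DefaultDomainName = $winlogon.DefaultDomainName
    }

    # 2. Does the kiosk account exist locally, and is it enabled?
    $account = Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue

    # 3. Logon successes (4624) and failures (4625) mentioning the kiosk account.
    #    Get-WinEvent errors when no events match; that is silenced deliberately.
    $logonEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$([regex]::Escape($KioskUser))\b" } |
        Select-Object TimeCreated, Id, @{ n = 'Outcome'; e = { if ($_.Id -eq 4624) { 'Success' } else { 'Failure' } } }

    # 4. Assigned Access (kiosk) provider events; log name is an assumption, absent logs are skipped
    $aaEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AssignedAccess/Admin'; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        KioskAccount         = if ($account) { "$($account.Name) (Enabled=$($account.Enabled))" } else { 'NOT FOUND' }
        WinlogonAutoLogon    = $autoLogon
        AutoLogonConfigured  = ($autoLogon.AutoAdminLogon -eq '1' -and $autoLogon.DefaultUserName -eq $KioskUser)
        LogonEvents          = $logonEvents
        AssignedAccessEvents = $aaEvents
    }
}

# Example run: summary to the console; expand LogonEvents / AssignedAccessEvents for detail
Get-KioskAutoLogonDiagnostics | Format-List
```

Comparing the output of a device where auto logon works with one where it stays at the sign-in screen (in particular AutoLogonConfigured and any 4625 entries) narrows the problem to configuration, account state, or an authentication policy before opening a support case.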
- jn006379
Copper Contributor
Several hardware vendors (OEMs) we work with recommend not installing drivers delivered via Windows Update, claiming that in some scenarios they may cause performance regressions or instability, and instead ask us to deploy OEM‑validated drivers only.
From an enterprise perspective, we would like Microsoft‑supported guidance on this topic.
Specifically:
- What is the recommended approach when OEMs advise against Windows Update drivers?
- Should organizations block all driver updates via Windows Update, or use a controlled approval model instead?
- How do Intune Driver Update policies or Windows Autopatch fit into this scenario?
- Is the expectation that drivers from Windows Update are production‑safe, or should they be treated as optional / staged updates?
Our goal is to balance stability, performance, and security without relying on unsupported workarounds.
- Kevin-Sullivan
Microsoft
Thanks for the question here. OEMs and hardware vendors submit their own drivers through Partner Center and choose to publish them to WU. The OEM decides what goes there and which devices it targets.
We're not directly familiar with OEMs advising customers against drivers they've published to WU themselves. If that's what you're experiencing, we'd want to understand more – reach out to your Microsoft account team and they can connect you with the right folks to dig into the specifics.
- TLyon-TMF
Copper Contributor
Hello, thanks for this and answering our questions!
I’m the primary Intune administrator for a healthcare non‑profit operating on a GCC tenant. We are currently transitioning our devices from AD/Entra hybrid‑joined to Entra‑joined. We are a remote‑first organization with very few users working onsite.
Today, our prior hybrid‑joined devices (connected to a domain through VPN) authenticate using RSA and our more recent Entra-joined devices use the Windows Hello for Business passwordless experience with Intune, as we are working toward moving to adopting the Cloud Kerberos Trust model.
Our challenge is administrative access and account management during this transition. Specifically:
• We still need to manage hybrid‑joined accounts via AD DS.
• We need to audit administrative escalations on devices, typically for single installations of software vs. full-blown Intune deployment or running Command Prompt/PowerShell as admin.
Because the Windows Hello for Business passwordless experience is enabled on our Entra‑joined devices, our IT users cannot sign in with a domain admin account to administrate anything. As an example, this prevents us from running say, Active Directory Users & Computers with elevated privileges as AD DS can't be used without logging in as an account with domain admin rights, which seems to make AD DS administration from Entra-joined devices impossible at this time.
Is there a supported way to enable these administrative tools locally or administrator credentials for other than just the local admin, while still using Windows Hello for Business passwordless authentication? At the moment, our current workaround for AD DS is to log into an on‑premises VM for AD DS management and we've just been using the local admin password for standard escalations for now, which is not ideal.
Thank you for the guidance!
- Jason_Sandys
Microsoft
Hi TLyon-TMF,
Using the SSO functionality built into Windows, as long as the user account is a hybrid account, then authentication to the on-prem domain will just work seamlessly as it uses the on-prem identity of the hybrid account. This is detailed at How SSO to on-premises resources works on Microsoft Entra joined devices - Microsoft Entra ID | Microsoft Learn and Debunking the myth: Cloud-native Windows devices and access to on-premises resources | Microsoft Community Hub.
Of course, you really shouldn't be logging in to a device with an account that has domain admin permissions. Thus, the better path here is to use runas with the /netonly switch and specify the on-prem account with appropriate permissions to launch dsa.msc or whatever tools you need. It's been a while since I tried this, but it does work (from memory).
Using the jump box here is a great choice as well for a variety of reasons and has been used by orgs since well before cloud-native Windows existed.
Not sure what your last sentence about "standard escalations" means. Can you elaborate on this please? Using LAPS in many cases is actually preferred assuming you are using Windows LAPS (and not the classic LAPS) as this restricts access to a single, well-audited account that is easy to shut off if compromised and cannot be used for lateral movement.
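The runas /netonly approach above, written out as an added example (not Microsoft's code and not from the thread) that also records each escalation, since the question was about auditing admin use. The account name, console list and log path are assumptions.

```powershell
# Added example: launch an RSAT console on an Entra-joined, WHfB-signed-in device using
# a separate on-prem admin identity for network authentication only (runas /netonly),
# and keep a local record of the escalation. Account and log path are assumptions.
function Start-NetOnlyAdminConsole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[^\\\s]+\\[^\\\s]+$')]   # expects the DOMAIN\Admin.Joe form
        [string]$AdminAccount,

        [ValidatePattern('\.msc$')]                 # dsa.msc, gpmc.msc, dnsmgmt.msc, ...
        [string]$Console = 'dsa.msc',

        [string]$AuditLog = "$env:ProgramData\AdminEscalation\netonly-escalations.log"
    )

    # Audit trail: who on which device launched which console with which admin identity.
    # The signed-in (WHfB) user is recorded separately from the escalated identity.
    $dir = Split-Path -Parent $AuditLog
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    $record = '{0}|{1}|{2}\{3}|{4}|{5}' -f (Get-Date).ToUniversalTime().ToString('o'),
        $env:COMPUTERNAME, $env:USERDOMAIN, $env:USERNAME, $AdminAccount, $Console
    Add-Content -Path $AuditLog -Value $record

    # /netonly: the credentials are used only when the process authenticates to remote
    # resources (the domain controller). The local token stays the signed-in user, so
    # WHfB passwordless sign-in on the device is untouched. runas.exe prompts for the
    # password itself; nothing here stores or passes it.
    $runas = Join-Path $env:SystemRoot 'System32\runas.exe'
    & $runas /netonly "/user:$AdminAccount" "mmc.exe $Console"
    if ($LASTEXITCODE -ne 0) {
        Add-Content -Path $AuditLog -Value "$record|LAUNCH-FAILED($LASTEXITCODE)"
    }
    $record
}

# Usage (interactive; runas asks for Admin.Joe's password):
# Start-NetOnlyAdminConsole -AdminAccount 'CONTOSO\Admin.Joe' -Console 'dsa.msc'
```

The file log is the simplest possible audit hook; in production you would forward the same record to the SIEM or write it with Write-EventLog so it lands with the device's other security telemetry. Note that the netonly session never performs an interactive logon with the admin account, which is why it coexists with the passwordless policy.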
- TLyon-TMF
Copper Contributor
Hi Jason,
I'll have to give this a try, will see if that works.
As for escalations, our Help Desk users normally use admin accounts to escalate for installations, command prompt, PowerShell, etc. so we normally track that via use of those accounts. LAPS seems to make this a bit more difficult to track.
- Joe_Lurie
Microsoft
TLyon-TMF The RSAT tools should work on Entra-joined devices as long as your user account exists in AD DS. It's the user identity that would determine if the tool can run and be logged into, not the device identity. And you can use Intune's Local Users and Groups policy to manage group membership in the local Admin group on the Intune-managed devices.
- TLyon-TMF
Copper Contributor
Hi Joe,
I'm not sure if I understand you fully or maybe I miscommunicated something, but if I am, that's the core issue actually. The way we are set up is that we run user accounts and then escalate to administrative accounts say for domain admin privileges. A good example would be logged in as "Joe" as the user account and using "Admin.Joe" as the domain admin account to access AD DS. The Windows Hello for Business passwordless experience blocks us off to just the local admin account for escalations.
- WillB123
Copper Contributor
Trying to better understand the different reports for Windows Update for Business in Intune. The new reports do not seem to match each other. They are difficult to navigate and often have unknown devices on them when all diagnostic data is on.
How do the Autopatch reports work? I see data in them but we are not using the service. Why am I seeing data? Can I use these reports? How do I get all devices to populate? We have over 9000 devices.
- EricMoe
Microsoft
WillB123 If you qualify for Windows Autopatch (Prerequisites | Microsoft Learn), follow the deploy guidance to create Autopatch groups and assign devices into those groups (Windows Autopatch groups overview | Microsoft Learn). Once devices are onboarded into Autopatch you should see the information you are looking for work its way into the Autopatch reports.
The Feature update status report shows the status of devices that are currently being targeted by a Feature Update - look to see what Feature Update policy you currently have active and targeting devices. The Update Readiness report is the hypothetical - of the devices in my environment, if I were to target them with the Feature Update I selected (Win 11 24H2), which devices are "ready" (low risk), and which are in a risky state. The summary report here does not have the details of the unknowns - you may need to export the report with its columns to be able to identify your unknowns and go from there.
- WillB123
Copper Contributor
This does not answer any of the questions I posed.
The unknowns are now showing up after I enabled a disabled scheduled task that checks for compatibility, so the troubleshooting information on the Learn more page is not correct. Even though I have diagnostic data enabled, the task Microsoft created to run was disabled. Now I am seeing the unknowns populate the report. I guess I need to open a FastTrack request for support because this chat is not very helpful.
- jn006379
Copper Contributor
We manage a large number of Windows 10/11 devices via Microsoft Intune / Windows Update for Business.
We frequently encounter recurring Windows Update failures (feature updates, cumulative updates, servicing stack issues) that require manual troubleshooting:
- log analysis
- reset Windows Update components
- running Windows Update Assistant
This is not scalable for us.
Is there a Microsoft‑supported way to automatically detect and remediate common Windows Update failures at scale?
Specifically, we are looking for guidance on:
- Proactive Remediations or built‑in auto‑healing
- Windows Autopatch or Update Health / Update Compliance auto‑correction capabilities
- Any official remediation scripts, policies, or services that can replace manual fixes
Our goal is to self‑heal update issues automatically, without human intervention whenever possible.
- EricMoe
Microsoft
jn006379 Autopatch recently released a set of Autopatch Update Readiness reporting that help address the pain points you describe. There is a specific report described here: Alerts and remediations overview | Microsoft Learn that identifies the common update failures and provides recommendations for resolution. If you are using Autopatch, the report is available here:
- Go to the Microsoft Intune admin center.
- Select Devices > Windows updates > Feature or quality updates.
- Select Alerts and remediations.
- vpena
Copper Contributor
We are starting to see the BitLocker recovery prompts due to expiring UEFI certificates. What is MSFT's approach to addressing this before the expiration date of June?
- EricMoe
Microsoft
vpena It appears that during our Secure Boot AMA held on 12 March 2026, at the 33:02 mark, there was a similar question that was answered. Ask Microsoft Anything: Secure Boot - March 12, 2026 - Windows Tech Community Question "Looks like there have been reports online of users receiving driver updates that are requiring bitlocker keys to be entered after reboot. Is this expected behavior? If the certs were already installed via policy still get prompted from driver updates? Is there a way to know what driver updates in Intune actually have the drivers that potentially can cause bitlocker keys to be entered? Naming conventions in Intune for drivers are a bit difficult to decipher. – answered at 33:02."
- Arden_White
Microsoft
BitLocker measures things like the device firmware, the boot loader, firmware drivers (Option ROMs) that come as part of the device, Secure Boot settings, etc. These measurements are used to determine if the system has been tampered with.
Windows drivers are not measured by BitLocker and driver updates should not be causing BitLocker recoveries.
The two things that I'm aware of that could cause BitLocker recoveries related to Secure Boot are:
- If the device is configured to boot first from an alternate source such as PXE boot and then the device fails over to booting from the boot manager on the disk, this can cause BitLocker recoveries if the PXE server is presenting a 2011 signed boot manager and the on-disk boot manager is signed by the 2023 certificate. The fix for this is to configure the firmware to boot from the disk first.
- Some firmware incorrectly reports the device settings when Secure Boot updates have happened, and BitLocker is resealing to the new certificates or boot manager.
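Because BitLocker's TPM protector is sealed to measurements that include the Secure Boot configuration, a practical pre-check before certificate or boot manager updates is to see what the OS volume is bound to and whether a recovery password is in place. The following is an added example (not Microsoft's tooling and not from this thread); it assumes the BitLocker and SecureBoot PowerShell modules that ship with Windows 10/11 and runs elevated.

```powershell
# Added example: per-device check of what BitLocker on the OS volume is bound to and
# whether a recovery path exists before Secure Boot certificate updates. Not Microsoft's
# tooling; run elevated. Assumes the BitLocker and SecureBoot modules shipped with Windows.
function Get-BitLockerSecureBootReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # e.g. 'C:'
        [switch]$EscrowRecoveryKeyToEntra         # also back up the recovery password to Entra ID
    )

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy-BIOS machines
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # PCR validation profile bound to the TPM protector, read via the BitLocker WMI provider.
    # PCR 7 is the Secure Boot policy measurement: with 7 in the profile, a change to the
    # Secure Boot DB or to the boot manager signature is what forces a reseal or recovery.
    $pcrs = @()
    if ($tpm.Count -gt 0) {
        $ev = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
              -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
        $r  = Invoke-CimMethod -InputObject $ev -MethodName GetKeyProtectorPlatformValidationProfile `
              -Arguments @{ VolumeKeyProtectorID = $tpm[0].KeyProtectorId }
        if ($r.ReturnValue -eq 0) { $pcrs = @($r.PlatformValidationProfile) }
    }

    # Optional: make sure the recovery password is escrowed where the helpdesk can reach it
    if ($EscrowRecoveryKeyToEntra -and $recovery.Count -gt 0) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId | Out-Null
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Volume              = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        TpmProtector        = if ($tpm.Count -gt 0) { $tpm[0].KeyProtectorType } else { 'none' }
        PcrProfile          = ($pcrs -join ',')
        BoundToSecureBoot   = ($pcrs -contains 7)
        SecureBootEnabled   = $secureBoot
        RecoveryPasswordSet = ($recovery.Count -gt 0)
        # Ready = protection is on and a recovery password exists to fall back on if a reseal is forced
        ReadyForCertUpdate  = ($recovery.Count -gt 0 -and $vol.ProtectionStatus -eq 'On')
    }
}

Get-BitLockerSecureBootReadiness | Format-List
```

Run fleet-wide (for example as an Intune remediation detection script), the BoundToSecureBoot and RecoveryPasswordSet columns identify devices that would land in recovery after a PCR 7 change without an escrowed key, which is the population to fix before the certificates roll over.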
- RyanSteele-CoV
Steel Contributor
Hi all,
We are working to deploy Windows Hello for Business with the Cloud Kerberos trust model to our hybrid joined workstations. Unfortunately, we have discovered that if a user does not have line of sight to a domain controller when they attempt to sign in to their workstation for the first time with WHfB, they are blocked from signing in and receive a cryptic and misleading error message. Apparently this is "working as designed" per Windows Hello for Business Frequently Asked Questions (FAQ) | Microsoft Learn.
Practically speaking, how does one roll this out if they have mobile users and do not have an always-on VPN?
- Jason_Sandys
Microsoft
I don't think there's any direct or easy path around this. I know this isn't an answer that will make you happy, but hybrid join isn't meant for or best for hybrid work scenarios.
Question: are you using Autopilot to provision these hybrid join devices?
- RyanSteele-CoV
Steel Contributor
Hi Jason_Sandys, and thanks for confirming my suspicions. I am happy to have something to show my boss 🙂
And no, we did not use Autopilot to provision these devices.
- Heather_Poulsen
Community Manager
Welcome to the March edition of Windows Office Hours! In the "office" today, we have Joe_Lurie, EricMoe, Jason_Sandys, Maggie_Dakeva, and Christian_Montoya. We're getting started on the early questions. Keep them coming if you have them. :)