Windows Office Hours: March 20, 2025
Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
52 Comments
- raydomingue (Copper Contributor)
For managed iOS devices in Intune ... all of our iPhones are under 1 profile (under "Enrollment program tokens"). How do you handle multiple carriers with iOS enrollment for eSIM activation? (and not just input 1 URL?)
- Phil_Urban (Microsoft)
You can create multiple Enrollment program tokens between the same Intune and Apple Business Manager (ABM) environments. This will allow you to assign devices from your various carriers to the appropriate MDM Server in ABM that aligns to the corresponding Enrollment program in Intune.
- raydomingue (Copper Contributor)
Thanks Phil_Urban. The only issue is that if they're on an existing profile and if we move them over to a new profile, the user won't be able to do a restore from iCloud backup if they receive a new iPhone. That's what I've found in my testing.
- reastman1966 (Brass Contributor)
If a device has a scope tag other than default and is enrolled into Windows Autopatch would that explain why some devices are sitting there with a "Download and Install" option in Check for Updates?
- EricMoe (Microsoft)
Device scope tag should not impact the update behavior. This sounds like an issue more related with the update policy. I would suggest you open a case with Autopatch to have our engineers investigate the potential policy issues or conflicts that could cause this behavior.
Device Scope Tag should only come into play when using Scoped Admins (we are currently running an RBAC preview now in Autopatch, so stay tuned!).
- Mobiusstrip (Copper Contributor)
We have been having issues with RDP/RDS connections since the release of KB5053598. I don't necessarily expect a response to those particular issues here. What I'm wondering is in situations where we are seeing persistent and consistent issues related to a recent KB release, where is the best place to report those issues?
- Christian_Montoya (Microsoft)
Mobiusstrip - Thanks for posting! I would start with your Support team, that way they can specifically investigate the issue. And if it is a larger issue, Support will work with us to announce and distribute follow-up KBs.
- Jason_Leznek (Microsoft)
Please open a support ticket so we can evaluate it. Also look at the Release notes to see if there are known issues.
- Mobiusstrip (Copper Contributor)
Thank you for the response. Is the following the best place to start a support ticket:
https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create
- shin0933 (Brass Contributor)
Has there been a fix for the 24H2 activation issues yet? I know running slmgr /ato fixes the problem, but it still scares our end users that their device isn't getting activated upon upgrade.
- Jason_Leznek (Microsoft)
Hi! Can you provide more details? Have you opened a support ticket?
- shin0933 (Brass Contributor)
Hi Jason_Leznek!
The issue pertains to upgrading a Windows 11 23H2 device to 24H2. After the upgrade and when the user first signs in, they get a message about Windows needing to be activated. The user will have an A3 or A5 license assigned to them in Microsoft Admin. I have not opened a support ticket on this as it's low priority for us with the easy fix, but the issue has happened enough to want me to ask about it.
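The check a practitioner would run on an affected device after the 23H2 to 24H2 upgrade, as an added example that is not part of the thread and not a Microsoft fix: it reports the Windows license state from WMI and, only when the edition is not licensed, re-triggers the same online activation the poster performs by hand with slmgr /ato. Run it elevated; it assumes the A3/A5 subscription is already assigned to the signed-in user as described above, and it assigns nothing itself.

```powershell
# Added example (not from the thread): report activation state after a 24H2 upgrade and,
# when the Windows edition is not licensed, re-run online activation (the slmgr /ato workaround).
# Run elevated. Assumes the user's A3/A5 subscription activation is otherwise healthy.

$licenseStatus = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
    4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
}

function Get-WindowsActivationState {
    # ApplicationID 55c92734-... is the Windows OS license family; PartialProductKey IS NOT NULL
    # narrows the result to the edition entry that actually has a key installed.
    $filter = "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL"
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
        Select-Object -First 1
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build         = "$($ver.CurrentBuild).$($ver.UBR) ($($ver.DisplayVersion))"
        Edition       = $product.Name
        KeyChannel    = $product.ProductKeyChannel
        LicenseStatus = $licenseStatus[[int]$product.LicenseStatus]
        Activated     = ([int]$product.LicenseStatus -eq 1)
    }
}

$state = Get-WindowsActivationState
$state | Format-List

if (-not $state.Activated) {
    # Same action as the manual workaround in the thread: online activation against Microsoft.
    cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
    Start-Sleep -Seconds 5
    Get-WindowsActivationState | Format-List
}
```

Capturing the Build, KeyChannel and LicenseStatus fields before and after the workaround on a few affected devices gives Support something concrete to work with if a ticket is opened later.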
- pc-88 (Brass Contributor)
I’m not sure if this fits squarely in the scope of this session but here goes:
For years we’ve removed unwanted Windows Store apps (solitaire, Xbox, Bing News, etc) from install.wim using ‘dism.exe /Remove-ProvisionedAppxPackage’ before deploying a Windows image to new devices via SCCM. It only recently came to my attention that removing Appx provisioned packages from the Windows image is strongly discouraged and can cause problems, so I’m looking to revamp this part of the process. If we instead use AppLocker to block the unwanted Appx packages from running at all, this should prevent the Appx packages from installing into new user profiles during their initial logon, correct? And to completely remove the provisioned apps and prevent them from installing for each new user profile, we should have Intune uninstall the packages at the Device level (as opposed to the User level), correct?
- Jason_Sandys (Microsoft)
Hi pc-88, no, blocking the running of an app using AppLocker will not prevent it from being provisioned for additional accounts (or installed). Removing apps depends on how exactly they were installed and/or provisioned in the first place. The general common practice that most orgs adopt for removing built-in apps is to run a script after Windows provisioning to remove them or to use Intune to deploy uninstalls for the apps (also after provisioning).
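The post-provisioning removal script described in the answer above, as an added example that is not Microsoft's script and not something from the thread: it deprovisions each unwanted package so it is no longer staged into new profiles, then removes copies already installed for existing users. It is meant to run elevated after OOBE (for example as an Intune platform script in the system context, or as a task sequence step after provisioning). The package list is a constructed example; adjust it to your image.

```powershell
# Added example, not Microsoft's or the thread's script: remove selected built-in Store apps
# AFTER Windows provisioning. Run elevated (Intune platform script as SYSTEM, or post-OOBE task).
# The package list below is a constructed example.

$unwanted = @(
    'Microsoft.MicrosoftSolitaireCollection',
    'Microsoft.BingNews',
    'Microsoft.GamingApp',          # the Xbox app on Windows 11
    'Microsoft.XboxGamingOverlay'
)

function Remove-BuiltInApp {
    param([Parameter(Mandatory)][string]$Name)
    $result = [ordered]@{ Name = $Name; Deprovisioned = 0; Uninstalled = 0 }

    # 1. Remove the provisioned package so it is no longer staged into NEW user profiles.
    foreach ($prov in Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $Name) {
        Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null
        $result.Deprovisioned++
    }

    # 2. Remove copies already installed for EXISTING users (-AllUsers requires elevation).
    foreach ($pkg in Get-AppxPackage -AllUsers -Name $Name -ErrorAction SilentlyContinue) {
        try {
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
            $result.Uninstalled++
        } catch {
            # Some inbox packages are non-removable; warn and continue rather than fail the run.
            Write-Warning "Could not remove $($pkg.PackageFullName): $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

$unwanted | ForEach-Object { Remove-BuiltInApp -Name $_ } | Format-Table -AutoSize
```

This does removal only; it does not block anything, so it pairs with, rather than replaces, any AppLocker policy. Keep packages such as Microsoft.WindowsStore and Microsoft.DesktopAppInstaller off the list, since other management tooling depends on them.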
- pc-88 (Brass Contributor)
Jason_Sandys Thanks. Am I correct in understanding that the Windows provisioning process is complete after OOBE is finished, and you've reached the Windows login screen?
- ucbryanweaver (Copper Contributor)
Is there a way to get this page to auto refresh?
- Heather_Poulsen (Community Manager)
I know! We miss that functionality greatly. Can you kindly add that feedback/request to the most recent MTC platform release notes post?
- Heather_Poulsen (Community Manager)
Welcome to Windows Office Hours! Let's get started. Post your questions here in the Comments and we'll do our best to help and get you on your way.
- shin0933 (Brass Contributor)
I have Kerberos Cloud Trust deployed to AADJ devices, but my test environment is still getting prompts to sign in with a password instead of Windows Hello. I've followed the deployment guides for Passwordless single sign on, a prerequisite, and for Kerberos Cloud Trust. I've confirmed the user and computer objects exist in my on-prem Active Directory. I have a case open with Microsoft Support, but I thought I would ask here as well.
- Jason_Sandys (Microsoft)
Hi shin0933, When you say getting prompts, when are you getting them? What are you doing and/or trying to access when you get them? Is Entra Connect properly set up and is the Entra ID account that you are logged in with properly synced to the on-prem AD domain?
- shin0933 (Brass Contributor)
The prompts are something to the effect "Windows requires the user to lock the PC and sign in with their password instead of Windows Hello" when the user tries to access an on-prem resource like a network share. This only happens when an AADJ device is connected to a network that has DNS managed by a domain controller. We do have AzureADConnect 2.3.6.0 set up correctly and it is syncing the AD-sourced user account to Entra. We are in the process of planning the upgrade to the latest version of Entra Connect as well.
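A diagnostic a practitioner would run on the test device before opening the share, as an added example that is not from the thread or from Microsoft: it parses the SSO State section that dsregcmd /status prints for the signed-in user (PRT, cloud TGT, on-prem TGT) and then lists the Kerberos ticket cache. Run it in the affected user's own session, not elevated as a different account, because the PRT and ticket state are per logon session. The field names are those dsregcmd prints; the warning text is the script's own.

```powershell
# Added example (not from the thread): read the per-user SSO state dsregcmd reports on an
# Entra-joined device and list the Kerberos tickets held by this logon session.
# Run as the affected user in their own session; PRT/TGT state is per user.

function Get-DsregSsoState {
    $lines = & dsregcmd.exe /status
    $keys  = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'EnterprisePrt',
             'OnPremTgt', 'CloudTgt', 'KerbTopLevelNames'
    $state = [ordered]@{}
    foreach ($key in $keys) {
        $state[$key] = '(not reported)'
        foreach ($line in $lines) {
            # Anchor on "Key :" so AzureAdPrt does not also match AzureAdPrtUpdateTime.
            if ($line -match "^\s*$key\s*:\s*(.*?)\s*$") { $state[$key] = $Matches[1]; break }
        }
    }
    [pscustomobject]$state
}

$sso = Get-DsregSsoState
$sso | Format-List

# Cloud Kerberos trust needs a PRT and a cloud TGT; the on-prem TGT is what lets access to an
# AD-protected share proceed without the password prompt described in the thread.
if ($sso.AzureAdPrt -ne 'YES') { Write-Warning 'No Entra PRT for this session: Windows Hello sign-in did not obtain one.' }
if ($sso.CloudTgt   -ne 'YES') { Write-Warning 'No cloud TGT: the Entra Kerberos (cloud trust) path is not active for this user.' }
if ($sso.OnPremTgt  -ne 'YES') { Write-Warning 'No on-prem TGT: check DC reachability and DNS from this network, and the Kerberos server object in AD.' }

# Ticket cache for the current logon session. Expect krbtgt/KERBEROS.MICROSOFTONLINE.COM (cloud TGT)
# and krbtgt/<your AD domain> (on-prem TGT) once cloud trust is working.
klist.exe
```

Comparing the output on the DC-managed network (where the prompt appears) with the output elsewhere narrows the problem to either the PRT/cloud TGT step or the on-prem TGT exchange with the domain controller.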
- Marrkku (Copper Contributor)
How is everyone removing Classic Teams Machine Installer from OEM Surface Pros when using Autopilot. I use pre-provision to prep my devices, I deploy Teams NEW, but users end up with both since classic ships with Surface 7+, Surface 8, Surface 9 and Surface 10 with factory installed Windows 11 Pro images.
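One way to handle the question above, as an added example that is not from the thread and not Microsoft's guidance: uninstall the classic "Teams Machine-Wide Installer" MSI from the OEM image so it stops dropping classic Teams into each new profile at sign-in, then run the silent uninstall of the per-user classic Teams copy in any profile that already received one. It is written to run in the system context (an Intune platform script, or during Autopilot pre-provisioning); the registry paths are the standard Uninstall keys and the product code is read from the machine rather than hard-coded.

```powershell
# Added example (not from the thread): remove the classic Teams Machine-Wide Installer MSI
# and any per-user classic Teams it already installed. Run as SYSTEM (Intune script or
# Autopilot pre-provisioning). Product code is read from the Uninstall keys, not hard-coded.

function Get-ClassicTeamsInstaller {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Teams Machine-Wide Installer' }
}

foreach ($entry in Get-ClassicTeamsInstaller) {
    # For an MSI entry the key name (PSChildName) is the product code, so msiexec can remove it directly.
    $productCode = $entry.PSChildName
    Write-Host "Removing $($entry.DisplayName) $($entry.DisplayVersion) ($productCode)"
    Start-Process -FilePath msiexec.exe -ArgumentList "/x `"$productCode`" /qn /norestart" -Wait -NoNewWindow
}

# Per-user classic Teams lives under each profile; its updater exposes a silent uninstall switch.
Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Teams\Update.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "Uninstalling classic Teams from $($_.FullName)"
        Start-Process -FilePath $_.FullName -ArgumentList '--uninstall', '-s' -Wait -NoNewWindow
    }

# Verify the machine-wide installer is gone so it cannot reinstall at the next sign-in.
if (-not (Get-ClassicTeamsInstaller)) { 'Teams Machine-Wide Installer: removed' }
```

Run during pre-provisioning, the MSI removal alone is usually enough, since no user profile exists yet; the per-user loop matters on devices that have already been signed into. Running Update.exe from SYSTEM against another user's profile removes the files but may leave that user's HKCU uninstall entry behind.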