Windows Office Hours: May 15, 2025
Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
Please note corrected date.
36 Comments
- Heather_Poulsen
Community Manager
Thanks for joining us for Office Hours today. We'll be back next month on June 19th! https://techcommunity.microsoft.com/event/windowsevents/windows-office-hours-june-19-2025/4391593
- pc-88
Brass Contributor
I was recently testing installing Windows 11 24H2 using SCCM task sequences in our Entra hybrid joined environment. Sometimes after imaging I would get a toast notification: 'work or school account problem - to fix this, select this notification to sign in again.' Clicking through to fix it in Windows 11 settings > Accounts > access work or school > "sign in again to fix your work or school account" would just immediately fail with the message "sign in failed. please try again to repair your account". The machines appear to be correctly registered in Entra and Intune, and they do successfully get Intune policies, app deployments, etc. Any idea why this message keeps coming up and how to fix the supposed problem?
I did a little reading and some people recommended exempting Intune device enrollment from MFA Conditional Access requirements, but my understanding is that this shouldn't be necessary since our devices are Entra hybrid joined (and therefore are being registered in Intune by SCCM, and not by the logged-in user).
- Jason_Sandys
Microsoft
Hi pc-88, have you validated the user has retrieved their PRT and that the hybrid join is truly complete? See Troubleshoot Microsoft Entra hybrid joined devices - Microsoft Entra ID | Microsoft Learn for guidance on this.
If the device is receiving policy from Intune, then enrollment is complete and so exempting from MFA should be moot.
- CaseyB
Iron Contributor
We're piloting hotpatch -- this month we got an additional patch on some devices that got the hotpatch CU. It's a PowerShell security update, KB5061096 -- and Windows calls for a restart after applying it. The KB indicates that this applies to hotpatched devices and may call for a restart, so it seems expected. Any comments on that? Hopefully we don't expect that to be the norm.
- EricMoe
Microsoft
Hi CaseyB, Hotpatching gets you secure faster without requiring the user to restart the device. The KB5061096 article does state if a PowerShell session is active, then a computer restart might be required. Other types of updates may require restarts too. Hotpatching's goal is to get you secure faster, but other update types could require a restart.
- CaseyB
Iron Contributor
We see issues from time to time where a user needs to set their time zone on Win11. Or they say that the time zone is incorrect for where they are. We typically have devices set to autoupdate the time zone. This relies on location awareness I think. The user sometimes goes to the old control panel and updates the time zone there. But it reverts back. The options to resolve are to turn off location awareness, and then use the older control panel. Or, to turn off autoupdate of the time zone in Settings -- this exposes the time zone dropdown in Settings, Date & time. I saw something in the release notes from the January 28 CU --
- [Settings] New! You can change time zones in Settings > Time & Language > Date & Time. You don’t have to be an admin to make this change.
I find that when I click on Date & time on my Win11 hybrid joined device, I get prompted by UAC -- is this expected? Just trying to get some clarity on how date and time is expected to work for admins and non-admins.
- reastman1966
Copper Contributor
We are seeing this now and in some cases the Windows OS has the correct time but Teams will be wrong. I would have to check to see if we have other apps that behave this way so I am just hoping to follow this along to get some insight on what the issue may be.
- Martti
Brass Contributor
Are there any resources you'd recommend for learning best practices on how to apply Microsoft Purview solutions effectively?
I understand there are many options for configuring DLP, but honestly, I often struggle to even envision how some of them would make sense in a real-world setup.
- Dan_Ramacciotti
Microsoft
Martti Check out this guide and links of Microsoft Purview: Explore practical best practices to secure your data with Microsoft Purview | Microsoft Security Blog
- nlmitchell
Brass Contributor
Slight grumble from me around the Win11 24H2 upgrade. We are in the process of deploying it across our estate, however are having to exclude any devices that have less than 30Gb free diskspace, approx. 1000 devices currently. Most devices only have a 120Gb HDD :-(
I don't recall previous upgrades needing this amount of freespace to be able to apply an OS upgrade.
We are looking at potential solutions and have had calls in with MS about it. Implementing a Storage Sense policy has reduced the number slightly, but still a long way to go
- Heather_Poulsen
Community Manager
Welcome to Office Hours! If you need help with planning for migration, deployment, configuration, management, updates, and [fill in the blank], we're here to help.
- mjsrc
Copper Contributor
We are attempting to configure organizational messaging for sending out emergency alerts and other service messages. In our testing we've found it very inconsistent in sending messages out to the test group of users that we selected. Some users get the messages, and others do not. We have completely validated that the users are getting the same policies applied. I have followed the Microsoft documentation on configuring the correct policy (see Organizational messages in the Microsoft 365 admin center - Microsoft 365 admin | Microsoft Learn) and all users are licensed with Microsoft 365 E5 licenses which meet the licensing requirements. We have submitted a ticket to Microsoft Support on this issue, but they have not provided a resolution. I did find that if a user has the "Suggested" notification option turned off, this negatively affects a user being able to see the toast notification. Are there any other settings or configurations that could affect a user being able to receive an org message toast or taskbar notification?
- UserVoice
Copper Contributor
- There is an ongoing MAPI problem within the Graph service preventing 3rd party software from accessing some end-users’ mailboxes. Do you have any info about the case and fixing progress on MS end?
- EOP servers in the UKSouth Azure region seem inefficient because they return many more temporary exceptions than several other Azure regions. Is there anything wrong happening there? Any maintenance?
- There are many more network-related exceptions (“A transport-level error has occurred when receiving results from the server”) within the function apps in the WestEurope Azure region. Is there anything wrong happening there? Any maintenance?
- According to CA/Browser Forum decision about reducing SSL certificates lifetime up to 47 days in 2029 - what incoming features or integrations should we expect for services like Azure Key Vault? More 3rd party vendors to automatically buy and renew certs?
- haris7777
Occasional Reader
We are totally based on cloud with nothing on prem. We all work remote and a bunch of our users are on Windows 10. Please advise me on the exact steps for migrating Win10 users to Win11. Also, would it have any impact on users' systems, like data loss or BSOD during migration? Secondly, I have global admin rights and I am unable to join devices to cloud. Our per-user device limit restriction is 6 and I have 5 devices with 1 left for my own use. Please advise how I can increase my limit to enroll more devices.
- nlmitchell
Brass Contributor
We are upgrading ours using an Intune Feature Update Policy. This alongside an Update Ring policy allows the user some flexibility around when it gets forced/deadlined on them. We kicked off the 24H2 upgrade on the 6th May and have upgraded over 2,000 in just over a week, no loss of data or BSODs reported so far....famous last words :-)
- Rob_Willis
Copper Contributor
We used the Windows 11 installation media from here: Download Windows 11. I created a bootable USB, put the files on a mapped drive and sent this to all users. They then installed at a time that was convenient to them. It took around an hour for each machine and we completed 176 in a week. There was no loss of data and profiles stayed intact. With regards to your limits when enrolling, this should help: Understand Intune and Microsoft Entra device limit restrictions - Microsoft Intune | Microsoft Learn
- Dan_Ramacciotti
Microsoft
haris7777 The Windows 10 device can be updated using Intune Feature Update Policy or even just using Windows Update. Using a cloud service like OneDrive is a great way to make sure user data has a backup before the upgrade. With Intune you could use a DEM account or adjust your device limit in Entra.
- Jason_Sandys
Microsoft
Tacking on to Dan's answer a bit, keep in mind that DEM accounts should not be accounts used by actual users. Instead, they should be generic accounts. For clarity though, haris7777, you are asking about "enrolling", enrolling to what though? Are you talking about enrolling the devices into Intune for management? Or are you instead referring to "joining" the devices to Entra? Can you provide more details about the full scenario including current device state and where you are going besides wanting to upgrade the devices to Win11?