Windows Office Hours: May 16, 2024
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
- Tim Crosby
Copper Contributor
We are currently preparing for Autopilot in a hybrid joined setup. With hybrid you have very limited options in naming your devices according to a company standard. Is there any work planned to expand this with additional logic that would allow something like including the device serial number in the name during the hybrid join process?
- Joe_Lurie
Microsoft
Hi Tim Crosby, thanks for joining us today. No, we don't plan to add this functionality to Autopilot Hybrid joined profiles. Our official recommendation is to not use hybrid-join with Autopilot, but to use Entra-joined/Intune-managed (what we call cloud-native). Hybrid is fine for your existing devices, but once they are replaced or refreshed/repurposed or new devices are purchased, we recommend starting that cloud-native journey. For the devices that are being repurposed and must remain hybrid-joined, you should continue using your current imaging solution.
If you have to do hybrid-join, and still feel Autopilot is the right solution for you, there are scripts you can find online to help you name the device during the Autopilot process. Note that they aren't written or supported by Microsoft so please test them thoroughly before using them in production.
- Dom_Cote
Brass Contributor
We deployed Firewall and other security policies according to M365 security center recommendations. However, these policies block certain apps that require a _direct_ connection to other devices. Examples: Miracast and the German government eID app, which connects to your smartphone for use as an NFC reader. Obviously, the network policies are designed for max security, but in certain cases they block users from doing stuff they need to do. How can we determine which policies are disrupting these connections and open them selectively? We have a ticket open with M365 support, but beyond standard advice to allow services through the firewall, we have made no progress. Which, btw, indicates that the blockage is happening at a different level than the Firewall. Thanks!
- SteveThomas
Microsoft
The security policies over in the Security Center were not meant to be a one-size-fits-all approach, as there are always app exceptions. It's also essential to strike a balance between security and usability. First, I would need to know the apps involved and the protocols they use to communicate with the devices (i.e. Bluetooth, NFC, web, etc.). If it is web-based you should be able to create an application exception. If you run the app as an admin, it may even prompt you for adding firewall exceptions. This link explains the process - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/rules#applications-rules and you can script it out at scale - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell But - if disabling the firewall does not resolve the issue, then you could be hitting up against a number of things like disabled protocols.
- Dom_Cote
Brass Contributor
Let's stick with Miracast for now - a fully standardized protocol with known behavior. The Firewall IS open for it (verified with support), but it still is blocked on managed devices. It's frustrating for us and our clients, since we don't even know where to start looking (the Firewall doesn't seem to be it).
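The exchange above boils down to "is the firewall really the thing blocking this app?". The following PowerShell is an added example, not code from the thread or from Microsoft: it lists the rules that already reference a program, turns on logging of dropped packets so a block can be confirmed or ruled out from pfirewall.log, and adds a narrowly scoped inbound exception. The program path is a placeholder; run it in an elevated session.

```powershell
# Added example: triage a "firewall is open but the app is still blocked" report.
# Assumptions: elevated PowerShell on the managed device, NetSecurity module present
# (built into Windows), and a placeholder program path you replace with the real one.
$program = 'C:\Program Files\ExampleVendor\eIDClient.exe'   # placeholder path

# 1. Which firewall rules already reference this executable, and what do they do?
#    A disabled Allow rule or an enabled Block rule shows up here immediately.
Get-NetFirewallApplicationFilter -Program $program |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize

# 2. Log dropped packets on every profile so the firewall leaves evidence.
#    The log path is the Windows default; size is capped to avoid filling the disk.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 3. Reproduce the failure, then read the most recent DROP entries.
#    No DROP lines for the app's traffic means the block is happening
#    somewhere other than the firewall, which is the case the thread suspects.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-Content -Path $log |
    Where-Object { $_ -match '\sDROP\s' } |
    Select-Object -Last 20

# 4. If the log does show drops for this program, allow it narrowly:
#    inbound only, this executable only, local subnet only, and not on Public.
New-NetFirewallRule -DisplayName 'Allow eID client (local subnet only)' `
    -Direction Inbound `
    -Program $program `
    -Action Allow `
    -Profile Domain, Private `
    -RemoteAddress LocalSubnet `
    -Enabled True
```

Step 4 is the scoped form of the "application exception" the answer recommends; keeping the remote address and profiles tight limits how much of the baseline is relaxed for one app.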
- Dom_Cote
Brass Contributor
When we export policies from M365, they are usually exported with their Entra OID. In which situations would it be helpful or detrimental to re-import those policies with their original OIDs into new tenants? Use case: we are an MSP with a baseline config with over 800 settings in it and need to deploy this to new tenants with minimal risk and effort. Thanks!
- Dom_Cote
Brass Contributor
I recently took a close look at M365 Lighthouse and was, frankly, disappointed. It doesn't seem to support custom policies beyond Intune. For example, how would I use Lighthouse to configure Teams and Compliance Center (IP labels)? Or custom Entra authentication policies? When can we expect Lighthouse to support ALL key services in M365? Currently, it feels more like "Intune Lighthouse" rather than M365 Lighthouse. Thanks!
- Joe_Lurie
Microsoft
Hi Dom_Cote. Thanks for the feedback. This Office Hours is for Windows and Intune, so the people monitoring this chat are Windows and Intune SMEs and PG. You'd be better off posting the feedback in the Microsoft 365 forums, like this one: Microsoft 365 - Microsoft Community Hub
Good luck-
- reastman1966
Brass Contributor
I have recently used the Feature update to upgrade from Windows 10 22H2 to Windows 11 23H2. Now I am being asked to Sign in to verify my Work or School account. I can sign in and it will go away for a few days, then a new notification will show up. I have another user that is getting this too. I tried to open a ticket with Intune support since it happened after the Feature update but was told that wasn't the way to get support. I was told to use the Get Help on the window in Settings -> System -> Activation. This didn't help much since it just said contact your IT department.
- David_Guyer
Microsoft
After conferring with a couple of colleagues, we recommend opening a support ticket with Windows support. It's appropriate Intune wouldn't be the best for something that happens after a successful feature update. Sorry I don't have a better answer, but this isn't a common problem.
- reastman1966
Brass Contributor
I am working on setting up admin permissions for some help desk users to manage a small group of devices. I have down the group, but I am struggling on what is really necessary in the custom role I am creating. These are Zebra Android based scanners if it matters. They will need to be able to do the enrollment and some other basic tasks. No need to adjust any profiles as that will be handled by another team.