
Windows Office Hours: May 18, 2023

Thursday, May 18, 2023, 08:00 AM PDT
In-Person

Event details

Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!

Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.

How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.

Post your questions in the Comments early and throughout the one-hour event.

Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.


Heather_Poulsen
Updated May 18, 2023
  • Welcome to Office Hours! Let's get started. Post your questions in the Comments section.

    • RickDuda (Copper Contributor)
      How do I add a comment? I wanted to know if there were any MAM policy experts here today.
    • Danny_Guillory (Microsoft)
      I started this feature and I owe you an update on this. I need to connect with the team building it. Good job holding us accountable; I will get an update out most likely tomorrow or later today.
  • JBuck0795 (Occasional Reader)

    Hi,

    Have a question about Windows 11 22H2. We use Active Directory and use Group Policies to add security groups to the local Administrators group and the Remote Desktop Users group. Windows 11 21H2 shows the groups when you look at the members. When we image a computer using W11 22H2 (or upgrade using Windows Update) it only shows the SID of the group. We noticed this because there seem to be intermittent issues logging on to 22H2 when this happens. Here's what the difference looks like between 21H2 and 22H2.

    [Screenshots comparing the 21H2 and 22H2 group membership views were attached to the original post and are not reproduced here.]

    Thanks,

    Jim

    • JaySimmons (Microsoft)
      Hi Jim, I am not aware of any issues in this area with respect to Win11 (any version). Does this always repro or is it intermittent? My first suggestion is that when the Win11 machine is in this state, please double-check the state of the Netlogon secure channel (nltest /sc_query:<domainname>) since name\SID lookup has a dependency on the secure channel being valid. If the SC is bad it usually implies lack of connectivity 🙂 but that's probably not it. If the SC looks good, email me offline (jsimmonsATmicrosoft.com) and I can get some deeper log collection going. Thanks, Jay
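The check Jay suggests, as an added example that is not part of the thread: a PowerShell script that verifies the Netlogon secure channel (the PowerShell equivalent of `nltest /sc_query`) and then walks the local Administrators and Remote Desktop Users groups, flagging any member whose SID cannot be translated back to a name, which is exactly what the 22H2 UI shows as a bare SID. It assumes a domain-joined Windows 11 client and an elevated Windows PowerShell 5.1 session; the group names are parameters you can change. It deliberately uses the WinNT ADSI provider instead of Get-LocalGroupMember, because the latter can throw on members whose SID does not resolve.

```powershell
# Added example (not from the Office Hours thread): check the secure channel,
# then list local group members and flag entries that only resolve to a SID.
# Assumptions: domain-joined Windows 11, elevated Windows PowerShell 5.1.
[CmdletBinding()]
param(
    [string[]]$Groups = @('Administrators', 'Remote Desktop Users')
)

# 1. Secure channel check. Name<->SID lookups for domain principals depend on
#    this being healthy, so if it is broken, unresolved SIDs are expected.
$scOk = Test-ComputerSecureChannel
if (-not $scOk) {
    Write-Warning 'Secure channel to the domain is broken; domain SID lookups will fail.'
    # Repair needs domain credentials:
    #   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
}

# 2. Enumerate members via the WinNT provider and translate each SID ourselves,
#    so one orphaned or unresolvable SID does not abort the whole listing.
foreach ($groupName in $Groups) {
    $group   = [ADSI]"WinNT://./$groupName,group"
    $members = @($group.Invoke('Members'))
    foreach ($m in $members) {
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            $name     = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name     = $sid.Value   # what the UI shows when lookup fails: the bare SID
            $resolved = $false
        }
        [pscustomobject]@{
            Group          = $groupName
            Member         = $name
            SID            = $sid.Value
            Resolved       = $resolved
            SecureChannel  = $scOk
        }
    }
}
```

If the secure channel reports healthy but domain SIDs still come back unresolved, that is the state worth collecting logs in; an unresolved SID whose group was deleted in AD (an orphaned ACE) is a different, expected case and will never resolve regardless of the channel.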
  • R D (Copper Contributor)
    Comparing a new install of Windows 11 vs. a Windows 10 to 11 upgrade via Feature Update, are there some things that are not enabled or configured in the OS with the upgrade scenario compared to a new install of 11 that we should be aware of?
    • Joe_Lurie (Microsoft)

      R D: When we say Windows 11 is the most secure OS, we mean by default on a new installation. If you have a Windows 10 device with all of the security features disabled, we will not automatically enable them in an IPU scenario. So to answer your question, yes, there will be a difference in an IPU vs fresh install, based on what's installed and enabled on the Windows 10 device prior to IPU.

      • R D (Copper Contributor)
        Is there a list of these features that we can review, and is there anything prohibiting certain features from being enabled after the upgrade?
  • ChrisAtMaf (Steel Contributor)

    We have experienced issues with the new ‘Time & language / Date & time’ Settings panel in Windows 11 – can you help?


    First – if ‘Location Services’ and ‘Let apps access your location’ under ‘Privacy & Security’ are DISABLED, but the Windows service ‘Auto Time Zone Updater’ startup type is set to Automatic (set by the ‘Set the time zone automatically’ setting), then in the Settings panel, both ‘Time zone’ AND ‘Set the time zone automatically’ are ‘greyed out’. The outcome is that users are unable to change their time zone, and unable to ‘disable’ ‘Set the time zone automatically’ to allow them to do so. For example: https://answers.microsoft.com/en-us/windows/forum/all/unable-to-change-timezone-settings-windows-11/95d42f77-6516-4115-9401-055b3d5afcec?page=2


    Second – if a user on an Active Directory domain-joined device opens the ‘Date & time’ control panel while disconnected from the Active Directory domain (e.g. remote worker, not currently connected via VPN), the ‘Set the time automatically’ control is shown as available, and in the ‘Off’ state. The user will have the ability to toggle this ‘On’, but when they do so the ‘Type’ setting in the registry is updated to ‘NTP’ (from the default for domain-joined devices of ‘NT5DS’). When the user accesses the domain again the incorrect ‘NTP’ setting remains (it is not reset back to ‘NT5DS’) which results in the device never performing domain time synchronization again. On a domain joined device the ‘NT5DS’ setting should be interpreted as ‘On’, and should also be what is configured when the control is set to ‘On’ https://answers.microsoft.com/en-us/windows/forum/all/time-sync-issues-on-windows-10-domain-joined/03738fe4-a455-477e-8275-b100902418b7 https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings#parameters


    Third – if system administrators seek to mitigate these issues via the ‘Configure Windows NTP Client’ Group Policy setting (e.g. to force the Type setting to ‘NT5DS’, or ‘AllSync’ with a fallback time server, e.g. ‘time.windows.com,0xA’), and a user on the Active Directory domain-joined device opens the ‘Date & time’ control panel while disconnected from the Active Directory (as above), the user still appears to be able to change the ‘Set the time automatically’ setting even though it is ineffective (the ‘Type’ registry value is updated in the usual area, but the Windows Time service ignores it and acts according to the applied Group Policy), giving the end user a false impression of control.

      • ChrisAtMaf (Steel Contributor)

        Sean McLaren: Are you saying that it's 'expected' that a user is unable to set their time zone, and that there's no indication of how they can do so? If the user has disabled Location Services (which is in an entirely different panel) but the 'auto time zone update' service is enabled (but not functional because Location Services is disabled) then all functionality to set the time zone manually is disabled. There is no information in the UI that re-enabling Location Services will allow the time zone to be set. This is not at all user friendly, and especially so when you consider that the 'old' date & time control panel is still able to set the time zone in this situation (if the user can find it).

        P.S. Your 'fix' involves forcing Location Services on for every user. Just FYI not everyone likes being spied on.

        Also this came up recently when a C-suite user travelled and rang up the IT department furious because he couldn't change the time zone himself, and the screen said 'Some of the settings are managed by your organisation.' Of course we had done no such thing, we just had to tell them that the Windows 11 settings app is broken.
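The second and third issues above come down to one registry value: the Windows Time client `Type` under `HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters`, which the Settings toggle rewrites from `NT5DS` to `NTP`, and which a ‘Configure Windows NTP Client’ policy overrides from `HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters`. The following is an added example, not code from the thread or from Microsoft: a PowerShell audit that reports the local value, the policy value (if any) and the source w32tm is actually using, and with `-Remediate` puts a domain-joined device back on domain-hierarchy sync. It assumes an elevated Windows PowerShell 5.1 session on a domain-joined Windows 10/11 client.

```powershell
# Added example (not from the Office Hours thread): audit the W32Time client
# Type that the Settings toggle rewrites, and optionally reset a domain-joined
# device to domain-hierarchy sync (NT5DS).
# Assumptions: domain-joined Windows 10/11 client, elevated PowerShell 5.1.
[CmdletBinding()]
param([switch]$Remediate)

$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$localType    = (Get-ItemProperty -Path $paramKey).Type
# 'Configure Windows NTP Client' writes here; when present it wins over the
# local value, which is why the Settings toggle becomes cosmetic (issue three).
$policyType   = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Type
$effective    = if ($policyType) { $policyType } else { $localType }

[pscustomobject]@{
    DomainJoined  = $domainJoined
    LocalType     = $localType
    PolicyType    = $policyType
    EffectiveType = $effective
    # What the service is really syncing from right now, e.g. 'dc01.corp.example' or 'Local CMOS Clock'.
    CurrentSource = (w32tm /query /source 2>&1 | Out-String).Trim()
}

# Issue two: domain-joined, no policy, and Type flipped away from NT5DS means the
# device will not sync from the domain hierarchy again until Type is reset.
if ($domainJoined -and -not $policyType -and $localType -ne 'NT5DS') {
    Write-Warning "W32Time Type is '$localType' on a domain-joined device; expected NT5DS."
    if ($Remediate) {
        # domhier sets Type back to NT5DS; /update applies it to the running service.
        w32tm /config /syncfromflags:domhier /update | Out-Null
        w32tm /resync /nowait | Out-Null
        Write-Host "Reset to domain hierarchy; source is now: $(w32tm /query /source)"
    }
}
```

Run it without `-Remediate` first to see the three values side by side. When `PolicyType` is populated the local value is irrelevant and the toggle is the false-control case; when it is empty and `LocalType` reads `NTP` on a domain member, the device is in the never-syncs-again state.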

  • Trying to upgrade the remaining 365 Apps for Business plan to the Premium plan and am only given E3 options. I have not exceeded 300 and did this previously during the initial migration to 365. Is there something I am missing?


    • Heather_Poulsen (Community Manager)
      There could be a number of variables at play here. The best way to figure out what's going on would be to raise a support ticket in the Microsoft 365 admin center.
      • JosephMelendez (Occasional Reader)
        I have opened a ticket; however, it has been 2 days and I just got the first call today, and they have to get back to me.
  • R D (Copper Contributor)
    With the Servicing Profiles feature in the M365 Apps admin center, if we select All Devices, will it only work on devices that are AAD/HAAD joined, or would this also work for on-prem AD-only joined devices?
    • Sean McLaren (Copper Contributor)

      Ryan, a servicing profile takes precedence over other management tools, such as Microsoft Intune or the update configuration set by the Office Deployment Tool, so yes, it will work on all devices. When you set a servicing profile, the device will be moved to the Monthly Enterprise Channel and will get its updates from the Office CDNs. M365 Apps on that device are then managed by the servicing profile. Reference: https://learn.microsoft.com/en-us/deployoffice/admincenter/servicing-profile

  • We deployed a test policy using the Disk encryption section of Intune, (depicted below). The test device initially received the policy and encrypted as expected. I then manually removed the encryption from the endpoint and reapplied the same policy. Intune shows the policy successfully deployed but it will not re-encrypt the OS drive. Any ideas?

    [Screenshot of the Intune disk encryption policy was attached to the original post and is not reproduced here.]

    • Joe_Lurie (Microsoft)

      Howdy412: Hi Tyler, thanks for reaching out. Encryption is a policy that will not reapply once it shows as successfully applied. Best bet is to create a duplicate of the policy and apply the new policy to the device, and to remove admin rights from the user so that they cannot decrypt the drive.


      You should also create a compliance policy and a conditional access policy requiring encryption so that they cannot access resources when decrypted, and possibly a Remediation script (formerly known as Proactive Remediation). With the Remediation script you create a "detection" script checking for encryption, and a "remediation" script which could run manage-bde to encrypt if it's not encrypted.

      • Howdy412 (Casual Reader)
        Hi Joe, I did try creating a duplicate of the policy. While again it shows as applied to the device, the drive remains unencrypted. Thank you for the tip on compliance and conditional access policies.
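The detection/remediation pair Joe describes, as an added example that is not code from the thread or from Microsoft: save the first section as the detection script and the second as the remediation script of one Intune Remediation. It uses the BitLocker PowerShell module (the cmdlet equivalent of `manage-bde`) and assumes a TPM-equipped, Entra-joined Windows 11 device with the script running as SYSTEM, which is the Remediations default. The detection deliberately checks protection status and the presence of a TPM protector, not only `FullyEncrypted`, because a drive an admin has suspended reports as encrypted while being readable without the TPM.

```powershell
# Added example (not from the Office Hours thread): Intune Remediation pair for
# OS-drive BitLocker. Split the two sections into detection.ps1 and
# remediation.ps1; detection exits 1 to request remediation, 0 when compliant.
# Assumptions: TPM-equipped, Entra-joined Windows 11; runs as SYSTEM.

# ---------- detection.ps1 ----------
$os     = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasTpm = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
# ProtectionStatus matters: a suspended (protectors off) drive is still
# FullyEncrypted but its key is stored in the clear on disk.
if ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On' -and $hasTpm) {
    Write-Output "Compliant: $($os.MountPoint) $($os.EncryptionMethod), protection on"
    exit 0
}
Write-Output "Non-compliant: status=$($os.VolumeStatus) protection=$($os.ProtectionStatus) tpm=$hasTpm"
exit 1

# ---------- remediation.ps1 ----------
$drive = $env:SystemDrive
$os    = Get-BitLockerVolume -MountPoint $drive
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    # Cmdlet equivalent of: manage-bde -on C: -UsedSpaceOnly (with a TPM protector)
    Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest
} elseif ($os.ProtectionStatus -eq 'Off') {
    # Encrypted but suspended: re-arm the protectors instead of re-encrypting.
    Resume-BitLocker -MountPoint $drive | Out-Null
}
# Ensure a recovery password exists and escrow it to Entra ID, so the device
# can satisfy the key-backup requirement of the encryption policy as well.
$os = Get-BitLockerVolume -MountPoint $drive
$rp = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $rp = @((Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp[0].KeyProtectorId
exit 0
```

When creating the Remediation in Intune, set it to run in 64-bit PowerShell; the BitLocker module is not available to the 32-bit host. This only closes the loop Joe describes, re-encrypting on the next schedule, and does not stop a local admin from decrypting again; removing admin rights and the compliance plus conditional access policies remain the real controls.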
  • Thanks for joining Office Hours! Be sure to add next month's event to your calendar.

    And thanks to our experts "in the office" today: Aaron Czechowski, Aria Carley, Beverly Ashton, Christian Montoya, Danny Guillory, David Guyer, Jay Simmons, Joe Lurie, Rob York, Sean McLaren, Steve Thomas, and Thomas Trombley!

Date and Time: May 18, 2023, 8:00 AM - 9:00 AM PDT