Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keeping devices up to date. Learn how to move forward with cloud-native workloads, even if you have on-premises or hybrid needs.
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
22 Comments
- ReidSchneider
Copper Contributor
In the Teams Admin Portal, I see documentation on this topic, but I was wondering if there are additional screenshots or more detailed guidance that could be shared. I also noticed this appears to apply regardless of license. Can you confirm if that is expected to remain the case moving forward?
- Joe_Lurie
Microsoft
Because we are all Windows, Windows 365, and Intune, and I don't want your question to go unanswered, please repost this at Microsoft Teams | Microsoft Community Hub.
Someone there should be able to help. Good luck.
- ReidSchneider
Copper Contributor
Appreciate it! Thank you.
- mjsrc
Copper Contributor
The Security Baselines Blog has recently released Microsoft recommendations for Microsoft 365 Apps, Windows 11 25H2, and Microsoft Edge. In looking through these recommendations, we've found that there are a number of recommended settings that aren't available in Intune for device configurations and for Microsoft 365 Apps configurations. Along with that, some baselines in the Security Baselines menu under the Endpoint Security section for Intune haven't been updated recently. Specifically, the Microsoft 365 Apps baseline hasn't been updated since 2023. What is the Intune team's plan to address these gaps in providing timely alignment within Intune for Microsoft's recommended baseline policies, both in providing updated settings in the settings catalogue and in providing timely updates to the Security Baselines in Endpoint Security?
- Joe_Lurie
Microsoft
Thanks for the question, I appreciate the detail you provided. You're right that there's been a gap between the Security Compliance Toolkit baseline releases and what's available natively in Intune's Endpoint Security baselines. The Security Compliance Toolkit team released the M365 Apps v2512 baseline in December 2025 and work is underway to bring the Intune-native baselines in-line with that update. In the meantime, the Settings Catalog in Intune is updated way more frequently than the baselines and often has the individual settings you need. I'd recommend using them both: supplementing your baseline with Settings Catalog policies to cover any critical gaps.
You can also import the latest baseline GPO templates to make cross-referencing easier. Check out the baseline management guidance here: https://learn.microsoft.com/en-us/intune/device-security/security-baselines/configure-baselines.
- mjsrc
Copper Contributor
Joe_Lurie, the latest recommended settings for the M365 apps are not available in the Settings catalogue either, and instead my team has needed to use the M365 Apps Admin Center Portal to apply the recommended settings. This is not ideal, as it breaks the "single pane of glass" aspect of Intune, along with the M365 Apps Admin Center not containing the proper reporting to validate policy application to instances of M365 Apps.
It would be nice to know when the Intune team is planning to align both the settings catalogue and the Security Baselines with the recommended settings created by the Security Compliance Toolkit team. Thank you
- kMor
Copper Contributor
Hey Everyone,
Coming from a school district in Washington State with Windows machines in a pure Entra/Intune environment. We are attempting to update the secure boot keys that are set to expire in June, following the advice below for deployment:
https://support.microsoft.com/en-us/topic/microsoft-intune-method-of-secure-boot-for-windows-devices-with-it-managed-updates-1c4cf9a3-8983-40c8-924f-44d9c959889d
We're seeing mixed results in terms of how long it takes for our machines to update as shown in Event Viewer ID 1808. Is anyone else having trouble getting their machines to update in a timely manner, and what are other methods you would suggest for addressing this?
- Jason_Sandys
Microsoft
Hi kMor,
Depending on exactly what you've configured, it may take some time. The default update process is only initiated on devices that have been added to the high confidence compatibility list/DB to ensure that we maximize success. In an enterprise environment, we do strongly encourage orgs to enable the update explicitly on representative devices in their environment, though, to ensure that compatibility and success information is fed back to us so that we can update the high confidence DB.
- kMor
Copper Contributor
Thank you for the response!
Would you suggest we do anything other than apply the profile? I'm hearing we just need to be patient with the process.
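As an added check for the Secure Boot thread above (example code, not from the original posts or from Microsoft): this reports from a single device whether the 2023 Secure Boot certificates are already present in the UEFI db and KEK variables, and when the last Event ID 1808 was logged, so slow devices can be separated from devices that have already finished. It assumes the certificate subject names as published in the Microsoft Secure Boot guidance and that Event ID 1808 is logged to the System log by the TPM-WMI source; run it in an elevated Windows PowerShell session.

```powershell
# Added example, not part of the original thread: report whether this device has
# already applied the 2023 Secure Boot certificates, independent of Event ID 1808
# timing. Run in an elevated Windows PowerShell session on the device.
function Get-SecureBootCa2023Status {
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS / CSM
    if (-not $secureBoot) {
        return [pscustomobject]@{ SecureBoot = $false; Db2023 = $null; Kek2023 = $null; LastEvent1808 = $null }
    }

    # The db and KEK variables embed certificate subject names as plain text,
    # so an ASCII decode plus a substring match shows which CAs are present.
    # Certificate names as published in the Microsoft Secure Boot KB (assumed correct).
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db2023  = [bool]($db  -match 'Windows UEFI CA 2023')
    $kek2023 = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')

    # Event ID 1808 (System log, source TPM-WMI) marks a completed update;
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1808 } -ErrorAction SilentlyContinue |
           Where-Object ProviderName -like '*TPM-WMI*' |
           Select-Object -First 1
    $last = if ($evt) { $evt.TimeCreated } else { $null }

    [pscustomobject]@{
        SecureBoot    = $true
        Db2023        = $db2023
        Kek2023       = $kek2023
        LastEvent1808 = $last
    }
}

Get-SecureBootCa2023Status | Format-List
```

A device that shows Db2023 and Kek2023 as True but no 1808 event has likely been updated before event logging was in place or had its log rolled; a device with both False and no event is still waiting on the update.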
- AMPearce-II
Copper Contributor
I want to rollout Passwordless login and Web Sign-In to users, but we have an Always-On VPN product (Palo Alto GlobalProtect) configured to prevent Network access before connection.
I'd like to configure URL whitelist to allow the Web Sign-in traffic, but I can't find those listed on the documentation https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune and Support weren't able to provide this either. Is there a list of Network Requirements for Web Sign-in published anywhere else?
- Joe_Lurie
Microsoft
Web Sign-in uses the same Entra ID browser-based authentication endpoints, so at minimum you'll want to allow outbound HTTPS (443) to:
- login.microsoftonline.com
- login.microsoft.com
- *.msauth.net
- *.msftauth.net
- device.login.microsoftonline.com
- autologon.microsoftazuread-sso.com
You may also need msftconnecttest.com for connectivity detection and ocsp.msocsp.com / crl.microsoft.com for certificate validation. For your GlobalProtect setup, these would go in your pre-logon split-tunnel exclusion list. The docs page you referenced is here: https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in. Please use the feedback button on that page to request the endpoint list be added. That feedback goes directly to the content team.
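A way to verify the endpoint list above from the device itself (added example, not from the original answer or from Microsoft): it checks each listed name for DNS resolution and TCP 443 reachability, which is what a pre-logon split-tunnel exclusion has to permit. The representative hosts used in place of the two wildcard entries are an assumption for illustration; a real sign-in network trace is the authoritative source.

```powershell
# Added example, not from the original answer: probe the Web Sign-in endpoints
# listed above for DNS resolution and TCP 443 reachability, so a pre-logon
# exclusion list can be verified from the device itself. Requires the DnsClient
# and NetTCPIP modules (Windows 8 / Server 2012 or later).
function Test-WebSignInEndpoints {
    param(
        [string[]]$Endpoints = @(
            'login.microsoftonline.com', 'login.microsoft.com',
            '*.msauth.net', '*.msftauth.net',
            'device.login.microsoftonline.com', 'autologon.microsoftazuread-sso.com',
            'msftconnecttest.com', 'ocsp.msocsp.com', 'crl.microsoft.com'
        ),
        # Wildcards cannot be probed as-is; these representative hosts are an
        # assumption for illustration and should be confirmed with a sign-in trace.
        [hashtable]$WildcardSamples = @{
            '*.msauth.net'   = 'aadcdn.msauth.net'
            '*.msftauth.net' = 'aadcdn.msftauth.net'
        }
    )
    foreach ($entry in $Endpoints) {
        $target = $entry
        $note   = ''
        if ($entry.StartsWith('*.')) {
            if ($WildcardSamples.ContainsKey($entry)) {
                $target = $WildcardSamples[$entry]
                $note   = "wildcard, probed via $target"
            } else {
                [pscustomobject]@{ Endpoint = $entry; Resolves = $null; Tcp443 = $null; Note = 'wildcard, not probed' }
                continue
            }
        }
        # DNS first: an exclusion that only permits the IP does not help
        # if name resolution itself is blocked before logon.
        $resolves = $null -ne (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)
        $tcp = $false
        if ($resolves) {
            $tcp = Test-NetConnection -ComputerName $target -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]@{ Endpoint = $entry; Resolves = $resolves; Tcp443 = [bool]$tcp; Note = $note }
    }
}

Test-WebSignInEndpoints | Format-Table -AutoSize
```

Run it once with the VPN in its pre-logon state and once connected; any row that flips from False to True is traffic the exclusion list is not yet covering.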
- ReidSchneider
Copper Contributor
In the Teams Admin Portal, I see documentation on this topic, but I was wondering if there are additional screenshots or more detailed guidance that could be shared. I also noticed this appears to apply regardless of license. Can you confirm if that is expected to remain the case moving forward?
- Joe_Lurie
Microsoft
ReidSchneider I see that this question was posted twice. I responded to the other post above (or below depending on your sorting preferences 😊)
- ComTruise99
Occasional Reader
If you are taking questions about Windows Server... Is using logon scripts still the best way to get PowerShell scripts deployed to devices? We are in a hybrid environment, not quite adopted to Intune yet. So far logon scripts appear to be working fine, but I want to make sure it is the best option. I'm mainly using it for software deployments.
- EricMoe
Microsoft
ComTruise99 PowerShell scripts can be deployed using Logon Scripts. If you are using Azure Arc you get that option too: Run command on Azure Arc-enabled servers (preview) - Azure Arc | Microsoft Learn. As one-offs you can use WinRM too.
- ReidSchneider
Copper Contributor
Will the feature update 11 26H1 be released to the public? We've recently deployed 25H2 but have noticed another version out in the wild for a while.
- EricMoe
Microsoft
ReidSchneider great question, and our own Aria blogged about this back in February: What to know about Windows 11, version 26H1 - Windows IT Pro Blog. The important thing to know is that 26H1 is available but only on new devices with select new silicon. 26H1 is not a feature update for version 25H2.
- 10151607
Copper Contributor
Based on the Microsoft documentation, it is to be expected that new Teams can be behind on updates by 3 months. We are looking to force updates as they come. What is the best way to do this? Teams Admin, Intune Config profile, M365 Office updates? Thank you!
- Joe_Lurie
Microsoft
10151607 Because we are all Windows, Windows 365, and Intune, and I don't want your question to go unanswered, please repost this at Microsoft Teams | Microsoft Community Hub.
Someone there should be able to help. Good luck.
- Joe_Lurie
Microsoft
Welcome to the May edition of Windows Office Hours! In the "office" today, we have Joe_Lurie, EricMoe, Jason_Sandys, and Christian_Montoya. We're ready for some early questions. What's on your mind?