Windows Office Hours: September 19, 2024
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
81 Comments
- reastman1966 (Brass Contributor): I am struggling with the ability to give a small group of users elevated access to manage Android devices in Intune. I have tried to leverage scope tags, but I am missing something still to tie them to just the specific devices with the scope tag.
- ThomasTrombley (Iron Contributor):
There are a couple of admin guides that might better shed light on this depending on whether they are personally owned devices or not. They each provide details on configuring system update settings, which in this case may assist with elevating access for select individuals:
- Personally owned: Admin checklist for software updates on BYOD in Microsoft Intune | Microsoft Learn
- Enterprise owned: Admin checklist for Android software updates in Microsoft Intune | Microsoft Learn
If these don't work, ping me directly and I'll dig in with our engineers.
- carolcarmen (Copper Contributor): Is there any documentation of the process to convert from on-premises domain controllers to cloud-based Intune management?
- Paul_Woodward (Iron Contributor): I mean, yes, but that's a massive transition. That's like "is there a document for the process to move my on-prem server workloads to the Cloud?". You could read a ton of docs, but you probably want some consultancy to get started on that journey.
- Joe_Lurie (Microsoft): carolcarmen, we have lots of documentation that starts at https://aka.ms/CloudNativeEndpoints. We also have a Skilling Snack you should check out at https://techcommunity.microsoft.com/t5/windows-it-pro-blog/skilling-snack-go-cloud-first-with-windows-device-management/ba-p/4213270
- carolcarmen (Copper Contributor): Thanks for the links. It looks very helpful. A couple of years ago we got a scope of work from a consultant in our industry to assist us with this. The price was out of our range, as we aren't a large firm and are already mostly cloud anyway. Almost all of our applications are fully cloud. We don't have any on-prem software of consequence. Is there a ballpark that we should expect to pay for about 150 endpoints to be moved, and to eliminate our legacy domain controller infrastructure?
- Heather_Poulsen (Community Manager): Welcome to Windows Office Hours! Excited to see so many early questions. Let's get started! We'll be answering here until 9:00 am PT, and if the folks "in the office" can't answer today, we'll find an answer for you shortly!
- ThomasTrombley (Iron Contributor): Thanks, Heather, it's wonderful to be with you here today!
- HeyHey16K (Iron Contributor): Is there a way to pause a single Windows Quality Update in Intune instead of having to pause ALL updates for a device, please?
- EricMoe (Microsoft): Quality and Feature updates can be paused separately, but at this time when you pause Quality Updates, it will also pause Driver & Firmware updates and .NET updates. Is your ask to be able to pause Quality Updates separately from those, or is it something else?
- HeyHey16K (Iron Contributor): Hi Eric, currently we have 100s of Surface Pro 7s with the camera issue, whereby we cannot allow them to update to the latest drivers as it breaks the camera. Microsoft have acknowledged, and are working on, the issue; they thought they had fixed it with a firmware update but sadly not. So currently all these devices are on hold for updates. That's just one scenario. It would be great if we could specify which updates not to install, so they could continue installing the rest, please.
- HeyHey16K (Iron Contributor): Is there a limit on the number of times you can sync a device from the Intune console within a certain timeframe (e.g. an hour)? The first couple of device syncs seem to happen very quickly (and the timestamp updates on the device record in Intune), but then successive syncs seem to take up to 30 mins.
- Jason_Sandys (Microsoft): Hi Michelle, yes, there is throttling on manually initiated policy refreshes from the console or locally on devices to prevent adding pressure on the service and the device itself. The throttling details are undocumented and subject to change. Is there a specific requirement or expectation on your part? What challenge are you facing where this is significant, and you need or want to attempt to manually initiate policy refreshes rapidly?
- HeyHey16K (Iron Contributor): Hi Jason, thank you for your response. As Hans says, when you're testing policy changes etc. it gets frustrating to not be able to instantly sync. Could Microsoft consider allowing us to add test devices to a group that would allow more frequent syncs? Or can we force them using "Restart-Service IntuneManagementExtension" perhaps? Thank you
- Paul_Woodward (Iron Contributor): License assignment in the M365 portal only, and removing the feature from Entra, is a serious degradation. This is extremely frustrating. We apply several licenses to each group; the UX is truly horrible in the M365 portal. If you're going to push change on us, at least make it as good as what it replaces (hopefully better), otherwise it just feels arrogant and customer hostile. You're getting a lot of negative responses to this change; at the very least we'd like to know why you've felt the need to make things worse for us. Was it a technical requirement on your side, or a whim? We just don't know.
- ThomasTrombley (Iron Contributor):
Hi Paul,
Please post your concern here, as I know our Engineering team proactively reviews these pages (I say it as I'm one of them for Windows servicing!): Microsoft Entra - Microsoft Community Hub.
In addition, there's an existing comment in Message Center that aligns with your concern: Message Center - Microsoft 365 Admin Center - NEEDS IMPROVEMENT · Community.
I hope this helps.
- Paul_Woodward (Iron Contributor): Windows Updates applied in OOBE - while I do want this behaviour in most cases, there are plenty of times I would want to skip updates. Why are you launching this change with no Admin controls? Feels arrogant and user hostile.
- Jason_Sandys (Microsoft): Hi Paul, thank you for the feedback. We should be publishing more info on this in the near future. If possible, can you provide some additional info here on why this is important or significant for your org to be able to do this?
- Paul_Woodward (Iron Contributor): User brings us a broken device, has an urgent meeting. We can't fix the device quickly, and a device Reset takes way too long, so we give them a new laptop from the build room, and they go through user-driven Autopilot. They'll be pretty upset if there are lengthy delays before they get to the desktop because of Windows Update. In our org we image devices with an up-to-date build, so they won't be so out of date that we can't allow the user to get started right away. Other scenario: I'm troubleshooting Autopilot deployments, so I'll use a custom deployment profile that's as streamlined as possible for efficiency.
- barthoskins (Copper Contributor): When can we expect more details on the *Windows enrollment will include quality updates during OOBE* change (message id MC891140)? The impact on the user enrolment & ESP experience is not clear - will device ESP last much longer, and will users need to perform an additional sign-in due to a reboot at the end of device OOBE? What will happen with pre-provisioning? If the updates install during pre-provisioning but the device is enrolled a month later, will the user have to wait for updates to install and also reboot?
- nlmitchell (Iron Contributor): Seconded here for clearer guidance, please. My current understanding is that the quality updates would apply during the device provisioning stage of Autopilot, including pre-prov? If a device is then given to a user a month or so later, they would go through the user enrollment stage and updates would just apply once they are at the desktop level as per the WUfB policies that are in place in Intune, and not delay the user enrollment stage further? Just trying to gauge the potential impact on engineers and users and get my head around what the change in process might look like. A bit like Bart, it seems.
- DavidB2390 (Copper Contributor): We have UK Cyber Essentials certification and there is a requirement for passwords to be 12+ characters in length. We can achieve that in hybrid mode but not with Azure AD accounts, i.e. we can create passwords 8 characters in length. Please add a minimum password length to the road map. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#microsoft-entra-password-policies. NB I am *not* referring to password complexity, which we definitely don't want and is considered bad practice (https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-April-2023.pdf), so removing that requirement should be available too.
- Joe_Lurie (Microsoft): Hi DavidB2390 - thanks for the feedback. Since this forum is primarily Windows, Windows 365, Autopatch, and Intune, we don't have anyone from the Entra team that joins us here.
Can you repost that feedback in the Entra community? Microsoft Entra - Microsoft Community Hub
- DavidB2390 (Copper Contributor): Will Windows servers ever be supported in Intune, and if not, why not? We want to migrate off SCCM.
- nlmitchell (Iron Contributor): We're in the same boat. We only really use MECM now for Remote Takeover and Patch and App/Package delivery to Servers. Non-domain and other-domain servers would no doubt present an issue with getting them into Intune, but hopefully we can get them in there in the future. Currently co-managed, but would like to go 'Full' Intune at some point. Servers are the main thing holding us back on this at the moment; I don't really want to go back to bare WSUS for patching if I can avoid it, I like the MECM skin on top 🙂
- Joe_Lurie (Microsoft): nlmitchell and DavidB2390, I won't say "never", but we have no plans today to add servers into Intune. Intune is designed as a solution for endpoints: PCs, macOS, mobile, Linux (to an extent). For server management we recommend moving to Azure, and for on-prem servers you can use Azure Arc.
Hope this helps.