Windows Office Hours: September 28, 2023
Event details
Please note this Windows Office Hours date has been changed to September 28, 2023.
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
129 Comments
- JohnnyJayMV
Occasional Reader
My comment was deleted with no information about why. I'll try one more time... A customer is facing an issue with emails sent to "customername.onmicrosoft.com" email addresses. They want those emails sent to such aliases (default email addresses are using the customer's custom domain) to be routed to a 3rd party security solution. Microsoft's official response was to have them routed through an ETR (Exchange Transport Rule), which never worked. We found later the reason is that transport rules apply after the recipient is resolved, and the post-resolution email address is changed to the user's custom domain, bypassing the rule. We have spent many, many hours in calls with Microsoft Support without a fully working solution. We don't want the 3rd party solution to be configured by Microsoft, just all traffic sent to "customerdomain.onmicrosoft.com" email addresses routed to it. This was easily done for the custom domain (pointed the DNS MX record to the 3rd party gateway), but there is no such option to do the same for the "*.onmicrosoft.com" domains (although Microsoft owns these, onmicrosoft.com subdomains are independent from their parent and it should be possible); only TXT records can be managed for them. Anyways... I was hoping to find any help about this in this session. Any help would be great! Thank you!
- Rich_Olson
Copper Contributor
Is there any way to get a device out of Windows 11 Insider Preview without having to reset the OS on the device? We have found no luck with any other options.
- Rich_Olson
Copper Contributor
Also add that if you are a consumer you can just opt out. But if you are an enterprise user you have to reset the device. This is a huge issue in my company because Intune-enrolled devices got updated to Windows 11 Insider Preview when they should not have been, because when you manually tried to update to Windows 11 you were stopped by TPM, processor, etc.
- David_Guyer
Microsoft
If you are using Update Rings policies, you can set the Enable Preview Builds to Not Configured. This will set devices to offboard from Insider builds once the next Feature Update is released. If the device didn't use Update Rings to get there, then you can still set the Manage Preview Builds setting to the value of 1 (see more info here: https://learn.microsoft.com/en-us/microsoft-365/solutions/apps-type-lob?view=o365-worldwide ). This setting keeps the device on Insider builds until the next Feature update is released because that's the only way to keep the device getting security updates without reimaging the device to an official build. Once the new Feature update is released, the device will be moved off of insider builds automatically and be on the General Availability train. HTH.
- shijilster950Copper Contributor
Our devices are currently on HAADJ. We also want to prevent customers Azure AD joining their personal device by setting the "Users may join devices to Azure AD" to None. Will changing this setting have any effect on Autopilot with HAADJ?
- ThomasTrombley
Former Employee
The setting is for Microsoft Entra joined, and having None blocks user-initiated joins but still allows flows like Entra joined via Autopilot, Azure VMs enabled with Azure AD auth, etc.
- shijilster950
Copper Contributor
Thank you Thomas, I appreciate you replying to me.
- shijilster950
Copper Contributor
Is it possible that someone will get back to me on this in the future?
- ThomasTrombley
Former Employee
Yes, Shijil. The team is working on your question.
- dandries
Copper Contributor
In relation to the changes in the Windows Server registry to address CVE-2022-37966 and CVE-2022-37967, October is approaching fast, and I am not sure if the Microsoft updates should add the registry keys to the system or not. Initially I understood the registry keys need to be modified by the sysadmin, but this may imply that the registry keys are installed (added) by the patch. Can you expand on this, or is there a full workaround related to the Kerberos changes in AD? Thank you.
- ITPro44Brass Contributor
Task Manager is not as responsive in Windows 11 as it was in Windows 10. It's slower to open and load, and slower to browse and render info. We've experienced this behavior across a fleet of PCs, some of them high-end workstations. Is this a known issue? Is it being worked on?
- ThomasTrombley
Former Employee
Can you further describe the performance degradation you're seeing? I'm not seeing an open item on this. However, have you submitted this one to Feedback Hub? Best, Thomas
- Rich_Olson
Copper Contributor
What is the best way to deploy an app by using Intune: by the MSI, or should that be converted into an EXE?
- erickmichaelCopper Contributor
I have found that the two best ways to deploy an app in Intune are:
- Microsoft Win32 Content Prep Tool
  - https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management
  - The best feature of this tool is its supersedence functionality, and that alone is why we now use it for all installations.
- Microsoft Store Apps
  - https://learn.microsoft.com/en-us/mem/intune/apps/store-apps-microsoft
- David_Guyer
Microsoft
Hi Rich, No need to convert an MSI to an EXE, you can upload and deploy an MSI with Intune. I'd start with this topic... and it might be helpful to read some other topics in the table of contents if you want more context. Understand line-of-business apps for your managed environment | Microsoft Learn
- David_Guyer
Microsoft
I forgot to mention, if you already have an MSI and it's not a Store app, look at LOB apps as well as Win32 apps!
- ITPro44Brass Contributor
File Explorer is not as responsive in Windows 11 as it was in Windows 10. Slower to open and slower to browse. We've experienced this behavior across a fleet of PCs, some of them high-end workstations. Is this a known issue? Is this being worked on?
- ThomasTrombley
Former Employee
I am investigating on our side to see if an issue is being tracked. In the meantime, may I ask if you have filed anything in Feedback Hub?
- J_Tschopp
Copper Contributor
Thank you Thomas. I have not filed anything in the Feedback Hub, but did open a support ticket for our issue of File Explorer crashing when clicking on the icon to open it, which is still pending resolution.
- AbrahamVR
Copper Contributor
We have issues where, in File Explorer, the OneDrive menu is missing completely or a portion of it is missing.
- ThomasTrombley
Former Employee
Hi Abraham, please file this issue with Feedback Hub as soon as possible. Thank you.
- sooonerCopper ContributorIt's definitely been slower on Windows 11, but even worse on the latest optional update that was pushed out on Tuesday (22621.2361). It seems related to OneDrive integration. If I browse non-OneDrive folders, they're nice and snappy, like Windows 10.
- Rich_Olson
Copper Contributor
Intune question regarding Update Rings: we have an issue where Intune updated machines that were on Windows 10 to Windows 11 Insider Preview, and when you attempted to manually update them to Windows 11 the machine was not eligible because of the processor, etc. How did Intune update those machines to Windows 11 Preview if you manually attempted to update to Windows 11 and were stopped?
- David_Guyer
Microsoft
Hi Rich, interesting question, since Intune only configures devices based on available device settings and uses Windows Update, so it doesn't have any way to work around that system. My understanding is that Windows Insider builds are published with the same hardware requirements. So, I'm not sure how your devices were able to get on the Win11 Insider Preview. The only idea I have is that perhaps those devices were on Insider Preview on Windows 10 and were moved to Windows 11 before the hardware checks were implemented. I don't know if that helps, I hope so!
- Rich_Olson
Copper Contributor
Those machines were NOT on Windows 10 Insider Preview. What we saw is that Intune installed a generic driver and then the devices got updated to Windows 11 Insider Preview.
- Heather_Poulsen
Community Manager
Welcome to Windows Office Hours! I see we have some questions already posted (great!). Let's get started! Our engineering and product teams will be answering here in the chat, and if anything is beyond our scope today, we'll work to find the right person to get you the info you need.
- AbrahamVR
Copper Contributor
I see a lot of questions but no responses one hour later.
- ThomasTrombley
Former Employee
How can I assist you Abraham? We're still answering many of the questions here, but have replied to most.
- JohnnyJayMV
Occasional Reader
At work, I faced a situation with a customer trying to route all emails sent to their users through "*@customername.onmicrosoft.com" email addresses. They don't use Microsoft Defender but a different security solution, which is why they want to route all email traffic (including those emails sent to "customername.onmicrosoft.com" email addresses) to it. This was easily done for their custom domain (customername.com) by changing the DNS MX record and pointing it to their security solution, but there is no such option to do that for the "customername.onmicrosoft.com" domain in the M365 Admin Center (it only has the option to handle TXT records, not MX records). We have spent many, many hours in calls with Microsoft Support without any fully successful solution to do this, just because the security solution is not the one provided by Microsoft (which I believe is nonsense, because we are not trying to get Microsoft to configure the 3rd party security system for us, just to route the email received by Microsoft - *.onmicrosoft.com domains belong to Microsoft - to it). Official Microsoft documentation says the way this could be achieved is through an ETR (Exchange Transport Rule), but we configured it as instructed (in different tenants, including a brand new testing one) and it doesn't work (emails are just not getting routed, or other issues like quarantined emails and problems forwarding meetings appeared). We found then that the reason is that transport rules apply after the recipient is resolved, and the post-resolution email address is changed to the user's custom domain (which is the user's primary email address), so the ETR is bypassed. Another possible complication is that the users' Default domain is still the Fallback domain, not their own custom domain, but we got the exact same experience on another M365 tenant with the custom domain set as the Default one anyways.
I found about Windows Office Hours and I was hoping to find anyone who can help me check if there is any other easier, simpler, or cleaner solution to do this routing. I would really appreciate any help on this matter! 🙏