Windows Office Hours: April 18, 2024
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
47 Comments
- ThomasTrombley
Iron Contributor
Hi All! Thank you for joining us today for Windows Office Hours! We'll be back next month and every third Thursday. Visit https://aka.ms/Windows/OfficeHours for details. Have a great day.
- pc-88
Brass Contributor
We get complaints from Windows 11 users about being unable to click buttons in the Snipping Tool app or the new File Explorer, especially when they have multiple displays with different "scale" levels set. We can usually temporarily fix by changing the scale of one of the screens. They're able to interact using the keyboard, it is only the mouse that is affected. Is this a known issue, or is there any guidance for this?
- ThomasTrombley
Iron Contributor
Good Morning/Afternoon/Evening Pete. Please share this into Feedback Hub right away. I promise, we have a large crew monitoring it all the time, so the issue you're seeing won't fall into a void.
- Keith_S1977
Brass Contributor
Hello all.
How can we ensure that devices are getting all the correct policies from Intune and it's working from a remote standpoint?
Examples:
- Policy to "Remove Chat Icon" yet Consumer Teams is still showing. Policy is from Catalog and shows successful. -- I have other examples of this also.
- Policy to add a local user account to admin group (Windows LAPS) but I get a 65000 error on the policy. I have to revert to a PowerShell script to inject the name.
Besides Sync and pray... maybe a way to force/enforce specific policy/Config
- Dom_Cote
Brass Contributor
Yeah, remove consumer Teams is... Hard. We found you also have to uninstall it, for the icon (and app) to go away. We built a PowerShell script that we deploy as a Win32 app for it. There are code snippets all over the web for that.
- Keith_S1977
Brass Contributor
And that is the crux of the issues. My platform and remediation script count continues to grow to fix features that are built in but not working. I feel like I'm stepping back to the old days of writing Login Scripts for GPO with VBS, now it's just PowerShell and Intune.
- MauPaiva
Copper Contributor
Dears, good morning! I have a few machines registered in Intune that, although they show as "Compliant", we can see LAPS is not enabled. For all other machines with same status, we can see the option to rotate and see LAPS. Any idea why some machines although well registered do not have this feature enabled? Any place I can look into? Thanks
- LowellcSmith
Occasional Reader
We ran into that. This information solved the issues. Making sure Windows is on the supported version for this. LAPS will sometimes show as Not Applicable if the version of Windows is not up to date. Windows LAPS is now available on the following OS platforms with the specified update or later installed: Windows 11 22H2 - April 11 2023 Update; Windows 11 21H2 - April 11 2023 Update; Windows 10 - April 11 2023 Update
- MauPaiva
Copper Contributor
Hi Lowell, thanks for the info. However, this is the weirdest part... this is a sample machine running "Operating system version 10.0.22631.3296" (Win11) and the LAPS is not an option... and the machine says compliant, everything seems to be OK but not 😞
- Heather_Poulsen
Community Manager
Good morning, Mauricio. Our resident LAPS expert happens to be out of office today so I'm following up with that team. We'll try to get you an answer during the hour, but, if not, we'll follow up. Thanks for being here!
- MauPaiva
Copper Contributor
Thank you so much for your prompt response 🙂
- CaptainAmerica777_777
Occasional Reader
Configuration Manager question: How do you change the Limited Collection designation of a Device Collection?
- nlmitchell
Iron Contributor
If I'm understanding the request correctly, then right click the device collection and the 'Limiting Collection' appears on the 'General Tab' where you can browse out and select a different collection
- CaptainAmerica777_777
Occasional Reader
I followed your instruction and when I Browse the desired Limited Collection and add it, I get the warning: The selected collections 'Servers' will create a circular dependency. Then it does not allow me to Apply the change. Suggestions?
- JHyers
Copper Contributor
This question is in regards to Windows Autopatch. Is there a reason why the Windows OS Zerodays were not pushed out at an expedited schedule?
- EricMoe
Microsoft
For zero-day threats, Autopatch will use an expedited cadence per https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/overview/windows-autopatch-faq#will-windows-quality-updates-be-released-more-quickly-after-vulnerabilities-are-identified--or-what-is-the-regular-cadence-of-updates. Which Windows OS Zero Day are you referring to? You can also open a service request with Autopatch through the Autopatch admin console to request specific questions about an update.
- JHyers
Copper Contributor
These zerodays https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-two-windows-zero-days-exploited-in-malware-attacks/ And I opened a ticket and was told they weren't going to be pushed out via Autopatch at an expedited cadence. I was told we had to do it ourselves with the expedited push feature in Intune.
- Heather_Poulsen
Community Manager
Welcome to Windows Office Hours for IT pros! Product experts across Windows, Windows 365, Azure Virtual Desktop, Microsoft Intune, and security are gathered and here to help. Please post your questions here in the Comments section. (One question per comment helps us a lot!)
- VanakenJ
Brass Contributor
With Windows Update for Business driver update management, we can now update device firmware. We consider this as a sensitive operation. For example, we have BitLocker configured with PIN code for startup, and also a risk is to have the recovery code asked to the user because the firmware update changed something in the TPM config. So question is when firmware is installed, is BitLocker suspended (once) or how is this handled?
- EricMoe
Microsoft
Johan, check out https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#do-i-have-to-suspend-bitlocker-protection-to-download-and-install-system-updates-and-upgrades- Specifically, when applying updates to UEFI\BIOS firmware through Windows Update, Windows handles suspending BitLocker to apply the update. The description of BitLocker suspension is covered earlier in the FAQ at https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-suspending-and-decrypting-bitlocker- Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
- reastman1966
Brass Contributor
Is there a way to upgrade Windows 10 22H2 to Windows 11 22H2 using Intune? I have tried articles that I have found online and haven't had a lot of success.
- MauPaiva
Copper Contributor
I have one of our rings with the option to upgrade to Win11 and so far, it is working like a charm. I have only 10% of my park running Win10 today.
- nlmitchell
Iron Contributor
We undertook our Win10 to Win11 transition using Intune Feature Update Profiles. Had a few issues when trying to do user based EID groups, but switched to device ID groups and it worked a treat. Shortly about to go Win11 22H2 to Win11 23H2 using the same process > 6,500 devices
- EricMoe
Microsoft
Yes, you can - the Intune documentation starts at https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates#upgrade-devices-to-windows-11 If you have Windows E3 or E5 licensing, Autopatch is another option, https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview
- reastman1966
Brass Contributor
Has there been any update on when 3rd party patching will be available in Intune?
- David_Guyer
Microsoft
Hi Roger, Enterprise Application Management is now available in Intune as an add-on. You can find out more here: https://learn.microsoft.com/en-us/mem/intune/apps/apps-enterprise-app-management and more apps are consistently being added. -David