Windows Office Hours: December 19, 2024
Event Ended
Thursday, Dec 19, 2024, 08:00 AM PST
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
Heather_Poulsen
Updated Nov 19, 2024
- Heather_Poulsen
Community Manager
Thanks for joining Office Hours today. We'll see you again in 2025! Bookmark https://aka.ms/Windows/OfficeHours for upcoming dates to add to your calendar.
- DavideCrespi (Occasional Reader)
- Joe_Lurie
Microsoft
DavideCrespi Make sure you check out the Ask Microsoft Anything that we held a couple of weeks ago. You can watch all of the AMAs from that day here: https://aka.ms/TCL/Windows. The Hotpatching AMA, specific to that question, is here: https://www.youtube.com/live/AR87adSGeMc?t=158s.
I see you have the November updates installed. Hotpatching requires the October base updates, which should be included in November. If hotpatching isn't working, you may need a ticket to review the logs to ensure they are rebooting due to security updates; hotpatching allows security updates to install without the reboot, but other updates may still require it.
- RyanSteele-CoV (Iron Contributor)
I'm hoping to get some clarification about how Windows Autopatch handles updates that patch critical vulnerabilities. In the FAQ, it says: "For zero-day threats, Autopatch will have an Out of Band release. For normal updates Autopatch, uses a regular release cadence starting with devices in the Test ring and completing with general rollout to the Broad ring."
Does this mean that updates released on the regular cadence which patch critical vulnerabilities are not expedited?
- ThomasTrombley
Microsoft
Hi Ryan, I'm working with the Autopatch team to find you an answer!
- Kevin Schumacher (Copper Contributor)
Having a great Pilot Program.
I work in the Financial / Medical industry and piloting all changes before production release is crucial to success. It is also important to know who the users are so that they can be communicated with when big changes are being tested on them so that we can get feedback. We use this group for all testing in our environment, they are used to the process and know what to expect.
WUfB tries to do something like this with AutoPatch, however that solution is not intelligent on the backend, randomly selecting devices without any analytics being done.
In the past we had to cold call managers to get participation in our Pilot Program to ensure we had 5-10% of users accounted for. The problem was we did not have a great way of cataloging / normalizing application names and making sure we had everything covered.
Desktop Analytics introduced a function called "Identify Pilot" which we utilized with great success. This seemed to analyze our application catalog based on information from ConfigMgr and then help us identify a pilot that covered the most applications with the fewest devices/users. We were also able to select a group of our current pilot devices that was taken into consideration. We were then able to inform managers that these users were part of the pilot program and why. It was based on telemetry and analytics; it wasn't anything personal or guesswork.
Well, people switch groups, roles, leave, and we need a way to re-evaluate our Pilot Program coverage.
Right now it appears our only option is to export the "Discovered Apps" under Apps monitoring in Intune. Then open the 1+ million row csv and manually normalize apps, and work some Excel magic to try and figure out what machines/users to add.
It would be great if this type of feature was reintroduced. I would imagine that many other companies could utilize something like this.
Or is there another solution out there in the wild that can do this? I guess even if there was a way to get a report of normalized products/publishers in Intune, that would help a great deal.
- jenniferwatson1 (Copper Contributor)
We have hybrid-joined AAD devices and are starting to roll out Windows Hello for Business. Is there a recommended way to remove the ability to log in with Windows Hello in case we need to block a user from accessing a device in the future? From what we understand, it can only be done with Intune if App Management loads have been moved to Intune, which we are a long way from being able to do.
- Jays2Cents4Free (Copper Contributor)
(I'm not an MS employee)
It won't matter whether they have Hello or a password. Without visibility to the domain controller, the machine won't know that the account or device is disabled and they'll still be able to log into the machine. I may explore the suggestion Eric offered since we've played with blocking credential providers in the past, but currently, we use Entra to SSO for most of our corporate apps and when the account is disabled, they cannot access these items (new mail won't sync, OneDrive won't connect). We sometimes take the step of using the Isolate command in Defender to shut off internet on the device too. However, none of this will stop them from accessing files on the laptop. You can send a remote wipe command to the device, but you could lose corporate data. We're now deploying Entra Joined devices instead of Hybrid, and this is one of the reasons.
- EricMoe
Microsoft
If a user account has been disabled, once they attempt a logon with a connection to the cloud, they should be blocked from logging in. That said, we do have an Intune policy defined here (ADMX_CredentialProviders Policy CSP | Microsoft Learn) that can be used to disable a specific credential provider. Provider GUIDs are defined here: Multi-factor unlock | Microsoft Learn
- Jays2Cents4Free (Copper Contributor)
EricMoe speaking of credential providers, is there a way to block the password option on the Windows login screen, but still allow passwords in the UAC prompt for admins to use domain admin credentials and select users that are allowed local administrator access with LAPS?
- Nesav132 (Brass Contributor)
We have an Intune policy in place to manage Windows updates and have it set to allow users to check for updates. However, many of our users have this option greyed out. We don't have any physical servers pushing out GPOs and cannot find what is blocking this. Are there other places I can look to see what could be controlling this?
- EricMoe
Microsoft
Check if the local policy "Remove access to use all Windows Update Features" has been enabled. It may be set in HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate, "SetDisableUXWUAccess" set to 1 (which will also block the option).
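A quick way to check the value EricMoe points at on an affected device. This is an added example, not from the thread: it reads the GPO/local-policy location he names and, as an assumption, the PolicyManager location where MDM-delivered Update CSP settings are mirrored, so you can see whether an Intune setting or a leftover local policy is what greys the button out.

```powershell
# Added example (not part of the original thread). Run in an elevated PowerShell session.
# Reports where SetDisableUXWUAccess is set; a value of 1 hides "Check for updates" in Settings.
function Get-WuAccessPolicy {
    $locations = @(
        # Location named in the answer above (written by GPO or the Local Group Policy Editor)
        'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate',
        # Assumed location where MDM (Intune) Update CSP policies are mirrored
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    )
    foreach ($path in $locations) {
        $value = $null
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name 'SetDisableUXWUAccess' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.SetDisableUXWUAccess }
        }
        [PSCustomObject]@{
            Path    = $path
            Value   = $value                      # $null when the key or value does not exist
            Blocked = ($value -eq 1)              # $true means this location hides the option
        }
    }
}

$results = Get-WuAccessPolicy
$results | Format-Table -AutoSize

if ($results.Blocked -contains $true) {
    Write-Warning 'SetDisableUXWUAccess=1 is present; remove the stale policy source rather than the value alone.'
    # To clear a leftover local-policy value once you have confirmed no GPO/Intune policy should set it:
    # Remove-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Name 'SetDisableUXWUAccess'
} else {
    Write-Host 'SetDisableUXWUAccess is not blocking Windows Update access on this device.'
}
```

If the value is absent in both locations but the option is still greyed out, `gpresult /h report.html` on the device will show whether another policy object is applying the same setting.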
- HeyHey16K (Steel Contributor)
Does anyone know why the Windows Spotlight background/wallpaper has suddenly started running on Windows 11 computers (not just on our Intune-managed company computers but on my personal laptop too)? We have had a static image (the Windows Bloom) managed by policy, which has been set for years, but suddenly (as of the last few weeks) the background picture is auto-rotating to match the daily Spotlight image. When looking at the background settings, it is still set to static Picture.
- Jason_Leznek
Microsoft
Hi, please file a bug.
- HeyHey16K (Steel Contributor)
Hi Jason, thank you. Do you mean log a support ticket? Or is there a specific place I need to go to report the bug?
- HeyHey16K (Steel Contributor)
On my personal laptop, I set it back to the static image each day, but the next day it goes back to Spotlight auto-rotate, even though in the wallpaper settings it is configured to static Picture (same as shown above, just without the "managed by your organisation" bit) 🤷♀️
- ThomasTrombley
Microsoft
This should set you on a better path:
In the search bar, type "edit group policy", which will launch the Local Group Policy Editor. Navigate to Computer Configuration, Administrative Templates, Control Panel, and finally Personalization. On the right you'll see "Prevent changing desktop background". Double-click it to open the setting, then click Disabled. Hopefully this should work for you. If not, let me know!
- shin0933 (Brass Contributor)
I've noticed this issue as well. The icon "learn more about this picture" also shows up on the desktop.
- HeyHey16K (Steel Contributor)
A few others on another MS forum have noticed it too, so the issue does not appear to be just our company, but I will raise the support ticket to get the ball rolling 🙂
- Heather_Poulsen
Community Manager
Welcome to our final Office Hours session of 2024. We'll be here for the next hour to answer your questions -- and back each third Thursday in 2025! Visit https://aka.ms/Windows/OfficeHours to add future dates to your calendar.
- PJM02860 (Copper Contributor)
Topic: Organizational Messages - What happened to the onboarding option "Welcome to your new PC"? This would be extremely helpful for our New Hire and New PC Refresh scenarios.
Deliver organizational messages with Windows 11 and Microsoft Intune | Microsoft Community Hub
- shin0933 (Brass Contributor)
For an AADJ device that has Windows Hello, we allow users to utilize PINs to unlock and sign into their device. However, this method of signing in can cause issues with some of our on-prem resources. Sometimes users will get a popup that says "Windows needs your current credentials" and need to lock their device and sign in with their password when they are on the company network. We still utilize AD and network shares in our company environment. Is there a way we can allow our on-prem systems to recognize and associate users signed in with Windows Hello PINs on AADJ devices with their on-prem AD account?
I've looked into cloud trust Intune configs, but it either didn't solve my issue, or I didn't implement it correctly.
- EricMoe
Microsoft
You're on the right track. You need the Intune Hybrid Cloud Kerberos Trust configuration to support SSO to on-prem resources. The guidance is here: Windows Hello for Business cloud Kerberos trust deployment guide | Microsoft Learn. There are quite a few steps, so make sure you work your way through them.