Windows Office Hours: June 20, 2024
Event Ended
Thursday, Jun 20, 2024, 08:00 AM PDT
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!
Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.
How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.
Post your questions in the Comments early and throughout the one-hour event.
Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.
Updated Nov 19, 2024
- Heather_Poulsen (Community Manager)
Thanks for attending Office Hours. We'll be back next month to answer more of your questions!
- HeyHey16K (Steel Contributor): Thank you guys, really appreciate your help 🙂
- Nesav132 (Brass Contributor): We tried putting in a configuration policy to auto-update Google Chrome, however I keep getting vulnerability alerts that most of our devices need to update Chrome. Are there any configuration policies out there that actually force Chrome to update on our devices for users who have it installed?
- Keith_S1977 (Brass Contributor): Past experience with Chrome and vulnerability reports: if a user installs from the web (no admin required) and you then install the Enterprise or MSI version of Chrome, it will not remove Chrome.exe/DLLs from the user's AppData location, and vulnerability alerts will continue even though you can confirm it is running the latest version.
- Joe_Lurie
Nesav132 Chrome is an app that self-updates, meaning that once it's installed, Google takes control of updating it. This means that each of the devices will reach out to Chrome for updates at whatever schedule is defined by Google. Even if Chrome is deployed in Intune, Intune cannot control its updating schedule.
If you use Enterprise App Management, we can help deploy Chrome and keep it up-to-date (updates will be available in EAM soon!). But even with EAM, Chrome defaults to being self-updating, so you'd need to modify the Installation command line to remove the self-updating configuration.
- Nesav132 (Brass Contributor): I haven't used the EAM, but can certainly try. Would there be any documentation on how to modify the command line?
- raydomingue (Copper Contributor)
Question regarding managed iOS devices. Our iOS security policies state that the user must change their PIN code every 90 days. When you set up a PIN code initially, the numerical PIN keypad pops up. However, after 90 days when they are forced to change their PIN, a full QWERTY keyboard pops up asking the user to change their PIN, and not just a numerical keypad. To add, if a user manually changes the PIN code before the 90-day period by going to "Settings > Face ID & Passcode", the numerical PIN keypad does come up. Also, I can confirm that our iOS policy shows Password type as Numeric (and NOT Alphanumeric).
The crux is that the users are changing their PINs from a numerical PIN to an alphanumeric PIN (because they see a full QWERTY keyboard) and they get this confused with their network password. I've put in a ticket with MS Support on this and was advised that there's nothing they can do about this. As I understand it, in essence this is an Apple issue where they'd need to open up their APIs.
Is that right? Is there any way to change this full QWERTY keyboard layout to just a numerical PIN keyboard when the security policy dictates this? It's an issue I'd like to solve in our environment as we constantly get HelpDesk tickets regarding this.
- HeyHey16K (Steel Contributor): In Intune there are options to export the Intune device list, Autopilot device list, audit logs etc. into Excel files. Is there an equivalent PowerShell command to do this to avoid needing to do it from the Intune GUI please? Thank you 🙂
- Joe_Lurie
HeyHey16K You can use Graph for this: Use Graph APIs to export Intune Reports | Microsoft Learn
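The export-jobs flow from the linked article, as an added example (not code from the thread or from Microsoft): queue an export of the "Devices" report, poll the job, and unpack the resulting CSV. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the DeviceManagementManagedDevices.Read.All permission; the `$env:TEMP` paths are arbitrary.

```powershell
# Added example: export the Intune "Devices" report via Graph export jobs.
# Assumes the Microsoft Graph PowerShell SDK and a read-only Intune scope.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$jobs = "https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs"

# 1. Queue the export. "Devices" is the report behind the All devices grid;
#    optional "filter" and "select" keys (column names are in the docs) can
#    be added to the same body to narrow the output.
$body = @{ reportName = "Devices"; format = "csv" } | ConvertTo-Json
$job  = Invoke-MgGraphRequest -Method POST -Uri $jobs -Body $body -ContentType "application/json"

# 2. Exports are asynchronous: poll the job until it leaves the pending states.
do {
    Start-Sleep -Seconds 5
    $job = Invoke-MgGraphRequest -Method GET -Uri "$jobs('$($job.id)')"
    Write-Host "Export job $($job.id): $($job.status)"
} while ($job.status -in @("notStarted", "inProgress"))

if ($job.status -ne "completed") {
    throw "Export job ended with status '$($job.status)'"
}

# 3. The download URL points at a zip that wraps the CSV; fetch and expand it.
$zip = Join-Path $env:TEMP "IntuneDevices.zip"
$out = Join-Path $env:TEMP "IntuneDevices"
Invoke-WebRequest -Uri $job.url -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $out -Force
Get-ChildItem -Path $out -Filter *.csv
```

Swap the reportName (for example "DeviceCompliance") to export other grids; audit logs and Autopilot devices are separate Graph resources rather than export-job reports.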
- HeyHey16K (Steel Contributor): Thank you Joe 🙂
- rwoost (Frequent Reader): UE-V was a tool we used extensively with Win10. We know it is being retired and not available for Win11. What alternative tool would you suggest that has the same/similar functionality?
- csmith-norwood (Copper Contributor): Are there any good training sources? I'm not talking about classes only meant for being able to pass a test for certification, but real courses? The online documentation for most of Azure is so twisted and disjointed it's impossible to follow half the time. I've tried searching, usually to no avail. Any courses I have found or online tutorials are pretty useless.
- Joe_Lurie
csmith-norwood I assume you are asking about training resources for Intune? If so, we just released this: https://aka.ms/IntuneResource. This lists links, kits, classes, tutorials, etc., so you don't have to go looking for them.
You'll also find some good community-led courses run by our MVPs if you search on X or LinkedIn. Good luck!
- HeyHey16K (Steel Contributor): Microsoft ESI has been great for us 🙂 https://esi.microsoft.com/
- reastman1966 (Copper Contributor)
Is there a configuration policy in Intune or Entra for password complexity? We are moving from multiple tenants to a new tenant. When we go to change our password, we end up at the company portal and it shows a minimum of 7 characters, but our on-prem policy is 14 characters. Hoping to get pointed in some kind of direction, as what I have found online so far is vague.
- Joe_Lurie
reastman1966 You can enforce complex passwords in Entra: Combined password policy and check for weak passwords in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn. Keep in mind these Entra password complexity settings do not apply to users synced from on-prem AD.
- microsoft-questions (Copper Contributor): Is there a way, with a co-managed device imaged with SCCM but with workloads moved to Intune, to keep the enrolled user and primary user from becoming the first user to log in?
- Joe_Lurie
microsoft-questions I'm not sure I understand the scenario. A user receives a device. This user is the primary user of the device. But this user should not be the first person to log in? Is that correct? I assume a helpdesk person logs in first and you are having an issue where that helpdesk person is now listed as the primary user/the one that enrolled the device?
The real answer is to start using Windows Autopilot to deploy the devices. Send the device to the user with all apps/policies assigned, and they will be installed as the user unboxes their shiny, new device. No need for anyone else to log on first.
- microsoft-questions (Copper Contributor): Thank you, Joe. For a little more context, these are lab devices that we will be using Autopilot for next year, but for now we have to stick with imaging with SCCM. We use Autopilot for everything else. They are shared devices, which is why we wouldn't want either the enrolled-by or primary user to be that first user. I know we can script the removal of the primary user, but not the enrolled-by user, I believe.
- pc-88 (Brass Contributor): We set up the Windows Update for Business report Azure workbook (https://learn.microsoft.com/en-us/windows/deployment/update/wufb-reports-enable) to identify workstations that are missing updates and submit a report to management. One afternoon we updated several Windows workstations and got them fully patched with monthly updates, then left them online overnight to check in with Azure. 24 hours later, the WUfB report still showed all of them as "MultipleSecurityUpdatesMissing". Running an Azure log query, I could see the LastWUScanTime field was not correct, the OSversion was not correct, the OSBuilds were not correct, etc. In my query of UCDeviceAlert, "TimeGenerated" was about 5-8 hours after these computers had completed updates, so I would've expected the data to reflect the state of those workstations at that time. Is there a way to force machines to submit current data to Azure on demand that will reflect in these WUfB reports by the next day? The report didn't show updated information for these workstations until at least 2 days after they became fully patched.
- EricMoe
Data latency in WUFB reports is documented here, https://learn.microsoft.com/en-us/windows/deployment/update/wufb-reports-use#data-latency, and the data latency on updates and update status can be 24-36 hours per the table. If after 36 hours you still are not seeing appropriate data, then I'd recommend opening a support case to have someone investigate deeper.
- pc-88 (Brass Contributor): EricMoe I see this says "Device connectivity to the internet and generally how active the device is influences how long it will take before it appears in Windows Update for Business reports" - is this indicating that a device that is more active will appear in WUfB reports more quickly, or less quickly?
- Keith_S1977 (Brass Contributor): Is there a good way, or will there be a GUI way, to export Intune configurations with values to a CSV or XML? The same would be helpful for device configurations, to see what is being applied by value, not just Green/Red on the settings.
- Joe_Lurie
Keith_S1977 For your 2nd question: With the Copilot for Security in Intune integration, you'll be able to list all policies assigned to a device (or user), and even be able to compare two devices.
For the first question: There is no way in the GUI today to list out all policies that have a value, but there is likely a Graph call that could do this. Or you can use this PowerShell script. Note that the script is written by an MVP, not by Microsoft: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group! - Microsoft Community Hub
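One Graph-based way to get at the values rather than the Green/Red status, as an added example (not the MVP script Joe links and not Microsoft's code): walk every Settings Catalog policy, recursively flatten each setting instance into (definition id, value) rows, and write them to CSV. It assumes the Graph PowerShell SDK and DeviceManagementConfiguration.Read.All; the output path is arbitrary, and template, ADMX and compliance policies live under other endpoints and are not covered.

```powershell
# Added example: dump Settings Catalog policies and their configured values.
# Assumes the Microsoft Graph PowerShell SDK and a read-only config scope.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -NoWelcome
$dm = "https://graph.microsoft.com/beta/deviceManagement"

# Follow @odata.nextLink so tenants with many policies are fully enumerated.
function Get-AllPages([string]$Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# A settingInstance is a small tree: simple values, choice values with child
# settings, and collections of either. Recurse and emit one row per leaf value.
function Expand-SettingInstance($inst) {
    $id = $inst.settingDefinitionId
    if ($inst.simpleSettingValue) {
        [pscustomobject]@{ Setting = $id; Value = $inst.simpleSettingValue.value }
    }
    if ($inst.choiceSettingValue) {
        [pscustomobject]@{ Setting = $id; Value = $inst.choiceSettingValue.value }
        foreach ($c in $inst.choiceSettingValue.children) { Expand-SettingInstance $c }
    }
    foreach ($v in $inst.simpleSettingCollectionValue) {
        [pscustomobject]@{ Setting = $id; Value = $v.value }
    }
    foreach ($g in $inst.groupSettingCollectionValue) {
        foreach ($c in $g.children) { Expand-SettingInstance $c }
    }
}

$rows = foreach ($p in Get-AllPages "$dm/configurationPolicies") {
    foreach ($s in Get-AllPages "$dm/configurationPolicies/$($p.id)/settings") {
        Expand-SettingInstance $s.settingInstance |
            Select-Object @{ n = 'Policy'; e = { $p.name } },
                          @{ n = 'Platforms'; e = { $p.platforms } },
                          Setting, Value
    }
}

$csv = Join-Path $env:TEMP "IntuneSettingsCatalog.csv"
$rows | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Wrote $($rows.Count) setting values to $csv"
```

The Setting column holds the settingDefinitionId (for example a device_vendor_msft_... string), which is what you diff between two exports to see where two policies actually differ.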