Matt Call

@BrianGadeWI I can take a look. Some of this stuff uses different enforcement mechanisms. We might send delete but the CSP might not do a great job cleaning up.

@DeviceDeploy No, Settings Catalog

@DeviceDeploy will Intune’s shift from Get-Set-Get to Declarative Management aid in removing CSPs that are no longer applied? Example: DeviceLock CSP supports Delete but Intune doesn’t currently expose a way to send a Delete. #microsoft #intune #msintune

@BruceSaaaa You know it.

My old trusty #Surface X just got Win 11 24h2 offered 🤲🙏 @DeviceDeploy do you still use yours?

@rock_digga Check the licensing of the user who is failing to register. The event logs should also give you the failure reason. Check the MDM scope as well -> #enable-windows-automatic-enrollment" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/mem/intu…

@DeviceDeploy Hi I was in one your sessions at MMSMOA and was wondering if you have ever seen a situation where one user cannot register a device in Intune all of a sudden but the same device can be registered by another user with the same exact role assignments.

@rem_ch @IntuneSuppTeam @brookspeppin @AasawariNavathe I can ask. My perspective is that 200 keys on an object is a pretty reasonable higher limit, and it makes sense why we don’t let a device delete their keys. Sounds like devices are “over-escrowing”. Curious, how many keys are active on the device?

@IntuneSuppTeam @brookspeppin @AasawariNavathe @DeviceDeploy Are there any insights or answers to this great question? Unfortunately, the problem still persists! Cleaning up on the client side using "Remove-BitLockerKeyProtector" definitely does not solve the issue. Recovery keys in Entra are never cleaned up...

So when Intune manages BitLocker and you "suspend" BL to do let's say a BIOS update, and Intune syncs, it will add another recovery key password on the device. You can rinse and repeat and get like 12 keys. @IntuneSuppTeam tells me this is "as designed". Why? @DeviceDeploy

Thanks for having me @mmsmoa and look forward to the next time!

Come see us at this afternoon at @wpninjasummit sched.co/1i3Pl

@gwblok @echoRelay We’re in the process of completing ARM support. No date yet.

@echoRelay @DeviceDeploy Great question, my personal ARM testing hasn't touched EPM yet.

@DeviceDeploy Hey, anything you can share about EPM and arm64? We're testing hardware that it appears to be incompatible with. Thanks!

Great read…

@inthecloud_247 @SkipToEndpoint @MSIntune @MikeDanoski For sure - no argument from me there.

@DeviceDeploy @SkipToEndpoint @MSIntune @MikeDanoski Would be good to keep all in one place for people using the Endpoint Security profiles 👍

Am I overlooking this settings, or is it indeed not in one of the Intune Endpoint Security profiles? It is in the Settings Catalog. @MSIntune @DeviceDeploy @MikeDanoski any idea?

@SkipToEndpoint @inthecloud_247 @MSIntune @MikeDanoski We can certainly work to update it. Likely it was added or created after the AV profile was created.

@inthecloud_247 @MSIntune @DeviceDeploy @MikeDanoski Correct, I recently added this (and some others) to my baseline as SC policies as they're not in Endpoint Security.

@0x80070001 @NathanMcNulty @MikeDanoski @Mister_MDM @inthecloud_247 @syst_and_deploy @MMelkersen @AdamGrossTX Check to make sure your devices aren’t going in and out of the groups you use to assign scope tags.

@0x80070001 @MikeDanoski @Mister_MDM @inthecloud_247 @syst_and_deploy @NathanMcNulty @MMelkersen @AdamGrossTX Not tracking anything. Maybe @IntuneSuppTeam is…. Seen this sort of behavior in the past when someone is tinkering with RBAC… but never been able to root cause it…

@GraemeCE @NathanMcNulty @MikeDanoski has stories.

@NathanMcNulty Blame @DeviceDeploy not me

For Defender AV catch-up scans, the default for DisableCatchupFullScan and DisableCatchupQuickScan is Disable, which is a value of 1 To disable catch-up scans, we have to set the value to Enable, which is a value of 0 🫠

@GraemeCE @NathanMcNulty lol. The definitions we use come directly from the platform. We’ve tried various efforts to make them better with mixed results.

@SwiftOnSecurity The romantic language of the 21st century…

Me, texting my ex: i fumbled u like microsoft fumbled cortana

@Scott_wi_badger @abetterpc Fixed for most. Still working on a few. We will send a mail when we’re all good.

@DeviceDeploy @abetterpc Hey Matt, I am getting a permission error when trying to download the Debugging Endpoint Privilege Management and Roadmap slides.

This will be fun -> sched.co/1cK2h #MMSMOA #Intune Might need a bigger room @abetterpc :)

@acjuelich @MyNameIsMurray You’re right. I don’t love auto elevate based on reputation, but I do love reputation as a attribute to allow/deny elevation. Working on it… :)

@MyNameIsMurray @DeviceDeploy

Microsoft is so close to the solution I want: They have Defender Application Control with managed installers & reputation-based allow policies; They have Endpoint Privileged Management to handle admin rights, but last I looked that didn't allow reputation-based auto-elevate?

@abetterpc @RadissonBlu Wait, you like wine?

What a wonderful surprise to find at the end of #MMSMOA. The thoughtfulness of the @RadissonBlu MOA staff is only matched by the decency and fun of MMS attendees. You all need to know you're appreciated!

Great week, great feedback. See everyone soon #mmsmoa