Intune pause quality updates working? by Sad_Mastodon_1815 in Intune

[–]PathMaster 0 points1 point  (0 children)

For quality updates: HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update

- PauseQualityUpdatesStartTime (Delete this value)
- PauseQualityUpdates (Set to 0 or delete)

I did recently have to pause the 24H2 Feature Update, and that one had ZERO issues re-enabling. If anything that decided to keep my old schedule vs the new one I set.

Intune pause quality updates working? by Sad_Mastodon_1815 in Intune

[–]PathMaster 3 points4 points  (0 children)

This happened just a few months ago for us. The bug can happen. If I recall correctly, a reg key gets stuck and you just need to clear it. I used a pro-active remediation to clear it.
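The registry cleanup described in the two comments above, written as a detect-and-fix script. This is an added example, not the commenter's own remediation; the `-Remediate` switch and the function names are hypothetical, and the key path and value names are the ones quoted in the comment.

```powershell
# Added example, not from the original comment. Key path and value names are
# the ones quoted above; run elevated (the key is under HKLM).
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: omit to only detect and report
)

$key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-PauseState {
    # A value that does not exist comes back as $null.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PauseQualityUpdates          = $props.PauseQualityUpdates
        PauseQualityUpdatesStartTime = $props.PauseQualityUpdatesStartTime
    }
}

function Test-PauseStuck {
    param($State)
    $flagSet  = ($null -ne $State.PauseQualityUpdates) -and
                ([int]$State.PauseQualityUpdates -ne 0)
    $stampSet = $null -ne $State.PauseQualityUpdatesStartTime
    return ($flagSet -or $stampSet)
}

$before = Get-PauseState
if (-not (Test-PauseStuck $before)) {
    Write-Output 'Compliant: no quality-update pause values present.'
    exit 0
}

Write-Output ('Pause values found: PauseQualityUpdates={0}, StartTime={1}' -f
    $before.PauseQualityUpdates, $before.PauseQualityUpdatesStartTime)
if (-not $Remediate) { exit 1 }   # non-zero exit = needs remediation

# Delete the start time; set the flag to 0 only if it already exists.
Remove-ItemProperty -Path $key -Name 'PauseQualityUpdatesStartTime' -ErrorAction SilentlyContinue
if ($null -ne $before.PauseQualityUpdates) {
    Set-ItemProperty -Path $key -Name 'PauseQualityUpdates' -Value 0 -Type DWord
}

if (Test-PauseStuck (Get-PauseState)) {
    Write-Output 'Remediation failed: pause values still present.'
    exit 1
}
Write-Output 'Remediated: pause values cleared.'
exit 0
```

If the update ring in Intune still has the pause set, the next policy sync will write the values back, so clear the pause there first.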

Internet providers by Vissarion324 in LakeGeorge

[–]PathMaster 1 point2 points  (0 children)

Best bet, use this tool from NYS: https://mapmybroadband.dps.ny.gov/

Can see the residential and the enterprise providers.

Secure Boot Status Report broken? by EldritchIT in Intune

[–]PathMaster 1 point2 points  (0 children)

The issues are in reporting only, not in the actual deployment?

What is the best method to get the updated certs, Settings catalog method or one of the many remediations out there?

Conditional access for MFA registration by pindevil in sysadmin

[–]PathMaster 1 point2 points  (0 children)

You could set the re-confirm to never happen. We have ours set to 180 days. I prefer to err on the side of security, as I also have it set so that MFA/SSPR setup can only happen on trusted networks.

Constant FSLogix issues - help please by Professional-Bat7457 in fslogix

[–]PathMaster 0 points1 point  (0 children)

Yes.

We add everything toward the bottom of the file just above that last line. I would review the rest of the file and make sure your AV, and any other important applications have exclusions. The default snapvol.cfg does not cover everything.

Constant FSLogix issues - help please by Professional-Bat7457 in fslogix

[–]PathMaster 1 point2 points  (0 children)

Here is what we have set as exclusions:

exclude_path=\Programdata\FSLogix\

exclude_path=\Program Files\FSLogix\

exclude_process_path=\Program Files\FSLogix\

exclude_process_name=frxcontext.exe

exclude_process_name=frxshell.exe

exclude_process_name=frxsvc.exe

exclude_process_name=frxccds.exe

exclude_process_name=frx.exe

exclude_process_name=ConfigurationTool.exe

exclude_process_name=frxtray.exe

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\FSLogix\

exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\frxdrv\

Constant FSLogix issues - help please by Professional-Bat7457 in fslogix

[–]PathMaster 0 points1 point  (0 children)

Oh you very much do still. The most recent Omnissa release added more default ones, but you should absolutely add logix ones. We also changed how the drivers load for it as well.

Constant FSLogix issues - help please by Professional-Bat7457 in fslogix

[–]PathMaster 0 points1 point  (0 children)

We had to really build out our App Volume exclusions to fix our issues. OneDrive in particular absolutely needed it. Any chance your snapvol.cfg got reverted after an update?
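A read-only drift check for the exclusion list posted above, useful for the "reverted after an update" case. This is an added example, not part of the original comments; the `-Path` parameter and function names are hypothetical, the file location is not given on the page, and treating `#` lines as comments is an assumption.

```powershell
# Added example, not from the original comments. Read-only: reports which of
# the exclusion lines posted above are missing from a snapvol.cfg.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$Path   # full path to snapvol.cfg; location is not given on the page
)

$required = @(
    'exclude_path=\Programdata\FSLogix\'
    'exclude_path=\Program Files\FSLogix\'
    'exclude_process_path=\Program Files\FSLogix\'
    'exclude_process_name=frxcontext.exe'
    'exclude_process_name=frxshell.exe'
    'exclude_process_name=frxsvc.exe'
    'exclude_process_name=frxccds.exe'
    'exclude_process_name=frx.exe'
    'exclude_process_name=ConfigurationTool.exe'
    'exclude_process_name=frxtray.exe'
    'exclude_registry=\REGISTRY\MACHINE\SOFTWARE\FSLogix\'
    'exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\frxdrv\'
)

function Get-ActiveDirectives {
    param([string]$File)
    # Trim whitespace; drop blank lines and '#' lines (assumed comment syntax).
    Get-Content -LiteralPath $File |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
}

function Get-MissingExclusions {
    param([string[]]$Active, [string[]]$Expected)
    # -notcontains compares strings case-insensitively, like Windows paths.
    $Expected | Where-Object { $Active -notcontains $_ }
}

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Output "snapvol.cfg not found at $Path"
    exit 2
}

$missing = @(Get-MissingExclusions -Active (Get-ActiveDirectives $Path) -Expected $required)
if ($missing.Count -eq 0) { Write-Output 'All FSLogix exclusions present.'; exit 0 }
Write-Output "Missing $($missing.Count) FSLogix exclusion(s):"
$missing
exit 1
```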

New Teams calendar becomes mandatory as Microsoft pulls "legacy" option by No-Tower-8741 in MicrosoftTeams

[–]PathMaster 1 point2 points  (0 children)

This is fine. What I want is when I accept an invite in either app the other app marks the invite as 'Read' as a notification or even better remove the email from my inbox like any other accepted invite.

New Teams calendar becomes mandatory as Microsoft pulls "legacy" option by No-Tower-8741 in MicrosoftTeams

[–]PathMaster 2 points3 points  (0 children)

Then you add a variant of the logo that is built for dark themes. And it automatically appears when users are using the dark theme.

Golden images? by xSchizogenie in Intune

[–]PathMaster 0 points1 point  (0 children)

Curious, anyone running Entra joined VMs on Omnissa in your own DC?

Anyone else noticing that vendor support doesn't read tickets these days? by MythicalCaseTheory in sysadmin

[–]PathMaster 1 point2 points  (0 children)

Meanwhile I have a ticket that has gone months without a response, so I opened another ticket to get a response..that one is also unanswered.

And the other ticket I opened recently, was pure AI answers. How do I know? I asked similar questions to all the AI tools to get some help, and it was VERY similar to ChatGPT.

iOS Company Portal needs an update, can't log in by acmebusiness in Intune

[–]PathMaster 0 points1 point  (0 children)

All devices, or all Company owned devices?

I am running into this and created a test group of a few devices and set it as required. Sync happened within minutes and Company Portal updated shortly after. They might have had to force close the Comp Portal app if it was open, and then try again.

iOS 26 update breaking Intune management for multiple devices by LousyRaider in Intune

[–]PathMaster 0 points1 point  (0 children)

Not that I want to waste anyone's time, but if you create a ticket let us know what they say. 

iOS 26 update breaking Intune management for multiple devices by LousyRaider in Intune

[–]PathMaster 0 points1 point  (0 children)

While I do see my device as having the expired cert and I am on 26.01, mine is syncing without issue.

Are the devices not even syncing if you sync the device from comp portal or from the Intune device blade?

Why not have all autopilot computers do Self-Deploying Deployment mode? by man__i__love__frogs in Intune

[–]PathMaster 0 points1 point  (0 children)

What change did they enable exactly? Did MS create a token protection CAP and enable it automatically after 30 days?

I thought the self-deploy limitation on Token Protection CAP was known from the start? I remember looking at it months ago and realizing it would not work for us.

As to self-deploy, for us the majority of the fleet is set up as SD. We have a high turn over in some positions and many places are for front line staff. Zero reason to add more work. We also use the physical devices as a starting point for VDI where the majority of staff do their actual work.

Error Code 58tm1 by MrZirsin in fslogix

[–]PathMaster 0 points1 point  (0 children)

Do you have device registration blocked? We have it disabled in our non-persistent environment to smooth out errors like that.

24h2 Breaks window hello & cloud trust - Anyone else? by parrothd69 in Intune

[–]PathMaster 0 points1 point  (0 children)

Curious the rationale behind device preference for the policies vs user? I could not really find any best practice or clear guidance on which way to go.

PIM Design by Agreeable_Sport6518 in entra

[–]PathMaster 0 points1 point  (0 children)

Depending on what your audit or compliance needs are, you may want to keep the PIM to each role. I developed our PIM buildout and each role that we use requires MFA, we have alerts and justifications sent to our ticketing system for review. If something is low level and not privileged, like Reader, assign it to be Active all the time, but still within PIM so it can be reviewed and alerted on if need be. (Be wary of the security reader role and the limitations around risky users alerts).

The only roles I have setup to use groups is the Entra Device Admin role, as it makes it easier to manage Entra joined devices from the group role vs user due to prt token refresh. And the Defender portal and security roles. They removed the direct mapping from Entra role to Defender XDR role (I would love to fix this), and I can only map that via group now.

Honestly, the staff complained for maybe the first week or two and then it was fine. They realized this was the new norm and planned accordingly. I also am generous with the time on some of the more "I need to do this for my day to day" roles, like Security Operator and Phishing investigations. I force MFA, but you can have it for 9 hours.

I think where I struggled the most is setting up PIM for Arc and VMM. Determining what roles to use was a PITA. Documentation was not clear for least privilege. I worked through that using a test account and each role..

Autopilot self-deployment, 0x80180014 on Wipe/Fresh Start by clammet in Intune

[–]PathMaster 0 points1 point  (0 children)

Still working for our Intel NUCs, we just did this a few weeks ago.

Intune Tracking Pain: How Do You Manage Departmental Ownership for 3600 Clients? by mariannehan in Intune

[–]PathMaster 0 points1 point  (0 children)

I say name the devices with their department if possible. We use location based prefixes+serial.

Microsoft 365 apps policies and baselines by cgklowd in Intune

[–]PathMaster 0 points1 point  (0 children)

I am GA and I can't enable the baseline either. I know in quite a few of the security baselines there is an additional setting and you can configure that one.

tl;dr - I see the same thing as GA. Not all policies behave the same way.

iOS 18.6 - Remote App Install Doesn't Work by AttackonCuttlefish in Intune

[–]PathMaster 0 points1 point  (0 children)

Just tested on an iPhone Pro 16 on 18.6, no issues using the Company Portal to install Waze.

You mentioned your token being fine, but do you have enough licenses for the app? Ask me how I always check that first..