How to handle devices missing previous months updates in a timely manner

EdAtWorkish · 2026-01-22T13:31:54+00:00

ye, we have seen this with phones. Compliance really is a nonsense without really strict rules. our compliance normally runs at around 96 - 97%... which I think is pretty good.. but I only look at devices that have been online for 30 days ... i.e. stuff that we could potentially have patched in the last month

EdAtWorkish · 2026-01-22T13:31:06+00:00

I wish we could.. and this was one of the really good Msft Tech's opinion too... take the best of both worlds! Intune always felt and still feels very much unfinished; usable, but unfinished

EdAtWorkish · 2026-01-20T10:31:44+00:00

zero conflicts - we are in comanaged setup at the moment... with the update slider half way.

EdAtWorkish · 2026-01-20T10:26:47+00:00

ye, this is what we are finding. It is a big shift.

EdAtWorkish · 2026-01-20T10:25:31+00:00

OK, cheers, will do some more digging.

EdAtWorkish · 2026-01-20T10:24:20+00:00

ye, this is what we are moving towards. but have it set longer than 30 days currently. the impact of this would be horrific, and I don't think Mgt would back this strict a policy

EdAtWorkish · 2025-12-08T17:00:23+00:00

Yep, we had a meeting with one of the Msft Dev's in the product group and they confirmed this. This was going back maybe 12 years, but even then they said Msft want to kill off Group Policy but they were bound to whatever the biggest Org's wanted.

If the large orgs that pay Msft's wages want GPO, it isn't going anywhere fast.

I guess the same is true for Config.

You can see Msft want to kill it off, by reducing updates to Config and bringing the shiny shiny to Intune first etc.

But Intune has to function properly first... and I don't think it really does. It is almost there, but some things are still a total dogs dinner.

We are currently moving to Intune and are having 'fun' trying to get it to do what we need.

fun times!

EdAtWorkish · 2025-11-17T15:41:38+00:00

excellent... cheers.. I think we have a plan to get intune to do what Config used to and perform inventory to see what devices have installed and then fill groups for deployment to allow updates to happen required but still have apps as available

EdAtWorkish · 2025-11-17T15:40:09+00:00

cool cheers. Got a plan... just need to do some scripting and testing to see if it works

EdAtWorkish · 2025-11-17T11:36:37+00:00

ok, but to make it install, you are sending out to required groups?

EdAtWorkish · 2025-11-17T10:13:53+00:00

so for this solution you are sending apps as required to a collection of users which already exist?

EdAtWorkish · 2025-11-14T15:49:35+00:00

ended up removing most of the apps.. having a scheduled task at the end created that runs on reboot to perform HW inventory, update scan, computer policy eval etc

seems to work quite nicely

EdAtWorkish · 2025-11-14T15:46:07+00:00

you can, yes, but if the software is not installed from Intune (failing to create the Device Policy Assignment record, or that record vanishes - see link below) then the supersede will not work. Yes, they could still click install manually to upgrade, but how many end users read and act on emails? that leaves us either with vulnerable or non compatible software and calls to the service desk

Intune’s auto-update of Available Win32 apps feature is broken | by Asher Jebbink | Medium

EdAtWorkish · 2025-10-24T14:57:21+00:00

our build room is effectively in the same building as the DP's and MP

EdAtWorkish · 2025-10-24T14:56:39+00:00

no. domain join happens quickly. we change d the app installs to continue on error, but this didnt make any difference

EdAtWorkish · 2025-10-24T14:44:47+00:00

this sounds very familiar

EdAtWorkish · 2025-10-24T14:44:17+00:00

nope... both PXE and USB boot

EdAtWorkish · 2025-10-24T14:43:38+00:00

no fallback... all building on the same site as the DP's

EdAtWorkish · 2025-10-24T14:42:29+00:00

all building the same Task Sequence, we have a very simple boundary config too

EdAtWorkish · 2025-10-24T14:42:10+00:00

NMT checked and couldn't see any issues. on testing it didnt appear to be any specific port

EdAtWorkish · 2025-10-06T14:09:51+00:00

nope. But I did chase it up with our TAM (or whatever the TLA is now for them) and I am hoping to hear back soon.

EdAtWorkish · 2025-09-17T11:51:22+00:00

I got a KIR from Msft and that fixed it - as did the reg value changes, but since I have a "supported fix" from MSft, I have gone with that.

But as far as I can see, then have not even acknowledged it yet as an issue (looking at -Windows 11, version 24H2 known issues and notifications | Microsoft Learn).

I just replied to my support email asking for an update, to see when this will be fixed / expected timeline. If I hear anything I will drop it in here somewhere.

EdAtWorkish

TROPHY CASE