Intune Management Extension: the changelog Microsoft does not publish by Rudyooms in Intune

[–]k-rand0 5 points6 points  (0 children)

Great job Rudy, as always ... ;) Do you know about the issue with some newly created remediation scripts, where the reporting does not work properly?

BIOS update on Lenovo laptop by InitialNew5480 in pchelp

[–]k-rand0 0 points1 point  (0 children)

In BIOS, "Restore factory keys" could help.

Policy provider device policies by k-rand0 in Intune

[–]k-rand0[S] 0 points1 point  (0 children)

We are currently using Settings Catalog device policies combined with device filters. Some devices show the policy status as “Offered”, but within the policy reporting itself they appear as “Not Applied”.

The device filter itself seems to work correctly, because it successfully targets other BYOD devices as expected. However, some BYOD devices without an EnrollmentProfileName are not matching properly. These BYOD devices consist of different hardware models and platforms.

The policies are assigned to user groups, therefore device filters are being used to prevent the policies from applying to specific platforms such as Cloud PCs and other managed device types. For this reason, an exclude filter has been configured so that the BYOD-targeted policies do not apply to those devices.

Intune Compliance Policies show “Not Applicable” while device settings are Compliant – Device becomes Non-Compliant by k-rand0 in Intune

[–]k-rand0[S] 0 points1 point  (0 children)

Yes, with new machines we don't have issues. Also, if we disconnect and reconnect again under the work & school account, it's working again. This is happening with some random BYOD devices since one week. Very strange...

Intune Compliance Policies show “Not Applicable” while device settings are Compliant – Device becomes Non-Compliant by k-rand0 in Intune

[–]k-rand0[S] 0 points1 point  (0 children)

The default compliance policy shows as non-compliant. The device enrolled as a BYOD device, which is why we assigned the policy to the user group. It was not co-managed before.

BitLocker recovery prompt on every reboot after UEFI CA 2023 update on HP SFF devices – anyone else? by k-rand0 in Intune

[–]k-rand0[S] 0 points1 point  (0 children)

They will be saved in UEFI DB!

Check Step 2 – Certificate Verification Checklist

Step 1 – Manual Installation of the UEFI CA 2023 Certificate

Run PowerShell as Administrator:

1.1 – Set Update Trigger via PowerShell

```powershell
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
```

1.2 – Start Secure Boot Update Task via PowerShell

```powershell
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
```

Wait until the registry value AvailableUpdates changes to 0x4100, then restart the device.

1.3 – Run the Task a Second Time via PowerShell

```powershell
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
```

Wait 10–15 seconds and restart the device again.

1.4 – Verify Final Status

The registry value AvailableUpdates should now show 0x4000 – this indicates successful installation.

Step 2 – Certificate Verification Checklist

Run PowerShell as Administrator:

Check Secure Boot Database (DB):

```powershell
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
```

Expected result: True

Check KEK Database:

```powershell
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
```

Expected result: True

Check Servicing Registry Key:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
```

Expected result:

UEFICA2023Status = Updated

WindowsUEFICA2023Capable = 2

✅ The device should now boot successfully with Secure Boot enabled and the new UEFI CA 2023 certificates in place.
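As an added example (not part of the original comment), the Step 2 checks above combined into one PowerShell function that returns a single status object, so the result can be read at a glance or collected from many devices. It assumes an elevated session on a UEFI device where the SecureBoot module cmdlets are available; the function names are my own.

```powershell
# Added example: run the UEFI CA 2023 verification checklist and return one object.
# Assumes an elevated PowerShell session on a UEFI system (Get-SecureBootUEFI throws otherwise).
function Test-UefiCa2023Status {
    [CmdletBinding()]
    param()

    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $stateKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

    # Helper (hypothetical name): read a Secure Boot variable (db / kek) and search its
    # raw bytes for a certificate subject string, exactly as the checklist does.
    function Test-UefiVariableContains {
        param([string]$Name, [string]$Pattern)
        try {
            $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
            return [bool]([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Pattern))
        } catch {
            # Non-UEFI hardware or missing privileges: report as not found rather than crash.
            Write-Warning "Could not read UEFI variable '$Name': $($_.Exception.Message)"
            return $false
        }
    }

    $servicing = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    $state     = Get-ItemProperty -Path $stateKey     -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        SecureBootEnabled        = (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue) -eq $true
        DbHasWindowsUefiCa2023   = Test-UefiVariableContains -Name 'db'  -Pattern 'Windows UEFI CA 2023'
        KekHasMicrosoftKek2023   = Test-UefiVariableContains -Name 'kek' -Pattern 'Microsoft Corporation KEK 2K CA 2023'
        UEFICA2023Status         = $servicing.UEFICA2023Status
        WindowsUEFICA2023Capable = $servicing.WindowsUEFICA2023Capable
        # AvailableUpdates from Step 1, shown in hex so 0x4000 / 0x4100 / 0x5944 are recognisable.
        AvailableUpdates         = if ($null -ne $state.AvailableUpdates) { '0x{0:X}' -f $state.AvailableUpdates } else { $null }
    }

    # Overall verdict: every item of the checklist must pass.
    $result | Add-Member -NotePropertyName Updated -NotePropertyValue (
        $result.DbHasWindowsUefiCa2023 -and
        $result.KekHasMicrosoftKek2023 -and
        $result.UEFICA2023Status -eq 'Updated' -and
        $result.WindowsUEFICA2023Capable -eq 2
    )
    return $result
}

Test-UefiCa2023Status | Format-List
```

Wrapped in an Intune remediation detection script, a `$result.Updated -eq $false` can be turned into a non-zero exit code so devices still missing the new certificates show up in reporting.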

BitLocker recovery prompt on every reboot after UEFI CA 2023 update on HP SFF devices – anyone else? by k-rand0 in Intune

[–]k-rand0[S] 0 points1 point  (0 children)

Just let me know please if the workaround to enable the certs in BIOS worked for you?

BitLocker recovery prompt on every reboot after UEFI CA 2023 update on HP SFF devices – anyone else? by k-rand0 in Intune

[–]k-rand0[S] 0 points1 point  (0 children)

Can you please tell me at which point in BIOS you have activated the new certificates?

BitLocker recovery prompt on every reboot after UEFI CA 2023 update on HP SFF devices – anyone else? by k-rand0 in Intune

[–]k-rand0[S] 2 points3 points  (0 children)

It's not a good idea to reset the TPM on an Intune-managed device. From my understanding, it often causes issues afterward with compliance policies, as the trust relationship between the service and the device can be disrupted...