u/StrugglingHippo

Hallo zusammen

Wollte mal eure Meinung zum Thema 'Deloading' hören. Macht ihr das in regelmässsigen Abständen (also z.b alle 6-8 Wochen) oder nur wenn euch der Körper gewisse Signale wie fehlende Motivation, Stagnierung oder Müdigkeit gibt?

Und wie genau deloaded ihr? Ich mach den Deload so wie es mir mein App vorgibt, das sieht meistens ungefähr so aus:

- Normal: 10 Wdh, 3 Sets, 80 Kilo

- Deload: 10 Wdh, 2 Sets, 70 Kilo (ca 5 RIR)

Bin gespannt auf eure Inputs :)

Hi guys

I got two questions regarding user synchronisation in SCCM:

Does the Active Directory Group Discovery also sync users within those groups, eventhough those users are not synced in the Active Directory User Discovery? Because we only sync one OU and I found out that there are a lot of users in our Database outside of this OU and even users from Azure AD (we are hybrid) and I am wondering where those users are coming from.

How do you cleanup deleted/inactive users? As far as I know, if you delete a User in AD, it does not delete the record in SCCM. I found a Site Maintenance task named "Delete aged discovery data" and I am wondering if this task is what I am looking for. Or do you guys use another way to delete old users from the database?

Appreciate your feedback!

Hi all!

A quick overview of the current situation:

We use CoMgmt (SCCM/Intune), and the workload for endpoint configuration is set to Intune. I am using the “Microsoft Defender for Endpoint Security Baseline” there and have configured the full scan as follows:

- Scan Parameter: Full Scan

- Schedule Quick Scan Time: 120

- Schedule Scan Day: Tuesday

- Schedule Scan Time: 720 (1:00 AM / 1:00 PM)

The problem is that the scan is not running on the endpoints. When I check the event log, I see the following message at 1:00 AM:

"Microsoft Defender Antivirus scan has been stopped before completion.
Stop Reason: Scan was stopped to save battery

How can I work around this issue or force the scan to run at a later time? Would you create a custom policy under “Endpoint Security” and set the scan to “not configured” in the Security Baseline, or are there better solutions?

Thank you for your help!

Edit: Creating an Antivirus Policy under Windows Defender gives you the option to enable a catch up scan, I will try that but I am not sure if this is the real "way-to-go" when using the Security Baseline for MS Defender.

Hi all

We have an issue with Windows Hello for Business which appeared today.

We have Co-Management inplace with the following policies in Group Policy:

- Use cloud trust for on-premesis authentication -> enabled
- Use Windows Hello for Business -> enabled
- Do not start Windows Hello provisioning after sign in -> enabled

We then configure WHFB over Intune as following:

- Use Windows Hello for Business (Device) -> True
- Require Security Device -> True
- Use Certificate for On Prem Auth -> Disabled

And some settings for PIN Length and Recovery.

We do not have anything configured in the "Enrollment" Tab in Intune.

Suddenly, since yesterday, after loging in it enforces to use Windows Hello for Business and it stop working. When trying to login with Password, the message:
"Something went wrong and your PIN isn't available (Status 0x000a100, substatus 0x0)" appears. Removing the PIN does not work. The only option that does work so far is resetting the TPM and setting a new PIN.

We did not change the policy within the last year. I know that it surely isn't best practise to configure it that way, but I didn't got the time so far to change the configuration.

Does anyone have any idea what the issue is or where I could find useful information? I also checked the output from dsregcmd /status but this seems fine to me...

Edit: When checking tmp.msc, the status of the TPM seems to be fine. The Workload on SCCM is set to ConfigMgr for Device Configuration and Intune for Endpoint Protection.

This is the output from my device using dsregcmd /status:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : INTRA
           Virtual Desktop : NOT SET
               Device Name : devicename.domain.com

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : %ID%
                Thumbprint : %Thumprint%
 DeviceCertificateValidity : [ 2025-02-10 12:26:47.000 UTC -- 2035-02-10 12:56:47.000 UTC ]
            KeyContainerId : %ID%
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  NgcKeyId : {ID}
                  CanReset : NonDestructiveOnly
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {GUID} (AzureAd)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2026-05-05 05:58:07.000 UTC
      AzureAdPrtExpiryTime : 2026-05-19 07:46:49.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/id
     AcquirePrtDiagnostics : PRESENT
      Previous Prt Attempt : 2026-05-05 07:15:47.336 UTC
            Attempt Status : 0xc000023c
             User Identity : %email%
           Credential Type : NGC
            Correlation ID : %ID%
              Endpoint URI : URL
               HTTP Method :
                HTTP Error : 0x80072ee7
               HTTP status : 0
         Server Error Code :
  Server Error Description :
     RefreshPrtDiagnostics : PRESENT
      Previous Prt Attempt : 2026-05-05 05:58:08.144 UTC
            Attempt Status : 0xc000006d
             User Identity : %email%
           Credential Type : Password
            Correlation ID : %ID%
              Endpoint URI : https://login.microsoftonline.com/%ID%/oauth2/token
               HTTP Method : POST
                HTTP Error : 0x0
               HTTP status : 400
         Server Error Code : invalid_grant
  Server Error Description : AADSTS70008: The refresh token has expired due to inactivity.áThe token was issued on 2025-08-19T14:07:19.1524837Z and was inactive for 90.00:00:00. Trace ID: ID Correlation ID: ID Timestamp: 2026-05-05 05:58:08Z
             EnterprisePrt : NO
    EnterprisePrtAuthority :
                 OnPremTgt : YES
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : domain\accountname
               KeySignTest : PASSED

        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES

      Last HostName Update : NON

The error " HTTP status : 400 does not appear on all devices with the issue.

Hello everyone,

Here’s the scenario:

We have devices that are deployed via SCCM and joined to Entra using Hybrid Join. After deployment, a user typically logs in with a test account (provided by IT) to verify that everything is working properly, and the device is then enrolled in Intune.

After that, the device is rolled out, and from then on, only local users log in to the device. Now I’m wondering whether I should set the update workload on these devices to SCCM or Windows Update for Business. We generally manage device updates via WUFB, which is why that would be my preferred scenario, but I’m not sure if it works properly when only local users are working on the device?

Could someone perhaps share their experience with this? Thanks in advance!