Recent Discussions
SCCM vs Autopilot
Hi all, I hope I'm writing in the right section. I have a request, but before that let me explain the goal and what I'm looking for. In my company I went through several migrations, and I had to re-deploy machines in two ways: a USB image and joining the domain manually, or using an SCCM server via PXE mode. For the next migration I will be using Autopilot, which I'm not familiar with. The problem I'm facing is that to re-deploy a machine I had to wipe it, install an OS, start the OS at the configuration page, then press CTRL + SHIFT + D, and from another machine go to Intune and do a lot of stuff there (like machine tag, add to Autopilot, etc.), and then go back to the machine to continue the configuration. I find this very long and not practical, especially if I have a lot of machines to deploy at the same time. My question is: is there a simple way to deploy a big number of machines with Autopilot without doing all these steps I mentioned? I was thinking about deploying a USB image, then performing DSREGCMD /JOIN to add the machine to Azure, but I'm not sure if it is a good solution. Thank you in advance
69 views, 0 likes, 5 comments

Microsoft 365 - Intune Windows Autopatch
Hello, I have a Microsoft 365 Business Premium license and would like to set up Windows Autopatch. However, I'm unable to find the Windows Autopatch section under Tenant Administration. Could you please assist? Thank you in advance. Regards, Mario
17 views, 0 likes, 1 comment

Removable Media settings tattooed to device
Hello, I created a policy to block USB Removable Media in Configurations > Templates > Device Restrictions > General to block Removable storage, which successfully blocks USB access. However, removing this setting does not revert the block. I noticed the following registry key is created on the device:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]
"Deny_All"=dword:00000001
"MDMRegSet"=dword:00000001
"RebootTimeinSeconds_state"=dword:00000001
"RebootTimeinSeconds"=dword:0000012c
Is this the correct registry location for this setting? Even after manually deleting the key, USB access remains blocked. After a reboot, the registry key reappears, even though the policy is no longer assigned to the device in Intune. Can anyone confirm if this is the only registry entry involved, or if additional steps are required to fully remove the restriction? Thanks!
26 views, 0 likes, 2 comments

Windows Autopilot Pre-Provisioning (White-glove)
Hi, can anyone help with what the cause of the issue with Windows Autopilot Pre-Provisioning (White-Glove) could be? We assigned the user and grabbed the device hash, then deployed to the Autopilot group. The computer set-up process completed properly and the device resealed. However, we faced an issue when we started up the laptop: at the login OOBE screen we didn't see the assigned user appear. I used to see the login page with the user UPN already attached, just waiting for the user to enter the password only. In my case, the sign-in asks the user to enter their UPN. Are there any suggestions? Note: Windows 11 23H2 and Windows 11 24H2 show the same behaviour. Thanks, Phearin
48 views, 0 likes, 2 comments

Intune support of WearOS
We have an application we have developed for a customer which is WearOS native and does not require a paired phone/tablet to function on a Wi-Fi capable watch/wearable. This customer's corporate team requires that all network devices be managed by Intune. Is there a timeline for Intune natively supporting WearOS management? Thank you, Scott
23 views, 0 likes, 1 comment

Location services 24H2
Hello everyone, I'm having an issue with a bank accessing my location with Edge. I manage the PCs with Intune, and if I open location access to everything it works, but when I allow only Microsoft Edge to have access to my location it stops working. What am I doing wrong??? Thanks for your help. Here is my config:
81 views, 0 likes, 1 comment

Windows 11 PRO OEM on HP Devices
Hi, I have a kind of problem: our HP devices are shipped with Windows 11 Pro OEM. We have Enterprise Mobility + Security E5 licenses, which should support the upgrade process from W11 Pro to the Enterprise version, but this is not happening. Requirements: Ensure that your device is running a supported version of Windows Pro and that the user is assigned an appropriate EMS license (e.g., E3 or E5). The device must also be joined to Azure AD or hybrid Azure AD joined. The requirements are fulfilled, but still no activation after deployment using APv2. Does anyone have any ideas?
Solved. 110 views, 0 likes, 6 comments

Agents will install on 2 DCs but will not get configurations
Hello, I have 2 DCs on which, when I install the MECM agent, it installs but does not get the configuration files, and when I open the client on the machines it is missing the Configurations tab and the Actions tab only has 2 actions. Also, on the General tab of the client, the Client Certificate says "none". I know the easy answer is that this is a "boundary issue", but it is not. I have other servers in the same IP address range and they have no issue getting the client fully configured. It is not a local firewall issue, as I tried turning it off and got the same results. In the ccmsetup logs I am seeing this: "Failed to get MDM_ConfigSetting instance, 0x80041013". Can anyone please help figure out what is going on here?? Thanks in advance
51 views, 0 likes, 7 comments

Intune Certificate Connector Installation Fails at Azure AD Sign-In
I'm currently setting up the Microsoft Intune Certificate Connector for SCEP integration, and I'm stuck at the Azure AD sign-in step during installation. Issue Description: When I run the Certificate Connector installer, it launches the sign-in prompt. I enter valid Global Administrator credentials, but after signing in nothing happens; it does not proceed to the next step of the installation wizard. There are no clear errors displayed in the UI, and the installation remains stuck at the sign-in stage. Here is the image: I need to get this connector running to issue SCEP certificates via Intune, and Cisco ISE to extract Intune compliance checks. The current block at sign-in is preventing me from moving forward with the integration. Has anyone else faced the signed-in window hanging without any UI error? Thanks in advance for your help! I'd appreciate any pointers to get the connector past the Azure AD sign-in stage and successfully registered.
23 views, 0 likes, 2 comments

Preventing a data spill from a company M365 profile to a personal M365 profile on iOS
Apologies if this has been answered elsewhere, but I am struggling to understand the art of the possible here. I know that M365 iOS apps can handle multiple M365 accounts and specifically can handle a user having a work-based M365 account and a personal M365 account. My question is whether you can configure Intune to manage the accounts so that the user can't accidentally or intentionally migrate data from one account to the other. Although my iOS devices are company assets and use Intune to manage app protection policies for the corporate apps (Outlook and all the MS Office apps), some of my users would like to also be able to access their personal M365 accounts and use the same apps, specifically OneDrive and the MS Office apps. Is there a way to allow this without a user opening a file from one account and saving it, sending it, or copying/pasting it to the other account? If this is possible, could you please point me in the right direction to where I can find out more about making the appropriate app protection policies, conditional access controls and app-based critical protections? Many thanks in advance!!
33 views, 0 likes, 2 comments

Multiple accounts on one device managed by different companies
I have employees who work for multiple companies and have Microsoft 365 and Intune at each of their companies. They add their work accounts to their personal devices to access Outlook and Teams. When applying App Protection Policies, will the applications apply the policies of the organization that owns the data to that organization's data? What happens if two work accounts have App Protection Policies applied? Will one take precedence over the other? Searching around seems to indicate this was impossible before Outlook allowed more than one work account. I cannot find an answer now that multiple work accounts are permissible in Outlook and in Teams. Thanks in advance.
1.3K views, 1 like, 3 comments

Company Portal not installed (device-based install with pre-provisioning deployment)
Hello to all Intune friends here in the forum. I am slowly getting desperate regarding the installation of the Company Portal. The Company Portal is sometimes installed, but sometimes not. Thank goodness we are not yet in productive operation; we are in the testing phase. Here are a few sticking points about my project and the configuration:
- endpoints with Windows 10 Education 22H2 (at the moment 4-5 devices for testing purposes)
- devices should be hybrid joined
- Company Portal app source: Store (UWP app)
- Company Portal assignment: device group (the device group contains several sub-groups with the testing devices inside)
- Company Portal assignment is marked as necessary
- Autopilot enrollment configured (with pre-provisioning deployment)
What happened?
- started the device in pre-provisioning mode to install all apps and sealed it after finishing
- started the device and logged in as a user (with my local AD account)
- Company Portal was installed
- for additional tests I wiped the device completely
- doing it again:
- started the device in pre-provisioning mode to install all apps and sealed it after finishing
- started the device and logged in as a user (with my local AD account)
- Company Portal is not installed
- app status in the Endpoint Manager shows installed
I can't explain to myself what I've overlooked... What should I provide so that we can find the error? Thanks in advance. If you switch to the installation status for the apps in the Endpoint Manager portal, you will see that the Company Portal has been successfully installed. However, the Company Portal cannot be found on the endpoint. Translated with DeepL.com (free version)
39K views, 0 likes, 33 comments

Windows App Bulk Assignment
Hey there, is there a way to assign a large number of apps to Windows devices quickly? I've got a pretty good list of apps that have been created and tested in Intune. Now I need to assign a bunch of them to groups. I don't see any way to assign these quickly, and I'm not excited about clicking through the 20+ apps that are in this list currently. Thoughts? TIA ~DGM~
Solved. 2.9K views, 0 likes, 3 comments

Android Edge (Auto-populate account sign-in)
Android - Azure AD Multi-App Kiosk Device. Sorry for the bad image quality (policy not allowing screenshots). Trying to configure so Edge auto-populates the account with the currently logged-in user. I have tried multiple ways but am not able to get this to work. Teams will auto sign-in without any issues. Add app configuration policies for managed Android Enterprise devices - Microsoft Intune | Microsoft Learn. None of the values will work using JSON or the Configuration designer. First thing is, if you use the Configuration designer then the option Allow only Intune Accounts will fail with an error no matter what you do. This is the same for the rest. Using the variable {{userprincipalname}} for this setting will not work. Sample JSON of values tested. All will fail.
{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.emmx",
  "managedProperty": [
    { "key": "com.microsoft.intune.mam.managedbrowser.PasswordSSO", "valueBool": true },
    { "key": "com.microsoft.intune.mam.managedbrowser.enableKioskMode", "valueBool": true },
    { "key": "com.microsoft.intune.mam.managedbrowser.account.syncDisabled", "valueBool": true }
  ]
}
Policy checked on the device in Edge results in Error - Unknown Policy
4.7K views, 1 like, 16 comments

Intune ASR Device Control block removable media
Hello, I'm trying to block all USB drives (removable media) on Windows devices via Intune using ASR - Device Control settings, while allowing a few exceptions. Blocking works fine, but the exclusions or allowing don't seem to apply. I followed the steps from this video: https://www.youtube.com/watch?v=-0DD_hbIvo0 Also, when modifying the policy, I noticed the new registry values get added but old ones are not removed, so the block remains. I can't manually edit or delete the key at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Device Control`, even as a local admin. Does this require a Defender for Endpoint license, or is an Intune license alone enough? Appreciate any guidance on the best way to block USBs while allowing specific ones. Thanks
Solved. 64 views, 0 likes, 3 comments

QuickAssist Error 1002 - can we no longer run this as a non-admin user on Windows 11?
We are heavily reliant on QuickAssist to support our staff. We seem to have a permanent QuickAssist 1002 error on our Windows 11 Intune-managed devices. https://ibb.co/63XTSg7 https://ibb.co/Fq5n0ffM https://ibb.co/LDN6NTC2 Some time ago QuickAssist moved from C:\windows\system32 to C:\Program Files\WindowsApps\, which is a folder restricted to TrustedInstaller. So the app was heavily changed, probably due to it moving to the Store. I think it's this fundamental change that is causing the pain for us. Regular non-local-admin users cannot run it. It just fails out with error 1002. This was at first just affecting a few machines. It seems, however, that it now affects all. As a test I removed a load of policies from a test device just in case the Edge policy or something was affecting it. It still shows the same error. I decided to try going down the LAPS route. I set up a local admin on the device, 'lapsadmin'. When running it with that, it fails out saying Edge cannot create the files. After a lot of testing and reading up online on other users' fixes, it seems that this program will not really work correctly anymore unless it's run as an admin from a logged-in local admin account. Does anyone have any smart ways to get around this? Just to clarify:
- we cannot run as .\lapsadmin (a local admin account on the device)
- we cannot run it as a regular user
- we cannot run it unless the user logged in is a local admin (which is no good from a security perspective)
Thanks!
196 views, 3 likes, 3 comments

Contact sync between Outlook for iOS and native iOS contact app
Edit: I would like to continue this topic here: https://techcommunity.microsoft.com/t5/microsoft-intune/ios-managed-contacts-how-to-deal-with-that/m-p/1473555#M4572 Hi folks, I'm struggling with the sync between Outlook for iOS and the native Contacts app. What I've done so far: created an app protection policy for managed devices, where contact sync is allowed; created an app protection policy for unmanaged devices, where contact sync isn't allowed. This is working as expected. When the device is enrolled in Intune it's processing the managed policy and is able to activate the contact sync. Well, what bothers me is the fact that 3rd-party apps like WhatsApp are able to see these work contacts. I already read through this article: Support Tip: Enabling Outlook iOS Contact Sync with iOS12 MDM Controls. I tried to add the following to my app configuration for Outlook, but it isn't working (mentioned here: docs.ms):
com.microsoft.outlook.ContactSync.AddressAllowed > false
com.microsoft.outlook.ContactSync.BirthdayAllowed > false
When synchronising some test contacts they still contain address & birthdate. Any help understanding this problem is highly appreciated. Kind regards, Patrick
4.5K views, 1 like, 1 comment

Software Center Restart Loop
Hi, I have two devices that are stuck in a reboot loop. The computer restarts, then the restart countdown starts again over and over. The computers are running the latest Windows 11 build and they have the latest CM client (5.00.9132.1011). I have done the normal troubleshooting process like CM client repair, uninstalling the CM client and deleting the CCM and CCMSetup folders, then installing the client, and running update evaluation from the CM console and from the client. The only solution that I am left with is reinstalling the whole system, but that is something I would do only if there is no way out. Any input is appreciated
7 views, 0 likes, 0 comments

Microsoft 365 Admin App Protection
Hello, we're having an issue where the Microsoft 365 Admin / Office 365 Management app is not being App Protected, and therefore we're unable to log in based on our CA policy requiring app protection. All other apps work, and Microsoft 365 Admin shows up and is applied in the App Protection Profile, but the sign-in fails with the error below. Reviewing the sign-in logs, the login is correlated to the application "Office 365 Managment", and that application does not show in App Protection or Conditional Access.
Failure reason: Application needs to enforce Intune protection policies.
Additional Details: MFA requirement satisfied by claim in the token
Does anyone have this problem? I didn't find much on the topic and I don't know if Microsoft is aware or working to resolve the issue. The only workaround we have is to exclude the end user from the CA Policy requiring App Protection, but that weakens our security.
80 views, 1 like, 3 comments

Need BYOD configuration advice for all platforms
Hi everyone, I'm somewhat new to Intune and currently browsing through a lot of the documentation to try and provide a solution for a small business. The business wants to collaborate with several freelancers, who will be using their own devices to access company resources like SharePoint and emails. I need a way to restrict BYOD devices to only be able to sign into dedicated apps that the company has control over (can wipe remotely), but without fully joining their devices and giving the company more control than required. Scope: 25 Microsoft Business Premium users with corporate-owned computers and BYOD mobiles. 20 Microsoft Basic users with BYOD computers and mobiles. Most computers are Macs. My current solution for mobile devices is to have a mobile device policy that sets Outlook for iOS and Android to quarantine (for approval), and all other platforms to block automatically. I've also added an App Protection Policy to ensure a separate PIN is required to unlock Outlook. I haven't found a solution for restricting the SharePoint app yet. For PC, I was hoping to set up Company Portal for the devices to log into and view Outlook and SharePoint, but I can't figure out a way to restrict the BYOD user from logging into Outlook with their business email outside of Company Portal. Is there even a functionality where we can create a separate space on a personal computer with Company Portal, and only allow company data to be stored there, blocked elsewhere? I've also been trying to read up on Macs for this and might trial Jamf to see if I can place these restrictions without causing an invasion of privacy for BYOD users. Apologies if any of the above are repeated questions; please direct me to the answers if that's the case. Thanks in advance.
48 views, 0 likes, 1 comment
Recent Blogs
- One-size-fits-most guidance: Use Intune to configure your Microsoft 365 tenant with security and productivity settings. (Apr 09, 2025; 1.3K views, 1 like, 0 comments)
- By: Luke Ramsdale, Sr Security Customer Escalation Engineer | Microsoft Intune. Effectively managing feature updates for Windows devices is essential for maintaining system performance and secu... (Apr 08, 2025; 4.9K views, 3 likes, 2 comments)