Recent Discussions
Entra ID LAPS and BitLocker on Hybrid AD–Joined Devices
Hi All,

We have Hybrid AD–joined Windows devices with BitLocker managed on-prem via GPO and BitLocker recovery keys already escrowed to Microsoft Entra ID. If we enable Windows LAPS in Entra ID (cloud LAPS), will this have any impact on:
- Existing BitLocker recovery keys stored in Entra ID, or
- Current/future BitLocker configuration and escrow behavior?

Is there any dependency or interaction between Entra ID LAPS and BitLocker on hybrid devices?

Thanks in advance
Dilan

Solved

SYSTEM CENTER IMPLEMENTATION & LICENSING Guide
Dear Microsoft Community,

Our organization is planning to deploy a comprehensive IT management solution using the Microsoft System Center Suite. The goal is to streamline infrastructure operations, enhance backup and recovery, manage both virtual and physical resources, oversee endpoints, and maintain security and compliance. We need guidance regarding the number and type of licenses required, specifically Client Management Licenses (CML), Server Management Licenses (ML), and System Center Suite licenses.

System Center Configuration Manager: Trojan QGIS software false detection?
Hi,

I’m not sure where to report or ask about this alert, so I’m posting here. I use SCCM to deploy the software QGIS (an open-source GIS application) to users’ computers using .msi installers. Recently, SCCM removed my installer and reported the following alert:

System Center Endpoint Protection a détecté un programme malveillant sur un ou plusieurs ordinateurs de votre organisation
Nom de la collection : _Tous les serveurs
Nom du programme malveillant : Trojan:Win64/ScarletFlash.ASA!MTB
Nombre d'infections : 1
Heure de la dernière détection (heure UTC) : 03/12/2025 02:14:24
Voici les infections de ce programme malveillant :
Nom de l'ordinateur : xxx.xxxxxxx.xxxx
Domaine : xxxx
Heure de détection (heure UTC) : 03/12/2025 02:14:24
Chemin d'accès au fichier du programme malveillant : containerfile:_E:\Sources_Packages\QGIS\3.40.10\QGIS-OSGeo4W-3.40.10-1.msi;containerfile:_E:\Sources_Packages\QGIS\3.40.12-1\QGIS-OSGeo4W-3.40.12-1.msi;file:_E:\Sources_Packages\QGIS\3.40.10\QGIS-OSGeo4W-3.40.10-1.msi->application.cab->filD90E2F766C2B1014B0D199BDDDF46963;file:_E:\Sources_Packages\QGIS\3.40.12-1\QGIS-OSGeo4W-3.40.12-1.msi->application.cab->fil338C30DA73AC1014AF5482D1DA910BA5
Action de correction : Aucune action
État des actions : Réussi
Pour afficher d'autres informations sur l'activité des programmes malveillants dans votre organisation, exécutez le rapport des détails du programme malveillant.

I contacted the QGIS security team, who say it's probably a false detection. How can I report this to Microsoft and request an update to their detection signatures to prevent this installer from being deleted?

Sincerely,

30 views · 0 likes · 1 comment

Configuration Manager ADR for Windows Servers Not Deploying Updates
Hi everyone,

We recently deployed Configuration Manager 2503 in our environment. The environment consists of the following: 1 Primary Site Server including the Distribution Point role in the head office, 1 Distribution Point server for a field office location, and 1 Site database server. We followed some articles or links online to deploy the Software Update Point on the primary site server that includes the Distribution Point role. The SMS_WSUS_CONFIGURATION_MANAGER, SMS_WSUS_CONTROL_MANAGER, and SMS_WSUS_SYNC_MANAGER components show a green checkmark and OK status. We followed some online articles or links to also create an Automated Deployment Rule as well. Despite creating the Automated Deployment Rules, it does not seem that updates are deploying to the targeted servers that are part of a Device Collection in Configuration Manager. Please advise what we should review to remediate this issue.

Thanks.

24 views · 0 likes · 1 comment

Issues with Windows 11 Autopilot Hybrid Joined Since last Week
Hi all,

As of Thursday 4th December our Windows 11 Autopilot (Hybrid Joined) has ceased functioning. On the very first step, after the user attempts to enter their username & password, we can see the deployment profile gets downloaded to the device but then everything immediately stops with the error "Something went wrong. Confirm you are using the correct sign-in information and that your organisation uses this feature. You can try and do this again and contact your system administrator with the error code 800004005". We can see that the ODJ process never starts. And we think we're seeing errors with the device reading the deployment profile JSON locally. Has anyone else had any errors? Wondering if Microsoft have made a change somewhere or have issues.

947 views · 0 likes · 11 comments

Multi-App Kiosk not applying on Samsung A55 (Android 16)
Hello everyone,

I’m facing a critical issue with Android Enterprise Multi-App Kiosk mode on a Samsung Galaxy A55 (SM-A556B). The problem started suddenly last week without any configuration changes, and now no Android Enterprise configuration profiles apply anymore.

What happened originally
The device was running Android 15, and it had been working fine for months in Managed Home Screen (Multi-App Kiosk). Then suddenly:
- Managed Home Screen stopped showing all apps
- The device booted into MHS, but the screen was completely empty
- No policy changes were made on our side
I tried several troubleshooting steps, but nothing fixed it. Eventually, I factory-reset the device and re-enrolled it as a Corporate-Owned Dedicated Device (COBO).

Current situation after re-enrollment
Even after a clean enrollment:
- No Android Enterprise device restriction profiles apply (Multi-App Kiosk doesn’t start at all)
- The device stays in the normal Samsung launcher
- Only very basic commands work: remote restart, app install/uninstall via group assignment
- All assigned apps show as Installed
- Profile status in Intune shows Success, but nothing is actually enforced
I then upgraded the device to Android 16 (patch 2025-11-01). Unfortunately, the behavior did not change.

Current configuration
- Android Enterprise → Device Restrictions → Multi-App kiosk
- Allowed apps: Teams, Managed Home Screen, Contacts
- Managed Home Screen installed
- Enrollment type: Android Enterprise – Fully Managed / Dedicated
- No OEM kiosk (no Samsung Knox settings)
- No Work Profile on the device

Symptoms now
- Managed Home Screen never launches
- Kiosk mode is completely ignored
- Device is fully usable like a normal phone
- Only app deployments work, nothing else
- This began while still on Android 15
- Updating to 16 did NOT resolve the issue

Questions
- Has anyone seen this behavior where Android Enterprise policies stop applying entirely after MHS fails?
- Is there a known issue with Samsung A55, Android 15/16, or Managed Home Screen?
- Could this be related to a bug in the Fully Managed/Dedicated enrollment flow for the A55?
- Any recommended workarounds or known fixes?

Any guidance is appreciated — this behavior is completely blocking Kiosk deployments for us. Thanks!

57 views · 0 likes · 1 comment

Windows 11
Hello,

I am using Windows 11. A few weeks ago I received a Windows update, and after the update my Windows started asking for a BitLocker key. I didn’t use BitLocker. My computer has been stuck for almost 2 weeks and I don’t know what to do. I didn’t use BitLocker. I bought it from HP almost 2 years ago. Please help me to find a solution; without the BitLocker key I can’t access my computer. Thank you.

66 views · 0 likes · 2 comments

Win 10 Security Baseline: Issue with WHfB
Hi,

I activated the Intune Win 10 security baseline on a set of devices. I now experience an issue with WHfB. My face and fingerprint are not recognized, resp. the login process is giving an error saying that I cannot be identified. One user reports that when away from the company, WHfB works as expected, asking for face or fingerprint and, as a second factor, a PIN. I have another policy in Intune that is giving MDM policies precedence over GPO, so I cannot understand why it works for that one user when outside of the company. What settings in the MDM security baseline could possibly be the cause, resp. be responsible for broken WHfB?

118 views · 0 likes · 5 comments

How to feed a third-party intelligence feed into Microsoft Intune
We want to create a connector/integration which can connect to a third-party intelligence product and ingest that data into Microsoft Intune. Is it possible to create such a connector/integration? If yes, then how? Also, please specify if there are any other ways to achieve this use case.

50 views · 0 likes · 1 comment

Error 80190190 Entra Join Device
Yesterday we could enroll devices fine until about 10am. After that we can no longer complete an Entra join on a corporate laptop. It gives an error code of 80190190. In the logs it shows the device registers/enrolls, then shows a removal less than a minute later:

Successfully joined device using account type
Successfully deleted the device with identifier

527 views · 0 likes · 2 comments

Conditional Access Policy Not Allowing Users to Access AVD
We have an existing conditional access policy which requires a user's device to be marked as "compliant" in order to access "All Agent Resources". We are trying to deploy an AVD as an alternative to allowing users to use personal devices, but this CA policy seems to be interfering with users being able to access the AVD via Windows App. The device they're accessing from isn't "Compliant", with Intune enrollment being one of the requirements for being compliant. Again, we do not want to allow personal devices into Intune, which the MSP allowed previously. The CA policy is applied to all users EXCEPT for specific users in an exclusion group. Putting users in this exclusion group allows them to access the AVD via Windows App, but at this point they can just access all resources from their personal machine, defeating the purpose of the AVD.

Target Resources
- Include: All Resources
- Exclude: The AVD itself, Windows 365, Azure Virtual Desktop, Azure Windows VM Sign-in

Conditions
- Device Platforms: Windows, macOS
- Client apps: Browser, Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients are checked

Grant Access
- Require MFA and Require device to be marked as compliant are both checked.

Access to the AVD works in the browser but not in Windows App.

48 views · 0 likes · 1 comment

Autopilot failing while hardwired in but no issue on the Wi-Fi
We are in the process of migrating from SCCM to Intune. The issue we are facing is that when the device is hardwired in, the Autopilot process fails and says network connection lost. When the device is connected to the wireless network, it goes through the entire Autopilot process and successfully enrolls the device. Has anyone faced this issue before?

78 views · 0 likes · 1 comment

Issues with Capturing Windows 11 25H2
I have been trying to capture an updated image from vSphere 8 and SCCM. I had zero issues with 22H2 and 23H2, but now I cannot get Sysprep to pass generalizing. This error keeps coming up, but I have tried most things the great Google had to offer. Anyone else running into this issue?

70 views · 0 likes · 1 comment

Intune LAPS custom Admin account not enabled
Hello,

I have configured a policy in Intune to enable a custom admin account for an Intune Windows 11 device group, in order not to have the primary user as admin. However, the policy never creates the custom account as it says. Is there something else to check, besides enabling Intune → Endpoint security → Account protection → MyLAPSPolicy → Edit Configuration and enabling the settings in:
- Automatic Account Management Enabled
- Automatic Account Management Enable Account
- Automatic Account Management Randomize Name
- Automatic Account Management Target

Best regards
K

97 views · 0 likes · 2 comments

Device Enrollment
Hi everyone,

I need some guidance regarding a device-management scenario in my environment. We currently have Microsoft 365 Business Basic with the Intune Plan 1 add-on. All of our devices (about 150+) are Azure AD Registered, and I’m trying to determine the best method to enroll them into Intune using only our existing licenses. I’m unsure which enrollment method is most appropriate for this setup, and I haven’t been able to find a solid, recommended approach. I want to avoid unnecessary complexity and I cannot upgrade or change our licensing. I would really appreciate a well-structured explanation that covers:
- The best enrollment method for this scenario
- Why this method should be used
- Step-by-step guidance
- Pros and cons of the proposed method

Any insights from those who have handled similar situations would be extremely helpful. Thanks in advance!

56 views · 0 likes · 3 comments

Intune Connection Issues in Defender for Endpoint
We have M365 E5 across the board, which includes Defender for Endpoint P2. We're planning to enable Intune-MDE integration but are getting this warning: "A Microsoft Intune license was not found". Despite that message, I can still enable it (toggling the switch is allowed) and then the connection appears to be established? But, more importantly, when it comes to the functionality, I can't create an "Auto from connector" EDR policy from Intune, which could be due to the above glitch? The "Create from Preconfigured Policy" option is also greyed out. A custom policy also doesn't have the "Auto from connector" option to onboard devices. Has anyone seen this? Any inputs are highly appreciated!

Thank you
Kev

Solved · 255 views · 0 likes · 5 comments

Windows 11 and Office 365 Deployment Lab Kit
Hello,

I am attempting to set up the most recent version of the Windows 11 and Office 365 Deployment Lab Kit, using the following link: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-11-office-365-lab-kit However, the evaluation periods for Windows Server, SQL, and MECM are all expired once the lab is set up. When can we expect a new version with fresh eval periods?

Thanks.

107 views · 0 likes · 1 comment

MDE vs Intune Windows Device Management
I have started applying security policies for Defender for Endpoint using MDE to manage them, adding the MDE tag to my Windows 11 machines. If I am migrating to Intune management, is it necessary to offboard the devices first, before applying the auto-enroll GPO and onboarding device configuration to the machines?

132 views · 0 likes · 2 comments

Existing required application deployments policy is not sent to devices
I have a couple hundred applications in SCCM/MCM that are set to required, and whenever a new device is built, all these required applications automatically get installed. I am on 2503, and 5 days ago I started seeing this issue. But if I modify that deployment with the current date and time, then the application gets deployed right away if I run the Application Deployment Evaluation Cycle. I also tested by deleting the existing deployment and creating a new required deployment, and after running the Application Deployment Evaluation Cycle the application installs right away. The problem seems to be that the Primary server is not sending the policy to the client for existing deployments. The application compliance that we see for every deployment under Monitoring for all the devices moved to Error with Success. Not sure why this is happening. All these changes I noticed in the last week. A week ago all these Already Compliant and Success status device counts were under the Success tab. Let me know if you have any suggestions.

86 views · 0 likes · 2 comments

Applications deployed on device-based collection are missing from devices
Hey guys,

In my SCCM environment we are facing an issue. It's a co-managed environment where apps are deployed via SCCM. All of a sudden the apps deployed on a device-based collection are not reaching the end-user devices. The policies related to these apps are also not reaching the device. The compliance status for these apps also went down; even if an app is installed on the device, SCCM reports it as Non-Compliant\Error. Has anyone faced this issue or can help me to identify what could be causing it?

125 views · 0 likes · 3 comments
Recent Blogs
- Here’s a November and December capability summary of how Intune’s 2025 changes in endpoint management help securely support cross-platform and IT admin workflows. (Dec 11, 2025 · 8.1K views · 1 like · 0 comments)
- Microsoft 365 extends advanced security and AI-powered endpoint management to more customers (Dec 04, 2025 · 52K views · 11 likes · 30 comments)