Recent Discussions
Policy applied allthough it shouldn't
Hi, all of a sudden Intune chaanges its behavior. I have a policy in place that sets persistent browser session. On the device filter tab I excluded devices with this syntax: device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company" Starting last week I have to re-authenticate on a remote Desktop running Windows Server 2025 every 8 hours. Thats what the policy requires. In Entra I see in the logs for my user that this conditional access policy applied. I then extended the filter to this device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company" -or device.operatingSystem -contains "Server" But it did not make a difference. Any idea what is going? This is not specific to my tenant. On a different tenant it behaves the same way.Microsoft #IntuneForMSPs resource guide
Welcome to your home for all things #IntuneForMSPs! Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business by combining productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 with the multi-tenant management capabilities of our partners. Navigate to: Guidance and tutorials | Marketing and business development | Multi-tenant management partners | Application packaging partners | Additional resources #IntuneForMSPs community meetups Gain valuable insights from first-hand experiences with configuring and managing customer tenants. Up next: #IntuneForMSPs Community Meetup: May edition May 19, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC #IntuneForMSPs Community Meetup: June edition June 16, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC On demand: From box to business‑ready with Windows Autopilot Advanced automation and PowerShell for Intune Planning your customers' Intune migration Getting started with Microsoft #IntuneForMSPs Guidance and tutorials We hear from many MSPs that time for learning is limited. To help you ramp up quickly, we’ve pulled together ready-to-use decks, videos, and interactive demos you can follow step-by-step for the most common scenarios. A great place to begin is the checklist available by downloading Enhancing Security with Microsoft 365 Business: A Hands-on, Effective Guide. Microsoft 365 Business Premium deployment best practices Download PowerPoint decks that build on the videos listed below. They go deeper with additional guidance, context, and tips you can apply in customer environments. Identity and access controls (14.81 MB) Device enrollment (15.92 MB) Email and app protection (38.84 MB) Device security (17.89 MB) Data security (36.49 MB) Videos and demos ▶️ Achieve greater security and productivity with Microsoft Intune and Microsoft 365 - Follow along with each step of the checklist with complementary videos. Watch on one screen and follow along in your own tenant on the other. We’ll keep expanding this playlist with new content that goes beyond the checklist, so follow along on our social channels for the latest updates. 🖱️ Microsoft Intune guided demos - Learn how to configure app protection policies and Conditional Access, update Windows from the cloud, manage corporate devices, deploy and manage line of business (LOB) apps, enable Universal Print, protect corporate resources on personal-owned devices, utilize Windows Autopilot for new device delivery, and reduce update bandwidth consumption. Marketing and business development Step 1: Join Microsoft Partner programs AI Business Solutions for Partners Microsoft Security Partners Step 2: Join the Partner Skilling Hub Go to the Microsoft Partner Skilling Hub and create your free account. Select solution areas of interest. (Hint: Intune content: AI Business Solutions, Security) Explore these recommended modules: Implement with impact: Endpoint management with Microsoft Intune Implement with impact: Implement identity and access management with Microsoft Entra Step 3: Download turnkey campaign assets "Protect my devices" campaign-in-a-box (119.20 MB) Multi-tenant management partners Microsoft Intune is proud to collaborate with leading global providers of multi-tenant Intune management solutions. These companies are building innovative capabilities on top of Microsoft Intune, Microsoft Security solutions, and the broader Microsoft 365 platform. Their companion solutions empower you to: Centrally view and manage all customer tenants and action items through a unified partner dashboard. Take action across environments, leveraging Intune for device management, cloud security, and compliance. Standardize security settings, automate onboarding, and ensure policy consistency at scale-no more repetitive, manual tasks or risky policy drift. Want an introduction to multi-tenant management? ▶️ Watch this video from Jonathan Edwards. AvePoint is the global leader in data protection, unifying data security, governance, and resilience to provide a trusted foundation for AI. More than 28,000 customers rely on the AvePoint Confidence Platform to secure, govern, and rapidly recover data across multi‑cloud environments. Through AvePoint Confidence Platform: Elements Edition, AvePoint extends Microsoft Intune with secured multi‑tenant automation, lifecycle management, and centralized visibility—enabling partners to scale Intune delivery profitably and consistently across customers. With a single platform for governance, lifecycle control, and recovery, partners reduce operational overhead, prevent sprawl, and accelerate Copilot readiness. AvePoint supports a global partner ecosystem of 6,000 MSPs, VARs, and SIs, with solutions available in over 100 cloud marketplaces. CyberDrain CIPP provides MSPs with a centralized, multi-tenant management platform for Microsoft 365. It enables partners to securely manage tenants at scale, automate common administrative tasks, enforce standards across environments, and gain deep visibility into tenant security and configuration. With built-in automation, governance controls, and extensibility, CIPP reduces reliance on custom scripts and manual processes. MSPs can standardize operations, streamline user and tenant management, monitor security posture, and respond quickly to issues across all customers from a single interface. CIPP is supported by one of the largest and most active MSP communities in the Microsoft ecosystem, with thousands of partners contributing feedback, automation ideas, and best practices. As one of the most widely adopted platforms for Microsoft 365 multi-tenant management, CyberDrain CIPP continues to evolve rapidly to meet the needs of modern MSPs. inforcer empowers MSPs to standardize Microsoft 365 and Intune policies across all tenants, automate environment configuration, monitor compliance in real time, and reduce risk through policy drift detection. Its reporting and automation features free teams from manual, error-prone scripting and help deliver consistent, secure customer experiences, setting MSPs up to deliver advanced AI services to their customers. Nerdio brings deep automation and analytics to Intune, Windows 365, Azure Virtual Desktop, and the broader Microsoft cloud. MSPs benefit from multi-tenant dashboards, global policy insights, role-based access, centralized app deployment, and automatic policy versioning with rollback and drift correction. Nerdio’s tooling is designed specifically for MSPs and scales from small teams to large enterprise portfolios. SoftwareCentral Tenant Manager helps MSPs run Microsoft Intune across multiple customer tenants with consistency and control. MSP teams can standardize policies, manage applications and devices across environments, monitor configuration drift, and maintain visibility into changes across tenants from a single platform. The platform runs entirely on Microsoft Azure with region-selectable deployment for your data protection requirements. It includes CIS certified security baselines, helping MSPs deliver secure, repeatable Intune services as their customer portfolios grow, even without in-depth Intune knowledge. Application packaging partners Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era. To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption Note: These app migration services are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome. Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting. Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT. Additional resources Microsoft 365 Blog: small and medium business content Microsoft 365 Partner on LinkedIn Microsoft Intune Blog: MVP community contentApp Enforced Restrictions not working on Chrome
Hi All I hope you are well. Anyway, a strange one here. We have implemented App Enforced Restrictions on unmanaged / BYOD macOS devices. This seems to have taken effect on Edge and Safari browsers but not Chrome. Is there anything we can do to resolve this or force BYOD macOS to use Edge? Info appreciated. SK
Reporting on Device CPU and Memory
I have a requirement to produce a monthly report on all our Intune managed Windows devices and the applications they have installed. I have written a script that is able to report on UPN, Device Name, Manufacturer, Model, Serial Number, OS, Total HHD and Free space along with all the applications installed. I am however unable to output the devices CPU and Memory details. I have tried using the Get-MgBetaDeviceManagementManagedDevices with the ProcessorArchitecture and PhysicalMemoryInBytes parameters but these just report 0 or NULL. What is the best way to report on the CPU and Memory from Intune?
SCCM PXE Boot Deep Dive – Backend Flow & DP Migration
SCCM PXE Boot Deep Dive – Backend Flow & DP Migration I recently worked on a Distribution Point migration and noticed PXE requests were still routing to the old DP due to DHCP/IP helper configuration. I put together a deep dive explaining: PXE flow (DHCP and TFTP sequence) Role of Distribution Points What changes during DP migration Common failure points One key takeaway: PXE issues are almost always network and routing related, not SCCM itself. Curious how others are handling PXE in large environments. Are you standardizing on IP helpers or still using DHCP options? Full article: http://SCCM%20PXE%20Boot%20Deep%20Dive%20–%20Backend%20Flow%20&%20DP%20MigrationProtect org data on BYOD Windows / macOS devices
Hi All I hope you are well. Anyway, I have a need to protect org data on: Window personal / BYOD devices MacOS personal / BYOD devices What's the best way to achieve this? My thinking is: 1 X Conditional Access policy that blocks 1 X Conditional Access policy that allows via Edge, no persistent session, no downloads etc Device filter on both policies that target unmanaged devices Any other suggestions? SKBest approach for migrating AD joined devices to Entra ID without wiping user profiles?
We’ve seen many organizations struggle with device migration when moving from traditional Active Directory (AD) or hybrid environments to Microsoft Entra ID. The biggest challenge is avoiding user disruption especially when wiping devices causes profile loss, app reconfiguration, and downtime. In large environments, wipe-and-reload becomes difficult to scale and impacts productivity significantly. Curious to know how others are handling this: Are you still using wipe/reimage methods, or are you using alternative approaches that preserve user profiles, applications, and settings? Would love to hear practical experiences from the community.Autopilot V1 vs “Device Preparation” (V2): Great direction — but is it enterprise-ready yet?
We evaluated Autopilot v2 but decided to stay on Autopilot v1 for large‑enterprise scale. Group Tags + dynamic groups are still essential for our device naming, segmentation, and governance model. We intentionally limit apps in EAS to speed up provisioning, so EAS‑based app deployment in v2 isn’t a compelling advantage for us. v2 looks promising, but until there’s stronger parity for enterprise‑scale targeting and naming, v1 remains the better fit. Curious how others at scale are balancing provisioning speed vs. segmentation without Group Tags.Autopatch - Microsoft 365 Apps Update Rings
I’m trying to understand how the UpdateDeferredVersions registry value is updated in an Intune Autopatch scenario, specifically the version and FileTime values. Registry path: HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Updates Example value: UpdateDeferredVersions = 16.0.19725.20170:13420719560293 | 16.0.19822.20180:13421142577563 I’ve observed the following and would appreciate any clarification: When I modify deadline or deferral settings via Autopatch (policy changes), the FileTime value does not update. Is there a delay or specific trigger (e.g., policy refresh, scheduled task, CDN sync) that updates this FileTime? How exactly is this FileTime calculated? Is it tied to when the build was released, assigned, or when the policy was applied? Is there any supported way to force or influence this FileTime update? Or is this value simply tracking when the build cap was issued, with deferral logic calculated relative to that timestamp? Additionally, I’ve noticed that updates only seem to apply when the FileTime is approximately 4 days behind the current date, is this expected behavior with Autopatch deferral logic? I was able to successfully test this updating FileTime 4 days behind ((Get-Date).AddDays(-4)).ToFileTime(). Any insights into how this mechanism works under the hood (especially with Click-to-Run + Autopatch interaction) would be really helpful. Below is Autopatch group settings for Microsoft 365 update rings that we set in our environment: Test - Deferral 0 - Deadline 0 Ring 1 - Deferral 1 - Deadline 0 Ring 2 - Deferral 2 - Deadline 0 Last - Deferral 4 - Deadline 1 Thanks in advance!Intune application migration & app management
Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era. Start here Read Face the future today by moving your application to cloud native Bookmark the Microsoft Intune planning guide Navigate to: Why app migration matters | Application packaging partners | Frequently asked questions Why app packaging matters Centralizing application management in Intune can deliver operational benefits such as unified enforcement and improved security posture—while supporting broader modernization goals. Common blockers that slow cloud-native adoption include: App compatibility and dependency complexity Manual repackaging effort at scale Risk of disruption during cutover Application packaging partners To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption. Note: The app migration services listed on this page are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome. Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting. Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT. Frequently asked questions Q: Is this a Microsoft-managed service? A: No. Partner offers are provided directly by partners and subject to partner terms; Microsoft makes no guarantees regarding availability or outcomes. Q: What kinds of apps can these paths help with? A: The published focus is on helping migrations from Conifguration Manager to Intune, including complex legacy and line-of-business apps. Q: Where do I start if I’m early in planning? A: Start with the Intune Planning Guide and Migration Guide.Which Entra account are you supposed to use to connect to a managed Google Play account?
At Connect Intune account to managed Google Play account - Microsoft Intune | Microsoft Learn, it says: We recommend using the Microsoft Entra account you're signed into to create the Google Admin account. So I used my Entra account to set it up. Now, though, when I look at the Managed Google Play item in Intune under Devices > Android > Enrollment, it has my email address under "Linked account". Was I supposed to create a shared Entra account to make this connection? What happens when I leave the org?
Platform SSO "Page not found" on macOS Tahoe 26.4 — Company Portal 5.2602
Environment: macOS Tahoe 26.4 Company Portal 5.2602.0 (latest as of April 2026) Microsoft Intune — Automated Device Enrollment (ADE) Platform SSO with Secure Enclave (UserSecureEnclaveKey) SSO Extension: com.microsoft.CompanyPortalMac.ssoextension / Team ID: UBF8T346G9 URLs configured: https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net Device: MacBook Pro 14" (Apple Silicon), supervised, ADE-enrolled Issue: During Platform SSO registration, after the user authenticates successfully in the SSO registration prompt, Company Portal crashes with a "Page not found" error. The registration never completes — no WPJ certificate is created, no SSO registration key is stored in the Secure Enclave. Console logs show: CompanyPortalMac: URL(filePath:) API misuse — usingass old file path API which does not support security scoped bookmarks The error occurs specifically at the token exchange step after authentication, suggesting the Company Portal binary is calling a deprecated macOS file URL API that Tahoe 26.4 now enforces more strictly. What we tried: Full wipe and re-enrollment via ADE Removing and reinstalling Company Portal via Intune Different user accounts Verified SSO extension profile is correctly applied (confirmed via profiles show -type configuration) Verified network connectivity to Microsoft identity endpoints Tested on a clean macOS Tahoe 26.4 install — same result Expected behavior: Platform SSO registration completes, WPJ certificate is created, and SSO token is cached for seamless authentication. Actual behavior: "Page not found" after authentication in the SSO registration flow. Console shows the URL(filePath:) API misuse warning. Registration fails silently — no error surfaced to the user beyond the page not found screen. Question: Is this a known bug in Company Portal 5.2602 with macOS Tahoe 26.4? Is there a newer build or hotfix addressing the URL(filePath:) deprecation? Any workaround available? Tags: Platform SSO, macOS, Company Portal, ADE, Intune
Intune enroll on redhat 10 KDE
**intune-portal 1.2603.31 fails to authenticate on RHEL 10 KDE Plasma — Misconfiguration(0) in gtk4/actions.rs** **Environment** - OS: Red Hat Enterprise Linux 10 - Desktop: KDE Plasma (Wayland, XDG_SESSION_DESKTOP=plasma) - intune-portal: 1.2603.31-1.el10.x86_64 - microsoft-identity-broker: 3.0.1-1.el10.x86_64 - xdg-desktop-portal-kde: 6.4.5-1.el10_1.x86_64 - webkitgtk6.0: 2.50.4-2.el10_1.x86_64 **Summary** The Intune portal fails to complete authentication on KDE Plasma. The same machine, same user account, and same tenant works correctly under GNOME on the same RHEL 10 install. The only difference between the working and non-working sessions is XDG_SESSION_DESKTOP (gnome vs plasma). **Error** The portal throws the following Rust error when attempting to start a login: ``` [intune-portal/src/gtk4/actions.rs:103:29] e = Error { context: "Starting a new login", source: Misconfiguration( 0, ), } ``` The OneAuth logs show: - `No accounts found in the OneAuth account store` - `Auth params authority is empty` - `MATS device telemetry disabled` This results in a [4kv4v] error in the Microsoft auth window with Code: 0. **Additional findings during investigation** 1. On RHEL 10, the KDE portal service is named `plasma-xdg-desktop-portal-kde.service` rather than the expected `xdg-desktop-portal-kde.service`. This means it is not auto-discovered without explicitly starting it, which is a secondary issue. 2. Overriding `XDG_SESSION_DESKTOP=gnome` at launch does not resolve the Misconfiguration(0) error, suggesting the portal reads the session desktop variable at startup rather than at auth time. 3. The auth flow reaches the broker, the broker starts MSAL, but the portal fails to pass authority parameters, so the login flow never presents a credential prompt to the user. **Steps to reproduce** 1. Install intune-portal 1.2603.31 on RHEL 10 2. Log into a KDE Plasma Wayland session 3. Launch intune-portal and attempt to sign in 4. Observe Misconfiguration(0) error — no login prompt is shown 5. Log out, log into GNOME on the same machine 6. Launch intune-portal — authentication completes successfully **Expected behaviour** Authentication should work on KDE Plasma in the same way it does on GNOME. **Workaround** None found. Using GNOME is the only current option on this machine.
SSID connection using intune pushed profile kept prompting manual login
Hi, anyone encountered an issue where users connecting to an SSID with 802.1X authentication using an Intune-pushed Wi-Fi profile (with credential caching enabled) are still being prompted to enter their credentials manually? However, it works fine by configuring the network connection protocol manually. Thank you.Hybrid Azure AD joined device not enrolling into Intune
Issue A Windows device successfully registers in Entra ID (Hybrid Azure AD join) but never enrolls into Intune. Result: Device appears in Entra ID Device does not appear in Intune Intune Management Extension is not installed Device remains SCCM‑only (co‑management never starts) Log (CoManagementHandler.log): EnrollmentUrl = (null) Device is not MDM enrolled yet. All workloads are managed by SCCM. Environment Windows 10/11 Hybrid Azure AD Join On‑prem AD + MECM (Cloud Attach / Co‑management enabled) Microsoft 365 E3 (Intune license assigned) Device on corporate trusted network What I’ve done Verified Azure AD join and MDM URL Confirmed MDM user scope = All Verified Intune enrollment restrictions allow Windows Verified user has Intune license Identified Conditional Access policy targeting “Register or join devices” Updated that CA policy to Exclude → Microsoft Intune Enrollment Waited for replication and retried enrollment (deviceenroller.exe /c /AutoEnrollMDM) Question Despite excluding Microsoft Intune Enrollment, the device still does not enroll into Intune.
App Protection: Custom app vs Partner app
Is there any functional difference in using an app protection policy to manage a public partner app versus a custom application? We have an app vendor that says they wrapped their app with the SDK but it is not on the partner list so we cannot pick it from the public app list. Which leaves us with the custom app option. Is the functionality the same? Will it show up on the app protection report, work with conditional access policies, other Microsoft solutions, etc.? Thank you - JessieWebinar Cancellation
Hi everyone, The webinar “Re‑Envisioned: The New Single Device Experience in the Intune Admin Console,” originally scheduled for April 7 at 9:00 AM Pacific Time, has been cancelled at this time. We plan to reschedule the session, and when a new date is confirmed, it will be shared at http://aka.ms/securitycommunity We sincerely apologize for the inconvenience and appreciate your continued engagement with the Microsoft Security Community.
Company Portal Profile installation failed on iPhone - Status code 400
Hello, I've been managing mobile devices through InTune for almost a year. Most of our devices are iOs - I add the phone to the Apple Business Manager - wait for it to appear in InTune - then install company portal, and log my user in. This pushed out software etc to the phone. I successfully set one up on Thursday. Today I'm trying to set a new one up and I can't get the Company Portal profile to install. I get a long error, ending in Status Code 400. This error happens often, but usually if I try again, it works. Recently I thought I had discovered the issue, and have started ensuring the iPhones are updated before installing Company Portal. But nothing works with this phone. Any suggestions? Thanks in advance! Amber
Events
Save the date for May's #IntuneForMSPs Community Meetup! These community‑driven events bring together MSPs, Microsoft MVPs, and Intune experts to discuss top‑of‑mind topics shaping device management ...
Online
Policy management has evolved fast: from on‑prem Group Policy/ADMX and domain‑joined assumptions to hybrid realities and truly cloud‑native configuration at scale. Tune in as we unpack what changes (...
Online
Recent Blogs
- By: Carol Burns - Principal Product Manager | Microsoft Intune and Sucheta Gawade, Microsoft MVP (Azure & Security / Intune) Practitioner perspective from Sucheta Gawade, Microsoft MVP (Azure & Sec...May 01, 2026
- 5 MIN READApril in Intune: faster app inventory on Windows and stronger cross-platform management for Linux and Apple devices.Apr 30, 2026
