Recent Discussions
How to remove Intune policy from a device after it's pushed to the device
Hi, I pushed a standard password Intune policy to a Windows device and would like to know how to remove this policy from the device once it has already been pushed to the device. I excluded this device from the policy, and after a day or two I could see in the Intune portal that this password policy is no longer hitting the device. However, when I try to change the password, it's still hitting the password requirement that I set up before. Any advice would be appreciated.
(54 views, 0 likes, 2 comments)

Intune MDM, iOS device after a restore skips Remote Management screen
I am using Intune MDM to enrol the devices. Enrolling a new device with a Managed Apple ID works without any issues, and I can install the profile and get all the apps installed via VPP apps on the device. When restoring a device from iCloud or a local computer backup taken in iTunes, it doesn't seem to work as expected: after a restore, the device skips the remote management screen and loads into the phone welcome screen. I am taking the backup of the same device and restoring it back, keeping in mind the device was never MDM managed, therefore no management profile has been restored. We are using Managed Apple IDs so no VPP apps were downloaded, but due to the Managed Apple ID this blocks the store capability of downloading any apps from the App Store. The device was added into MDM Intune via Apple Configurator, therefore it is visible in Intune.
1 - Backup to iCloud to keep all data
2 - Wiped the device via Erase All Content and Settings
3 - Added the phone using Apple Configurator
4 - In ABM I assign the device to the MDM server
5 - Kicked in a manual sync from Intune
Once the device is visible in Intune and the profile assigned, start the setup process and select to restore from iCloud or from a backup on a computer. I expected it to restart after the restore and show the remote management screen, but it does not. The only way around this is to restore via iCloud to a different device. This is not ideal. Please let us know if you can recommend a better way of doing this, i.e. restoring the backup on the same device and getting the remote management configuration to enrol the device on MDM.
(14 views, 0 likes, 0 comments)

Access Issues due to supervised Device
Hello, we have Supervised (ADE) and user-affinity iOS devices in our company. The users can log on to their device via their Modern Auth and the whole thing is managed with Intune. As a company, we have access to Azure virtual clients (Win 11) hosted by our customers. If I now want to access this virtual Azure client via my supervised iPad and the Windows App iOS app, I receive the message: ‘Warning: incorrect configuration. The administrator wants the apps on this device to be managed via the ‘xxx’ account. [...] To access company data via the ‘yyy’ account, you must unregister your device from the company portal’. Is it possible to define exceptions in Intune so that I can log on to the virtual client with credentials other than those stored in the Company Portal? Best regards
(25 views, 0 likes, 1 comment)

File types restriction on Android OneDrive
Hi guys, I have Intune to manage Android tablets in my company and I am trying to make a policy to restrict downloading (Make available offline), but I don't know how to achieve that. I can't find anything relevant on the internet. I would really appreciate it if anyone can help me with that. Summary of the desired result: users of Android tablets can make SharePoint folders available offline, but only for specific files (pdf, docx, pptx, xlsx); other file types shouldn't be available offline because of their big size, such as (dwg, dxf, stp). Thank you in advance!
(10 views, 0 likes, 0 comments)

Android Kiosk devices not updating
In Intune we have kiosk devices running on Managed Home Screen as a kiosk launcher. System updates are set to "automatic" but the devices never receive any system updates; they are stuck at 13 even though I can update it manually to 14. We have also deployed 2 system apps (found a Reddit link) and also deployed them in the kiosk: com.sec.android.soagent and com.wssyncmldm. The devices are not on Wi-Fi. Anyone else experience this with their kiosk devices?
(11 views, 0 likes, 0 comments)

App Protection Policy Intune iOS Restrict Cut Copy Paste but allow certain third party apps only
The restriction of cut, copy and paste is chosen as Microsoft apps only. Even if we push the apps from Company Portal as managed apps, even VPP apps, the App Protection Policy is not getting applied on those apps. Apps like SAP, Concur, Salesforce, etc. are used globally and widely across many organisations; how are you overcoming these policy restrictions by MS Intune on iOS devices? We have to secure, so that no data should be moved out to any third-party apps, while at the same time we have business apps like the above mentioned to get things done.
Tried methods, not working:
- Sending the UPN as an app configuration policy using the third-party apps as well.
- Added custom bundle IDs for those apps in the App Protection Policy.
- In the App PP, under Data Protection, add apps to exempt; also tried with no results.
In our existing policy we have chosen "selected apps mode" for the App Protection Policy, and all these apps were selected as Microsoft apps, and it's working fine as expected. Cut, copy and paste will work only on those apps which we have chosen as selected apps. In all remaining apps cut, copy and paste will be blocked. Now we have a scenario of business app usage and we have deployed those via Company Portal as iOS Store apps; users downloaded them and are using them already. From app management, they show as managed apps. The requirement here is to have cut, copy and paste from Outlook and Teams to those business apps.
(75 views, 0 likes, 2 comments)

The application was not detected after installation completed successfully (0x87D1041C)
I've packaged Notepad++ with the IntuneWinAppUtil tool to deploy it with the Endpoint Manager, but I keep getting the following error message after installation: "The application was not detected after installation completed successfully (0x87D1041C)". I tried different detection rules:
Registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++\"C:\Program Files\Notepad++\uninstall.exe"
File: C:\Program Files\Notepad++\uninstall.exe
I get the same error message with both options. Does anyone have any tips to get rid of this error message?
(Solved; 122K views, 0 likes, 13 comments)

Hotspot through Windows Defender Firewall
I would like to know ALL ports and protocols, services, etc. that need to be whitelisted for hotspot to work with Windows Defender Firewall, or otherwise the baseline/recommended procedure. I have tested enabling the below so far:
Inbound/Outbound:
UDP: 67, 68, 53, 5355
TCP: 443, 80, 53
ICMPv4/v6: protocols 1/58, types and codes 0/8
Services: icssvc
I still get drop events here and there in the Windows Defender Firewall logs for ports 80/ICMP, etc. Any idea what could be the reason and what is the best way to set this up to allow hotspot access from the device?
(11 views, 0 likes, 0 comments)

Get List of Apps from single devices (PowerShell)
Hello everyone, I'm currently looking for a way to use MS Graph to run a query in Intune to determine which apps are assigned to a device. The idea is that when a device is changed, all the apps used can be made available to the user on the new device. A large proportion are of course assigned via groups, but there are also many company-specific applications that cannot be assigned in this way. The most promising post so far has been the following article, "https://practical365.com/using-powershell-to-install-apps-on-endpoints/", but this initially records all apps and then sorts them to the devices. Does anyone have an alternative to this? Many thanks in advance for any tips and advice.
(54 views, 0 likes, 1 comment)

Best Practices for Managing Autopilot Profiles Across Multiple Locations
Hello everyone, I have a question, and I’d like to get your thoughts on it. In a scenario where an organization manages Hybrid Join devices using Autopilot, distributed across different locations, each with its own Autopilot profile, how do you prefer to manage groups and profile assignments? The options I’m considering are:
Option 1: Using a single dynamic group (e.g., “All Autopilot Devices”), with a query like:
(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
to include all corporate devices, and then assigning profiles using Scope Tags.
Option 2: Creating multiple dynamic groups, one for each location (e.g., “Location 1 Autopilot Devices,” “Location 2 Autopilot Devices,” etc.), with queries like:
(device.devicePhysicalIds -any (_ -eq "[OrderID]: Location 1"))
and then assigning the respective Autopilot profile to each dynamic group.
What’s your approach, and what advantages/disadvantages have you encountered? Thank you to anyone willing to share their experience!
(61 views, 0 likes, 4 comments)

Existing devices to be autopiloted
I would like to Autopilot the existing Windows 10 devices that were removed from Intune for testing. If I wipe the device and have the HWID added to the enrollment profile, would that be sufficient? I am not seeing that it is downloading all the apps, and it is showing as waiting to install. What is the best method or process to do this?
(25 views, 0 likes, 1 comment)

All DDR Properties should be available to view on Column select
Every property you see in the DDR should be available to view as a column, IMO. For example, the Creation Date (UTC) property in the DDR is not available to be shown as a column. There are others, but let's start with this one. There are so many other column choices that are far less important than date stamps. Agree? Disagree?
(33 views, 0 likes, 3 comments)

BitLocker Recovery Key Sync Issue in Intune
Hello All, we’ve configured BitLocker settings in Intune using a device configuration profile in a hybrid environment. While it was previously working fine, for the past two weeks devices assigned to the BitLocker policy are encrypting successfully, but the recovery keys are not syncing to Intune/Entra. Below are the relevant event logs from the affected devices:
- Event ID: 846 - Failed to backup Bitlocker Drive Encryption recovery information for volume C: to your Azure AD. - TraceId: (xxxx) - Error: JSON value not found.
- Event ID: 875 - Server reported a failure while attempting to retrieve recovery password information from AAD. - Error: Unknown HResult Error code: 0x80190000 - HTTP Status Code: 0 - RetryRequest: false - DidSetRetryHint: false - RetryHintSeconds: 0
- Event ID: 868 - Failed while attempting to get Bitlocker Drive Encryption recovery information from Azure AD. - Error Code: Unauthorized (401)
If anyone has encountered similar issues, your guidance on troubleshooting would be greatly appreciated. Thanks,
(52 views, 0 likes, 2 comments)

Manipulating the registry via Intune push
Our goal is simple: manipulate the registry as part of application deployment or a PowerShell script. Use case: when we install our VPN client, there are a raft of registry updates that need to be made to configure it for use in our environment. The easiest way of doing this is simply by importing a .reg file we've created. The problem that I just can't seem to overcome is how to import a .reg file using PowerShell as part of an Intune deployment. For testing purposes, I've created a simple test registry file and I'd ideally like to use a PS script that simply has the command "reg.exe import .\1Test.reg" in it. The command runs perfectly from the CLI, but when I try pushing it as part of a Win32 app, it fails. When I build in other diagnostic steps, everything in the script runs perfectly except for the actual import. I've tried using the script to create a temporary directory, copy the files to it, set it as the working directory, and import from there in case there were path issues. Everything works perfectly all the way up to the actual import, which never works. I've tried using "regedit.exe /silent" as well as "reg.exe" and I've spun it off as a separate process; nothing seems to work. I think it needs to run in the user instead of the system context, so I've tried both of those. I'm currently at a 100% failure rate in my ability to figure this out and I'm hoping that someone out there in the community has dealt with this and knows the incredibly simple secret and can demystify it for me. Thanks in advance for your help!
(140K views, 0 likes, 11 comments)

[New Blog Post] Selective Wipe Corporate Data on unmanaged devices (iOS/iPadOS and Android)
1. Introduction
This blog aims to detail Mobile Application Management for unmanaged iOS/iPadOS devices and unmanaged Android devices. It is intended to demonstrate how to utilize selective wipe of corporate data. When a device is stolen or lost, or an employee leaves the company, you want to be sure there is no corporate data left on the device. This can be achieved by performing a selective wipe. After the selective wipe is requested, the corporate data will be removed from the app the next time the app is started. This guide will touch on three aspects, as follows:
- Conditional Launch
- Device based wipe request (stolen/lost device)
- User based wipe request (employee leaves the company)
2. How to initiate a wipe
There are two ways to initiate a selective wipe. The selective wipe can be performed as part of the Conditional Launch in the App protection policy, or by manually initiating a wipe request (device based wipe and user based wipe).
2.1. Conditional launch
When you configure an app protection policy a selective wipe will be configured. This is part of the conditional launch. One of the default settings is “Offline grace period -> 180 days”. After 180 days offline you need to reconnect to the network and successfully authenticate. If the user successfully authenticates nothing will happen, but if the user fails, a selective wipe will be performed.
2.2. Manually initiate a wipe request
There are two ways to manually initiate a wipe request: a device based wipe request and a user based wipe request. To initiate a wipe, select in the MEM admin center “Apps” -> “App selective wipe”. At the top of the App selective wipe blade, you can select “Wipe request” (device based wipe) or “User-Level Wipe” (user based wipe).
2.2.1. Device based wipe request
With a device based wipe request a wipe can be initiated for each user device registered with an app protection policy. If a user has lost the device and a new device is in use, then a device based wipe can be used to only wipe the previous device.
1. Press the button “Create wipe request” at the top of the page.
2. Press “Select user” to select the user whose device you want to wipe. After the user has been selected, the devices belonging to the user will be displayed. Select the device you want to wipe and press “Create”.
3. The wipe request will be sent to the device to remove corporate data from applications protected with an app protection policy. You will return to the App selective wipe blade, where you can monitor the removal process for the user. Pending requests can be deleted by right-clicking the request and selecting “Delete wipe request”.
4. After successfully performing a wipe, the device will be removed from the device overview that was displayed in step 2.
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request has been made.
2.2.2. User based wipe request
When performing a user-based wipe request, a wipe request will be sent to all apps on all the devices. You may want to perform this wipe when a user leaves the company and you want to be sure that all data is removed from all devices associated with the user.
1. In the App selective wipe page select “User-level wipe” and press “Add” to select the user for which you want to perform a user-level wipe.
2. Now that the user has been selected, wipe requests will be sent to all the devices of the user. As long as the user is on the list, the user will continue to get wipe commands at every check-in from all devices. To allow sign-in on a device you first need to remove the user from the list.
3. The wipe action can be monitored using the User report (“Apps” -> “Monitor” -> “Reports”).
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.
Author: Shady Khorshed is a Microsoft enthusiast. He loves writing on iOS/Android, Windows 11, Windows 365 and related Microsoft Intune topics. He is here to share quick tips and tricks for all young professionals.
(5.3K views, 2 likes, 5 comments)

Weird issue accessing netlogon
Got a bit of a weird issue here. We have just started using AAD machines via Autopilot & Intune and are doing testing on them accessing resources on our current on-prem domain. Got things sorted so they can access file shares and DFS namespace shares perfectly fine and that's all going through, but we're having intermittent issues with netlogon. There seems to be no pattern, but when trying to hit \\domain\netlogon that will work, while trying \\domain.fqdn.gov.uk\netlogon won't work. However, without doing anything, trying again a little while later it will be the opposite way around: it can access on the full FQDN but not the short name, and then to make it worse, sometimes both work at the same time. Different devices have been tried, and I had 2 side by side where one could access short but not FQDN and the other could access FQDN but not short. At the same time, if I try to access any server shares on either short name or FQDN then those are fine; it seems to just be issues with netlogon on the domain. At all times I can open \\domain & \\domain.fqdn.gov.uk and the folder list of sysvol and netlogon both appear, but it's just guesswork which one is going to work. This happens the same on both our internal network and when connected via Cisco AnyConnect VPN back into our network. Hopefully someone has come across a similar issue and fixed it! Thanks if you have managed to read this far :)
(54 views, 0 likes, 6 comments)

How to block users from downloading files in the Teams or Outlook app on a Windows desktop?
I am only seeing Edge as something to configure in the application protection policy, but I need a way to block downloading/copy/paste/print when using the fully installed Teams/Outlook application. Does anything exist for Windows devices enrolled with Intune?
(53 views, 0 likes, 4 comments)
Recent Blogs
- You want to PXE Boot? Don't use DHCP Options. (Dec 04, 2024; 345K views, 34 likes, 33 comments)