Latest Discussions
How to Get Started with Intune: SOE Deployment, CIS Compliance, and Device Upgrades
We are planning to use Intune as our endpoint management tool and need guidance to get started. Our environment consists of:
- Windows 10/Windows 11 Professional devices
- Some Windows 10 Home Edition devices
- macOS devices

Questions:
- Where should we begin? My initial plan is to upgrade the Windows 10 Home devices to Windows 11 Professional.
- How can we deploy a Standard Operating Environment (SOE) using Intune?
- We need to comply with CIS benchmarks. Considering the numerous configurations required, configuring everything manually via device profiles seems time-consuming. Is it possible to use a pre-configured image and deploy it through Intune?

Your guidance and suggestions will be greatly appreciated!

madurangac91 | Jan 23, 2025 | Copper Contributor | 24 Views | 0 likes | 1 Comment

Twice profile installation - Apple ADE / company portal
Hi all experts :-) I've set up Intune for ADE enrollment for our macOS devices.
- user-affinity
- modern authentication

During the startup process the device shows that it belongs to our company. The user has to log in with the Microsoft account. --> the profile is installed on the device. After starting up, the Mac can be used. Now a user wants to install apps via Company Portal. The user opens Company Portal and has to download and install a profile. This results in an error during installation. I think because the profile which was installed during startup already exists. What have I done wrong?

theunknown | Jan 23, 2025 | Brass Contributor | 18 Views | 0 likes | 0 Comments

Intune - Multi-App Kiosk Mode Android - Managed Home Screen - How to Toggle Between Open Apps?
Hi there, We use Intune - Multi-App Kiosk Mode for Android - Managed Home Screen quite a bit. However, we'd like to be able to see open Apps and switch between them like you can on a standard Android phone (using the 3 vertical lines icon). I can't find an equivalent function in Managed Home Screen. Any ideas? Ta, Ian Hearnes

Solved | Ian_Hearnes | Jan 23, 2025 | Copper Contributor | 35 Views | 0 likes | 2 Comments

New iPad - "Invalid profile" Apple Business manager using Enrollment program tokens
Hello, I have recently created an Apple Business Manager account, purchased iPads through the Apple Business Store which linked directly into Devices under business.apple.com devices. I have configured MDM server (Intune) successfully via the Apple Business Manager. Everything seems to be Synced. For example, if I go to Intune, Enroll devices, Enrollment program tokens, I can see the new iPads in "ready to enroll". I've created a Profile and assigned it to the iPads. The state is "Not Contacted" but I figure that's normal until the enrolment is done? I tried enrolling just a single iPad to start with and I'm hitting Invalid Profile (see screenshot). Not sure what I've done wrong. Appreciate some help. Thanks

glennsfield | Jan 22, 2025 | Copper Contributor | 33K Views | 0 likes | 15 Comments

Intune bulk enrollment issue with package
Hello, We are encountering an issue while trying to enroll a device in Microsoft Intune within a Windows 10/11 workgroup environment. Using Windows Configuration Designer, we created a provisioning package for device enrollment. However, after executing the package on the device, we observe the following error in the Event Viewer under: Applications and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin:

MDM ConfigurationManager: Command failure status. Configuration Source ID: (fb5b5ed2-b681-475c-bb21-c31762a5953d), Enrollment Name: (Provisioning), Provider Name: (AADJ), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/AADJ/BPRT), Result: (Unknown Win32 Error code: 0xcaa2000c).

Additionally, when reviewing the Entra Audit logs, we notice that the device gets registered but is immediately unregistered. Could someone help us identify the root cause of this issue or suggest steps to resolve it? Thank you

drivesafely | Jan 22, 2025 | Brass Contributor | 97 Views | 1 like | 3 Comments

Dynamic device group from InTune user groups
We've onboarded a number of users into InTune, and we're all new to it. Previously, they were on MaaS360, which had both device groups and user groups, and you could assign to either individually. A bit shocked InTune can only assign down to the group level. (I know Filters exist, but these only filter by Devices, and take longer than just creating a new group)... Anyway, trying to rebuild things as closely to MaaS as possible. For onboarding, we created user groups, so when a user enrolled, they would automatically get the right policies. We couldn't create a device group until the devices were enrolled AND logged in, and showing in Entra. However, the tenant actually wants the groups to be by DEVICE for various reasons (replacing people, for example). So I have two questions - Is there a way to dynamically generate the device groups, based off each user's group association? Also, since devices can't be grouped without an associated Entra ID (either dynamically or manually), if a user leaves/signs out, will that device automatically lose all its group associations? If there is another way to get the structure the tenant wants, I'm all ears. But essentially, the devices have different hardware, and they want their department to be tracked even if they have no user.

underQualifried | Jan 21, 2025 | Copper Contributor | 67 Views | 0 likes | 2 Comments

Intune Dynamic group by Device IP
I know it is not possible, but maybe there is an alternative view of this. We want to group devices by their IP, because it is the way we are doing it now with Configuration Manager and it's our unequivocal way of locating equipment. Thanks!

Peperoni | Jan 21, 2025 | Copper Contributor | 11 Views | 0 likes | 1 Comment

Intune/Defender Firewall Policies
Coming from an environment where the Windows Firewall had been disabled, and having seen the light, we finally got approval to enable the firewall, but I am hitting a learning curve with Intune behaviors; I have a device where the firewall is enabled, and I get an admin prompt for an app that wants access. I cancel the admin prompt and do a little digging on what app wants access, and to what etc. and then create the policy to allow traffic inside of Intune. I thought the policies were not applying, but after poking around, I found that they are applied and listed under Monitoring > Firewall instead of the normal Inbound or Outbound Rules sections. However, because I canceled the admin prompt to allow the traffic, it automatically created a Block policy on the Inbound Rules section. Inside of Monitoring > Firewall I can see both the Block policy from the Inbound Rules, but also the Allow policy from Intune.

Question: Is there a way to use the cloud Intune/Defender policy to wipe out the Block on the Inbound Rules section? Or do I need to make a remediation script to clean these up? Or is there some other 'best practice' way to clean up the unintended blocks from the local policy?

Solved | CaedenV | Jan 21, 2025 | Copper Contributor | 18 Views | 0 likes | 1 Comment

App assignment bug?
I am in the middle of deploying a new software package out to user groups and ran into a weird issue where an older version of the app re-installed over the updated version. Haven't seen this behavior before and just wanted to verify if this is a new behavior that is expected, or if this is a bug of some sort?

App v1:
- Required for all machines
- Available to all users
- Has been required for ~1 year without changes to the package

App v2:
- Set to supersede v1
- Deadline to a machine test group (available immediately, deadline in 2 days)
- Available to a couple user test groups

I had made the app available to my own user account and installed v2 last week for an initial test. After adding the deadline for the machine group my laptop is a part of, and running a sync an hour later, the v1 package re-installed over the v2 package. Detection still showed v2 as being installed in spite of v1 having over-written it, but I think that is because of my detection method. We are letting this particular app auto-update going forward, and the MSI is expected to change periodically, so MSI detection wouldn't work (learned that lesson w/ another app last year). Because the detection rules are set to look at the exe (same name as the old one), and a custom reg key (so we know we pushed it with our customizations and not a random internet download), it makes sense that Intune still thought v2 was installed after v1 over-wrote it. Just weird that v1 even wanted to re-install in the first place.

As a work-around: On the v1 package I set exclusions for the test groups assigned to v2, and it isn't reverting again. I don't use the supersedence feature often, but in the past the superseding version has always fully removed processing of the old version. Wasn't sure if this is a new expected behavior when processing app deployments where old 'required' versions take precedence over new 'available' versions? It didn't revert me when I made it available to my user acct last week and I installed the v2 package, and seems to have processed something wrong after setting the machine deadline for a couple days out. Is it good practice to set exclusions to old versions for test groups of new versions anyways?

CaedenV | Jan 21, 2025 | Copper Contributor | 9 Views | 0 likes | 0 Comments

[iOS] can you use a mix of VPP-enabled apps and regular apps?
I'll be straightforward, I find the InTune documentation particularly terrible. It did not help that we had to deploy hastily, but still. Bad.. We brought a number of iOS devices into InTune using an ABM token and enrollment profiles. Unfortunately, after the first enrollment, no other devices would actually get the InTune application. So we changed things up to use VPP-enabled apps, since they are managed devices. (the domain capture occurred essentially after the first enrollment (not by choice), and I'm assuming Managed Device's dubious ability to download their own apps contributed to this)... Anyway, it seems like a number of functionalities don't work with VPP apps. Policy sets, App provisioning/protection (as far as I can tell)... So I'm wondering if it's possible to use regular, App-store apps (without adding them in ABM)? I've read conflicting things on whether being apple-managed prevents App Store downloads, so hoping someone has experience.

If this is an easy answer, I'll ask another: Does anyone understand the "OutOfDate" error that sometimes pops for iOS update policies? SOMETIMES, it comes with an error code that I've found referenced in the Graph InTune API reference - either "Installing" or "Downloading" - but they've been stuck for days, so it's not really clear what's going on. "OutOfDate" implies to me that when the device checked in last, the update didn't apply because of my Update timerange.... But I have devices that were both in and out of the timerange.

underQualifried | Jan 21, 2025 | Copper Contributor | 5 Views | 0 likes | 0 Comments