Latest Discussions
IOS Device Registration Issue - Duplicate Devices
After configuring a Conditional Access Policy to require compliant devices, I noticed that users' iOS devices were failing the compliance check. Further investigation showed the devices as listed in Intune were compliant, but when looking in Azure AD, the user would have (2) devices: one compliant and Intune managed and one not compliant. The Azure AD Device ID in Intune corresponded to the compliant Intune managed device listed in Azure AD as expected. The sign-in logs indicated the device (Device ID) failing the compliance check in the conditional access policy was the non-Intune managed device that was showing as not compliant in Azure AD. Devices are personally owned, BYOD. We were using an Account Driven User Enrollment policy. Device enrollment into Intune seemed to be successful without any errors indicated. Devices were receiving the required apps upon enrollment. I've successfully reproduced the issue numerous times using a test device and test account. After enrolling into Intune, there is only 1 device, non-MDM managed, in Azure AD (the device does show in Intune as compliant). Upon signing into the Company Portal app, the 2nd Intune managed device shows up in the Azure AD list. However, the device doesn't pass the conditional access policy when utilizing apps such as Outlook; the conditional access sign-in logs indicate the policy failed due to a non-compliant device. The Device ID indicated corresponds with the non-MDM managed device in Azure AD. Switching to user enrollment with Company Portal, and utilizing the Company Portal app to enroll, everything works, and I only end up with 1 device in Azure AD. I'm going crazy trying to resolve this. The account driven enrollment was a few clicks easier for my very non-technical user base. Any insight or thoughts would be appreciated!
I've got 100 devices enrolled, and I'm really not looking forward to having to re-enroll them all.
mwalkertx320, Jan 16, 2025, Copper Contributor
help with remediation
Hi, I'm trying to create detection and remediation scripts for Intune to detect the presence of a template in the user's Word startup folder.

**My detection is as follows**

```powershell
# Note: $env:USERNAME is the account the script runs as. Under Intune's default
# system context that is not the signed-in user, so the script package must be
# set to run in the logged-on user's context for this path to resolve.
$path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm"
if (Test-Path $path) {
    Write-Output "File exists: $path"
    exit 1  # Issue detected: Intune runs the remediation script
} else {
    Write-Output "File not found: $path"
    exit 0  # No issue: nothing to remediate
}
```

**My remediation**

```powershell
# Same path as the detection script; same user-context caveat applies.
$path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm"
if (Test-Path $path) {
    Remove-Item -Path $path -Force
}
```

It seems like the detection works as the detection status is "without issues", but the remediation doesn't run. Any advice on how to correct this is very much welcomed.
monkeybradders, Jan 16, 2025, Copper Contributor
Conditional Access Policy Loop with Edge on BYOD Devices – Need Help!
Hello Tech Community, I’m facing an issue with an Azure AD Conditional Access Policy that seems to be causing a loop when users access Office 365 resources using Microsoft Edge on Windows 11 24H2 BYOD devices. Here’s the scenario:
Problem: The policy is titled "Require App Protection Policy for Edge on Windows for All Users when Browser and Non-Compliant-v1.0" and continuously prompts users to switch profiles in Edge. These devices are BYOD and intentionally excluded from full Intune management (non-compliant by design). However, Edge repeatedly requests authentication or profile switching, creating a frustrating experience.
Policy Details:
- Applies to: Windows devices using browsers (primarily Edge).
- Excludes: Compliant devices or those with trustType = ServerAD.
- Includes: Office 365 applications.
- Excludes Groups: Certain groups that should bypass the policy.
What I’ve Tried:
- Verified device compliance status in Azure AD and Intune.
- Checked Azure AD Sign-In Logs for errors or repetitive authentications.
- Cleared Edge browser cache and cookies.
- Ensured Edge is configured to use Windows sign-in information.
- Adjusted the App Protection Policy settings for Edge.
Questions:
- Could this be an issue with how Edge handles profile authentication in Conditional Access scenarios?
- How can I ensure that BYOD devices remain excluded from full Intune management but still work seamlessly with this policy?
- Are there specific adjustments I can make to the Conditional Access or App Protection Policy to avoid these loops?
Additional Context: My goal is to secure access using App Protection Policies (MAM) for BYOD scenarios without requiring full device enrollment in Intune. Any insights, suggestions, or similar experiences would be greatly appreciated! Thank you in advance for your help!
Abdullah_Ollivierre, Jan 16, 2025, Copper Contributor
Windows Update Rings
Suddenly stopped working after 50% of the devices got updated and the remaining 50% did not get updates for December 2024. Even a manual update errors out. Finally, they are saying that the system certificate registry key could be corrupted and to import that from a good computer and update it. I did that on one build of Windows 11 and it works, but for another build it does not work. This is the reg key they are talking about: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates. But I see that this key is in the Wow64 location also. So, I am not sure whether I should update this on the device where it does not work. Has anyone run into such issues with the December 2024 updates?
oryxway, Jan 16, 2025, Iron Contributor
Re-Installing Native apps removed via intune
Hi All, I have ~30 phones set up with device management in our environment. When these phones were originally set up, their profile was set up to remove a number of native apps. This was accomplished through blocking the app bundle IDs of these apps as shown below: Obviously this configuration caused issues and we've removed it, but although the configuration was removed and we've synced the phones countless times, these native apps are not reinstalling. Is there a way to push native apps back out via Intune?
softwaretough, Jan 16, 2025, Copper Contributor
Blocking Bluetooth file transfer
We have created a policy to block Bluetooth file transfer. The policy was created through Attack surface reduction -> Device Control.
1. This seems to "dim" the option to add a Bluetooth device in Windows, which is not what is needed. Only file transfer is to be blocked. How can this be achieved?
2. In Allow Bluetooth, you get the following description: "Allows the user to enable Bluetooth or restrict access. Note: This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0." There is another option, "Reserved". There is no documentation for this option. Any idea?
AhmedSHMK, Jan 16, 2025, Brass Contributor
Hotspot through Windows Defender Firewall
I would like to know ALL ports, protocols, services, etc. that need to be whitelisted for hotspot to work with Windows Defender Firewall, or otherwise the baseline/recommended procedure. I have tested enabling the below so far:
Inbound/Outbound:
- UDP: 67, 68, 53, 5355
- TCP: 443, 80, 53
- ICMPv4/v6: protocols 1/58, types and codes 0/8
- Services: icssvc
I still get drop events here and there in the Windows Defender Firewall logs for ports 80/ICMP, etc. Any idea what could be the reason and what is the best way to set this up to allow hotspot access from the device?
AhmedSHMK, Jan 16, 2025, Brass Contributor
Ubuntu 24.04 LTS + Entra ID Authentication + Intune Enrollment
Hi Community, I want to combine in Ubuntu 24.04 LTS the new user authentication with Entra ID along with enrollment in Intune using the new version of the Intune portal. The goal is that the user can log in to Ubuntu with the local user created during the device authentication process and then be able to enroll in Intune and sign in to the portal whenever they wish. During my tests, I have seen that if you install the necessary components for authentication with Entra ID, along with Microsoft Edge and the Intune Company Portal using the Ubuntu installation user, and then authenticate with the Entra ID user after the device authentication process, you get this error when you try to enroll using the Company Portal: Continuing with my tests, I have seen that if you start Microsoft Edge you can save a default keyring with a password. This security feature is specific to GNOME as far as I have read. With this keyring, it will be possible to enroll the device in Intune later. When starting the Company Portal, the default keyring password is requested, and after entering it, enrollment can be completed. From then on, the user can sign in to the portal as long as they enter that password. However, the generation of this default keyring is a process that we do not want to leave in the hands of the user. The goal is to deliver the device to the user with all the necessary software, so that once they have authenticated the device with Entra ID, they can open the Company Portal and enroll in Intune. Does anyone know if there is a way to avoid using such keyrings in a scenario like this? On a machine with only Ubuntu and Edge, it is possible to make this process transparent by disabling user autologin or setting an empty password for this keyring, but in the scenario of Ubuntu + Entra ID + Intune, I can't manage it. Thanks for your help and I wish you a great 2025.
Aguinaco, Jan 16, 2025, Copper Contributor