Recent Discussions
MGP Keep apps on certain version
Hi All I hope you are well. Anyway, a wee urgent one here. Is there any way to keep apps from the Managed Google Play to a certain version number? Apparently, the latest version of one of our apps is flawed. This is an app that is available publicly and not an LOB / APK etc. Info appreciated. Stuart
Device shows twice in Intune and Entra after upgrade, still not activating Enterprise
Hi everyone — I'm looking for advice on a device we're trying to onboard into Intune with proper licensing and Entra join. Background: I have a user whose device was: Originally on Windows 11 Home Manually upgraded to Pro using a generic key (unactivated) Then upgraded to Enterprise using a generic key Factory reset in an attempt to trigger proper OOBE and Entra join Current Problem: Now, we have two device records for the same machine in both Entra ID and Intune: One device is marked Entra registered (personal), showing Windows Pro The other is Entra joined (corporate), showing Windows Enterprise but still not activated (0xC004C003) The user is correctly signed in with their work account Device did not trigger the expected work/school OOBE flow Subscription activation is not completing What I've Tried: Factory reset and cleanup using slmgr /upk and systemreset -cleanpc E5 license is properly assigned Verified login during OOBE is using the correct organizational account Device shows as compliant and managed in Intune But Windows remains unactivated on Enterprise What I'm Wondering: Could the duplicate records (personal and corporate) be interfering with activation? Should I delete both and start fresh? Is there a better way to force clean OOBE + Entra join when recovering a Home device? Should I stop using generic product keys and let subscription activation take over? Any insight would be hugely appreciated — I'm in the middle of deploying Intune across 75 devices by the end of August. Thanks in advance!
Error running on-premises Intune Connector for Active Directory (ODJ Connector).
Hi, I trying add AAD joined devices hybrid at my AD DS local whit Autopilot. I downloaded the ODJConnectorBootstrapper.exe file from the Microsoft Endpoint Manager > Devices > Enroll devices portal, the installation was successful, but after trying to sign in, an error occurred in the log file (C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorUI\ODJConnectorUI. log) and also in the Event Viewer (Application and Servecies Logs > ODJ Connector Service) .. Event Viewer: { "Metric":{ "Dimensions":{ "InstanceId":"746F3603-6956-42CF-B6B0-A9673088C5F0", "DiagnosticCode":"0x0FFFFFFF", "DiagnosticText":"We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \"DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again.\"] [Exception Message: \"Value cannot be null.\u000d\u000aParameter name: cert\"]" }, "Name":"RequestHandlingPipeline_DownloadFailure", "Value":0 } } log file: ODJ Connector UI Error: 2 : ERROR: Failed to check if machine is already enrolled. Detailed message is: Error in retrieving certificate. A certificate could not be found in the specified store. The articles I used: https://docs.microsoft.com/en-pt/mem/autopilot/windows-autopilot-hybrid https://techcommunity.microsoft.com/t5/intune-customer-success/admins-experience-deploy-hybrid-azure-ad-joined-devices-by-using/ba-p/1131428 The IE Enhanced Security Configuration is already OFF, I've removed everything related to Intune and reinstalled only the ODJConnector, I've restarted the server, but the problem persists. Can anyone help me?Which Windows Licenses are required to manage BitLocker through Intune
License Confusion for Managing BitLocker via Intune Scenario: We are managing BitLocker through Intune, with recovery keys backed up to Entra ID for both Hybrid and Entra ID-joined devices. Our devices run Windows 10/11 Professional, and we have EMS E3 licenses. Confusion: Most Microsoft documents state that Windows 10/11 Professional is sufficient to enable and manage BitLocker. However, one document mentions that Windows 10/11 Enterprise is required to manage BitLocker using CSP (Configuration Service Provider). We need clarification on whether Windows 10/11 Professional is fully capable of BitLocker management via Intune or if Enterprise is required for CSP-based management. I am providing reference Microsoft articles and screenshots to support this. BitLocker Enablement: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#windows-edition-and-licensing-requirements BitLocker Management: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#windows-edition-and-licensing-requirements Encrypt Devices with Intune: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys You can find this paragraph in above document. "Information for BitLocker is obtained using the (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10 Pro version 1809 and later, and Windows 11." Contradictory Statement Document: https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
iOS blocks screenshots on any managed app
We are encountering a problem with intune managed apps screen sharing/ screenshotting on iOS devices, where sharing content from managed apps results in a black screen, same goes for takeing a screenshot. This behavior stems from a recent Intune feature designed to enhance data security by blocking screen captures and screen sharing in mobile application management (MAM)-protected apps on iOS devices. This feature is automatically enabled when the "Send Org data to other apps" setting in the App Protection Policy (APP) is configured to any option other than "All apps." Consequently, attempts to capture or share the screen from a managed account within a MAM-protected app result in a blank screen instead of the actual content. To permit screen sharing on iOS devices, administrators can configure an app configuration policy with the setting com.microsoft.intune.mam.screencapturecontrol = Disabled. However, this adjustment also allows on-device screenshots and screen recordings, which might not align with organizational security requirements. --> https://techcommunity.microsoft.com/blog/intunecustomersuccess/new-block-screen-capture-for-iosipados-mam-protected-apps/4366312 But this solution does not make sense, Microsoft always recommended the usage of Managed Devices Policys so why the sudden change to only allow this with managed apps policys? We would need a feature to enable screenshotting on a managed devices policy! We already opened two SR for this but none of them could provide a solution. Please help out here, a lot of our customers who use intune for MDM purpose are very annoyed by this feature. BR
Sharepoint - OneDrive Sync
Hi all, (posted here but was asked to move to here: Sharepoint - OneDrive Sync - Microsoft Community in my company we use a sharepoint: https://xxx.sharepoint.com/Name%20Public/ i can open the site in edge, i can interact with the files and folders and i can push on the "sync" method and onedrive will start syncing manually. Now to my problem: In intunes Admincenter I have a configuration policy with: "Configure team site libraries to sync automatically (user)" as follows: Value: https://xxx.sharepoint.com/Name%20Public | 1c27e911-bb36-4ae7-8fd8-d3b68c4d6e8c Name: xxx Public The policy is successfully applied to the users. However, one drive does not start synchronisation. $OneDriveCmd = "C:\Program Files\Microsoft OneDrive\OneDrive.exe" Start-Process -FilePath $OneDriveCmd -ArgumentList "/url:$SiteURL /id:$LibraryID /automount" Results in an error, something like "cannot open program, url not readable" Path and library are given in variables to the script Does anyone have an idea for me
Syncing Outlook contacts on Android to native Contacts app
What process are you guys using to sync your Outlook contacts from the Work side to the native Contacts app on the personal side? We are basically personal phone enrolled with Work Profile (even though we own the phones). I tried to create an App Config but not doing as I expect. Feel free to show screenshots or instructions on how you handled it. Thanks in advanced.Autopilot Company owned
We deploy all our Wiindows Laptops with AutoPilot and are Hybrid AD joined. An old sore is that devices are created twice as the device is first Entra AD joined, after which the device is joined as a Hybrid AD joined device (configuration profile), and thus creating two devices which represent one physical device. An Entra-ID joined device which becomes stale over time, as the device stats are no longer updated. And thus becomes Uncompliant. A Entra-ID Hybrid joined device which is managed by Intune, and updated wherefore the device is compliant. This is an old sore and confirmed by Microsoft support, wherefore does not seem to be a sollution. We have in some cases removed the stale Entra-ID joined device, and others we merely disabled the stale device. Yesterday i discovered some devices which show the opposite. The Hybrid AD joined device shows that it is not managed by an MDM, while the Entra-ID joined device showes managed by Intune. This results in that the correct device is no longer updated by Intune. Also when looking the deviceownership i can see that the wrong device states company owned, while the Hybrid AD joined device shows none. Is there anyway to rectify this situation? I confirm that the device is in use.
Acrobat DC Install via Intune
Has anyone been success on deploying Acrobat DC Professional via Intune? I downloaded the package from Adobe and used the IntuneApp to create a package but so far it refuses to install failing with a (0x80070005) error. I can deploy the reader without issue. Deployed Dreamweaver and Photoshop CC without error but this one is puzzling. This like all of CC is subscription based now, so not sure what I am missing...User Profile Deletion
Hi, I just wanted to pick anyone's brains, in case they have also encountered this or would have any idea why this is the case. I am fairly new to Intune and script writing, to clarify. Basically, we have been working on a Detect and Remediation script that is deployed via Intune (Devices >Ssni Script and Remediations) to Windows 10 (Ent 22H2) and Windows 11 (Ent 24H2) devices. On any fresh enrolled devices, it detects and deletes user profiles completely fine, but fails to even detect profiles on devices that were enrolled a while ago. However, if we run an Autopilot reset on those devices, the script works again. What difference would a freshly built/enrolled device have to an older one, when they also run other scripts fine. The script targets profiles that are older than 1 hour as we want to keep on top of removing profiles consistently to keep disk space low, especially on lower spec laptops. It will exclude SYSTEM profiles and also any *Admin* user folders - as that has a separate script to only delete LAPSAdmin on an evening, when the workplace is closed (8pm UK). This LAPSAdmin script worked fine on the older enrolled devices. Some of the profiles on the machines go back to 2023, is the '1 hour' target not effective against that old of a profile - has it become stale?SS Like I said, I am fairly new to this and have used bits and pieces from different locations to help muster up a script. I thought I had it nailed as it was working on test devices that were just enrolled purely for testing, until I was asked to put it onto another group. Intune doesn't say the script fails - indicating there are no errors. However, I am not saying there isn't. Detect: Remediate: Thanks for your time, DeanUser Profile Deletion
Hi, I have encountered an error when using Intune to delete user profiles. I am new to this and have put bits and pieces together from multiple sources to try and compile a script. I am using a Detect and Remediation Script deployed via Devices > Scrips and Remediation in Intune, to Windows 10 Enterprise 22H2 and Windows 11 Enterprise 24H2. I will attach scripts at the end. My issue is, the scripts detect and remediate as intended on devices that i have recently enrolled. However, we have devices that will have been enrolled in 2023 which doesn't seem to allow the scripts to run. If I then run an autopilot reset on the device, the scripts work fine. The scripts essentials look for user profiles in C:\Users and remove them if they are older than 1 hour. We want to keep disk space as free as possible especially on the lower spec devices. It ignores SYSTEM and any Admin user folder, as we have a separate script to delete the LAPSAdmin only at 8pm, when the workplace is closed. Note: The LAPSAdmin script worked on the older devices before the where autopilot reset. Does anyone know why this could be the case? Does the 1 hour check have issues reaching profiles that are over 2 years old or is there an issue in the script. Thanks, Dean
How is your company managing driver updates via Intune?
Hey folks, I’m currently reviewing our driver update strategy for Windows 11 devices managed via Intune. As you probably know, using Windows Update for Business (WUfB) gives us two main options for driver updates: Automatically allow drivers via WUfB Manually approve drivers via Intune + Windows Update for Business deployment service (WUfB-DS) Each approach has its own pros and cons: Automatic driver updates are great for keeping everything up to date with minimal effort, but they come with risks. We’ve seen networking components randomly break after an update, or newer GPU drivers triggering application compatibility issues. Definitely not zero-risk. Manual approval, on the other hand, gives you control and helps avoid surprises, but it also introduces operational overhead: identifying needed drivers, testing, scheduling approvals, and communicating with users — all of that takes time and effort. We’re debating internally whether the automation risk is worth the convenience, or if the manual path is the only safe option in an enterprise setting. So I’m curious: How is your company handling this? Are you letting Windows install driver updates automatically? Or are you manually controlling which drivers get deployed — and if so, how are you handling the process and workload? Would love to hear your thoughts, especially if you’ve found a good balance or process that works well in production! Thanks in advance!Outlook for iOS (MAM only Call Identification)
In order of the implementation of O365/M365 and with it Microsoft Intune, Outlook for iOS has become the standard mail client on iOS devices for many customers today. This is due to the excellent user experience and the constant stream of new features implemented by Microsoft. From a security perspective, in addition to the provision on managed devices (managed by Intune), the secure use on unmanaged devices with MAM or App Protection Policies (APP) is a big argument for using Outlook for iOS. Currently, many ouf our customers are working on a BYOD setup for blue collar worker, who typically have a maximum of one email inbox. A big pain point for many users who use Outlook for iOS in an MAM-only setup (and for MDM setup with Intune) is the missing caller identification of Exchange Online (EXO) contacts. Outlook for iOS supports a one-way contact export process whereby contacts from within Outlook for iOS can be exported into the personal (unmanaged) part of the native iOS Contacts app. This means a contact must first be imported into the users personal contacts directory of EXO and then exported from Outlook for iOS to the native (unmanaged) iOS Contact app in order to see who is calling. This functionality enables Caller-ID, iMessage, and FaceTime integration for users’ Outlook contacts. The exported Outlook contacts are considered unmanaged and are accessible by unmanaged, personal apps. Especially for European customers who are subject to GDPR compliance, this is a no go, as personal data and company data must not be mixed. The unintentional outflow of contact data worthy of protection to commercial platforms, such as WhatsApp or Google, and the unintentional synchronization of address books with social media apps, represents a significant GDPR risk. Although the user's personal EXO contacts can be synchronized, there is currently no option to synchronize the GAL. Furthermore, there is currently no provision in Outlook for iOS to synchronize the GAL cyclically. The user has to add a GAL contact to his personal contacts as described above and then within the Outlook for iOS app export the contact to his native iOS contacts app to be able to see who is calling. To meet the GDPR compliance, we need to prevent the contact export. So this is not a solution. The question to ask is: Why does a user need to export a GAL/personal contact to their native iOS Contact app? There are already several paid app solutions that close exactly this gap (ebf Contacts, Secure Contacts, etc.) which offer more or less the same range of functions. The app builds a container and downloads the managed address books (GAL, personal) of the user and then enables the resolution of the CallerID or identification of the caller via the so-called Apple CallKit integration. Apple has been offering the so-called CallKit integration for years. With CallKit you can integrate your calling services with other call-related apps on the system. CallKit provides the calling interface, and you handle the back-end communication with your VoIP service. For incoming and outgoing calls, CallKit displays the same interfaces as the Phone app, giving your app a more native look and feel. CallKit also responds appropriately to system-level behaviors such as Do Not Disturb. In addition to handling calls, you can provide a Call Directory app extension to provide caller ID information and a list of blocked numbers associated with your service. When a phone receives an incoming call, the system first consults the user’s contacts to find a matching phone number. If no match is found, the system then consults your app’s Call Directory extension to find a matching entry to identify the phone number. This is useful for applications that maintain a contact list for a user that’s separate from the system contacts, such as a Outlook for iOS. For example, consider a user who is a colleague to Jane, but doesn’t have her phone number in their contacts. If the Outlook for iOS app has a Call Directory app extension, which downloads and adds the phone numbers of all of the user´s colleagues. When the user gets an incoming call from Jane, the system displays something like “(App Name, e.g. Outlook) Caller ID: Jane Appleseed” rather than “Unknown Caller”. The effort to integrate the Call Directory Extension is minimal and would solve many pain points from both a security and user experience perspective. Apple has documented CallKit excellently on the developer site: CallKit | Apple Developer Documentation With the possibility of using Apple CallKit in combination with Outlook for iOS and the contact synchronization (personal/GAL) of a managed EXO mailbox, the use of M365 in a BYOD scenario for customers Blue Collar workers will massively increase. Furthermore, the use of contact synchronization is then also possible for devices managed by Intune. This creates an outstanding user experience while increasing user adoption! This article was also published as feedback in the Outlook Forum for iOS: Outlook for iOS (MAM only Call Identification) · Community (microsoft.com) There are already other requests within the Microsoft community that I would like to link here: PatrickF11 : Outlook for iOS + Caller Identification - Microsoft Community Hub Daniel Huttenlocher: Identify Calls with Call Directory App Extension · Community (microsoft.com)Versa SASE client push
Has anyone pushed VERSA SASE client through Intune to devices? I am having issues with the detection rules and it does not upgrade nor it does not uninstall the existing version and I am struggling to get this working. Any help or suggestions would be great. It is not upgrading or uninstalling the previous version to get this working. I tried everything possible, I am pushing it to devices and now I am trying using user group. Not sure that would make any difference, earlier the previous version 7.8.9 was pushed to all devices. It worked fine with the same syntax. Even Microsoft is struggling and not sure what to do.
Recent Blogs
- By: Chris Kunze – Principal Product Manager | Microsoft Intune The Microsoft Intune management agent for macOS is a crucial part of deploying and managing applications and scripts through Intun...Jul 09, 2025
- By: Marc Nahum – Senior Product Manager | Microsoft Intune FileVault is Apple's built-in disk encryption technology for macOS. To deploy FileVault securely and effectively in an enterprise setting...Jul 03, 2025
