Recent Discussions
Controlling Excel Add-ins and Microsoft Store App Installations
We have a requirement to block users from adding add-ins to Excel and Installing certain application directly which utilize Microsoft Store apps. Below are the two scenarios we need to address. I would appreciate any guidance or recommendations on how to implement these controls. 1) Blocking Excel Add-ins from Microsoft Store Users are currently able to add add-ins such as “Claude by Anthropic in Excel” directly from the Microsoft Store apps. For example, if a user accesses the URL: https://marketplace.microsoft.com/en-us/product/saas/wa200009404?tab=overview they can proceed to add the add-in to Excel. So, We need a method to prevent users from adding Office add-ins from the Microsoft Marketplace or external sources. 2) Blocking Installation of Microsoft Store Apps (e.g., WhatsApp) We are currently blocking Microsoft Store apps on OS level. However, users can still download and install applications such as WhatsApp directly from the vendor website, which utilize Microsoft store apps in backend: https://www.whatsapp.com/download We are considering configuring the Intune policy “Only Private Store is enabled.” However, we noticed that enabling this setting prevents users from accessing certain built-in applications (e.g., Notepad). Is there any other way to block access Microsoft Store apps directly? Thank you in advance for your assistance. DilanReplacing Complex GPO Item-Level Targeting with Intune
Hi All, I’m looking for some advice on the best way to handle this scenario. We’re running a hybrid environment and currently have a GPO that creates 1,000+ registry entries across 150+ user groups using item-level targeting with security groups. Now we need to move this over to Intune, and that’s where things get tricky. Intune doesn’t really offer the same item-level targeting flexibility as GPO. So far, the only workable option seems to be creating 150+ platform scripts or Proactive Remediation scripts, which obviously isn’t ideal from a management perspective. I’m thinking it might be much easier long-term to create one large PowerShell script that checks the logged-in user’s group membership and then applies the appropriate registry settings dynamically. Has anyone dealt with something similar? Is there a cleaner or more scalable approach in Intune? Thanks in advance! Dilan
Intune - ASR Rules - exclusion
Hello, please can anybody give me an advice about Intune exception? We are using N-Able client for computer management and Intune ASR is blocking it. I tried to add exception in rule setting but it has not helped so far. I am getting defender popup with info that risky action blocked Your admin blocker this action. Blocked app or process - winagent.exe Blocked by - surface attack reduction Rule - Block using of copied or personified system tools. There is my exception but it did not helped. Thank you.
What are the system requirements for hardware-accelerated BitLocker announced in ignite 2025?
Microsoft has recently announced hardware-accelerated Bitlocker (Ref. Link: https://techcommunity.microsoft.com/blog/windows-itpro-blog/announcing-hardware-accelerated-bitlocker/4474609) I would like to know system requirements (Specifically Hardware) that supports this functionality. The article also says below "Coordinate with your suppliers and keep an eye on listings from us and other vendors as PCs become available on the market." But I am unable to find any link for the listing from Microsoft. Does it support all the devices that has TPM 2.0 or does it require any other hardware?
Will Intune device-only subscription get additional value in FY27
Will the Intune device-only subscription (Microsoft Intune announces device-only subscription for shared resources | Microsoft Community Hub) get the additional features which Intune P1 will get in FY27 (Microsoft 365 adds advanced Microsoft Intune solutions at scale - Microsoft Intune Blog), Intune Remote Help, Intune Advanced Analytics and Intune P2? This would have a huge impact of our planning how to manage special purpose devices in production environments without any user affinity. Deploying security and configuration settings, Windows Autopilot for Windows IoT Enterprise LTSC kiosk deployment, Windows Autopatch (servicing), Remote Help and FOTA for Zebra devices would be drivers to add these production devices to Intune.
Cannot enroll azure vm(windows 24H2) in Microsoft company portal
I created a windows VM in Azure. To access company resources on this machine, I attempted to enroll the device through the Company Portal. However, the enrollment failed while setting up the work or school account, with the error message “This connection isn’t secure.” How should I fix this issue?
How to Disable Self-Service Passcode Reset for Standard Users in Microsoft Intune
Hi, We are using Microsoft Intune to manage Android corporate-owned devices. Currently, standard users can reset their own device passcode remotely. The problem is: Users reset the passcode themselves Then they get confused They call IT saying they cannot open their phone We want to prevent users from doing self-service passcode reset. Only admin should be able to reset the device passcode. I already checked configuration profiles and compliance policies in Intune, but I cannot find any setting to disable this. Has anyone successfully disabled this feature? Thank you.Entra Shared Mode - Force App Stop
Hi All I hope you are well. Anyway, I was asked this yesterday and think I already might know the answer, but here goes. We had an instance of Microsoft Excel stuck in "getting things ready" on an Android Entra Shared Mode Device. Technical Support wondered if there was a way to Force Stop Excel or clear the app data. We had a look in Exit Kiosk Mode, Android Settings, and the Force Stop of Excel said "Action not allowed" and the clear the app data said "Unable to delete data for app" So, my question(s) would be, is going into Exit Kiosk Mode and even trying to force stop / clear data on apps even a valid option, or is this by design? Would adding Excel to this setting help? Any help or confirmation would be greatly appreciated. StuartHelp creating Device groups
Hi, I'm new to using Intune on a day to day basis, after adding our devices to Intune via our On-prem Active Directory. What's the best practice for organizing our Devices, such as Staff devices and Student devices? I want to create a group for all staff devices and another for student devices. Also, is there any way to auto enroll these pcs in to the correct groups once they're new ones added via our on Prem AD and Entra?
Autopilot enrollment through serial number
I’m working for a reseller, and one of my customers has asked us to enroll their device serial numbers into their Intune/Autopilot tenant. We only have permission to upload devices because we are not their CSP partner. Now the customer wants us to enroll the devices, including their Purchase Order (PO) number, in the Purchase Order field in Intune. The issue is: Because we are not their CSP, the tenant does not allow us to enter or modify the Purchase Order field when we upload devices. My question: Is it possible for a non‑CSP reseller or partner to add a Purchase Order number during Autopilot device enrollment? If not, what options exist for a reseller to ensure that the Purchase Order field is populated?Unmanaged Microsoft 365 Applications in Intune-Managed Windows 11 Devices
Hello Everyone, We have identified in our Intune environment that several users have installed Microsoft 365 applications outside of Intune on their managed Windows 11 devices (Corporate). Could you please confirm whether these users receive configuration profiles (for Microosft 365 app update enforcement for example)? Additionally, we would appreciate guidance on the best practices for addressing unmanaged application replacements. Thank you for your assistance. :) Best regards,Intune MAM BYOD: Remove Account message for iOS devices
Hello, I am seeing an issue for Intune MAM BYOD(iOS) users. After a user account password reset, it causes Intune to remove the account configured from mobile applications like MS Outlook, Work, OneDrive, etc. Current Intune Configuration: Done - App Protection Policy Done - Conditional access policy --> Grant --> Requires app protection policy (checked) Users had to re-enrol to access his/her data. Here is the screenshot, Thank you,
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: https://www.androidenterprise.community/t5/admin-discussions/android-15-cannot-set-default-password-app/m-p/8827#M2105 Thanks, TomEdge for Android Smartscreen
Hi All I hope you are well. Anyway, is it possible to configure Edge for Android Smartscreen to: Prevent end user bypass Block potential risky downloads I can see various methods and guides pointing to Edge App Configuration policies but just cannot seem to get the this to work on Android Enterprise Fully Managed devices. Any help would be great. SKBrave Browser Intune Deploy
Good Morning/Afternoon/Evening, I am having issues deploying Brave Internet Browser. I have tried following various guides but always end up with installation failures. Verified and double checked all settings, but still the issues persists. The main error I get is either Error unzipping downloaded content. (0x87D30067) or The unmonitored process is in progress, however it may timeout. (0x87D300C9). It seems that the process starts but stops awaiting some kind of approval which does not show. Tried using the recommended silent command but nothing seems to work. Anyone managed to make it work recently? Thanks!New MECM Build, Device Collections not showing devices
I just built a new MECM server and updated it to version 2509. I imported an older Device Collection script to make collections. The Windows Server 2012/2012R2 did find the 4 servers that I have but for 2019, 2022 and 2025, nothing is showing. Here are some queries that I have tried: select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.Version = "10.0.20348" select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_R_System.OperatingSystemNameandVersion like "%Server 10%" and SMS_G_System_OPERATING_SYSTEM.BuildNumber = "20348" select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.BuildNumber = "20348" I even tried one using the OS Name. The limiting Collection used is Servers | All which shows 97. I also changed it back to All Systems, but to no avail. All the boundries and boundry groups are set.LAPS Intune policies
So it seems that there are legacy LAPS policies (via Configuration/Policies/New/Windows 10/Settings catalog Search for LAPS = Administrative templates/LAPS Well, I did configure them & added my device group. Then I realize that it is NOT this LAPS I need (by then quite few devices got the policy) I unlinked the group, deleted this policy & created NEW LAPS policy via Endpoint Security/Account Protection/Create policy/Windows/Windows LAPS Here I can setup new settings (especially Password Complexity = Passphrase) While lots of my devices get the local admin password reset to correct Passphrase, there are quite a few that have complex password (leftover from previous attempt?) No matter what I do, I cannot get this local admin password changed to Passphrase Any idea how to get ALL the local admin passwords to be in same format? Thanks Seb
Events
Endpoint security is shifting fast, and you need strategies that can keep up with evolving threats and increasingly distributed work. Tune in as we break down the latest trends shaping endpoint prote...
Online
Join the Windows Autopilot engineering team for a live Ask Microsoft Anything session dedicated to making the move from the original Windows Autopilot experience to Windows Autopilot device prep. We’...
Online
Recent Blogs
- Secure corporate data on BYOD, contractor, or agency-managed Windows PCs without full device managementFeb 24, 2026
- Starting on June 16 th , 2026, or soon after, Intune will enforce HTTPS content delivery for customers using Microsoft Connected Cache for Enterprise and Education. To continue using Microsoft Connec...Feb 20, 2026
