Forum Widgets
Latest Discussions
VPP Licensing Issues
Hi there, i'm currently getting frustrated on the following problem: At first the outline: We want users to choose: Do you want to use a personal device? If so you can enroll in MDM with type "User Enrollment". If the user "qualifies" to receive a corporate iOS device, we're using Automated Device Enrollment via ABM No on to the issue: App Assignment for the App MS Teams Required: All devices, with an include filter (All ADE Devices), Device based licensing Idea: this should only happen when using corporate devices Available: All Users, with an exclude filter (All ADE devices), User based licensing Idea: All devices which are not corporate should apply this one. App Assignment for the App MS Whiteboard No Required Assignment Available: All Users, with an exclude filter (All ADE devices), User based licensing Idea: All devices which are not corporate should apply this one. Azure AD Security Group with all Users using corporate ios devices, Device based licensing Idea: All devices which ARE corporate should apply this one. What is the result? The Whiteboard App is working perfectly: When using an ADE device, the device bases license is used. (therefore a silent installation happens, after the user choose "Install app" from Company Portal.) When using an User Enrolled device, the user based license is used. Great! As soon as an App has additionally a required assignment, the whole thing brokes up: When the user on the user enrolled devices tries to install the app from company portal, nothing happens. Intune shows the total misleading error: "Device VPP licensing is only applicable for iOS 9.0+ devices. (0x87D13B69)" The device is way above 9.0 AND the device shouldn't use device licensing. (Of course User Enrollment doesn't support device licensing) I'm totally aware of the fact, that we have to use "user based licensing" for User Enrolled devices AND we have to use Device Based licensing when using ADE and want to install silently or the user donΒ΄'t has an apple-id. How can we achive this scenario? We totally don't want to have to choose between either ADE or User Enrollment. Any help, as always is highly appreciated. π Cheers, Patrick!
Intune - Issues with Account-Driven User Enrollment Issues on iOS 18.5
Hello everyone, Since the release of iOS 18, Apple has deprecated profile-based user enrollment via the Company Portal app, requiring the use of Account-Driven User Enrollment. While this change enhances user experience, I'm encountering challenges in implementing it. Steps Taken: Apple Business Manager (ABM) Account: Created and linked the ABM account to Intune using the token. Corporate devices are successfully appearing in Intune. MDM Server Configuration: Set Intune as the default MDM server for all devices in ABM. Domain Federation: Established Entra ID federation in ABM to synchronize all users. Intune Enrollment Profile: Created an 'Enrollment Type Profile' of type 'Account-Driven User Enrollment.' MDM Push Certificate: Configured and validated the MDM Push certificate. Issue Encountered: According to https://support.apple.com/guide/deployment/account-driven-enrollment-methods-dep4d9e9cd26/web, starting with iOS 18.2, hosting a service discovery file on a web server is no longer mandatory. The device should automatically contact the ABM organization associated with the Managed Apple ID if no web server is found. On an iOS 18.5 device, I navigate to: Settings > General > VPN & Device Management > Sign in to Work or School Account After entering my Microsoft email address (which matches my Managed Apple ID due to federation), I consistently receive the error: "Your Apple ID does not support the expected services on this device." In ABM, under "Access Management" > "Apple Services," all services are activated. Could I be missing a crucial step in the configuration? Any guidance or insights would be greatly appreciated. Thank you in advance for your help. Best regards,
Password reset via InTunes takes up to 30 minutes
Hello, How can I speed up the password reset for InTunes. It currently takes up to 30 minutes until a password change is active and the user can log in again. According to Intunes, it takes up to 15 minutes - even that is far too long in my opinion. There must be a way to speed this up. ThanksIs it really impossible to force an Intune sync from the command line?
Is it really not possible to force an Intune sync on a client computer from the command line? It seems like such a simple thing to do. Rather than make me dig 3 subpages deep to click a button, just let me fire off a DOS command and get on with my day. I'm familiar with the MS-Graph method, but honestly, clicking a "Sync" button should never be as complicated as that. I'm also familiar with Michael Neihaus' method... Get-ScheduledTask | ? {$_.TaskName -eq 'PushLaunch'} | Start-ScheduledTask That has never worked, but don't tell anyone because there are a lot of admins out there who think it does, and I'd hate to spoil their day. Am I just too dim to figure this out or is there really no way to sync from a CLI? Thanks,Device shows twice in Intune and Entra after upgrade, still not activating Enterprise
Hi everyone β I'm looking for advice on a device we're trying to onboard into Intune with proper licensing and Entra join. Background: I have a user whose device was: Originally on Windows 11 Home Manually upgraded to Pro using a generic key (unactivated) Then upgraded to Enterprise using a generic key Factory reset in an attempt to trigger proper OOBE and Entra join Current Problem: Now, we have two device records for the same machine in both Entra ID and Intune: One device is marked Entra registered (personal), showing Windows Pro The other is Entra joined (corporate), showing Windows Enterprise but still not activated (0xC004C003) The user is correctly signed in with their work account Device did not trigger the expected work/school OOBE flow Subscription activation is not completing What I've Tried: Factory reset and cleanup using slmgr /upk and systemreset -cleanpc E5 license is properly assigned Verified login during OOBE is using the correct organizational account Device shows as compliant and managed in Intune But Windows remains unactivated on Enterprise What I'm Wondering: Could the duplicate records (personal and corporate) be interfering with activation? Should I delete both and start fresh? Is there a better way to force clean OOBE + Entra join when recovering a Home device? Should I stop using generic product keys and let subscription activation take over? Any insight would be hugely appreciated β I'm in the middle of deploying Intune across 75 devices by the end of August. Thanks in advance!Defender Browser Protection Extension for Chrome
Has any one noticed how pointless this extension is? Deployed using Intune with tamper protection so the user is forced to use it, but Microsoft has built in a disable feature to the extension that can not be controlled, or can it? Any ideas on how to harden this, or something for Microsoft to fix? Tamper Protection enabled: User can bypass by disabling the protection:
ActiveX Controls
Hello, I want to enable the exact settings as below: Steps to enable ActiveX controls if you are confident the file is safe While enabling ActiveX controls is not recommended due to security concerns, you can enable them through the Trust Center if necessary. Caution: Changing ActiveX settings will apply to all files in Office applications: Word, PowerPoint, Excel, and Visio β not just the file in which you make the change. Select File, then Options. Select Trust Center, then the Trust Center Settings button. Select ActiveX Settings, then make sure Prompt me before enabling all controls with minimal restrictions. Select OK, then OK again to save your settings and go back to your document. For optimal security, Microsoft strongly encourages leaving ActiveX controls disabled unless absolutely necessary. I have intended to apply this however I am struggling to find the relevant settings for this within intune. One example of a setting I have applied is "ActiveX Control Initialization(user) using value 6. This is still flagging an issue with an excel file, alongside not allowing a prompt to allow it. Anyone got any ideas at settings they may have applied for this? This is to run in the most minimal way as possible. Thank you, Jamie.How to Enforce Office Add-In Restrictions via Intune for Azure AD-Joined Devices (Office 2013β2021)
Dear Community, We are currently migrating users from a traditional Windows Active Directory environment (where we used GPOs to restrict Office add-in management) to Microsoft 365 with Azure AD-joined devices. Our goal is to prevent users from disabling critical Office add-ins across multiple standalone Office versions β specifically Office 2013, 2016, 2019, and 2021. We are looking for guidance on: How to implement similar restrictions using Microsoft Intune and Microsoft 365 Admin Center. Whether there are Intune configuration profiles or administrative templates that support this use case. Any limitations or compatibility issues with standalone Office versions (non-Microsoft 365 Apps). Recommended best practices or documentation links for enforcing add-in policies in a cloud-native setup. Any help or shared experiences would be greatly appreciated! Thank you.
