Forum Widgets
Latest Discussions
Defender Browser Protection Extension for Chrome
Has any one noticed how pointless this extension is? Deployed using Intune with tamper protection so the user is forced to use it, but Microsoft has built in a disable feature to the extension that can not be controlled, or can it? Any ideas on how to harden this, or something for Microsoft to fix? Tamper Protection enabled: User can bypass by disabling the protection:
ActiveX Controls
Hello, I want to enable the exact settings as below: Steps to enable ActiveX controls if you are confident the file is safe While enabling ActiveX controls is not recommended due to security concerns, you can enable them through the Trust Center if necessary. Caution: Changing ActiveX settings will apply to all files in Office applications: Word, PowerPoint, Excel, and Visio – not just the file in which you make the change. Select File, then Options. Select Trust Center, then the Trust Center Settings button. Select ActiveX Settings, then make sure Prompt me before enabling all controls with minimal restrictions. Select OK, then OK again to save your settings and go back to your document. For optimal security, Microsoft strongly encourages leaving ActiveX controls disabled unless absolutely necessary. I have intended to apply this however I am struggling to find the relevant settings for this within intune. One example of a setting I have applied is "ActiveX Control Initialization(user) using value 6. This is still flagging an issue with an excel file, alongside not allowing a prompt to allow it. Anyone got any ideas at settings they may have applied for this? This is to run in the most minimal way as possible. Thank you, Jamie.
Intune - Issues with Account-Driven User Enrollment Issues on iOS 18.5
Hello everyone, Since the release of iOS 18, Apple has deprecated profile-based user enrollment via the Company Portal app, requiring the use of Account-Driven User Enrollment. While this change enhances user experience, I'm encountering challenges in implementing it. Steps Taken: Apple Business Manager (ABM) Account: Created and linked the ABM account to Intune using the token. Corporate devices are successfully appearing in Intune. MDM Server Configuration: Set Intune as the default MDM server for all devices in ABM. Domain Federation: Established Entra ID federation in ABM to synchronize all users. Intune Enrollment Profile: Created an 'Enrollment Type Profile' of type 'Account-Driven User Enrollment.' MDM Push Certificate: Configured and validated the MDM Push certificate. Issue Encountered: According to https://support.apple.com/guide/deployment/account-driven-enrollment-methods-dep4d9e9cd26/web, starting with iOS 18.2, hosting a service discovery file on a web server is no longer mandatory. The device should automatically contact the ABM organization associated with the Managed Apple ID if no web server is found. On an iOS 18.5 device, I navigate to: Settings > General > VPN & Device Management > Sign in to Work or School Account After entering my Microsoft email address (which matches my Managed Apple ID due to federation), I consistently receive the error: "Your Apple ID does not support the expected services on this device." In ABM, under "Access Management" > "Apple Services," all services are activated. Could I be missing a crucial step in the configuration? Any guidance or insights would be greatly appreciated. Thank you in advance for your help. Best regards,
How to Enforce Office Add-In Restrictions via Intune for Azure AD-Joined Devices (Office 2013–2021)
Dear Community, We are currently migrating users from a traditional Windows Active Directory environment (where we used GPOs to restrict Office add-in management) to Microsoft 365 with Azure AD-joined devices. Our goal is to prevent users from disabling critical Office add-ins across multiple standalone Office versions — specifically Office 2013, 2016, 2019, and 2021. We are looking for guidance on: How to implement similar restrictions using Microsoft Intune and Microsoft 365 Admin Center. Whether there are Intune configuration profiles or administrative templates that support this use case. Any limitations or compatibility issues with standalone Office versions (non-Microsoft 365 Apps). Recommended best practices or documentation links for enforcing add-in policies in a cloud-native setup. Any help or shared experiences would be greatly appreciated! Thank you.
Remove Autopilot Deployment Profile From Devices
Hello, Has anyone found a way (preferably programmatically) to remove an Autopilot deployment profile from a device in Autopilot? From what we've seen, these profiles are permanently stuck on devices and cannot be removed or changed. I've heard it's possible to switch them but haven't personally seen it and wanted to get a better understanding about this. We would like to be able to remove profiles, but keep the device in Autopilot with no profile assigned for OSD task sequence builds at times. Any thoughts or info others have would be greatly appreciated! Thank you!AutoPilot Hardware hash error, You cannot call a method on a null-valued expression
When we trying to download the hardware hash for Autopilot via Powershell, we recently are getting null-valued expression errors on random laptops W11P laptops . So far on W10P we never hard problems. Is there a way to exclude $model, $make? Or can we adjust the script? our script: @ECHO OFF echo Enabling WinRM PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command Enable-PSRemoting -SkipNetworkProfileCheck -Force echo Gathering AutoPilot Hash PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command %~dp0Get-WindowsAutoPilotInfo.ps1 -ComputerName $env:computername -OutputFile %~dp0compHash.csv -append echo Done! pauseMGP Keep apps on certain version
Hi All I hope you are well. Anyway, a wee urgent one here. Is there any way to keep apps from the Managed Google Play to a certain version number? Apparently, the latest version of one of our apps is flawed. This is an app that is available publicly and not an LOB / APK etc. Info appreciated. StuartDevice shows twice in Intune and Entra after upgrade, still not activating Enterprise
Hi everyone — I'm looking for advice on a device we're trying to onboard into Intune with proper licensing and Entra join. Background: I have a user whose device was: Originally on Windows 11 Home Manually upgraded to Pro using a generic key (unactivated) Then upgraded to Enterprise using a generic key Factory reset in an attempt to trigger proper OOBE and Entra join Current Problem: Now, we have two device records for the same machine in both Entra ID and Intune: One device is marked Entra registered (personal), showing Windows Pro The other is Entra joined (corporate), showing Windows Enterprise but still not activated (0xC004C003) The user is correctly signed in with their work account Device did not trigger the expected work/school OOBE flow Subscription activation is not completing What I've Tried: Factory reset and cleanup using slmgr /upk and systemreset -cleanpc E5 license is properly assigned Verified login during OOBE is using the correct organizational account Device shows as compliant and managed in Intune But Windows remains unactivated on Enterprise What I'm Wondering: Could the duplicate records (personal and corporate) be interfering with activation? Should I delete both and start fresh? Is there a better way to force clean OOBE + Entra join when recovering a Home device? Should I stop using generic product keys and let subscription activation take over? Any insight would be hugely appreciated — I'm in the middle of deploying Intune across 75 devices by the end of August. Thanks in advance!
