Forum Widgets
Latest Discussions
Stuck with InTune
Hi, need some help from those that know more than me, I have two devices that were previously enrolled and managed through InTune. We have a hybrid environment. Unfortuantely they were accidentally deleted from InTune and then EntraID in an attempt to get them re-enrolled. The devices are now showing as pending in Entra ID again due to the hybrid sync. I have tried scripts and GPOs to get them to re-enroll but so far nothing has come back. I have found out that on the device side they are still showing as being enrolled in InTune MDM. I am wondering, can I fix this by disconnecting this MDM connection and getting the user to sign into it? Hopefully, I have been clear enough on this, but if not ask and I will try to clarify. Thanks, M
Visible personal apps on private enrolled Android phone
Hello, Is there a way to prevent personal apps installed on a privately-owned Android device enrolled in Intune from being visible within Intune, while still allowing the device to have a Work Profile? Please note that we have already blocked Android Device Administrator enrollment in the platform restrictions. Thank you in advance for your assistance.
Is it possible to restrict/allow specific Bluetooth services on macOS via Intune MDM?
I’m exploring whether it's possible to allow only certain Bluetooth services — for example, allow HID (keyboard/mouse) and A2DP (audio), but block OBEX (file transfer), PAN (Personal Area Networking), BPP (Basic Printing Profile), BIP (Basic Imaging Profile), etc. On Windows, we can achieve this via Intune using Bluetooth service GUID filtering, but I couldn’t find an equivalent method for macOS. Does Intune support the following on macOS: Restricting or filtering Bluetooth services or profiles individually? Controlling OBEX, SPP, A2DP, HSP, or HID over Bluetooth? Any workaround using scripts, configuration profiles, or TCC/PPPC settings? If anyone has experience with this or knows if it's not supported, I’d really appreciate your input — along with any relevant documentation from Apple or Microsoft as reference. Thanks in advance!Is it really impossible to force an Intune sync from the command line?
Is it really not possible to force an Intune sync on a client computer from the command line? It seems like such a simple thing to do. Rather than make me dig 3 subpages deep to click a button, just let me fire off a DOS command and get on with my day. I'm familiar with the MS-Graph method, but honestly, clicking a "Sync" button should never be as complicated as that. I'm also familiar with Michael Neihaus' method... Get-ScheduledTask | ? {$_.TaskName -eq 'PushLaunch'} | Start-ScheduledTask That has never worked, but don't tell anyone because there are a lot of admins out there who think it does, and I'd hate to spoil their day. Am I just too dim to figure this out or is there really no way to sync from a CLI? Thanks,Updating device group for device preparation setting failed
Hello everybody, I'm new with Intune, I just registered for 1 month free trial to play with it in a new tenant just for this demo. But I'm stuck in the beginning. I've created a new group: https://learn.microsoft.com/en-us/autopilot/enrollment-autopilot I also added Intune owner to this group https://learn.microsoft.com/en-us/autopilot/device-preparation/tutorial/user-driven/entra-join-device-group Group is created without any issues. Problem is, when I want to assign this security group to a Device preparation policy, it always ends with this error: Failed to update device group device preparation setting Updating device group for device preparation setting Preparation policy failed. Something went wrong. "Preparation policy" is the name of the policy. Creating a new group didn't help. Thank you very much in advance for any help. Cheers SislikHybrid to Entra ID WiFi Certificate Authentication NPS via WHfB Cloud Trust & Cloud PKI-Replace ADCS
Hello Team, We are working in moving our devices Hybrid Entra ID Joined to Intune autopilot Entra ID Joined Current scenario: Hybrid Entra ID Joined devices (joined to both on-prem AD and Entra ID) Active Directory with Entra ID Connect for object synchronization AD Certificate Services (ADCS) issuing user and device certificates via GPO auto-enrollment Group Policies to push Wi-Fi configuration (EAP-TLS using device certificate) NPS RADIUS server using EAP-TLS ("Smart Card or Other Certificate") for secure 802.1X authentication On-prem SSO enabled through standard Kerberos authentication Now, I am testing Autopilot Win11 Entra ID Joined with WHfB using Cloud trust to SSO to on-prem resources. The autopilot is working, however, the WIFI is not working as the autopilot device doesn't have any certificate from the on-prem ADCS. What is the best practice to try be as much cloud and begin to decommision on-prem services. I have 2 options to push the User and computer certificate to the AUtopilot device: Option 1: Intune Certificate Connector that will bridge on-prem ADCS and Intune, In Intune a PKCS profile to install the certificate to the autopilot device. Option 2: Intune Cloud PKI and configuration profile PKCS profile to install the certificate to the autopilot device. on-prem install the root CA from the Intune cloud PKI. https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-cloud-pki-deployment For the on-prem SSO I will contine using Cloud Trust. Component Target Device Identity Autopilot + Entra ID Joined only (no domain join) User Sign-In Windows Hello for Business (WHfB) with Cloud Kerberos Trust Certificate Issuance Replace ADCS/GPO with Microsoft Cloud PKI and Intune PKCS Wi-Fi Authentication Retain existing NPS RADIUS using EAP-TLS, but trust both ADCS and Cloud PKI root CAs On-prem SSO Enabled by AzureADKerberos on domain controllers Hybrid Devices Continue current operation during the transition — no immediate impact The 2 network environment needs to coexist: the on-prem and the cloud. Device Type Certificate Issuer Wi-Fi Auth SSO Hybrid AD-joined ADCS via GPO EAP-TLS (device cert) Native Kerberos Autopilot Entra ID Joined Cloud PKI via Intune EAP-TLS (device cert) WHfB + Cloud Trust (AzureADKerberos) How the New Wi-Fi Auth Works: Autopilot devices receive: A device certificate from Cloud PKI via Intune A Wi-Fi profile using EAP-TLS authentication NPS RADIUS server: Validates the device cert Issues access to Wi-Fi WHfB Cloud Trust provides a Kerberos ticket from AzureADKerberos, enabling seamless access to file shares, print servers, etc. This allows Autopilot Entra ID Joined devices to: Connect to Wi-Fi without GPO Access on-prem resources without passwords High-Level Implementation Steps Deploy Microsoft Cloud PKI in Intune Configure PKCS profiles for user and device certificates Deploy WHfB Cloud Trust via Intune + Entra ID (no AD join needed) Configure AzureADKerberos on domain controllers Install Cloud PKI Root CA in NPS server trust store Update NPS policy to accept certificates from both ADCS and Cloud PKI Deploy Wi-Fi profiles to Autopilot devices via Intune (EAP-TLS using device cert) Based on it, what is the best practice to move the device to the cloud as much possible.
Error 65000 with Settings Catalog
Hello Community! This is my first posting looking for answers. I'm pretty new to Intune and Endpoint Manager. In doing some testing, I have created a configuration profile using the settings catalog. I'm trying to disable the News and Interests from the taskbar. I have applied this to my testing group. Below is a screenshot of the settings I used. After the policy pushes to the device, it errors out. I get the following Error details for this device. I've tried looking for information on this error with no luck. Any help would be appreciated! DuncanRequire Fingerprints For Android Personal Devices For Work?
Good day, was hoping I could get help with requiring setting up fingerprints on android to login to apps and Microsoft authenticator. Is this possible. I feel like it would be easier for a employee to setup without additional help if they just have to use one automatically instead of having to figure out how to setup a work fingerprint on their android by going into the settings themselves. Also for security issues in case someone is in public. That way they automatically require a fingerprint rather than typing in their password if there are prying eyes around. Even if it is not public, but just in the office, would be more secure so they don't have to put their password on their phone in around other employees. Is this a setting to setup in intune at all?Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: Re: Android 15 - Cannot set default password app - Android Enterprise Customer Community - 8708 Thanks, Tom
