Latest Discussions
Password reset via Intune takes up to 30 minutes

Hello,

How can I speed up the password reset for Intune? It currently takes up to 30 minutes until a password change is active and the user can log in again. According to Intune, it takes up to 15 minutes - even that is far too long in my opinion. There must be a way to speed this up.

Thanks

John180 | Jul 07, 2025 | Copper Contributor | 9 Views | 0 likes | 0 Comments

To check admin rights access on windows 10 & later devices

We have Windows 10 and later devices managed by Microsoft Intune. I want to get the list of users who have admin rights access on their devices. Could anyone assist with how I can get that?

Thanks & Regards,
Ayyaz Mahboob

Ayyaz138 | Jul 07, 2025 | Copper Contributor | 7 Views | 0 likes | 0 Comments

WDAC + App Control For Business + App Control Wizard

Hello All,

We are trying to use the following combination (WDAC, App Control for Business, and the App Control Wizard) to create and deploy WDAC policies in our tenant. We have a general base policy derived from a slightly modified 'Allow Microsoft Mode' template, along with a couple of supplemental policies that explicitly allow certain apps by publisher (such as PaloAlto, Omnissa/VMware etc).

Enabled rules on base policy are as follows:

- Enabled:Unsigned System Integrity Policy
- Enabled:Advanced Boot Options Menu
- Enabled:UMCI
- Enabled:Inherit Default Policy
- Enabled:Update Policy No Reboot
- Enabled:Allow Supplemental Policies
- Enabled:Managed Installer

Basically, we are allowing only those applications that are installed via a managed installer, in our case the Company Portal. For example, if Palo Alto's GlobalProtect is installed through the Company Portal, it is not blocked by the WDAC policy. However, on some devices where GlobalProtect was installed manually, we have a supplemental policy that allows it by publisher. Despite this, the manually installed version of GlobalProtect is still being blocked by WDAC, which suggests the policy isn't working as expected.

Example of such Supplemental policy is below:

I'm curious: are there any people or organizations using a similar setup? If so, are you experiencing similar issues? What has the general feedback been regarding this setup?

J0hn_J0hnson | Jul 02, 2025 | Copper Contributor | 22 Views | 0 likes | 0 Comments

Jail Broken = Yes

Hi all,

I have a Yealink MP56 Teams device reporting back into the portal as being Jail Broken. The device has been checked, and no evidence of it being jailbroken is evident. We have a few hundred of these devices, and they are all set up and running the same.

I am in the process of implementing policies for all Android devices that would block rooted devices (all device settings), and have held off after doing a quick check and noticing this one device.

Has anyone come across this before? Or have any suggestions?

Also, I have several hundred devices reporting back a status unknown against being jail broken, but this may be down to their low Android OS version.

Any help is appreciated.

UpNorthIntune | Jul 01, 2025 | Iron Contributor | 31 Views | 0 likes | 0 Comments

Declarative Device Management (DDM) Updates of iOS devices

Hi Everyone,

I am currently looking to migrate the update policies from iOS Update policy to DDM update policy. Created a DDM policy and assigned 100+ devices to it. However, the policy is showing as only 7 devices are currently assigned to the policy. No status of the rest. I cannot see them in pending, error or conflict state.

Policy settings are quite straightforward:

- Enforce Latest Software Update Version - True
- Delay in Days
- Install Time
- Software Update Settings
- Rapid Security Response

Devices assigned are corporate and MDM managed devices

B2B | Jul 01, 2025 | Copper Contributor | 9 Views | 0 likes | 0 Comments

Windows App Application Protection Policy

I have been testing out an Intune MAM policy to restrict copy/paste and drive redirection to AVD session hosts based on the link here: Require local client device security compliance - Windows App | Microsoft Learn

However, I've run into problems (in two separate tenants) that have halted me from being able to test.

Setup

- Intune App Protection Policy targeting Windows Devices & Microsoft Edge
- Conditional Access Policy enforcing App Protection Policy when users access 'Azure Virtual Desktop' target resource via https://windows.cloud.microsoft.com

Results

First

- When signing into a user account targeted by the policy, they are prompted to Switch Edge Profile which signs in the user to a new Edge profile for 'Work or School Account'.
- The account has to sign in again.
- The account can access Windows App resources
- When launching a desktop session, this authentication page pops up for an account "local@debugonly"

Second

- When signing into a user account targeted by the policy, they are prompted to Switch Edge Profile which signs in the user to a new Edge profile for 'Work or School Account'.
- The account has to sign in again.
- After sign in, the account loops with 'Switch Edge Profile' and gets stuck here

I'm curious if anyone has gotten this to work and what was your setup? Or if Microsoft can provide some assistance or if this is in the wrong forum, any help would be appreciated.

kdjones03 | Jun 30, 2025 | Copper Contributor | 37 Views | 0 likes | 0 Comments

Require Fingerprints For Android Personal Devices For Work?

Good day, was hoping I could get help with requiring setting up fingerprints on Android to log in to apps and Microsoft Authenticator. Is this possible? I feel like it would be easier for an employee to set up without additional help if they just have to use one automatically instead of having to figure out how to set up a work fingerprint on their Android by going into the settings themselves. Also for security issues in case someone is in public. That way they automatically require a fingerprint rather than typing in their password if there are prying eyes around. Even if it is not public, but just in the office, it would be more secure so they don't have to put their password on their phone around other employees. Is this a setting to set up in Intune at all?

OverwatchMedia | Jun 30, 2025 | Copper Contributor | 13 Views | 0 likes | 0 Comments

How can I get the Operating System Build Number for an Android device in Intune

Hello all,

I am trying to pull information about an Android device's Operating System Build Number from Intune using PowerShell, however, the closest information I can find is the Operating System Version.

I've been successful in connecting to Microsoft Graph via PowerShell, and I'm certain I have permissions to access all the device information. However, I cannot find information about how to pull the data I'm looking for. Google suggested that I need to include 'hardwareInformation' as an ExtendProperty of Get-MgManagedDeviceManagedDevices but I receive an error stating:

"Parsing OData Select and Expand failed: Could not find a property named 'hardwareInformation' on type 'microsoft.graph.managedDevice'"

Can someone please help me find how to select the Operating System Build Number from Intune or MgGraph? I've included an image of the exact data I'm looking for as it shows up in Intune

fce_user | Jun 27, 2025 | Copper Contributor | 44 Views | 0 likes | 0 Comments

Intune is unable to register Ubuntu 24.04.2 device

Hey,

Writing this issue since I found no source code/repo, and no other issues here matched my symptoms.

Anyone got any hints on how I could proceed? Or maybe even better, where to find the source code and build instructions for `intune-portal` so I can build towards the current libraries...

```
2025-06-26 08:46:50+02:00: ~ w/❄️ w/🧙 took 2s
x10an14@ubuntu ❯ : intune-portal
2025-06-26 08:47:41 INFO Command line arguments args=PortalArgs { common: CommonArgs { interactive: false, socket_path: "/run/intune/daemon.socket" } } version="1.2503.10"
2025-06-26 08:47:45 INFO Starting a new login
Could not create default EGL display: EGL_BAD_PARAMETER. Aborting...
2025-06-26 08:47:48 WARN oneauth{tag="9a8hm"}: HTTP status: 404
2025-06-26 08:47:48 WARN oneauth{tag="5fsch"}: Failed to get image from Graph
^CError: nu::shell::terminated_by_signal

  × External command was terminated by a signal
   ╭─[entry #143:1:1]
 1 │ intune-portal
   · ──────┬──────
   ·       ╰── terminated by SIGINT (2)
   ╰────

2025-06-26 08:47:56+02:00: ~ w/❄️ w/🧙 took 14s
x10an14@ubuntu ❌-2 ❯ : lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble
2025-06-26 08:48:08+02:00: ~ w/❄️ w/🧙
x10an14@ubuntu ❯ : grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/
/etc/apt/sources.list.d/microsoft-prod.list:1:deb [arch=amd64,arm64,armhf signed-by=/usr/share/keyrings/microsoft-prod.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main
2025-06-26 08:48:27+02:00: ~ w/❄️ w/🧙
x10an14@ubuntu ❯ : history | last 11
───#───┬───────────────────────────────────────────────────────────────────────────────────command────────────────────────────────────────────────────────────────────────────────────
 12135 │ grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/
 12136 │ sudo apt purge intune-portal microsoft-edge-stable microsoft-identity-broker
 12137 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft-identity*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"}
 12138 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"}
 12139 │ systemctl --user daemon-reload
 12140 │ sudo apt install intune-portal
 12141 │ systemctl --user daemon-reload
 12142 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft-*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"}
 12143 │ intune-portal
 12144 │ lsb_release -a
 12145 │ grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/
2025-06-26 08:48:48+02:00: ~ w/❄️ w/🧙
x10an14@ubuntu ❯ :
```

Here are the relevant logs I was able to find:

```
x10an14@ubuntu ❯ : sudo journalctl -t intune-portal -t microsoft-identity-broker -f
Jun 26 08:47:41 ubuntu intune-portal[261043]: Command line arguments args=PortalArgs { common: CommonArgs { interactive: false, socket_path: "/run/intune/daemon.socket" } } version="1.2503.10"
Jun 26 08:47:45 ubuntu intune-portal[261043]: Starting a new login
Jun 26 08:47:45 ubuntu microsoft-identity-broker[261088]: I/IdentityBrokerService: [2025-06-26 06:47:45 - thread_id: 1, correlation_id: UNSET - ] Starting DBus Service for Microsoft Identity Broker...
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: Defaulting to no-operation (NOP) logger implementation
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:46 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: I/MapDbStorage:getDb: [2025-06-26 06:47:46 - thread_id: 1, correlation_id: UNSET - ] Attempting to open DB File at path: /home/x10an14/.local/state/microsoft-identity-broker/broker-data.db
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/IdentityBrokerService: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] DBus Service for Broker has been started!
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: UNSET - ] Received method call from UID [1000], with correlationId [ffba9791-791b-4237-b485-2101a8cd85b9].
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/MapDbStorage:getDb: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Attempting to open DB File at path: /home/x10an14/.local/state/microsoft-identity-broker/account-data.db
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerUtil:getCacheRecordListFromBrokerCache: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] This client ID is not known to brokerOAuth2TokenCache.
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerUtil:getCacheRecordListFromBrokerCache: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] No accounts available in client app cache, trying the FOCI cache.
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: W/DefaultBrokerApplicationRegistry:getMetadata: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Metadata could not be found for clientId, environment: [b743a22d-6705-4147-8670-d92fa515ee2b, null]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:isAppInBrokerApplicationRegistry: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] App in broker application registry: [false]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:addDeviceAccountIfNeeded: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] App in registry is allowed to access WPJ: [false]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:addDeviceAccountIfNeeded: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] is a known FoCI App: [true]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerServiceOperation:getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Received get account result for correlation id: ffba9791-791b-4237-b485-2101a8cd85b9
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerDBusV1Impl:getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Sending result back to calling application for correlation id: ffba9791-791b-4237-b485-2101a8cd85b9
Jun 26 08:47:48 ubuntu intune-portal[261043]: oneauth{tag="9a8hm"}: HTTP status: 404
Jun 26 08:47:48 ubuntu intune-portal[261043]: oneauth{tag="5fsch"}: Failed to get image from Graph
```

x10an14-nav | Jun 26, 2025 | Copper Contributor | 45 Views | 0 likes | 0 Comments

How to Identify and Validate the Current Device's Intune Registration (Android & iOS)

In both Android and iOS environments, which specific device-level field or identifier can we use via Microsoft Intune or Microsoft Graph API to reliably determine:

- Whether the current device is registered or managed by Intune
- Whether the current device is Intune-compliant

Our use case involves validating device trust during app login. So we need to identify the exact device the user is currently using (not just any device associated with their account) and confirm that it is Intune-managed.

We are looking for a consistent identifier, such as:

- Hardware ID
- Entra ID Device ID
- device object ID
- Or any identifier accessible through MSAL, Entra ID claims, or Microsoft Graph API

This identifier should allow us to cross-reference with Graph API responses, such as from:

- /deviceManagement/managedDevices
- /me/managedDevices

What is the best practice or recommended identifier to securely link the current device to its Intune record? Are there any platform-specific differences between Android and iOS we should consider?

sparsh-accops | Jun 09, 2025 | Copper Contributor | 43 Views | 0 likes | 0 Comments