Latest Discussions
Enrollment Time Grouping
Hi All

I hope you are well. Anyway, has anyone implemented or tested Enrollment Time Grouping yet? So far I have implemented it on:
- AE Entra Shared Mode devices
- AE Fully Managed devices

Any thoughts, tips, tricks etc?

Stuart

StuartK73 | Jul 14, 2025 | Steel Contributor | 15 Views | 0 likes | 0 Comments

MGP Keep apps on certain version
Hi All

I hope you are well. Anyway, a wee urgent one here. Is there any way to keep apps from the Managed Google Play to a certain version number? Apparently, the latest version of one of our apps is flawed. This is an app that is available publicly and not an LOB / APK etc.

Info appreciated.

Stuart

StuartK73 | Jul 10, 2025 | Steel Contributor | 19 Views | 0 likes | 0 Comments

How to Enforce Office Add-In Restrictions via Intune for Azure AD-Joined Devices (Office 2013–2021)
Dear Community,

We are currently migrating users from a traditional Windows Active Directory environment (where we used GPOs to restrict Office add-in management) to Microsoft 365 with Azure AD-joined devices. Our goal is to prevent users from disabling critical Office add-ins across multiple standalone Office versions — specifically Office 2013, 2016, 2019, and 2021.

We are looking for guidance on:
- How to implement similar restrictions using Microsoft Intune and Microsoft 365 Admin Center.
- Whether there are Intune configuration profiles or administrative templates that support this use case.
- Any limitations or compatibility issues with standalone Office versions (non-Microsoft 365 Apps).
- Recommended best practices or documentation links for enforcing add-in policies in a cloud-native setup.

Any help or shared experiences would be greatly appreciated! Thank you.

Garre_Akhil | Jul 10, 2025 | Copper Contributor | 19 Views | 0 likes | 1 Comment

Intune - Issues with Account-Driven User Enrollment Issues on iOS 18.5
Hello everyone,

Since the release of iOS 18, Apple has deprecated profile-based user enrollment via the Company Portal app, requiring the use of Account-Driven User Enrollment. While this change enhances user experience, I'm encountering challenges in implementing it.

Steps Taken:
- Apple Business Manager (ABM) Account: Created and linked the ABM account to Intune using the token. Corporate devices are successfully appearing in Intune.
- MDM Server Configuration: Set Intune as the default MDM server for all devices in ABM.
- Domain Federation: Established Entra ID federation in ABM to synchronize all users.
- Intune Enrollment Profile: Created an 'Enrollment Type Profile' of type 'Account-Driven User Enrollment.'
- MDM Push Certificate: Configured and validated the MDM Push certificate.

Issue Encountered:
According to https://support.apple.com/guide/deployment/account-driven-enrollment-methods-dep4d9e9cd26/web, starting with iOS 18.2, hosting a service discovery file on a web server is no longer mandatory. The device should automatically contact the ABM organization associated with the Managed Apple ID if no web server is found.

On an iOS 18.5 device, I navigate to: Settings > General > VPN & Device Management > Sign in to Work or School Account

After entering my Microsoft email address (which matches my Managed Apple ID due to federation), I consistently receive the error: "Your Apple ID does not support the expected services on this device."

In ABM, under "Access Management" > "Apple Services," all services are activated. Could I be missing a crucial step in the configuration? Any guidance or insights would be greatly appreciated. Thank you in advance for your help.

Best regards,

JulienSenec | Jul 10, 2025 | Copper Contributor | 67 Views | 1 like | 4 Comments

Device shows twice in Intune and Entra after upgrade, still not activating Enterprise
Hi everyone — I'm looking for advice on a device we're trying to onboard into Intune with proper licensing and Entra join.

Background:
I have a user whose device was:
- Originally on Windows 11 Home
- Manually upgraded to Pro using a generic key (unactivated)
- Then upgraded to Enterprise using a generic key
- Factory reset in an attempt to trigger proper OOBE and Entra join

Current Problem:
Now, we have two device records for the same machine in both Entra ID and Intune:
- One device is marked Entra registered (personal), showing Windows Pro
- The other is Entra joined (corporate), showing Windows Enterprise but still not activated (0xC004C003)
- The user is correctly signed in with their work account
- Device did not trigger the expected work/school OOBE flow
- Subscription activation is not completing

What I've Tried:
- Factory reset and cleanup using slmgr /upk and systemreset -cleanpc
- E5 license is properly assigned
- Verified login during OOBE is using the correct organizational account
- Device shows as compliant and managed in Intune
- But Windows remains unactivated on Enterprise

What I'm Wondering:
- Could the duplicate records (personal and corporate) be interfering with activation?
- Should I delete both and start fresh?
- Is there a better way to force clean OOBE + Entra join when recovering a Home device?
- Should I stop using generic product keys and let subscription activation take over?

Any insight would be hugely appreciated — I'm in the middle of deploying Intune across 75 devices by the end of August. Thanks in advance!

canadiancapper | Jul 09, 2025 | Copper Contributor | 39 Views | 0 likes | 1 Comment

Password reset via Intune takes up to 30 minutes
Hello,

How can I speed up the password reset for Intune? It currently takes up to 30 minutes until a password change is active and the user can log in again. According to Intune, it takes up to 15 minutes - even that is far too long in my opinion. There must be a way to speed this up.

Thanks

John180 | Jul 07, 2025 | Copper Contributor | 36 Views | 0 likes | 2 Comments

To check admin rights access on Windows 10 & later devices
We have Windows 10 and later devices managed by Microsoft Intune. I want to get the list of users who have admin rights access on their devices. Could anyone assist with how I can get that?

Thanks & Regards,
Ayyaz Mahboob

Ayyaz138 | Jul 07, 2025 | Copper Contributor | 27 Views | 0 likes | 1 Comment

iOS/iPadOS Copy, Paste exempt possible?
Hi everyone,

I'm currently struggling with the App Protection Policies in Intune for iOS devices. There are a few requests regarding the app usage in our company. One of them would be, for example, that you should be able to copy content from Teams and use it in the native Safari browser.

The Teams app is protected with a policy, the setting: Restrict cut, copy, and paste between other apps is set to Policy managed apps with paste in. So I put the Safari app in the Send org data to other apps in the “Select apps to exempt”. But nothing came up.

After some research I found the section: "The exempt unmanaged app must be invoked based on iOS URL protocol. For example, when data transfer exemption is added for an unmanaged app, it would still prevent users from cut, copy, and paste operations, if restricted by policy."

It's restricted for now. So it's saying there's not really a way to make copying and pasting possible except to open this policy setting completely? The Safari app cannot be managed via SDK. How do you solve this, or is there a better way rather than opening the policy?

EgorSiwzow | Jul 03, 2025 | Copper Contributor | 37 Views | 0 likes | 1 Comment

WDAC + App Control For Business + App Control Wizard
Hello All,

We are trying to use the following combination—WDAC, App Control for Business, and the App Control Wizard—to create and deploy WDAC policies in our tenant. We have a general base policy derived from a slightly modified 'Allow Microsoft Mode' template, along with a couple of supplemental policies that explicitly allow certain apps by publisher (such as PaloAlto, Omnissa/VMware etc).

Enabled rules on base policy are as follows:
- Enabled:Unsigned System Integrity Policy
- Enabled:Advanced Boot Options Menu
- Enabled:UMCI
- Enabled:Inherit Default Policy
- Enabled:Update Policy No Reboot
- Enabled:Allow Supplemental Policies
- Enabled:Managed Installer

Basically, we are allowing only those applications that are installed via a managed installer—in our case, the Company Portal. For example, if Palo Alto's GlobalProtect is installed through the Company Portal, it is not blocked by the WDAC policy. However, on some devices where GlobalProtect was installed manually, we have a supplemental policy that allows it by publisher. Despite this, the manually installed version of GlobalProtect is still being blocked by WDAC, which suggests the policy isn't working as expected.

Example of such Supplemental policy is below:

I'm curious—are there any people or organizations using a similar setup? If so, are you experiencing similar issues? What has the general feedback been regarding this setup?

J0hn_J0hnson | Jul 02, 2025 | Copper Contributor | 39 Views | 0 likes | 0 Comments