Recent Discussions
enrolling in Intune MacBook Pro with an M5 Pro
Hi everyone

We have tested the Wi-Fi and ethernet profile without success with Apple Business Manager. The Wi-Fi and the ethernet connection itself works, but the enrollment process into Intune does not complete successfully. At this stage, we cannot sign in, and neither the Wi-Fi nor the Ethernet connection appears to be working.

The device is a 14-inch MacBook Pro with an M5 Pro chip, running macOS 26.5.1. The device connects to the server, the settings begin to apply, but the process suddenly stops, and we are then unable to log in.

These are the steps followed:

1. Synchronize the device from Apple Business Manager to Intune.
2. Assign the enrollment profile to the device.
3. Perform a device wipe/reset.
4. Start Automated Device Enrollment (ADE).
5. Complete the device setup and user sign-in.
6. The device successfully enrolls into Intune.
7. Intune begins deploying configuration profiles, compliance policies, security policies, and applications.
8. During the policy application process, Wi-Fi connectivity stops responding.
9. The device loses network connectivity and cannot continue synchronizing policies.

We are unable to sign in because the enrolment process has not been finalized. As a result, we have to wipe the Mac and start the process again each time. We have disabled some policies, but we are still experiencing the same issue.

Has anyone experienced any issues like that?

Regards,
24 Views, 1 like, 0 Comments

CanReset value flipping on cloud only devices
Hello,

I have a problem with cloud only Windows 11 devices configured with passwordless policy. I have noticed that when you run the dsregcmd /status command, the CanReset value under User State is flipping between "No" and "DestructiveAndNonDestructive". When it's the latter, everything works fine, users can start the wizard for facial recognition or make PIN changes under Sign In options in Windows. But when it flips to No, everything is blocked.

It seems to happen randomly, you can leave a device untouched for a few hours and just check dsregcmd and the value will change. CanReset is the only value that changes in the dsregcmd report. It happens for different devices located on different networks. Also, I have disabled web gateway completely for one device just for testing but no change.

Any suggestions would be welcome.
32 Views, 1 like, 1 Comment

Windows App Update Notification
Hi everyone,

We have deployed the Windows App for a client. Currently, when an update is available, users are seeing an in app banner that says: "Click here to update the app. Meanwhile you can use the app." If the user clicks it, the update finishes successfully.

However, our organization requires a completely hands off, automated update process. We do not want end-users to have to interact with a notification or manually click a button to keep the app up to date.

Is there a specific Group Policy, registry key or Intune configuration that completely suppresses this in app notification and forces the MSIX package to install silently in the background when the app or machine is idle?

Any advice on how to bypass this "Notification" behavior and enforce touchless updates enterprise wide would be greatly appreciated.

Thanks!
57 Views, 1 like, 1 Comment

Intune Install Printer Driver
I am trying to install a Printer driver via a Win32app using System to install. Have set configuration as below:

It's a simple PowerShell script which runs perfectly when installing on a device as an administrator.

    $printdriver = "PCL6 V4 Driver for Universal Print"
    C:\Windows\system32\pnputil.exe /add-driver "r4600.inf" /install
    Add-PrinterDriver -name $printdriver

However installing it via Intune I get an event id 215 with failed error code 0x0 HRESULT 0x80070705 on the device.

Any help appreciated.
28 Views, 1 like, 1 Comment

Moving from Windows Server 2022 to 2025
And by moving I mean stand up a completely fresh Windows Server 2025 as the old server was patched for one too many times. (painfully slow and stuffy)

What I figured out so far, is to

- install Windows Server 2025, and the exact same SQL Server 1:1 to the build #
- install ODBC v18
- update current MECM to the latest and its OS (update other Microsoft products with windows update)
- go to sites / maintenance tasks and do an export
- robocopy the "software" folder as is

Now next would be to shut down old MECM server, rename new to the old's hostname, and start the "recover site"

What my concern is as always "What if" can I at this point or once I set up the new MECM up and running go back by shutting down this new server, and powering on the old (leave and rejoin domain for trust) and go back to business as usual? That if anything goes sideways, or things won't get better. By that I mean speeding up things which is the main reason of the 'move' which now I do not wish to troubleshoot.

Our environment, database size is 7.9 Gb, which is far from being big. The reason must be the update over upgrade over update over 15 years or more no and never brand new OS.

I can take care of the "how to" I know exactly how to recover a site 'on paper'. I just want to know there's no such thing as point of no return. (when not making a single change in the Db/console) I also understand I should not make any changes in the Db (console) while testing, which is no problem at all. All we use MECM for is staging computers. Nothing else really. Like nothing else at all. PXE. The end.

Thanks for the inputs. (I hope I picked the right tags)
35 Views, 0 likes, 0 Comments

Intune macOS ADE: support for minimum macOS version enforcement before Platform SSO registration
Hi everyone,

I would like to ask whether Microsoft Intune has any supported method, roadmap, or recommended workaround for enforcing a minimum or target macOS version during Automated Device Enrollment before Setup Assistant continues.

The scenario is macOS zero-touch deployment with Intune, Automated Device Enrollment, Setup Assistant with modern authentication, Await final configuration, and Platform SSO registration during ADE. Platform SSO registration during Setup Assistant depends on newer macOS capabilities. In addition, some macOS deployment scenarios, such as Platform SSO password sync and macOS LAPS, may require or strongly benefit from a specific macOS version being installed before the user completes enrollment.

Today, Intune can manage macOS software updates after enrollment using Declarative Device Management software update policies. However, that does not fully solve the issue where the Mac starts ADE on an older macOS version. In that case, the device may begin Setup Assistant and Platform SSO registration before the required macOS version is installed.

What I am looking for is an Intune-native equivalent of enforcing a minimum or target macOS version during ADE, before Setup Assistant continues. Ideally, the macOS ADE enrollment profile in Intune would support options such as:

- Minimum required macOS version
- Target specific macOS version
- Target specific build, if supported
- Latest eligible macOS version for the device
- Apply the OS update before Platform SSO registration and final configuration
- Reporting in Intune showing whether the ADE OS update was required, started, completed, skipped, or failed

Without this capability, organizations using Intune-only macOS deployment may still need manual IT staging or macOS restore/update before handing devices to users. This weakens the zero-touch deployment model, especially when adopting Platform SSO registration during Automated Device Enrollment.

1. Is there currently any supported way in Intune to enforce a minimum or target macOS version during ADE before Setup Assistant continues?
2. Is this capability on the Intune roadmap?
3. Are there any recommended workarounds for organizations deploying Platform SSO registration during ADE where a specific macOS version is required?

Thanks in advance for any guidance from the Intune team or the community.

8 hour wait time for Intune when "Configuring team site libraries to sync automatically"
I hate this, we don't want to wait for this long to find out it doesn't work because we forgot a curly bracket!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Fix this or give us a solution to manually push this config policy out so we can see it working immediately!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! More exclamation marks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanks!
76 Views, 0 likes, 1 Comment

Intune App inventory Graph
Hi All,

I've enabled the configuration profile to receive app inventory data in Intune. In the GUI I can view the data just fine, but I would like to use Graph to automate this data and create custom reports.

When I use the following

https://graph.microsoft.com/beta/deviceManagement/managedDevices/[device-id]/deviceInventories('ApplicationProperties')

I get an error: "Forbidden - 403 - 199 ms Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab" even though the docs I can find about permissions are OK.
136 Views, 1 like, 1 Comment

Edge displays a splash screen saying ‘Sign in to sync your data’
Hello

When the user logs in to a device for the first time and launches Edge, the following splash screen appears, even though we have created the Intune configuration below, which is intended to prevent this.

We have following Intune configuration:

Why does the splash screen still appear?
105 Views, 0 likes, 2 Comments

Broken functionality of macOSWiFiConfiguration policies
I'm having trouble accessing macOSWiFiConfiguration policies. They are completely inaccessible via the Intune admin portal (no actual data is displayed) and the Microsoft Graph API.

When using Graph (/beta/deviceManagement/deviceConfigurations or with policyId) an InternalServerError is returned mid-response, resulting in a truncated and malformed body. This error indicates that the 'wifiRequirePhysicalMacAddressEnabled' property (type Edm.Boolean, Nullable = False) has a null value stored in the back end. The policy also fails to load in the Intune admin portal, which I suspect is caused by the same underlying issue.

ERROR DETAILS:
Endpoint: GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{policy-id}
Error code: InternalServerError
Error message: "The property 'wifiRequirePhysicalMacAddressEnabled[Nullable=False]' of type 'Edm.Boolean' has a null value, which is not allowed."

STEPS TO REPRODUCE:
1. Create a macOSWiFiConfiguration policy in the Intune admin portal. Additional note: front end will attempt to create the policy multiple times (around 20), even though the back end responds with a 201 HTTP code.
2. Try to GET the policy via Graph API (returns InternalServerError with malformed JSON body) or retrieve it using the WebUI (no data is shown).

EXPECTED BEHAVIOR:
The policy should be retrievable via Graph API and visible in the Intune admin portal. The property wifiRequirePhysicalMacAddressEnabled should hold a valid boolean value (true or false).

ACTUAL BEHAVIOR:
Failed to retrieve policy through Graph API and Intune WebUI.

Has anyone else encountered this issue? Does anyone know how I can report this directly to Microsoft? All the options I have found lead me to AI chatbots which unfortunately are not helpful at all.

Thank you.
71 Views, 0 likes, 1 Comment

Updates Not Installing by Install Deadline
Hello all!

We have an organization with about 12,000 Windows 11 Workstations. I'm noticing that even though install deadline is set, and updates are allowed to be installed before install deadline hits, we are noticing in Software Center that updates say "will install after _____" (deadline date).

How can I change this? I want updates to install during the maintenance window as well as a reboot. What am I missing?

Connor
77 Views, 0 likes, 2 Comments

Is monthly BIOS updates via Intune overkill for enterprise Windows 11
Hey all,

Looking for some opinions from others managing BIOS and Drivers on enterprise environments. We’re considering pushing BIOS/firmware updates monthly across our Windows 11 fleet using Intune, but it feels a bit too aggressive.

- Is anyone actually doing BIOS updates this frequently?
- Do you see real risk in not updating BIOS regularly?
- Or do you treat BIOS updates more as “only when needed” (security issue / vendor recommendation)?
- Any issues you’ve run into pushing BIOS updates at scale via Intune?

My concern is stability risk vs actual security benefit — feels like monthly might be overkill unless there’s a critical vulnerability.

Keen to hear how others are handling this in production environments.
126 Views, 0 likes, 2 Comments

YellowKey BitLocker Exploit
Hi All

I hope you are well. Anyway, the YellowKey BitLocker Exploit has come to my attention. We already have automatic / silent BitLocker encryption enabled. So, is there anything we should be doing (preferably via Intune) to mitigate this new exploit?

SK
8.9K Views, 2 likes, 14 Comments

MS InTune - packaging Amazon DCV client
Hi,

I used the InTune prep tool to bundle the Amazon DCV client. Everything seems to work correctly, bundle created and it uploads well. When I use the company portal to install, it looks like it pushes\installs properly but the DCV client does not run on the laptop after install. This is a .msi package so all the settings are in place when I create the InTune APP in the portal.

Has anyone successfully bundled DCV in InTune? Am I missing anything? Or anything to try?

Thank you,
Solved, 150 Views, 0 likes, 5 Comments

Retrieving the “Device inventory” of iOS devices via the Graph API
We use Microsoft Intune to manage our iOS mobile devices. To achieve the highest possible level of efficiency, we use PowerShell as a supplementary tool for administration. Since our devices may contain two SIM cards, it is important for us to be able to read this information in order to perform relevant processes (e.g., adding phone numbers to address books). In general, it would be desirable to be able to read the information from the “Device Inventory” of iOS devices.

For the reasons mentioned above, we would like this information to be made available via the Graph API. Alternatively, there should be a way to provide this information for all devices in a single report.
120 Views, 0 likes, 2 Comments

Company Portal No Longer Installing During Autopilot Enrollment
Up until today, Autopilot enrollment which included Company Portal from the Microsoft Store (NEW) was successful. Starting today, the same enrollment workflow with similar hardware is failing to install Company Portal, reporting an error code of 0x87D1041C ("The application was not detected after installation completed successfully").

The only difference between yesterday and today? Today's enrollment included updating Windows to 10.0.26200.8457 (today's Patch Tuesday update).

I did find information that there was a similar issue nearly a year ago, where the latest Windows Update resulted in the same errors, and Company Portal requiring an update to fix. Are we looking at the same issue again?
4.2K Views, 2 likes, 27 Comments

BYOD devices can't launch Windows 365 PC because of device compliance check during CA policy check.
We have a device compliance policy for all cloud apps. We would like to allow personal (BYOD) devices to be able to connect to Windows 365 Cloud PC. In the sign in logs we see the failures for application "Windows 365 Client" app id 4fb5cc57-dbbc-4cdc-9595-748adff5f414. We can't exclude that application in the conditional access policy as it's not available. We already added exclusions for Azure Virtual Desktop, Windows 365 and Windows Cloud Login.

How can we allow BYOD devices to connect to cloud PCs?
200 Views, 0 likes, 4 Comments

Policy applied although it shouldn't
Hi,

all of a sudden Intune changes its behavior. I have a policy in place that sets persistent browser session. On the device filter tab I excluded devices with this syntax:

    device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company"

Starting last week I have to re-authenticate on a remote Desktop running Windows Server 2025 every 8 hours. That's what the policy requires. In Entra I see in the logs for my user that this conditional access policy applied. I then extended the filter to this

    device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company" -or device.operatingSystem -contains "Server"

But it did not make a difference. Any idea what is going on? This is not specific to my tenant. On a different tenant it behaves the same way.
184 Views, 0 likes, 7 Comments

App Enforced Restrictions not working on Chrome
Hi All

I hope you are well. Anyway, a strange one here. We have implemented App Enforced Restrictions on unmanaged / BYOD macOS devices. This seems to have taken effect on Edge and Safari browsers but not Chrome. Is there anything we can do to resolve this or force BYOD macOS to use Edge?

Info appreciated.

SK
178 Views, 0 likes, 4 Comments
Events
Moving to Intune isn’t just about replacing legacy management tools; it’s about rethinking how devices are deployed, secured, and managed in a cloud-first world. But where should you start? How do yo...
Tuesday, Jun 23, 2026, 08:00 AM PDT, Online
31 Attendees, 0 likes, 0 Comments
Recent Blogs
- 1 MIN READ. Naveen Kumar Akkugari wrote up a blog post on how we deployed an early version of the Platform SSO for MacOS devices. We decided to try something a little different in the blog-o-sphere so it was po... (Jun 18, 2026; 36 Views, 0 likes, 0 Comments)
- By: Naveen Akkugari, Sr. Service Engineer and Michael Griswold, Principal Service Engineering Manager | Microsoft Intune. Who we are: Our internal Intune administration team at Microsoft is respons... (Jun 18, 2026; 389 Views, 0 likes, 0 Comments)