Recent Discussions
Company Portal Installation failing due to missing Microsoft.UI.Xaml.2.7
Dear All, We are deploying Company Portal App as Microsoft Store app (new) from Intune on Hybrid Domain Joined devices. While some devices are successfull to install company portal, some device are failing. I did review of events in, below locations subfolders. Event Viewer -->Applications and Services Logs --> Microsoft --> Windows --> Appx Deployment Event Viewer -->Applications and Services Logs --> Microsoft --> Windows --> Appx Deployment-Server. Event Viewer -->Applications and Services Logs --> Microsoft --> Windows --> Appx Deployment-Server-Undocked Event Viewer -->Applications and Services Logs --> Microsoft --> Windows --> AppxPackagingOM During the review I found error 0x80073cf3: Package failed updates, dependency or conflict validation. This is the reason for Company Portal App failed installation. This is due to lack of Microsoft.UI.Xaml.2.7 installed on the device. If i execute below commands 1 after another in the command prompt, Installation of Company Portal gets succeeded. Winget Install --accept-source-agreements --accept-package-agreements Microsoft.UI.Xaml.2.7 Winget Install --accept-source-agreements --accept-package-agreements Microsoft.CompanyPortal My question is how can i add the Microsoft.UI.Xaml.2.7 as a dependency app for Company Portal App, especially when the app type is Microsoft Store app (new) ? I do not want to deploy Company Portal as win32 app and also deploy the Microsoft.UI.Xaml.2.7 as win32 app, because in this method of deployment i always have to create new win32app when a new version is released. Does anyone came across same situation and have any thoughts ?Intune connector stuck because it is no longer supported
Hello, We are trying to connect our JamF Pro to Intune for compliance checks on our Macs. Following Microsoft's (incorrect) instructions, we found that the old (legacy) method to be no longer supported by JamF. However, after entering the Enterprise AppID the connector is now stuck and we cannot clear it because it cant connect to anything at JamF. The "Terminate" button simply produces the following error: "{"error":{"code":"InternalServerError","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: f0416542-74a3-4876-a3a3-d27cc6a9bb31 - Url: https://proxy.msub02.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceManagementPartners('007d2fff-e0dd-4b28-8595-cec005efe5cd')/microsoft.management.services.api.terminate?api-version=5025-03-20\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2025-11-20T08:33:25","request-id":"11b3ecb3-6b3c-40a1-a2ef-1259682cc5f7","client-request-id":"f0416542-74a3-4876-a3a3-d27cc6a9bb31"}}}" We have since connected JamF Pro using their new method successfully, but our managed Macs are still NOT showing in Intune. We need to clear the old connector, which is in limbo, in case this is blocking the new one from working. We raised a case with Microsoft support in November 2025 and despite repeated efforts to contact them, still haven't had a response. Any ideas, please?
physicalMemoryInBytes always returns 0 with called from ServiceNow
Hello, I am trying to fetch physicalMemoryInBytes for Intune devices from ServiceNow. I tried calling this info by using below endpoints: https://graph.microsoft.com/beta/deviceManagement/manageddevices('1111-2222-3333-abc4-55aa55bb55')?$select=id,physicalMemoryInBytes https://graph.microsoft.com/beta/deviceManagement/manageddevices('1111-2222-3333-abc4-55aa55bb55')?$select=id,hardwareinformation,physicalMemoryInBytes In both cases I'm getting below error error: Failed to iterate on data stream: com.glide.transform.transformer.exceptions.InvalidPathException: Could not find path in stream: $.value I referred to this Intune article but no luck: https://techcommunity.microsoft.com/discussions/microsoft-intune/physicalmemoryinbytes-always-returns-0/3025721 Can someone help with this?
Issue with Android iOS Wi-Fi authentication using certificates EAP-TLS with NPS
I am trying to configure Wi-Fi authentication for Android and iOS devices using certificates (EAP-TLS). I followed the guide below Support Tip - How to configure NDES for SCEP certificate deployments in Intune | Microsoft Community Hub, and I am able to successfully deploy certificates to the devices. The certificates are installed correctly on the final devices, so the distribution part seems to be working fine. However, the devices are not able to authenticate to the Wi-Fi network. The connection fails during authentication, and from what I can see the issue seems to be related to NPS. My doubt is specifically about the NPS configuration. In the guide, user or computer groups are usually added in the network policy conditions, but in my scenario I cannot rely on adding users or groups, since authentication should be based only on the certificate. I am unsure how to correctly configure NPS to accept these devices using certificate-based authentication without assigning them to a security group. Has anyone already faced this situation or can explain how NPS should be configured in this case? Any guidance or example configuration would be greatly appreciated. Thank you in advance.
Restrict User Access to Specific Devices and Location Using Intune & Conditional Access
We have a customer requirement to restrict user sign-ins using Intune and Azure AD (Entra ID) Conditional Access. The goal is to allow access only from specific, managed devices and only from a specific geographic location. For example, users should be able to access corporate resources only when signing in from compliant/managed devices and only when located in Mumbai What would be the recommended approach or best practice to achieve this using Conditional Access and Intune? Any guidance on configuration, limitations (e.g., location accuracy), or real-world experiences would be appreciated.Delivery Optimization breaking Windows 11 update downloads?
We started seeing Delivery Optimization–related issues with Windows updates after upgrading devices to Windows 11 24H2. In our SCCM environment, Windows updates begin downloading but consistently fail or stall partway through the download. In many cases, the download restarts multiple times and eventually errors out. This behavior is consistent across multiple devices and different boundaries. These same devices were patching normally prior to the 24H2 upgrade. Since moving to 24H2, patching has become unreliable, especially for larger updates. From what we’re seeing, this doesn’t look like a traditional content or boundary issue. It feels like Delivery Optimization is failing mid-transfer or not resuming downloads correctly after the OS upgrade. So far we’ve checked the following: - Boundaries and boundary groups are unchanged - Content is available and distributed correctly on DPs - No recent SCCM site or infrastructure changes - Network connectivity looks normal On the client side, we’ve been reviewing: - DataTransferService.log (downloads start but fail or restart mid-way) - DeliveryOptimization logs (showing repeated retries / stalled transfers) - CAS.log and LocationServices.log (content location looks normal) - WUAHandler.log (update detection looks fine) Overall, detection and policy seem healthy — the issue appears during the actual download phase. Has anyone else seen Delivery Optimization downloads stall or fail during Windows patching after upgrading to Windows 11 24H2? If so, did you find a specific DO setting, policy change, or workaround that stabilized patching?Delivery Optimization breaking Windows 11 update downloads?
We started seeing Delivery Optimization–related issues with Windows updates after upgrading devices to Windows 11 24H2. In our SCCM environment, Windows updates begin downloading but consistently fail or stall partway through the download. In many cases, the download restarts multiple times and eventually errors out. This behavior is consistent across multiple devices and different boundaries. These same devices were patching normally prior to the 24H2 upgrade. Since moving to 24H2, patching has become unreliable, especially for larger updates. From what we’re seeing, this doesn’t look like a traditional content or boundary issue. It feels like Delivery Optimization is failing mid-transfer or not resuming downloads correctly after the OS upgrade. So far we’ve checked the following: - Boundaries and boundary groups are unchanged - Content is available and distributed correctly on DPs - No recent SCCM site or infrastructure changes - Network connectivity looks normal On the client side, we’ve been reviewing: - DataTransferService.log (downloads start but fail or restart mid-way) - DeliveryOptimization logs (showing repeated retries / stalled transfers) - CAS.log and LocationServices.log (content location looks normal) - WUAHandler.log (update detection looks fine) Overall, detection and policy seem healthy — the issue appears during the actual download phase. Has anyone else seen Delivery Optimization downloads stall or fail during Windows patching after upgrading to Windows 11 24H2? If so, did you find a specific DO setting, policy change, or workaround that stabilized patching?Unable to use TargetedManagedAppConfiguration end point (Broken)
Within Intune, Graph explorer and PowerShell commands the gateway fails to respond, it's been broken for a couple of months, i have opened multiple support tickets and tumbleweed. i cant get or create any App configuration or app protection policies PS error Get-MgDeviceAppManagementTargetedManagedAppConfiguration Get-MgDeviceAppManagementTargetedManagedAppConfiguration_List: Too many retries performed. More than 3 retries encountered while sending the request. (HTTP request failed with status code: GatewayTimeout. Intune Error { "error": { "code": "UnknownError", "message": "{\"Message\":\"{\\r\\n \\\"_version\\\": 3,\\r\\n \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6bf99a96-6889-4b10-a52e-c31e099e9111 - Url: https://proxy.msub06.manage.microsoft.com/TrafficGateway/TrafficRoutingService/MAMAdmin/MAMAdminFEService/deviceAppManagement/targetedManagedAppConfigurations?api-version=5025-07-01&$count=true\\\",\\r\\n \\\"CustomApiErrorPhrase\\\": \\\"\\\",\\r\\n \\\"RetryAfter\\\": null,\\r\\n \\\"ErrorSourceService\\\": \\\"\\\",\\r\\n \\\"HttpHeaders\\\": \\\"{}\\\"\\r\\n}\"}", "innerError": { "date": "2025-12-23T12:42:49", "request-id": "b844d1f6-c583-485c-b33f-9a29d9b44a92", "client-request-id": "6bf99a96-6889-4b10-a52e-c31e099e9111" } } }Separate APP policies
Hi All I hope you are well and have a Merry Christmas and a Happy New Year. Anyway, trying to get my head around APP policies for both BYOD and Corp (COBO) Android devices. I'd like nothing more than a single APP policy for Android but there are certain settings such block screenshots that I would like to include in the BYOD APP policy but not include in the Corp (COBO) APP policy. So, my thinking is: BYOD APP policy > Assigned to E3 / F3 groups > Filter on EXCLUDE corp devices Corp Owned / Intune Enrolled COBO APP policy - Filter on EXCLUDE personal devices Could someone advise on the best way to achieve this? What's the best Device / App filter syntax to use? Info appreciatedEntra ID LAPS and BitLocker on Hybrid AD–Joined Devices
Hi All, We have Hybrid AD–joined Windows devices with BitLocker managed on-prem via GPO and BitLocker recovery keys already escrowed to Microsoft Entra ID. If we enable Windows LAPS in Entra ID (cloud LAPS), will this have any impact on: Existing BitLocker recovery keys stored in Entra ID, or Current/future BitLocker configuration and escrow behavior? Is there any dependency or interaction between Entra ID LAPS and BitLocker on hybrid devices? Thanks in advance Dilan
SYSTEM CENTER IMPLEMENTATION & LICENSING Guide
Dear Microsoft Community, Our organization is planning to deploy a comprehensive IT management solution using the Microsoft System Center Suite. The goal is to streamline infrastructure operations, enhance backup and recovery, manage both virtual and physical resources, oversee endpoints, and maintain security and compliance. We need guidance regarding the number and type of licenses required, specifically Client Management Licenses (CML), Server Management Licenses (ML), and System Center Suite licenses.
System Center Configuration Manager : Trojan QGIS software false detection ?
Hi, I’m not sure where to report or ask about this alert, so I’m posting here. I use SCCM to deploy the software QGIS (an open-source GIS application) to users’ computers using .msi installers. Recently, SCCM removed my installer and reported the following alert: System Center Endpoint Protection a détecté un programme malveillant sur un ou plusieurs ordinateurs de votre organisation Nom de la collection : _Tous les serveurs Nom du programme malveillant : Trojan:Win64/ScarletFlash.ASA!MTB Nombre d'infections : 1 Heure de la dernière détection (heure UTC) : 03/12/2025 02:14:24 Voici les infections de ce programme malveillant : Nom de l'ordinateur : xxx.xxxxxxx.xxxx Domaine : xxxx Heure de détection (heure UTC) : 03/12/2025 02:14:24 Chemin d'accès au fichier du programme malveillant : containerfile:_E:\Sources_Packages\QGIS\3.40.10\QGIS-OSGeo4W-3.40.10-1.msi;containerfile:_E:\Sources_Packages\QGIS\3.40.12-1\QGIS-OSGeo4W-3.40.12-1.msi;file:_E:\Sources_Packages\QGIS\3.40.10\QGIS-OSGeo4W-3.40.10-1.msi->application.cab->filD90E2F766C2B1014B0D199BDDDF46963;file:_E:\Sources_Packages\QGIS\3.40.12-1\QGIS-OSGeo4W-3.40.12-1.msi->application.cab->fil338C30DA73AC1014AF5482D1DA910BA5 Action de correction : Aucune action État des actions : Réussi Pour afficher d'autres informations sur l'activité des programmes malveillants dans votre organisation, exécutez le rapport des détails du programme malveillant. I contacted QGIS security team that says it's probably a false detection. How can I report this to Microsoft and request an update to their detection signatures to prevent this installer from being deleted? Sincerly,Configuration Manager ADR for Windows Servers Not Deploying Updates
Hi everyone, We recently deployed Configuration Manager 2503 in our environment. The environment consists of the following: 1 Primary Site Server including Distribution Point role in head office, 1 Distribution Point server for a field office location, and 1 Site database server. We followed some articles or links online to deploy the Software Update Point on the primary site server that includes the Distribution Point role. The SMS_WSUS_CONFIGURATION_MANAGER, SMS_WSUS_CONTROL_MANANGER, and SMS_WSUS_SYNC_MANAGER components show a green checkmark and OK status. We followed some online articles or links to also create an Automated Deployment Rule as well. Despite creating the Automated Deployment Rules, it does not seem that updates are deploying to the targeted servers that are part of a Device Collection in Configuration Manager. Please advise what we should review to remediate this issue. Thanks.
Issues with Windows 11 Autopilot Hybrid Joined Since last Week
Hi all, as of Thursday 4th December our Windows 11 Autopilot (Hybrid Joined) has ceased functioning. On the very first step, after the user attempts to enter their username&password, we can see the deployment profile gets downloaded to the device but then everything immediately stops with error "Something went wrong. Confirm you are using the correct sign-in information and that your organisation uses this feature. You can try and do this again and contact your system administrator with the error code 800004005". We can see that the ODJ process never starts. And we think we're seeing errors with the device reading the deployment profile JSON locally. Has anyone else had any errors? Wondering if Microsoft have made a change somewhere or have issues.
Multi-App Kiosk not applying on Samsung A55 (Android 16)
Hello everyone, I’m facing a critical issue with Android Enterprise Multi-App Kiosk mode on a Samsung Galaxy A55 (SM-A556B). The problem started suddenly last week without any configuration changes, and now no Android Enterprise configuration profiles apply anymore. What happened originally The device was running Android 15, and it had been working fine for months in Managed Home Screen (Multi-App Kiosk). Then suddenly: Managed Home Screen stopped showing all apps The device booted into MHS, but the screen was completely empty No policy changes were made on our side I tried several troubleshooting steps, but nothing fixed it. Eventually, I factory-reset the device and re-enrolled it as a Corporate-Owned Dedicated Device (COBO). Current situation after re-enrollment Even after a clean enrollment: No Android Enterprise device restriction profiles apply (Multi-App Kiosk doesn’t start at all) The device stays in the normal Samsung launcher Only very basic commands work: Remote restart App install/uninstall via group assignment All assigned apps show as Installed Profile status in Intune shows Success, but nothing is actually enforced I then upgraded the device to Android 16 (patch 2025-11-01). Unfortunately, the behavior did not change. Current configuration Android Enterprise → Device Restrictions → Multi-App kiosk Allowed apps: Teams, Managed Home Screen, Contacts Managed Home Screen installed Enrollment type: Android Enterprise – Fully Managed / Dedicated No OEM kiosk (no Samsung Knox settings) No Work Profile on the device Symptoms now Managed Home Screen never launches Kiosk mode is completely ignored Device is fully usable like a normal phone Only app deployments work, nothing else This began while still on Android 15 Updating to 16 did NOT resolve the issue Questions Has anyone seen this behavior where Android Enterprise policies stop applying entirely after MHS fails? Is there a known issue with Samsung A55, Android 15/16, or Managed Home Screen? Could this be related to a bug in the Fully Managed/Dedicated enrollment flow for the A55? Any recommended workarounds or known fixes? Any guidance is appreciated — this behavior is completely blocking Kiosk deployments for us. Thanks!Window 11
Hello I am using windows 11 few weeks ago I received windows update after update my windows started asking Bitlocker key i didn’t used Bitlocker my computer is stuck almost 2 weeks I don’t know what I do I didn’t used Bitlocker I buyed HP company alsmost 2 years. please help me to find solution without bitlocker key i can’t access my computer. thank you
Win 10 Security Baseline: Issue with WHFB
Hi, I activated the Intune Win 10 security baseline on a set of devices. I know experience an issue with WHfB. My face and fingerprint is not recognized, rsp. the login process is giving an error, saying that I cannot be identified. One user reports, that when away from company WhfB works as expected, asking for face or fingerprint and as second factor a PIN. I have another policy in Intune that is giving MDM policies precedence over GPO, so I cannot understand why it works for that one user when outside of company. What settings in MDM security Baseline could possibly be the cause resp. be responsible for broken WHfB?How to feed third party intelligence feed into Microsoft Intune
We want to create a connector/integration which can connect to Third Party Intelligence product and ingest that data into Microsoft Intune. Is it possible to create such a connector/integration? if yes then how, also do specify if there are any other ways to achieve this use case.Error 80190190 Entra Join Device
Yesterday we could enroll devices fine until about 10am. After that we can no longer complete an Entra join on a corporate laptop. It gives an error code of 80190190. In the logs it shows the device registered/enrolls then shows a removal less than a minute later. Successfully joined device using account type Successfully deleted the device with identifierConditional Access Policy Not Allowing Users to Access AVD
We have an existing conditional access policy which requires a users' device to be marked as "compliant" in order to access "All Agent Resources". We are trying to deploy an AVD as an alternative to allowing users to use personal devices, but this CA policy seems to be interfering with users being able to access the AVD via Windows App. Yhe device they're accessing from isn't "Compliant" with Intune enrollment being one of the requirements for being compliant. Again, we do not want to allow personal devices into Intune which the MSP allowed previously. For the CA policy it's applied to all users EXCEPT for specific users in an exclusion group. Putting users in this exclusion group allows them to access the AVD via Windows App but at this point they can just access all resources from their personal machine defeating the purpose of the AVD. Target Resources Include All Resources Exclude: The AVD Itself, Windows 365, Azure Virtual Desktop, Azure Windows VM Sign-in Conditions Device Platforms - Windows, MacOS Client apps - Browser, Mobile apps and desktop clients, exchange ActiveSync clients, other clients are checked Grant Access Require MFA and Require device to be marked as compliant are both checked. Access to the AVD works in the browser but not in Windows App.
Events
Tune in to learn how Microsoft Intune can help you, as a managed service provider (MSP), develop new opportunities and enhance existing offerings. Let’s talk business outcomes and why Intune plus Mic...
Online
Have questions about using Microsoft Intune to enforce device compliance? Curious how to configure devices to help prevent security breaches and limit the impact of threats? Ask Microsoft Anything (A...
Online
Recent Blogs
- Here’s a November and December capability summary of how Intune’s 2025 changes in endpoint management help securely support cross-platform and IT admin workflows.Dec 11, 2025
- Microsoft 365 extends advanced security and AI-powered endpoint management to more customersDec 04, 2025
