Recent Discussions
Intune iOS VPP OneDrive crash on iPad 13 and works on iPad 11
Hi everyone, I’m at my wits' end with this issue. We have a small Intune deployment with a few company-owned iPad Pro devices. All devices are enrolled via Apple Business Manager using a user-assigned profile and modern authentication. We’ve deployed nine apps through VPP, primarily Microsoft 365 apps. The Company Portal and Microsoft Authenticator are used for SSO. Our setup includes six iPad Pro 13-inch models and two iPad Pro 11-inch models. The problem arises when launching OneDrive on a 13-inch device—it either crashes immediately or remains blank without loading any content. The iPad generates a log file which is attached to this thread. I’ve tried everything to diagnose the issue, including disabling all iOS policies (even SSO), but nothing seems to help. As a test, I enrolled one of the 11-inch iPads using the exact same user and procedure, and surprisingly, OneDrive works perfectly on the smaller device. All settings, policies, and permissions are identical across devices. Has anyone encountered a similar issue or have any suggestions? Thanks in advance!Android Devices Not Evaluating
Hi All! I seem to encounter this kind of error several times a year for no apparent reason. It mainly happens on the Android side of things on newly created setups, and then corrects itself over time, which sometimes can be weeks. I recently created two Android dedicated device environments. Dynamic group linked to the enrolment profile name, etc etc I scan the device and follow the normal process, device get all the way to the end but doesn't receive its assigned apps. When I check in the Intune Admin Portal, the device is showing as not evaluated. There is no default compliance policy showing and its custom policy. When I click on Managed Apps, the list of apps the device is going to receive are showing as pending install. The Group Membership tab shows the correct dynamic group. So for me, the setup looks good. I have left the device for 24 & 48 hours in case its a sync issue. Enrolled the device via a different WiFi. Wiped the device and left it 24 hours before enrolling it. Checked spelling of groups etc. Anyone else experienced this issue, and found a solution? I have a Teams Meeting with our external support tomorrow, Have a good one
CA policy enforcing users to use Edge browser on Co-owned devices
I'm trying to give control over while they're on personal devices, enforcing an app protection policy for edge, but still this policy is enforcing to use edge on co-owned devices, I have already excluded co-owned devices from the CA policyClarity on Self-Service Experience, User-Driven Mode and OOBE
HI All, I need clarification on this subject please, as I have checked multiple Microsoft Learn pages to get an understanding. I'm still not 100% sure on this. My question is: Self-Service Experience is the user-driven portion of OOBE? Or are these three items different?
Feature Update Policy relationship to Update Ring Install Schedule
Hoping someone may be able to answer this question. I have not been able to find a definitive answer in KBs. Does the Install Schedule in an Update Ring also apply to Feature Update Policies if the same device group is assigned to both? We are using Intune Windows Update Ring for our monthly updates via an Update Ring. That update has an Install Schedule configured to Install every Tuesday at 11am. We are testing using Feature Update Policies to upgrade W10 devices to W11. So far our tests have been successful but the device group is downloading the Feature Update as soon as it checks in for the Policy and not at this scheduled Install Day/Time in the Update Ring. We are making this a Required update in the Feature Update policy and the Rollout Option is set to "Make Update available as soon as possible" but I guess I thought the Install Schedule in the Update Ring still affected when the installation actually begins. Are the RollOut Options the only way to schedule when the device starts downloading/installing the Feature Update?
AzureADSharedMode - Teams without PIN
I prepared in Intune profile for Samsung devices in kiosk mode with a multi-app setting. I added Teams, Outlook, Egde and Managed Home Screen as apps. In addition, I also created a configuration profile for the Managed Home Screen application in which I set that it is necessary to configure a PIN for the session. I also set the Require PIN code after returning from screen saver option. Everything works great until the user leaves the Teams app on or someone calls the user logged into Teams. At this point, no PIN is needed to unlock the device. You can easily access Teams of the logged-in user. The user is asked for the session PIN only when he wants to switch to another app. I didn't set screen lock in android settings because in my opinion it's pointless since the device is in shared mode. Have you encountered anything like this? It poses a potential security risk if a logged-in user leaves the Teams app open, puts the phone down and walks away from it, and at that moment someone calls the phone and the person who picks it up without probelm gets access to the logged-in user's teams.Podcast Microsoft Ignite E05: Agent Builder
Excited to have Pascal Brunner join me in my Ignite series, where we dive into one of the hottest announcements AgentBuilder In this episode, we break down: -What AgentBuilder is all about. -How it empowers organizations with AI-driven automation. -Key takeaways YOUTUBE https://youtube.com/@shadykhorshed?si=c8CLxoCjMfUMfA19New Blog Post: Android: Browser Access to be Enabled by Default for All Android Users
🔐#Android in #msintune: Upcoming Security Update for Microsoft Entra ID on Android! Starting July 2025, Microsoft Entra ID device registration will be hardware-bound, enhancing security and automatically enabling browser access. 🚀 Key Changes: ✅ Device identities will be tied to hardware for stronger security. ✅ Enable Browser Access (EBA) will be retired. ✅ Browser access will be enabled by default during registration. 📌 No action needed—this change will be applied automatically! Stay informed and prepare for a more secure device registration process. #MicrosoftIntune #MicrosoftEntraID #Android #mvpbuzz https://www.linkedin.com/pulse/microsoft-entra-browser-access-enabled-default-all-android-khorshed-5d8ee?utm_source=share&utm_medium=member_ios&utm_campaign=share_via
Intune for BYOD mobile and Cross tenant compliance
We have 3 separate companies/tenants, and employees need to access mail from each tenant on a single iOS/Android device, with a CA policy requiring compliance or app protection policy. . I understand that Intune MAM currently will not work, but is on the road map for later this year for iOS (not sure on Android) Does Web based / JIT for BYOD work on iOS if I setup Cross-tenant access and enable "Trust compliant devices" trust setting? Or do we have to do full device based MDM enrollment? If not, what do I need to do in this scenario?
Intune/Android - Managing FRP when offboarding devices
Hi everyone, I have this issue with device lifecycle. We use the "FactoryResetDeviceAdministratorEmails" property to enforce certain accounts to be able to recover a device after factory reset, or prevent it from being owned by someone else. But now we have a small issue. What if the device is being sold to someone else? What is the correct way to remove "FactoryResetDeviceAdministratorEmails" from a device before starting a wipe/decommission for a different purpose?No PIN / No Access
Hi All I hope you are well. Anyway, on Android Enterprise Fully Managed devices, I have an ask to to enforce a No PIN No Device Access policy. These devices have the usual, where the PIN requirements are set with a device config policy and then checked with a corresponding compliance policy. But no where can I see "restrict use of the device til a PIN is set" setting. Perhaps it's really obvious but is this possible? Only obvious option I can is in the compliance policy settings on Actions for noncompliance as below: Would this be the appropriate setting or are there others? And if the device is locked, is the user able to set a PIN? Info appreciated. SKAndroid Screen Off if possible!
We have the "Time to Lock screen" set to 1 minute, which is fine, but it stays on the lock screen draining the battery, how do i set the screen to turn off without having to press the power button? i cannot find this in any settings? this sounds like a Basic feature to have! Using a Samsung A9+ Thanks.
Onboarding Devices
Hello, I have a question regarding our Business Premium license. I connected three test devices to Intune, but since these users use BYOD (Windows 11 Home), I did not connect them to Azure AD. I am unsure why these devices are not onboarding, while only my cellphone has successfully onboarded after I installed Defender directly. If the problem is a Business Premium license, what is the best solution to manage users in Defender? Any advice would be greatly appreciated. Thank you."Change Primary User" On Device in Intune is Greyed Out
I am an IT Administrator and have all the permissions to manage my businesses Microsoft 365 accounts including Intune. When trying to update and change to primary users for devices in Intune, it is greyed out and doesn't allow me to change it. I need to get this resolved so we can properly have all devices showing the correct users. How can I get this resolved? I've uploaded a screenshot to this message.Intune Settings Catalog - Microsoft Edge - What setting works?
Under the Edge section of the Settings Catalog, we have this: Similar child settings... Similiar description... Only one configuration in the Edge documentation (Microsoft Edge Browser Policy Documentation | Microsoft Learn) Settings in the documentation of course don't reference what is in the Intune settings....not frutstrating at all. So which one works? Or do both work?Microsoft Intune App Deployment
I have this autoinstall script for MATLAB 2024, the installer_input.text is configured with the right information inside it and every test I've done on my machine (locally) succeeded, however when I'm trying to deploy the software to a device and it creates a path in C:\Program Files\MATLAB however even though its creating this path at the installing stage it still not fully deploy the software like it should.. "%~dp0setup.exe" -inputFile "%~dp0installer_input.txt" TIMEOUT /T 120 /NOBREAK Exit 0 The install command in intune I set to cmd.exe /c autoinstall.bat what can i do to fix it? maybe the intune install command isn't good? or its within my autoinstall script
Recent Blogs
- By: Anya Novicheva – Sr Product Manager | Microsoft Intune Expected in Q2CY25, iOS/iPadOS automated device enrollment (ADE) policies will move to a new infrastructure which enables Intune to spee...Mar 14, 2025
- I'm Catarina Rodrigues and recently, I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. ...Feb 28, 2025
