Recent Discussions
Will Intune device-only subscription get additional value in FY27
Will the Intune device-only subscription (Microsoft Intune announces device-only subscription for shared resources | Microsoft Community Hub) get the additional features which Intune P1 will get in FY27 (Microsoft 365 adds advanced Microsoft Intune solutions at scale - Microsoft Intune Blog), Intune Remote Help, Intune Advanced Analytics and Intune P2? This would have a huge impact of our planning how to manage special purpose devices in production environments without any user affinity. Deploying security and configuration settings, Windows Autopilot for Windows IoT Enterprise LTSC kiosk deployment, Windows Autopatch (servicing), Remote Help and FOTA for Zebra devices would be drivers to add these production devices to Intune.
How to Disable Self-Service Passcode Reset for Standard Users in Microsoft Intune
Hi, We are using Microsoft Intune to manage Android corporate-owned devices. Currently, standard users can reset their own device passcode remotely. The problem is: Users reset the passcode themselves Then they get confused They call IT saying they cannot open their phone We want to prevent users from doing self-service passcode reset. Only admin should be able to reset the device passcode. I already checked configuration profiles and compliance policies in Intune, but I cannot find any setting to disable this. Has anyone successfully disabled this feature? Thank you.Replacing Complex GPO Item-Level Targeting with Intune
Hi All, I’m looking for some advice on the best way to handle this scenario. We’re running a hybrid environment and currently have a GPO that creates 1,000+ registry entries across 150+ user groups using item-level targeting with security groups. Now we need to move this over to Intune, and that’s where things get tricky. Intune doesn’t really offer the same item-level targeting flexibility as GPO. So far, the only workable option seems to be creating 150+ platform scripts or Proactive Remediation scripts, which obviously isn’t ideal from a management perspective. I’m thinking it might be much easier long-term to create one large PowerShell script that checks the logged-in user’s group membership and then applies the appropriate registry settings dynamically. Has anyone dealt with something similar? Is there a cleaner or more scalable approach in Intune? Thanks in advance! DilanControlling Excel Add-ins and Microsoft Store App Installations
We have a requirement to block users from adding add-ins to Excel and Installing certain application directly which utilize Microsoft Store apps. Below are the two scenarios we need to address. I would appreciate any guidance or recommendations on how to implement these controls. 1) Blocking Excel Add-ins from Microsoft Store Users are currently able to add add-ins such as “Claude by Anthropic in Excel” directly from the Microsoft Store apps. For example, if a user accesses the URL: https://marketplace.microsoft.com/en-us/product/saas/wa200009404?tab=overview they can proceed to add the add-in to Excel. So, We need a method to prevent users from adding Office add-ins from the Microsoft Marketplace or external sources. 2) Blocking Installation of Microsoft Store Apps (e.g., WhatsApp) We are currently blocking Microsoft Store apps on OS level. However, users can still download and install applications such as WhatsApp directly from the vendor website, which utilize Microsoft store apps in backend: https://www.whatsapp.com/download We are considering configuring the Intune policy “Only Private Store is enabled.” However, we noticed that enabling this setting prevents users from accessing certain built-in applications (e.g., Notepad). Is there any other way to block access Microsoft Store apps directly? Thank you in advance for your assistance. DilanCreating a successful intune deployment using an installer exe combine with XML configuration file.
I am having issue creating a successful intune deployment package involving MathCad Prime 11 and XML file, this might be cause my powershell scripting is very weak. This is the current script I am trying to used, but it does not seem to deploy successfully, the errors I am seeing from intune is "The unmonitored process is in progress, however it may timeout. (0x87D300C9)." Perhaps someone has come across this and point me in the right direction on how to handle installer with exe and using XML for configuration. " # Get the current script directory to locate setup.xml $CurrentDir = $PSScriptRoot # Define the installer path and the XML argument file $ExePath = Join-Path -Path $CurrentDir -ChildPath "setup.exe" $XmlPath = Join-Path -Path $CurrentDir -ChildPath "mathcad.p.xml" # Adobe command-line parameters for silent installation with a deployment file $Arguments = "--mode=silent --deploymentFile=`"$XmlPath`"" # Start the installation process and wait for completion $Process = Start-Process -FilePath $ExePath -ArgumentList $Arguments -Wait -PassThru # Return the exit code to Intune (0 is success) Exit $Process.ExitCode "
Issues with OSD in secondary MCM 2509 site
Hi, having upgraded primary and secondary MCM site to version 2509 I cannot perform OSD anymore on secondary site location - errors: Failed to query Management Point locator QueryMPLocator: no valid MP locations are received Boundary Group in secondary site does have assigned MP and that is secondary MCM site server - however I get this as well: <MPLocation SiteCode="" AssignedSiteCode="" MP="" MPCertificatesEx="" x86UnknownMachineGUID="" x64UnknownMachineGUID=""/> Any help would be highly appreciated.Save the date - January 26, 2026 - Tech Community Live: Intune edition
Save the date for Tech Community Live: Intune edition, starting at 8:00 AM PT! Join us for an exclusive live event designed for IT professionals managing endpoints with Microsoft Intune. This interactive experience features four Ask Microsoft Anything (AMA) sessions focused on the most critical aspects of modern endpoint management. Learn how to secure your endpoints with policy and Microsoft Defender, streamline app deployment and updates with Intune, and apply Zero Trust principles effectively across your organization. Each session is led by Microsoft experts ready to answer your toughest questions and share best practices for real-world scenarios. Whether you’re looking to strengthen compliance, optimize app lifecycle management, or embrace Zero Trust strategies, this event delivers actionable insights to keep your organization secure and efficient. Don't miss this opportunity to connect with the experts and elevate your Intune skills. Go to Tech Community Live: Intune edition to add this event to your calendar! Better yet, sign in to add your questions now.
What are the system requirements for hardware-accelerated BitLocker announced in ignite 2025?
Microsoft has recently announced hardware-accelerated Bitlocker (Ref. Link: https://techcommunity.microsoft.com/blog/windows-itpro-blog/announcing-hardware-accelerated-bitlocker/4474609) I would like to know system requirements (Specifically Hardware) that supports this functionality. The article also says below "Coordinate with your suppliers and keep an eye on listings from us and other vendors as PCs become available on the market." But I am unable to find any link for the listing from Microsoft. Does it support all the devices that has TPM 2.0 or does it require any other hardware?Issue with Android iOS Wi-Fi authentication using certificates EAP-TLS with NPS
I am trying to configure Wi-Fi authentication for Android and iOS devices using certificates (EAP-TLS). I followed the guide below Support Tip - How to configure NDES for SCEP certificate deployments in Intune | Microsoft Community Hub, and I am able to successfully deploy certificates to the devices. The certificates are installed correctly on the final devices, so the distribution part seems to be working fine. However, the devices are not able to authenticate to the Wi-Fi network. The connection fails during authentication, and from what I can see the issue seems to be related to NPS. My doubt is specifically about the NPS configuration. In the guide, user or computer groups are usually added in the network policy conditions, but in my scenario I cannot rely on adding users or groups, since authentication should be based only on the certificate. I am unsure how to correctly configure NPS to accept these devices using certificate-based authentication without assigning them to a security group. Has anyone already faced this situation or can explain how NPS should be configured in this case? Any guidance or example configuration would be greatly appreciated. Thank you in advance.
restore Personal Iphone on onother supervised iphone
Good morning, Our employees would like to keep their iPhone settings on the company phone supervised by Intune. How can we restore a personal iPhone from iCloud to an iPhone supervised with Intune? I've heard of a method that allows a restore on an intermediate device before moving to the supervised one. Has anyone already solved that problem?Not able to use derived credentials on android
I have successfully enrolled a Samsung Galaxy S22 ultra using intune. All my apps are installed on the device. I am now trying to use derived credentials but I am not able to scan the QRCode. As soon as the QRCode comes up, the intune app crashes. Wanted to know if anyone else is seeing this issue. The intune app version is 2025.11.02.App Protection Policy and Siri Intents
Hello, I know that there is a MAM Policy setting to be checked "areSiriIntentsAllowed" to decide to allow or block a Siri intent for an Intune SDK integrated application but I am not seeing where in the App Protection Policy that I can change this value to allow the Siri intent. Is there an Intune Console setting that dictates what the "areSiriIntentsAllowed" will be set to? Here's the Intune SDK integration reference https://learn.microsoft.com/en-us/intune/intune-service/developer/app-sdk-ios-phase4#siri-intents Thanks!Modern endpoint management—Microsoft Intune at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn why endpoint security and management are critical in today’s hybrid environments. At Ignite, endpoint management sessions and labs will help you secure devices, automate management, and integrate with AI-powered security tools. Featured sessions: BRK242: Top Essentials for an Integrated, AI-Ready Security Foundation Learn what Microsoft Entra and Microsoft Intune bring across the M365 stack to help you reach a Zero Trust security posture with more compliance and control in the era of agentic AI. LAB542: Zero Trust Lab: Securing Identities and Devices with Intune & Entra Explore how Intune and Entra secure identities and devices, with new implementation indicators and cross-pillar guidance. BRK258: Inside Windows Security, from client to cloud Discover the latest innovations across Windows and Intune designed to improve your security posture and protect users, devices, and data. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions Why attend: Ignite is the best place to learn about new Microsoft Entra capabilities for agentic AI, identity governance, and secure access. We will also share its vision for the future of identity and agent management. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Register for Microsoft Ignite >Google Play Web apps in Edge
Hi Community, We build quite a lot of Webapps in Managed Google Play and assign those to our Android devices managed in Intune as Dedicated with Entra ID Shared device mode. We run MS Edge as the default browser. Lately we have discovered that Webapps, pointing to web sites where you write text in a input field, especially if the text box is at the bottom of the screen, doesn´t behave as we expect. When the virtual keyboard is activated it often hides the text box, making it impossible to see what you write. If we open Edge and manually browse to the same site, it behaves better. I have also tested to open the Web app in Chrome which works as expected. It doesnt matter if I create the Web app with "Fullscreen" "Standalone" or "Minimal UI" display mode. First image shows the site opened manually in Edge. The textbox is moved above the keyboard Same site opened as a Web app. When activating the keyboard, the text box becomes hidden under the keyboardSurvey | Intune Auditing Feedback
Are you a frequent user of Intune audit logs? Your input is critical to shaping the future of Intune's auditing capabilities. This survey aims to gather insights on what works well today and where improvements are needed—whether it’s expanding audit coverage, enhancing search and filtering, or improving reporting experiences. By sharing your feedback, you help us prioritize features that deliver better visibility, stronger compliance, and a more intuitive experience. Thank you for helping us make Intune auditing smarter and more impactful! 👉Take the survey today: https://aka.ms/IntuneAuditSurvey
MMP-C Enrollment Failing
I discovered a few of our devices were running into an issue with EPM functioning properly because the devices were enrolled via MDM only enrollment. I've been following some posts to try to rectify that issue and was successful in enrolling of the devices the proper way. However, I'm now running into an issue where the device is failing to enroll in MMP-C with the following error even though the file enrollment exe exists: The scheduled task looks accurate for enrolling the device in MMP-C and I'm out of details on what to do for this. Please help!Using REST API to get / set device variables
Hi, I'm trying to set a couple of variables against a machine name, through using the REST API. These are the variables that are set that you can see in the console if you right click properties on a device and go to the 'Variables' tab. These are handy because they can later be referenced during Task Sequences / OSD. I just can't figure out how to do it with the REST API. I have no issues doing it with the powershell module using the 'New-CMDeviceVariable' command, but my solution i'm building at the moment requires the solution to be done with rest api, not with ps modules... I can connect to REST API using powershell using commands such as the below. This all works fine. $ConfigMgrServerURL = "https://SCCMserver.domain.local" $MachineName = "MachineName1" # Following command is a sample GET request, which works. (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/wmi/SMS_R_System?`$filter=Name eq '$MachineName'" -Credential $Credential) #I can also fetch "Custom Properties" via this command (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/v1.0/Device($ResourceID)/AdminService.GetExtensionData" -Credential $Credential) Now i just can't see where i can go to set a variable on the machine. Does anyone have any ideas ? Thanks!Are you unable to open Google Chrome or any other browser?
Cause & Solution: If you are using Microsoft Intune, the Microsoft AI system may have automatically created a rule that blocks third-party browsers such as Chrome and Firefox. To resolve this, you need to deactivate or delete the automatically generated rule under Windows Configuration Policies.Re-Join SCCM Client to Intune for Co-Managed join Type
Hello, I have been using SCCM for a long time, I have it is setup for Co-management, and all my workloads are moved over to Intune. I have a few clients that for one reason or other have not been added to Intune. I can get them onboarded, but the join type always ends up Intune. I am trying to find out the correct recipe to reenroll an SCCM client to Intune. I have tried uninstalling the SCCM client and reinstalling. I have tried removing registry keys for Intune to ensure it joins again. I have used DSREGCMD to leave and join back. I have completely removed from Domain and deleted from Intune. I have tried combinations of all of these things together. I have yet to come up with a specific order to do them in. I still think there is some remnant that is preventing a rejoin. Does anyone have details that help me to get systems to rejoin via SCCM? Some may say what is the difference. The difference is there are tools that are not present if the Join type is incorrect. Best regards and thanks.
Events
Endpoint security is shifting fast, and you need strategies that can keep up with evolving threats and increasingly distributed work. Tune in as we break down the latest trends shaping endpoint prote...
Online
Join the Windows Autopilot engineering team for a live Ask Microsoft Anything session dedicated to making the move from the original Windows Autopilot experience to Windows Autopilot device prep. We’...
Online
Recent Blogs
- January delivers native script installers, user-context elevation, and unified Admin tasks for endpoint management.Feb 05, 2026
- Centralize critical IT actions and get AI-ready with Intune admin tasks – helping admin teams act faster, reduce risk and maintain control.Feb 03, 2026
