Recent Discussions
MMP-C Enrollment Failing
I discovered a few of our devices were running into an issue with EPM functioning properly because the devices were enrolled via MDM only enrollment. I've been following some posts to try to rectify that issue and was successful in enrolling of the devices the proper way. However, I'm now running into an issue where the device is failing to enroll in MMP-C with the following error even though the file enrollment exe exists: The scheduled task looks accurate for enrolling the device in MMP-C and I'm out of details on what to do for this. Please help!
Using REST API to get / set device variables
Hi, I'm trying to set a couple of variables against a machine name, through using the REST API. These are the variables that are set that you can see in the console if you right click properties on a device and go to the 'Variables' tab. These are handy because they can later be referenced during Task Sequences / OSD. I just can't figure out how to do it with the REST API. I have no issues doing it with the powershell module using the 'New-CMDeviceVariable' command, but my solution i'm building at the moment requires the solution to be done with rest api, not with ps modules... I can connect to REST API using powershell using commands such as the below. This all works fine. $ConfigMgrServerURL = "https://SCCMserver.domain.local" $MachineName = "MachineName1" # Following command is a sample GET request, which works. (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/wmi/SMS_R_System?`$filter=Name eq '$MachineName'" -Credential $Credential) #I can also fetch "Custom Properties" via this command (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/v1.0/Device($ResourceID)/AdminService.GetExtensionData" -Credential $Credential) Now i just can't see where i can go to set a variable on the machine. Does anyone have any ideas ? Thanks!Are you unable to open Google Chrome or any other browser?
Cause & Solution: If you are using Microsoft Intune, the Microsoft AI system may have automatically created a rule that blocks third-party browsers such as Chrome and Firefox. To resolve this, you need to deactivate or delete the automatically generated rule under Windows Configuration Policies.
Company Portal Installation Deplay/Failed
We have recently observed an issue with the deployment of the Company Portal Application. It either takes a long time to install or fails to install altogether. To address this, could you please provide the following information if available The destinations that need to be allowed via the corporate network, whether it involves the firewall or Proxy? Any specific requirements regarding SSL inspection; does it need to be disabled? The Winget command executed to install CP in the backend; does it depend on any specific version of Winget?MS Graph Device OS Reporting
On the Intune android device view, the OS is listed as ‘Android (fully managed)’ or ‘Android (corporate-owned work profile)’. The MS Graph command get-mgdevicemanagement just has ‘Android’ for the OS attribute. Using MS Graph, does anyone know how or where to get the ‘Android (corporate-owned work profile)’ value that shows in the device view?
iOS 15.8.x iPad Air 2 Failed to retrieve configuration
We are getting "Failed to retrieve configuration" on all iPad Air 2 devices running iOS 15.8.x. I saw on the https://community.jamf.com/general-discussions-2/failed-to-retrieve-configuration-on-ipados-v15-8-4-48978 forums that it's a known issue by Apple and they are working on a fix but I have doubts that they will actually do anything since they no longer support that product. Has anyone else seen this issue and found a workaround?Re-Join SCCM Client to Intune for Co-Managed join Type
Hello, I have been using SCCM for a long time, I have it is setup for Co-management, and all my workloads are moved over to Intune. I have a few clients that for one reason or other have not been added to Intune. I can get them onboarded, but the join type always ends up Intune. I am trying to find out the correct recipe to reenroll an SCCM client to Intune. I have tried uninstalling the SCCM client and reinstalling. I have tried removing registry keys for Intune to ensure it joins again. I have used DSREGCMD to leave and join back. I have completely removed from Domain and deleted from Intune. I have tried combinations of all of these things together. I have yet to come up with a specific order to do them in. I still think there is some remnant that is preventing a rejoin. Does anyone have details that help me to get systems to rejoin via SCCM? Some may say what is the difference. The difference is there are tools that are not present if the Join type is incorrect. Best regards and thanks.
Android COPE - Google Zero Touch Enrollment - Device Resets automatically
Hello, Encountered a strange behavior of an Android mobile phone, enrolled in Intune through Google's Zero Touch method. Device is a Samsung running Android 15. Device is enrolled, reports that all necessary configurations and compliance policies are met, yet the device is prompted with a pop-up notification saying that it belongs to the company and that in order for the device setup to be complete, it will be reset, with a countdown of ~ 2 hours. Multiple resets occurred, yet it's stuck in the same loop. Any idea what might trigger this behavior? No other COPE enrolled phone does this. The user's current Android 14 device is running properly, but it's enrolled as BYOD.
Windows App Application Protection Policy
I have been testing out an Intune MAM policy to restrict copy/paste and drive redirection to AVD session hosts based on the link here: https://learn.microsoft.com/en-us/windows-app/require-device-security-compliance-intune?tabs=web#related-contentHowever, I've run into problems (in two separate tenants) that have halted me from being able to test. Setup Intune App Protection Policy targeting Windows Devices & Microsoft Edge\ Conditional Access Policy enforcing App Protection Policy when users access 'Azure Virtual Desktop' target resource via https://windows.cloud.microsoft.com Results First When signing into a user account targeted by the policy, they are prompted to Switch Edge Profile which signs in the user to a new Edge profile for 'Work or School Account'. The account has to sign in again. The account can access Windows App resources When launching a desktop session, this authentication page pops up for an account "local@debugonly" Second When signing into a user account targeted by the policy, they are prompted to Switch Edge Profile which signs in the user to a new Edge profile for 'Work or School Account'. The account has to sign in again. After sign in, the account loops with 'Switch Edge Profile' and gets stuck here I'm curious if anyone has gotten this to work and what was your setup? Or if Microsoft or provide some assistance or if this is in the wrong forum, any help would be appreciated.Intune is unable to register Ubuntu 24.04.2 device
Hey, Writing this issue since I found no source code/repo, and no other issues here matched my symptoms. Anyone got any hints on how I could proceed? Or maybe even better, where to find the source code and build instructions for `intune-portal` so I can build towards the current libraries... 2025-06-26 08:46:50+02:00: ~ w/❄️ w/🧙 took 2s x10an14@ubuntu ❯ : intune-portal 2025-06-26 08:47:41 INFO Command line arguments args=PortalArgs { common: CommonArgs { interactive: false, socket_path: "/run/intune/daemon.socket" } } version="1.2503.10" 2025-06-26 08:47:45 INFO Starting a new login Could not create default EGL display: EGL_BAD_PARAMETER. Aborting... 2025-06-26 08:47:48 WARN oneauth{tag="9a8hm"}: HTTP status: 404 2025-06-26 08:47:48 WARN oneauth{tag="5fsch"}: Failed to get image from Graph ^CError: nu::shell::terminated_by_signal × External command was terminated by a signal ╭─[entry #143:1:1] 1 │ intune-portal · ──────┬────── · ╰── terminated by SIGINT (2) ╰──── 2025-06-26 08:47:56+02:00: ~ w/❄️ w/🧙 took 14s x10an14@ubuntu ❌-2 ❯ : lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 24.04.2 LTS Release: 24.04 Codename: noble 2025-06-26 08:48:08+02:00: ~ w/❄️ w/🧙 x10an14@ubuntu ❯ : grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/ /etc/apt/sources.list.d/microsoft-prod.list:1:deb [arch=amd64,arm64,armhf signed-by=/usr/share/keyrings/microsoft-prod.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main 2025-06-26 08:48:27+02:00: ~ w/❄️ w/🧙 x10an14@ubuntu ❯ : history | last 11 ───#───┬───────────────────────────────────────────────────────────────────────────────────command──────────────────────────────────────────────────────────────────────────────────── 12135 │ grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/ 12136 │ sudo apt purge intune-portal microsoft-edge-stable microsoft-identity-broker 12137 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft-identity*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"} 12138 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"} 12139 │ systemctl --user daemon-reload 12140 │ sudo apt install intune-portal 12141 │ systemctl --user daemon-reload 12142 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft-*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"} 12143 │ intune-portal 12144 │ lsb_release -a 12145 │ grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/ 2025-06-26 08:48:48+02:00: ~ w/❄️ w/🧙 x10an14@ubuntu ❯ : Here are the relevant logs I was able to find: x10an14@ubuntu ❯ : sudo journalctl -t intune-portal -t microsoft-identity-broker -f Jun 26 08:47:41 ubuntu intune-portal[261043]: Command line arguments args=PortalArgs { common: CommonArgs { interactive: false, socket_path: "/run/intune/daemon.socket" } } version="1.2503.10" Jun 26 08:47:45 ubuntu intune-portal[261043]: Starting a new login Jun 26 08:47:45 ubuntu microsoft-identity-broker[261088]: I/IdentityBrokerService: [2025-06-26 06:47:45 - thread_id: 1, correlation_id: UNSET - ] Starting DBus Service for Microsoft Identity Broker... Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: Defaulting to no-operation (NOP) logger implementation Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:46 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: I/MapDbStorage:getDb: [2025-06-26 06:47:46 - thread_id: 1, correlation_id: UNSET - ] Attempting to open DB File at path: /home/x10an14/.local/state/microsoft-identity-broker/broker-data.db Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/IdentityBrokerService: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] DBus Service for Broker has been started! Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: UNSET - ] Received method call from UID [1000], with correlationId [ffba9791-791b-4237-b485-2101a8cd85b9]. Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/MapDbStorage:getDb: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Attempting to open DB File at path: /home/x10an14/.local/state/microsoft-identity-broker/account-data.db Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerUtil:getCacheRecordListFromBrokerCache: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] This client ID is not known to brokerOAuth2TokenCache. Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerUtil:getCacheRecordListFromBrokerCache: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] No accounts available in client app cache, trying the FOCI cache. Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: W/DefaultBrokerApplicationRegistry:getMetadata: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Metadata could not be found for clientId, environment: [b743a22d-6705-4147-8670-d92fa515ee2b, null] Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:isAppInBrokerApplicationRegistry: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] App in broker application registry: [false] Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:addDeviceAccountIfNeeded: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] App in registry is allowed to access WPJ: [false] Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:addDeviceAccountIfNeeded: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] is a known FoCI App: [true] Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerServiceOperation:getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Received get account result for correlation id: ffba9791-791b-4237-b485-2101a8cd85b9 Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerDBusV1Impl:getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Sending result back to calling application for correlation id: ffba9791-791b-4237-b485-2101a8cd85b9 Jun 26 08:47:48 ubuntu intune-portal[261043]: oneauth{tag="9a8hm"}: HTTP status: 404 Jun 26 08:47:48 ubuntu intune-portal[261043]: oneauth{tag="5fsch"}: Failed to get image from Graph
Migrate from SCCM 2012 R2 SP1 to Current Branch
Hey folks I am planning to migrate my System Center 2012 R2 Configuration Manager SP1 to the most recent Current Branch of System Center 2025, because the old version is still running on an old windows server version and we need to upgrade to a new windows Server 2025 and also the most recent current branch of configuration manager. Now the documentation for upgrading Configuration Manager https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/install/upgrade-to-configuration-manager states, that upgrading from 2012 is only supported until Current Branch 2203; from 2303 on, you can't do the upgrade anymore. But since this "Important-Warning" message isn't shown on the migration article for Configuration Manager https://learn.microsoft.com/en-us/intune/configmgr/core/migration/migrate-data-between-hierarchies I am wondering if this only applies to upgrading configuration Manager on the same host? Or does it also apply to the scenario where I do a side by side migration (Install latest windows server on a new VM, install latest Current Branch of Configuration Manager and then do a migration via data gathering and migration job). You would help me a lot, because I can't find official info about it and I am very concerned about not being able to do the migration from 2012 to Current Branch 2503.. :( So if it also applies to migration; I can still do migration to 2203 as described in the "migration" article with the video https://www.youtube.com/watch?v=6_0EwW-5b4E and then do an inplace upgrade from 2203 to 2503?
How to Identify and Validate the Current Device's Intune Registration (Android & iOS)
In both Android and iOS environments, which specific device-level field or identifier can we use via Microsoft Intune or Microsoft Graph API to reliably determine: - Whether the current device is registered or managed by Intune - Whether the current device is Intune-compliant Our use case involves validating device trust during app login. So we need to identify the exact device the user is currently using (not just any device associated with their account) and confirm that it is Intune-managed. We are looking for a consistent identifier, such as: Hardware ID Entra ID Device ID device object ID Or any identifier accessible through MSAL, Entra ID claims, or Microsoft Graph API This identifier should allow us to cross-reference with Graph API responses, such as from: /deviceManagement/managedDevices /me/managedDevices What is the best practice or recommended identifier to securely link the current device to its Intune record? Are there any platform-specific differences between Android and iOS we should consider?Intermittent Non-Compliant Status on Chrome Sessions - Resolved by Switching to Edge
We are experiencing an intermittent issue where certain users' devices are marked as "non-compliant" in Intune, even though there are no visible problems with the Chrome session. Interestingly, the issue resolves itself when users switch to Microsoft Edge and then return to Chrome. Has anyone else encountered this issue? Is there a known root cause or workaround for this behavior? Any guidance on how to prevent this from happening would be greatly appreciated!
QR Code Name Changed
Hi All, This is probably the most random post I think I will do. Just performing my daily checks of non-compliant devices, and noticed a few devices that have been enrolled for a while were non-compliant. Did some investigation, and the issue is with the dynamic group looking for the enrolment profile name, and the rule didn't match the name. It took a while for me to notice that an extra space had appeared midway through the QR code name. The time stamp of the change to the QR profile was 14:13 last Friday. This seemed odd as we finished work early on a Friday at 13:30. I checked the audit logs, and there is no entry for that time. Has anybody had an issue similar to this? I have amended the dynamic group to look for the double space so the device is back-compliant. Seems a very strange issue. ThanksMHS Permissions / Samsung OEMConfig
Hi All I hope you are well. Anyway, we are rolling out Android Enterprise ZTE tablets in Entra Shared Device Mode and all seems well. Only thing is the MHS app permissions deployed via the Device config profile just don't seem to have worked and also I can't see anywhere in the OEMConfig file to set Power / Sleep options. Does anyone have the correct working settings for these 2 things? Info appreciated. SKAuth flow between custom iOS app with Intune SDK and Microsoft edge
We have custom iOS app which is integrated with Intune MAM SDK. We are using Microsoft Edge and managing it by applying Intune protection policies. In our's custom app, the authentication flow launches Microsoft Edge and after authentication completion users are redirected back to the custom app using deep links. We can see the Microsoft Edge browser prompts the user to redirect to our's custom app. But after Allowing it, it fails to redirect with some error Something wrong happened. We have applied same Intune MAM protection policy to both custom app and Microsoft Edge where we setting policy as below: Send org data to other apps: Policy managed apps with Open-In/Share filtering and Receive data from other apps: Policy managed apps So, this flow is expected to work. Is it some bug with Microsoft Edge flow due to which it is not able to launch the custom app ? Note: Authentication flow works without protection policies with other browsers like chrome. It also works when we have Send org data to other apps and Receive data from other apps set to All Apps. But as this is not recommended security policy, we are trying to figure out what is going wrong.
SCEP Profile Missing "Challenge password" & "Validity period" Fields
Hello Intune Community / Microsoft Support, We are trying to set up EAP-TLS with Intune-managed Windows devices, using FortiAuthenticator as our CA/RADIUS. Issue: Our SCEP certificate profiles (under Devices > Configuration profiles) are missing the following critical fields: "Challenge password" "Certificate validity period" Additionally, the section for configuring SCEP connectors is also absent under Tenant administration. Impact: FortiAuthenticator requires a static challenge password for SCEP, but Intune provides no field to set this. This incompatibility is blocking certificate issuance and our EAP-TLS deployment. Steps Verified: Confirmed it's a standard SCEP certificate profile for Windows 10 and later. Fields are genuinely not present after thorough checks. Request: Why are these standard SCEP fields and this configuration section missing in our tenant? How can we proceed with SCEP certificate enrollment, especially with a FortiAuthenticator CA? Thank you for your urgent assistance.
Access collections information locally
Is there a way through WMI/Microsoft.SMS.Client comobject to access information from the computer if is in a collection (cached information or otherwise)? I'm not sure if a computer gathers that information somewhere. I can't access that information on the site server or through the AdminService as the account running the commands would be the SYSTEM account. My goal is query if a computer is in a collection and install a piece of software through a task sequence.Intune MAM - Restrict Application Access to Specific Biometric Profiles
We want our employees to be able to restrict access to company apps on private devices to only specific biometric profiles on the devices. If needed: Are you working together with Apple to make this possible? (e.g. via tiered device control levels / admin password in iOS)bitlocker epm rule
Hello everyone, i tried to create a rule for the management of bitlocker in intune epm so that on the client side it is possible to manage it myself with the evelation “automatic”, the “manage-bde.exe” was released with path and co. but nothing changes. i still need admin credentials. is there any more information about this? lovely regards
Events
Kick off Tech Community Live with updates and insights from Microsoft Intune engineering leaders. They’ll walk you through where Microsoft Intune and the Microsoft Intune Suite are today, discuss tre...
Online
With Microsoft Intune, you can protect cloud-connected endpoints across Windows, Android, macOS, iOS, and Linux. Looking for tips to help you reduce costs and complexity by unifying the way you manag...
Online
Recent Blogs
- Ask us anything about assessing, protecting, and managing devices and apps using cloud-based, unified endpoint management.Sep 19, 2025
