Recent Discussions
Not able to use derived credentials on android
I have successfully enrolled a Samsung Galaxy S22 Ultra using Intune. All my apps are installed on the device. I am now trying to use derived credentials but I am not able to scan the QR code. As soon as the QR code comes up, the Intune app crashes. Wanted to know if anyone else is seeing this issue. The Intune app version is 2025.11.02.
17 Views 0 likes 0 Comments

Platform SSO - MacOS Authorization Groups and Additional Groups
Working with Platform SSO...all is well for the most part. Have there been any advancements or continued development for Authorization Groups and Additional Groups? The ability to leverage these groups, IMO, is critical. I do have some scripts granting some general authorizations to users on a device (time, print, network), but leveraging groups to manage authorizations/permissions with a diverse group of users and needs is the way.
33 Views 0 likes 1 Comment

Managed Home Screen: Outlook
We are running into issues with the Managed Home Screen and Outlook. Once the user has logged into the Managed Home Screen and tries to access Outlook, it gets stuck in an authentication loop. Loops: Discovering Accounts -> Accounts Found -> Back to Discovering accounts. This is affecting multiple devices/accounts. This only affects
103 Views 1 like 4 Comments

I no longer have an edit button for assignments on one EndpointSec>DiskEncrypt>Bitlocker profiles
I have two Intune>Endpoint Security>Disk Encryption>Bitlocker policies. One is the 2+ year old deprecated policy everyone is currently on, and the other is a new policy I made two months ago. I am in the process of testing to move the company from old to new. Old policy no longer has an "Edit" button for group assignments and exclusions, much like when you don't have permissions. However, I am still able to edit the actual policy. Has anyone seen this or can help with this? Attached picture. I am using Intune Administrator permissions, and again, it's not a permissions issue as I can edit the actual policy. I have tried different browsers. I have tried another computer. The policy is scoped to default. I was last able to edit group assignments 10/25/25. Solution right now will just be to delete the old profile and move to new with no more testing. Thank you in advance, -ZP
58 Views 1 like 1 Comment

Entra Application: "Windows Backup and Restore" blocked OOBE autopilot enrollment
I have a Conditional Access policy to block users not on a Compliant Windows PC and the Intune app and Intune enrollment app are excluded from the CA policy for device enrollment. Last night I manually added a reimaged Windows PC to Autopilot (using PowerShell) and during the OOBE user sign-in the app "Windows Backup and Restore" failed for token issuance. This app, Application: Windows Backup and Restore | Application ID: 74d197dc-b84d-4d43-a1b2-b5bf3bb91c11 is not found in Entra Enterprise apps or App registrations. The Windows OS build was 25H2 Pro, looks like a new service. It would be nice if MSFT would add these new apps to Entra. Now I need to manually add the app using PowerShell so I can exclude it from my policy. Anyone have any news about the Application: Windows Backup and Restore | Application ID: 74d197dc-b84d-4d43-a1b2-b5bf3bb91c11?
81 Views 0 likes 1 Comment

Can't find and delete an antivirus exclusion made in MECM.
In the Microsoft Endpoint Configuration Manager current branch I've added some of the detected malware to the exclusions list via right-click in the section "Monitoring-Security-Endpoint protection status - Malware detected" and "Allow this threat". They were excluded for all the computers in a collection. How and where to find these exclusions and delete them? They appear on the client computers but not in the MECM Antimalware policies.
33 Views 0 likes 2 Comments

InTune Enrollment Loop for MacBook loops at i.manage.microsoft.com during setup
Good afternoon, is anyone using InTune seeing issues with enrollment? I have ABM set up with InTune for automatic enrollment. The InTune instance is fairly new and simple. In the last two months, I have rolled out four machines with painless success. I bought a fifth machine and it gets stuck during the Remote Management portion of enrollment, in an endless loop of connecting to http://i.manage.microsoft.com/. Between the last enrollment and now, absolutely nothing was changed in InTune. The machine is an M4 MacBook Air on OS version 15.7.1. I have reset it multiple times to no avail. It doesn't seem to be getting stuck on anything and shows up as responsive in InTune. If I force the machine off and back on, it allows me to complete enrollment, but after a reboot, I get the initial setup screen and when proceeding past that I get a black screen that never progresses. I assume this is an enrollment issue. Where would you suggest starting to troubleshoot this? Has anyone seen it so far? The last successful setup on my tenant before this was around three weeks ago. Thanks in advance!
Other things I have tried:
- Renewing the ABM enrollment token
- Removing troublesome configuration profiles
- Creating and using another enrollment program token profile
- Different networks, including the network I successfully enrolled previously successful machines in
- Different user accounts with the correct license for InTune management
- Logging into ABM to make sure that there are no pending terms to accept. I confirmed that I accepted the latest new ABM terms directly from ABM.
28 Views 0 likes 1 Comment

How to deploy Win11 Security Baseline with Intune?
Hi, usually you can download the Security Baseline via SCT and deploy it via GPOs. How does that work with Intune? I only found this https://learn.microsoft.com/en-us/intune/intune-service/protect/security-baseline-settings-mdm-all?pivots=mdm-24h2 but it only describes the settings used by the baseline and which are available through Intune. To be honest I don't want to configure all those 1000 settings manually. Is there an easy and more comfortable way?
32 Views 0 likes 1 Comment

Zebra OEMConfig APP not in the APP policy list in Intune
Hi, I have a question about adding an APP policy in Intune. I installed the Zebra OEMConfig Powered by MX app through the Intune Google Managed Play Store. When I try to create an app policy for this app, it doesn't show up in the app list. A lot of other apps do, but this one specifically doesn't. The app does appear in the all apps list in Intune. According to Microsoft, the app is fully supported in Intune. Does anyone have experience with this or any tips on how to get the app to appear? I hope someone can help me out! TIA.
20 Views 0 likes 0 Comments

Company Portal | App installation issues
Anyone else experiencing issues with downloading apps from company portal? Win32 apps, pressing install and just spins on “download pending… your device is syncing and will begin downloading your app shortly” Experiencing this issue with 2 different tenants. In 2 different countries now.
35 Views 0 likes 0 Comments

App Protection Policy and Siri Intents
Hello, I know that there is a MAM Policy setting to be checked "areSiriIntentsAllowed" to decide to allow or block a Siri intent for an Intune SDK integrated application but I am not seeing where in the App Protection Policy that I can change this value to allow the Siri intent. Is there an Intune Console setting that dictates what the "areSiriIntentsAllowed" will be set to? Here's the Intune SDK integration reference https://learn.microsoft.com/en-us/intune/intune-service/developer/app-sdk-ios-phase4#siri-intents Thanks!
4 Views 0 likes 0 Comments

Uninstalling bundled/preinstall O365 during Autopilot
We recently purchased a bunch of new HP ProBook 400 laptops that come bundled/preinstalled with O365 x64. However, since all staff use a 32-bit line of business application, we need to install and use O365 32-bit. We want to Autopilot the new laptops and have packaged and deployed O365 32-bit as a Win32 app (ie: using the Office Deployment Tool and a custom XML configuration). The XML file contains commands to remove any existing versions of Office before installing O365 32-bit. When we manually run the ODT setup.exe with xml file, it functions correctly (i.e., it uninstalls the 64-bit O365 and then installs the O365 32-bit). However, when we package this up as a Win32 app and set it as a mandatory app in the Autopilot deployment profile, it seems to fail or get ignored. All other Intune apps and configuration profiles install successfully, but the laptops still have O365 64-bit installed. Below is what we included at the top of the ODT XML file. Any suggestions would be greatly appreciated.
<Configuration>
  <Remove All="TRUE"/>
  <Display Level="None" AcceptEULA="TRUE"/>
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE"/>
92 Views 0 likes 2 Comments

Conditional Access and -Online Device registration error
So there was an issue creating new discussions yesterday and I ended up with a discussion with a heading only. :) We're using the Get-WindowsAutopilotInfo.ps1 script with the -Online switch to register our Entra Joined Devices, and the process is being blocked by Conditional Access. The sign-in logs point to Microsoft Graph Command Line Tools (App ID: 14d82eec-204b-4c2f-b7e8-296a70dab67e) as the blocker. Microsoft Support suggested whitelisting several apps, but unfortunately, that hasn’t resolved the issue—likely because the device doesn’t have the compliant state during online registration. We’re currently evaluating whether a dedicated service account with scoped permissions for Autopilot enrollment might be a workaround. Would be great to hear if anyone else has found a reliable solution.
88 Views 0 likes 2 Comments

Configuring Intune settings for USB Read Only
Hi Team, After having blocked USB across the estate, we are trying 2 things:
1. USB Read only
2. USB Read and Write access.
2 works as expected but not 1, we aren't able to restrict to only READ into the contents within the USB?
Current settings configured:
Configuration settings>Administrative Templates>Custom Classes: Deny write access (User): Enabled
What am I missing? Do we even need to configure the below?
Custom Classes: Deny write access : Enabled?
61 Views 0 likes 1 Comment

Can't update Intune firewall policy as Global admin
Hello, I tried to update group assignments of an existing policy (policy type is Windows Firewall Rules) in Intune with the Global administrator role. I add some Entra ID groups and click Save. However, nothing happens even though a notification appears that it was successfully changed. I created a new policy and assigned some groups, after that tried to update the group list but again the same issue. Does anyone have this experience? It looks like something related to Microsoft. Thanks
104 Views 2 likes 2 Comments

Modern endpoint management—Microsoft Intune at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn why endpoint security and management are critical in today’s hybrid environments. At Ignite, endpoint management sessions and labs will help you secure devices, automate management, and integrate with AI-powered security tools.
Featured sessions:
- BRK242: Top Essentials for an Integrated, AI-Ready Security Foundation. Learn what Microsoft Entra and Microsoft Intune bring across the M365 stack to help you reach a Zero Trust security posture with more compliance and control in the era of agentic AI.
- LAB542: Zero Trust Lab: Securing Identities and Devices with Intune & Entra. Explore how Intune and Entra secure identities and devices, with new implementation indicators and cross-pillar guidance.
- BRK258: Inside Windows Security, from client to cloud. Discover the latest innovations across Windows and Intune designed to improve your security posture and protect users, devices, and data.
Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions
Why attend: Ignite is the best place to learn about new Microsoft Entra capabilities for agentic AI, identity governance, and secure access. We will also share its vision for the future of identity and agent management.
Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.
Register for Microsoft Ignite >
116 Views 0 likes 0 Comments

Edge Mobile prompting users to Allow opening app using Custom URI Scheme
Somewhat recently, perhaps with release of iOS 26, Microsoft Edge began prompting users to "Allow" or "Don't allow" a site to open another application when using a Custom URI Scheme. This causes an unnecessary step in our users' authentication process especially when Conditional Access policies are enabled as Edge must be used to pass the CA conditions. This occurs even when the custom-intunemam:// scheme is used to open the Intune enabled application from Edge. I am wondering if there is an Edge Mobile - Intune configuration/setting that we could configure to bypass the prompt. Thanks!
92 Views 0 likes 3 Comments
Events
Recent Blogs
- Starting with version 2609, Microsoft Configuration Manager will transition to an annual release cadence. This change is a formalization of the direction we’ve communicated at events and in customer ...
  Nov 05, 2025 | 9.3K Views 2 likes 6 Comments
- By: Jon Callahan – Sr Product Manager | Microsoft Intune Cloud services don’t just rely on the network. They redefine it. As organizations adopt Microsoft Intune and advance their Zero Trust st...
  Nov 03, 2025 | 1.2K Views 0 likes 0 Comments