Recent Discussions
Edge displays a splash screen saying ‘Sign in to sync your data’
Hello When the user logs in to a device for the first time and launches Edge, the following splash screen appears, even though we have created the Intune configuration below, which is intended to prevent this. We have following Intune configuration: Why does the splash screen still appear?
Broken functionality of macOSWiFiConfiguration policies
I'm having trouble accessing macOSWiFiConfiguration policies. They are completely inaccessible via the Intune admin portal (no actual data is displayed) and the Microsoft Graph API. When using Graph (/beta/deviceManagement/deviceConfigurations or with policyId) an InternalServerError is returned mid-response, resulting in a truncated and malformed body. This error indicates that the 'wifiRequirePhysicalMacAddressEnabled' property (type Edm.Boolean, Nullable = False) has a null value stored in the back end. The policy also fails to load in the Intune which I suspect is caused by the same underlying issue. ERROR DETAILS: Endpoint: GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{policy-id} Error code: InternalServerError Error message: "The property 'wifiRequirePhysicalMacAddressEnabled[Nullable=False]' of type 'Edm.Boolean' has a null value, which is not allowed." STEPS TO REPRODUCE: 1. Create a macOSWiFiConfiguration policy in the Intune admin portal. Additional note: front end will attempt to create the policy multiple times (around 20), even though the back end responds with a 201 HTTP code. 2. Try to GET the policy via Graph API (returns InternalServerError with malformed JSON body) or retrieve it using the WebUI (no data is shown). EXPECTED BEHAVIOR: The policy should be retrievable via Graph API and visible in the Intune admin portal. The property wifiRequirePhysicalMacAddressEnabled should hold a valid boolean value (true or false). ACTUAL BEHAVIOR: Failed to retrieve policy through Graph API and Intune WebUI. Has anyone else encountered this issue? Does anyone know how can I report this directly to Microsoft? All the options I have found lead me to AI chatbots which unfortunately are not helpful at all. Thank you.
Updates Not Installing by Install Deadline
Hello all! We have an organization with about 12,000 Windows 11 Workstations. I'm noticing that even though install deadline is set, and updates are allowed to be installed before install deadline hits, we are noticing in Software Center that updates say "will install after _____" (deadline date). How can I change this? I want updates to install during the maintenance window as well as a reboot. What am I missing? ConnorIs monthly BIOS updates via Intune overkill for enterprise Windows 11
Hey all, Looking for some opinions from others managing BIOS and Drivers on enterprise environments. We’re considering pushing BIOS/firmware updates monthly across our Windows 11 fleet using Intune, but it feels a bit too aggressive. Is anyone actually doing BIOS updates this frequently? Do you see real risk in not updating BIOS regularly? Or do you treat BIOS updates more as “only when needed” (security issue / vendor recommendation)? Any issues you’ve run into pushing BIOS updates at scale via Intune? My concern is stability risk vs actual security benefit — feels like monthly might be overkill unless there’s a critical vulnerability. Keen to hear how others are handling this in production environments.Microsoft #IntuneForMSPs resource guide
Welcome to your home for all things #IntuneForMSPs! Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business by combining productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 with the multi-tenant management capabilities of our partners. Navigate to: Guidance and tutorials | Marketing and business development | Multi-tenant management partners | Application packaging partners | Additional resources #IntuneForMSPs community meetups Gain valuable insights from first-hand experiences with configuring and managing customer tenants. Up next: Hands on with device configuration and policy May 19, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC #IntuneForMSPs Community Meetup: June edition June 16, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC On demand: From box to business‑ready with Windows Autopilot Advanced automation and PowerShell for Intune Planning your customers' Intune migration Getting started with Microsoft #IntuneForMSPs Guidance and tutorials We hear from many MSPs that time for learning is limited. To help you ramp up quickly, we’ve pulled together ready-to-use decks, videos, and interactive demos you can follow step-by-step for the most common scenarios. A great place to begin is the checklist available by downloading Enhancing Security with Microsoft 365 Business: A Hands-on, Effective Guide. Microsoft 365 Business Premium deployment best practices Download PowerPoint decks that build on the videos listed below. They go deeper with additional guidance, context, and tips you can apply in customer environments. Identity and access controls (14.81 MB) Device enrollment (15.92 MB) Email and app protection (38.84 MB) Device security (17.89 MB) Data security (36.49 MB) Videos and demos ▶️ Achieve greater security and productivity with Microsoft Intune and Microsoft 365 - Follow along with each step of the checklist with complementary videos. Watch on one screen and follow along in your own tenant on the other. We’ll keep expanding this playlist with new content that goes beyond the checklist, so follow along on our social channels for the latest updates. 🖱️ Microsoft Intune guided demos - Learn how to configure app protection policies and Conditional Access, update Windows from the cloud, manage corporate devices, deploy and manage line of business (LOB) apps, enable Universal Print, protect corporate resources on personal-owned devices, utilize Windows Autopilot for new device delivery, and reduce update bandwidth consumption. Marketing and business development Step 1: Join Microsoft Partner programs AI Business Solutions for Partners Microsoft Security Partners Step 2: Join the Partner Skilling Hub Go to the Microsoft Partner Skilling Hub and create your free account. Select solution areas of interest. (Hint: Intune content: AI Business Solutions, Security) Explore these recommended modules: Implement with impact: Endpoint management with Microsoft Intune Implement with impact: Implement identity and access management with Microsoft Entra Step 3: Download turnkey campaign assets "Protect my devices" campaign-in-a-box (119.20 MB) Multi-tenant management partners Microsoft Intune is proud to collaborate with leading global providers of multi-tenant Intune management solutions. These companies are building innovative capabilities on top of Microsoft Intune, Microsoft Security solutions, and the broader Microsoft 365 platform. Their companion solutions empower you to: Centrally view and manage all customer tenants and action items through a unified partner dashboard. Take action across environments, leveraging Intune for device management, cloud security, and compliance. Standardize security settings, automate onboarding, and ensure policy consistency at scale-no more repetitive, manual tasks or risky policy drift. Want an introduction to multi-tenant management? ▶️ Watch this video from Jonathan Edwards. AvePoint is the global leader in data protection, unifying data security, governance, and resilience to provide a trusted foundation for AI. More than 28,000 customers rely on the AvePoint Confidence Platform to secure, govern, and rapidly recover data across multi‑cloud environments. Through AvePoint Confidence Platform: Elements Edition, AvePoint extends Microsoft Intune with secured multi‑tenant automation, lifecycle management, and centralized visibility—enabling partners to scale Intune delivery profitably and consistently across customers. With a single platform for governance, lifecycle control, and recovery, partners reduce operational overhead, prevent sprawl, and accelerate Copilot readiness. AvePoint supports a global partner ecosystem of 6,000 MSPs, VARs, and SIs, with solutions available in over 100 cloud marketplaces. CyberDrain CIPP provides MSPs with a centralized, multi-tenant management platform for Microsoft 365. It enables partners to securely manage tenants at scale, automate common administrative tasks, enforce standards across environments, and gain deep visibility into tenant security and configuration. With built-in automation, governance controls, and extensibility, CIPP reduces reliance on custom scripts and manual processes. MSPs can standardize operations, streamline user and tenant management, monitor security posture, and respond quickly to issues across all customers from a single interface. CIPP is supported by one of the largest and most active MSP communities in the Microsoft ecosystem, with thousands of partners contributing feedback, automation ideas, and best practices. As one of the most widely adopted platforms for Microsoft 365 multi-tenant management, CyberDrain CIPP continues to evolve rapidly to meet the needs of modern MSPs. inforcer empowers MSPs to standardize Microsoft 365 and Intune policies across all tenants, automate environment configuration, monitor compliance in real time, and reduce risk through policy drift detection. Its reporting and automation features free teams from manual, error-prone scripting and help deliver consistent, secure customer experiences, setting MSPs up to deliver advanced AI services to their customers. Nerdio brings deep automation and analytics to Intune, Windows 365, Azure Virtual Desktop, and the broader Microsoft cloud. MSPs benefit from multi-tenant dashboards, global policy insights, role-based access, centralized app deployment, and automatic policy versioning with rollback and drift correction. Nerdio’s tooling is designed specifically for MSPs and scales from small teams to large enterprise portfolios. SoftwareCentral Tenant Manager helps MSPs run Microsoft Intune across multiple customer tenants with consistency and control. MSP teams can standardize policies, manage applications and devices across environments, monitor configuration drift, and maintain visibility into changes across tenants from a single platform. The platform runs entirely on Microsoft Azure with region-selectable deployment for your data protection requirements. It includes CIS certified security baselines, helping MSPs deliver secure, repeatable Intune services as their customer portfolios grow, even without in-depth Intune knowledge. Application packaging partners Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era. To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption Note: These app migration services are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome. Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting. Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT. Additional resources Microsoft 365 Blog: small and medium business content Microsoft 365 Partner on LinkedIn Microsoft Intune Blog: MVP community contentRetrieving the “Device inventory” of iOS devices via the Graph API
We use Microsoft Intune to manage our iOS mobile devices. To achieve the highest possible level of efficiency, we use PowerShell as a supplementary tool for administration. Since our devices may contain two SIM cards, it is important for us to be able to read this information in order to perform relevant processes (e.g., adding phone numbers to address books). In general, it would be desirable to be able to read the information from the “Device Inventory” of iOS devices. For the reasons mentioned above, we would like this information to be made available via the Graph API. Alternatively, there should be a way to provide this information for all devices in a single report.
Company Portal No Longer Installing During Autopilot Enrollment
Up until today, Autopilot enrollment which included Company Portal from the Microsoft Store (NEW) was successful. Starting today, the same enrollment workflow with similar hardware is failing to install Company Portal, reporting an error code of 0x87D1041C ("The application was not detected after installation completed successfully"). The only difference between yesterday and today? Today's enrollment including updating Windows to10.0.26200.8457 (today's Patch Tuesday update). I did find information that there was a similar issue nearly a year ago, where the latest Windows Update resulted in the same errors, and Company Portal requiring an update to fix. Are we looking at the same issue again?BYOD devices can't launch Windows 365 PC because of device compliance check during CA policy check.
We have a device compliance policy for all cloud apps. We would like to allow personal (BYOD) devices to be able to connect to Windows 365 Cloud PC. In the sign in logs we see the failures for application "Windows 365 Client" app id 4fb5cc57-dbbc-4cdc-9595-748adff5f414. We can't exclude that application in the conditional access policy as it's not available. We already added exclusions for Azure Virtual Desktop, Windows 365 and Windows Cloud Login. How can we allow BYOD devices to connect to cloud PCs?
Policy applied allthough it shouldn't
Hi, all of a sudden Intune chaanges its behavior. I have a policy in place that sets persistent browser session. On the device filter tab I excluded devices with this syntax: device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company" Starting last week I have to re-authenticate on a remote Desktop running Windows Server 2025 every 8 hours. Thats what the policy requires. In Entra I see in the logs for my user that this conditional access policy applied. I then extended the filter to this device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company" -or device.operatingSystem -contains "Server" But it did not make a difference. Any idea what is going? This is not specific to my tenant. On a different tenant it behaves the same way.App Enforced Restrictions not working on Chrome
Hi All I hope you are well. Anyway, a strange one here. We have implemented App Enforced Restrictions on unmanaged / BYOD macOS devices. This seems to have taken effect on Edge and Safari browsers but not Chrome. Is there anything we can do to resolve this or force BYOD macOS to use Edge? Info appreciated. SKReporting on Device CPU and Memory
I have a requirement to produce a monthly report on all our Intune managed Windows devices and the applications they have installed. I have written a script that is able to report on UPN, Device Name, Manufacturer, Model, Serial Number, OS, Total HHD and Free space along with all the applications installed. I am however unable to output the devices CPU and Memory details. I have tried using the Get-MgBetaDeviceManagementManagedDevices with the ProcessorArchitecture and PhysicalMemoryInBytes parameters but these just report 0 or NULL. What is the best way to report on the CPU and Memory from Intune?SCCM PXE Boot Deep Dive – Backend Flow & DP Migration
SCCM PXE Boot Deep Dive – Backend Flow & DP Migration I recently worked on a Distribution Point migration and noticed PXE requests were still routing to the old DP due to DHCP/IP helper configuration. I put together a deep dive explaining: PXE flow (DHCP and TFTP sequence) Role of Distribution Points What changes during DP migration Common failure points One key takeaway: PXE issues are almost always network and routing related, not SCCM itself. Curious how others are handling PXE in large environments. Are you standardizing on IP helpers or still using DHCP options? Full article: http://SCCM%20PXE%20Boot%20Deep%20Dive%20–%20Backend%20Flow%20&%20DP%20MigrationProtect org data on BYOD Windows / macOS devices
Hi All I hope you are well. Anyway, I have a need to protect org data on: Window personal / BYOD devices MacOS personal / BYOD devices What's the best way to achieve this? My thinking is: 1 X Conditional Access policy that blocks 1 X Conditional Access policy that allows via Edge, no persistent session, no downloads etc Device filter on both policies that target unmanaged devices Any other suggestions? SKBest approach for migrating AD joined devices to Entra ID without wiping user profiles?
We’ve seen many organizations struggle with device migration when moving from traditional Active Directory (AD) or hybrid environments to Microsoft Entra ID. The biggest challenge is avoiding user disruption especially when wiping devices causes profile loss, app reconfiguration, and downtime. In large environments, wipe-and-reload becomes difficult to scale and impacts productivity significantly. Curious to know how others are handling this: Are you still using wipe/reimage methods, or are you using alternative approaches that preserve user profiles, applications, and settings? Would love to hear practical experiences from the community.Autopilot V1 vs “Device Preparation” (V2): Great direction — but is it enterprise-ready yet?
We evaluated Autopilot v2 but decided to stay on Autopilot v1 for large‑enterprise scale. Group Tags + dynamic groups are still essential for our device naming, segmentation, and governance model. We intentionally limit apps in EAS to speed up provisioning, so EAS‑based app deployment in v2 isn’t a compelling advantage for us. v2 looks promising, but until there’s stronger parity for enterprise‑scale targeting and naming, v1 remains the better fit. Curious how others at scale are balancing provisioning speed vs. segmentation without Group Tags.Autopatch - Microsoft 365 Apps Update Rings
I’m trying to understand how the UpdateDeferredVersions registry value is updated in an Intune Autopatch scenario, specifically the version and FileTime values. Registry path: HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Updates Example value: UpdateDeferredVersions = 16.0.19725.20170:13420719560293 | 16.0.19822.20180:13421142577563 I’ve observed the following and would appreciate any clarification: When I modify deadline or deferral settings via Autopatch (policy changes), the FileTime value does not update. Is there a delay or specific trigger (e.g., policy refresh, scheduled task, CDN sync) that updates this FileTime? How exactly is this FileTime calculated? Is it tied to when the build was released, assigned, or when the policy was applied? Is there any supported way to force or influence this FileTime update? Or is this value simply tracking when the build cap was issued, with deferral logic calculated relative to that timestamp? Additionally, I’ve noticed that updates only seem to apply when the FileTime is approximately 4 days behind the current date, is this expected behavior with Autopatch deferral logic? I was able to successfully test this updating FileTime 4 days behind ((Get-Date).AddDays(-4)).ToFileTime(). Any insights into how this mechanism works under the hood (especially with Click-to-Run + Autopatch interaction) would be really helpful. Below is Autopatch group settings for Microsoft 365 update rings that we set in our environment: Test - Deferral 0 - Deadline 0 Ring 1 - Deferral 1 - Deadline 0 Ring 2 - Deferral 2 - Deadline 0 Last - Deferral 4 - Deadline 1 Thanks in advance!Intune application migration & app management
Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era. Start here Read Face the future today by moving your application to cloud native Bookmark the Microsoft Intune planning guide Navigate to: Why app migration matters | Application packaging partners | Frequently asked questions Why app packaging matters Centralizing application management in Intune can deliver operational benefits such as unified enforcement and improved security posture—while supporting broader modernization goals. Common blockers that slow cloud-native adoption include: App compatibility and dependency complexity Manual repackaging effort at scale Risk of disruption during cutover Application packaging partners To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption. Note: The app migration services listed on this page are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome. Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting. Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT. Frequently asked questions Q: Is this a Microsoft-managed service? A: No. Partner offers are provided directly by partners and subject to partner terms; Microsoft makes no guarantees regarding availability or outcomes. Q: What kinds of apps can these paths help with? A: The published focus is on helping migrations from Conifguration Manager to Intune, including complex legacy and line-of-business apps. Q: Where do I start if I’m early in planning? A: Start with the Intune Planning Guide and Migration Guide.
Events
Save the date for June's #IntuneForMSPs Community Meetup! These community‑driven events bring together MSPs, Microsoft MVPs, and Intune experts to discuss top‑of‑mind topics shaping device management...
Online
Let's talk about what actually works. Each month, Unpacking Endpoint Management brings you practical tips, proven strategies, and honest discussions. Our goal? To help you optimize and simplify the w...
Online
Recent Blogs
- 5 MIN READSee how the latest Intune updates simplify Android, macOS, and certificate management.May 28, 2026
- By Iris Yuning Ye, Product Manager – Microsoft Intune & Justin Ploegert, Principal Product Manager – Microsoft Entra A new setting ‘Enable Registration During Setup’ for Platform single sign-on (PS...May 14, 2026
