Recent Discussions
Intune, winget, PowerShell
Hello everyone, I'm trying to use Intune to deploy a script that schedules a task to run winget silently to update most of our 3rd party applications automatically. I can get the script to deploy, but not run. I keep getting an error saying "winget not available for system", which I've verified it is. Any ideas? What am I doing wrong? Thanks for your help,
MMP-C Enrollment Failing
I discovered a few of our devices were running into an issue with EPM functioning properly because the devices were enrolled via MDM only enrollment. I've been following some posts to try to rectify that issue and was successful in enrolling of the devices the proper way. However, I'm now running into an issue where the device is failing to enroll in MMP-C with the following error even though the file enrollment exe exists: The scheduled task looks accurate for enrolling the device in MMP-C and I'm out of details on what to do for this. Please help!Custom Compliance to check for Software Version
Hi all, I was trying to implement a custom Windows compliance item using PS/JSON to check for a particular Software version. In my case this was the AntiMalware client (not using Defender). I tried a lot of different aproaches w/o success. I've had results from eval error, ivalid JSON message or the item is simply ignored. Has anyone implemented something similar with success? thx, Miguel
Using REST API to get / set device variables
Hi, I'm trying to set a couple of variables against a machine name, through using the REST API. These are the variables that are set that you can see in the console if you right click properties on a device and go to the 'Variables' tab. These are handy because they can later be referenced during Task Sequences / OSD. I just can't figure out how to do it with the REST API. I have no issues doing it with the powershell module using the 'New-CMDeviceVariable' command, but my solution i'm building at the moment requires the solution to be done with rest api, not with ps modules... I can connect to REST API using powershell using commands such as the below. This all works fine. $ConfigMgrServerURL = "https://SCCMserver.domain.local" $MachineName = "MachineName1" # Following command is a sample GET request, which works. (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/wmi/SMS_R_System?`$filter=Name eq '$MachineName'" -Credential $Credential) #I can also fetch "Custom Properties" via this command (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/v1.0/Device($ResourceID)/AdminService.GetExtensionData" -Credential $Credential) Now i just can't see where i can go to set a variable on the machine. Does anyone have any ideas ? Thanks!
Microsoft Defender (for Business) not showing onboarded device via Intune
I am having some real fun with Devices not being shown in Microsoft Defender (for Business) after following the necessary instructions provided by Microsoft. Devices are not showing in the Microsoft Defender portal. I have used the local onboarding scripting method and gone directly through Intune. Would there be a conflict running the two? The account being used to perform these tasks is a Global Admin (even with Security Administrator rights). In respect of Intune, the Connection service between Intune and Defender for Endpoint (EDR) is fine. I have used a preconfigured EDR policy option to onboard the device, and I have checked the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection, which states an OnboardingInfo value, indicating that a device has been onboarded to Microsoft Defender for Endpoint. I do have an issue relating to Default Device Compliance Policy - Has a compliance policy assigned and a policy issue for 'create local admin user account', but Intune is saying the device is compliant. Would these issues cause an issue, and what else should I check for?Are you unable to open Google Chrome or any other browser?
Cause & Solution: If you are using Microsoft Intune, the Microsoft AI system may have automatically created a rule that blocks third-party browsers such as Chrome and Firefox. To resolve this, you need to deactivate or delete the automatically generated rule under Windows Configuration Policies.
Win11 24H2 slow to restart TS task execution following reboot task in bare metal OS deployment
When comparing OS deployment bare metal task sequence times between Windows 11 24H2 and Windows 10 22H2 I could see that 24H2 was considerably slower even though the task sequences were almost identical other than the OS being laid down on the device. I did a timing comparison and noticed two things in particularly that were taking considerably longer on the 24H2 device: 1) reboot tasks 2) time to finish up the task sequence work after the last step. For reboot tasks, I can see that the delay is between these two events in the SMSTS.log log: Waiting for policy to be compiled in 'root\ccm\policy\machine' namespace and Policy verification done within the OSDSetupHook component. On the Windows 10 device the time between those log entries was 1 second, but on Windows 11 24H2 those log entries vary, but it's usually around 2 minutes. At the end of the task sequence, after executing the last task, following The task execution engine successfully completed the current task sequence step smsts.log entry to when the smsts.log stops being written to, it takes 14 seconds for the Windows 10 device, but it takes 4:29 seconds for the Windows 11 device. The delays are similar, between these two events in SMSTS.log (see attached screen shot): End Task Sequence policy cleanup and Policy evaluation initiated within the TSManager component. Any reason policy work should take considerably longer on Win11 24H2? Any suggestions on where I can look to see as to why it's taking such a longer time to deal with policy work in 24H2? Is this a Win11 24H2 issue, a ConfigMan issue, or ConfigMan configuration issue? I am welcome to entertain any thoughts or suggestions folks have. Anyone else seeing this issue in their environment? Environment details: CM 2503 (5.0.9135.1000) without KB33177653 or KB34503790 installed. Windows 11 = 24H2 customized reference image built from August 2025 ISO. ADK = 21H2 (10.1.22000.1).Microsoft multi-tenant management resource guide
Welcome to your home for all things #IntuneforMSP. Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business with productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 combining with the multi-tenant management capabilities of our partners. So, where to start—and where to go to take the steps after that? Right here! We’ll soon be announcing dates for a series of regular webinars, where Microsoft and our partner share expertise and insights specifically related to the world of the MSP. Until then, here are some resources to help. Follow or favorite this page as we’ll be updating it frequently with new events and new readiness materials. Jump to: Marketing and business development | Demos and tutorials | Partner resources | Microsoft communities | Select content from Microsoft MVPs In the spotlight Click the image below, to watch the Microsoft Intune multi-tenant management video with Jonathan Edwards. Marketing and business development Start here: Microsoft 365 Business Premium Partner Playbook and Readiness Series Sign up for more sales training: Level Up CSP Training: Modern Work and Business Applications Explore similar offers: Microsoft Security Partners And, if you haven’t already, sign up with the Microsoft Partner Center. Demos and tutorials Whether deploying solutions for yourself or for your customers, these resources can help you with prescriptive ‘do this next’ guidance to get you up to speed quickly. Download this guide: Enhancing Security with Microsoft 365 Business: A Hands-on, Effective Guide Follow along with the companion video: Achieve greater security and productivity with Microsoft Intune and Microsoft 365 Explore click-through interactive guides for more advanced instruction: Microsoft Intune guided demos Topics include configuring app protection policies, configuring Conditional Access, updating Windows from the cloud, configuring corporate devices, deploying and managing line of business (LOB) apps, enabling Universal Print, accessing corporate resources on personal-owned devices, setting up Windows Autopilot for new device delivery, and reducing bandwidth consumption with Delivery Optimization. Partner resources Nerdio knowledge hub Inforcer resources Microsoft communities Microsoft 365 Blog small and medium business-related posts Microsoft 365 Partner LinkedIn channel Select content from Microsoft MVPs To find an MVP near you, visit the Microsoft MVP home page. Peter Klapwijk - In The Cloud 24/7 Blog Ugur Koc - Ugur Koc Blog Andy Malone - Andy Malone on YouTube Rudy Ooms - Call4Cloud Blog Somesh Pathak - Intune IRL Blog Oktay Sari - AllThingsCloud Blog Jon Towles - Mobile Jon Blog
Is there a way to see the current operating system version for BYO devices in Intune?
We have a mix of company managed and byo devices in our environment. On the byo side, we have both iOS and Android devices. For COMD devices, Intune shows current operating system information. For BYO devices, Intune only shows the operating system when it was enrolled and doesn't appear to update that info when the operating system version updates. Is there a report or query that would allow me to see the current operating system on BYODs?
Company Portal Installation Deplay/Failed
We have recently observed an issue with the deployment of the Company Portal Application. It either takes a long time to install or fails to install altogether. To address this, could you please provide the following information if available The destinations that need to be allowed via the corporate network, whether it involves the firewall or Proxy? Any specific requirements regarding SSL inspection; does it need to be disabled? The Winget command executed to install CP in the backend; does it depend on any specific version of Winget?SCCM software update install error 0x8007139F
While trying to install the monthly September patch Tuesday updates, e.g. 2025-09 Cumulative Update for Windows 11 Version 24H2 for x64-based Systems (KB5065426) (26100.6584) and 2025-09 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 24H2 for x64 (KB5064401) would often fail on many machines with error code 0x8007139F. Every single time this would happen, the update will always install on a retry. That's if the issue happened at all, but it happened on around 60% of the endpoints this month in the test deployment group. It appeared to happen to both updates. Based on the error description, it states that the group. or resource is not in the correct state to perform the requested operation. I couldn't find any documentation of this issue for other people using SCCM. I already tried resetting windows update components, running sfc /scannow, and the DISM restore image command which all completed successfully, but nothing has fixed the issue so far. Any help would be greatly appreciated.Entra Registered vs Entra Joined
Hello All, In a workgroup environment, all devices are Entra Registered, and Intune enrollment is enabled for the group. I understand that Entra Joined devices have greater management capabilities in Intune than Entra Registered devices. Could you clarify which features or policies are not available for Entra Registered devices compared to Entra Joined by Intune? Please share any relevant Microsoft references. ThanksMS Graph Device OS Reporting
On the Intune android device view, the OS is listed as ‘Android (fully managed)’ or ‘Android (corporate-owned work profile)’. The MS Graph command get-mgdevicemanagement just has ‘Android’ for the OS attribute. Using MS Graph, does anyone know how or where to get the ‘Android (corporate-owned work profile)’ value that shows in the device view?
ADMX drive mapping issue
We have a customer with 12 drive mappings pushed via Intune Import ADMX. We uploaded the admx for windows and the admx for the drivemappings. In the configuration created one policy with al the driveletters configured and pushed this to every device in the environment. Al worked great, untill we changed one drive letter from X to Z i remembered correctly and changed the path to a folder deeper in the folder three. Then it was pushed to everyone and people got issues with the drivermappings. Only 2 or 3 driveletters were showing in file explorer. When you want to add the drive letter via the wizard you can see all the paths to the different drive letters are there. Adding them via that way is not possible. We checked all the settings, like persistent drive mappings, enable linkedeconnections, setting all the drives to not configured, Create separate policy for every driveletter, removed the admx in intune and uploaded again, but nothing is working. currently using a custom script via our minitoring system to get it working again. I have used the ADMX by many customers and never have had these issues. Also opened a microsoft case but they couldn't get it fixed. Only way is a fresh install of the device. But 150 devices is a bit to much time consuming for us and the customer. Love to hear how i can solve this issue.
Brave Browser Intune Deploy
Good Morning/Afternoon/Evening, I am having issues deploying Brave Internet Browser. I have tried following various guides but always end up with installation failures. Verified and double checked all settings, but still the issues persists. The main error I get is either Error unzipping downloaded content. (0x87D30067) or The unmonitored process is in progress, however it may timeout. (0x87D300C9). It seems that the process starts but stops awaiting some kind of approval which does not show. Tried using the recommended silent command but nothing seems to work. Anyone managed to make it work recently? Thanks!No se puede iniciar la sincronización (0x801901f4)
Actualmente en mi organizacion me empezo a salir este error los dispositivos hasta agosto funcionaron correctamente inscritos a intune de manera hibrida, despues del primero de agosto dejaron de reportar el estado a intune estos afecto a mi organizacion por que ya no tenemos visibilidad de los dispositivos en el portal de intune, ademas de ser administrados por intune, aparece en estado no conforme cuando trato de sincronizarlo me sale este error. " No se puede iniciar la sincronización (0x801901f4 error interno del servidor (500).) Googleando aparece un error de microsoft store, lo cual no tiene sentido si esto es intune, la tienda funciona bien y esta e la region correcta. He intentado de todo, el equipo lo elimino completamente de las consolas de administración, lo vuelvo a inscribir, el equipo se registra, y despues de un tiempo no le reporta el estado de cumplimiento a intune. Algo que hasta Agosto funciono perfectamente. No tengo bloqueos de firewall, ni politicas tan restrictivas. Agradezco de su ayuda para solucionar este errorIntune integration with Kaspersky EDR Optimum: can it replace Defender for Business?
Hi everyone, I’m currently evaluating the use of Microsoft Intune together with Kaspersky EDR Optimum, and I have a few questions: Intune natively integrates only with Defender for Business/Endpoint, while I haven’t found any direct connector for Kaspersky EDR Optimum. Using Kaspersky requires an updated Security Center, plugins, and dedicated policies, while Defender is managed directly through Intune and Microsoft 365. So, I’d like to know: What is the real level of integration between Intune and Kaspersky EDR Optimum? Is it recommended and safe to replace Defender for Business with Kaspersky in an Intune-managed environment? What are the practical experiences from anyone who has tried this setup, especially regarding visibility, agent deployment, and policy management? I’d like to understand if going with Kaspersky instead of Defender for Business makes sense, or if management becomes too complicated. Thanks in advance to anyone who can share their experience.Block All Software Installs
Hi All Is there a way to block all software installs on Windows devices except for those we push out via Intune? I have have a look in the Device Config settings but there seems to be some confusing settings in there and some stating set as "Disabled" when disabled isn't an option. Info appreciated.Restrict some devices
Hi All I hope you are well. Anyway, I'm looking for some advice. We have identified some Intune enrolled, Entra ID joined devices that may be security risks (malware) and would like to restrict these devices from accessing things like M365 apps, Azure VPN etc etc. What's the best way to achieve this? Conditional Access and target a group with the devices as members? Info appreciated
Events
Kick off Tech Community Live with updates and insights from Microsoft Intune engineering leaders. They’ll walk you through where Microsoft Intune and the Microsoft Intune Suite are today, discuss tre...
Online
With Microsoft Intune, you can protect cloud-connected endpoints across Windows, Android, macOS, iOS, and Linux. Looking for tips to help you reduce costs and complexity by unifying the way you manag...
Online
Recent Blogs
- Ask us anything about assessing, protecting, and managing devices and apps using cloud-based, unified endpoint management.Sep 19, 2025
