Category: Microsoft Intune | Microsoft Community Hub

Recent Discussions

Intune Confusion
Hey guys, I'm relatively new to Microsoft Intune and have been playing with the platform with a view of potentially using it as our corporate endpoint management solution. I've been playing with it for a few days and I'm a little confused. Within our organisation we have about 25 'hotdesks' shared by Call Centre staff working on shifts - I thought that Intune Plan 1 Device Only would be a good fit for these systems. For the remainder of our staff (circa 250), I was thinking maybe Device Only or maybe User license. I'm not sure we require a full user license for everyone as we have a small amount of corporate software (so no real requirement for corporate software catalogue within the user portal etc) and only really need to manage Windows updates, configuration / security policies and to push / remove software - which I 'believe' is possible with the device only licenses. I've started off by acquiring x4 device only licenses (thus have not assigned them to any users) for testing purposes. My 4 test systems were already AAD joined and so to enroll them I did this using by a Device Enrollment Manager account and joined through 'Settings > Accounts > Access work or school > Enrol only in device management' on each test workstation. All 4 test systems enrolled without issue and are visible within the Intune Portal and are checking in. This is where I get confused: 1 of the 4 test workstations has the IntuneManagementExtension service running in Windows. The other 3 do not. The system that does have the service running also has the IME log directory present = C:\ProgramData\Microsoft\IntuneManagementExtension\Logs - the others do not. Again, all 4 systems are enrolled and checking in and reporting as compliant. Also, I've pushed a test piece of software to all 4 test systems (mandatory push)... none have received it. This was 8 hours ago. I also noticed when running dsregcmd / status that the MDMurl was blank on these workstations. I have a personal M365 tenant with Intune Plan 1 user licenses that I've used for a year or two and have had no problems or oddities experienced with software pushes (probably not oddities but more of a lack of understanding of device licenses on my part perhaps). I checked one of my personal workstations and they do have the Intune service running and the logs directory. Can anyone shine any light on why: A) One system has the service running / the log directory present and the others do not? B) Is there something fundamentally wrong with my understanding of device only licensing perhaps? Is there something wrong with the way in which I have enrolled these systems perhaps? C) Any idea why the software would not install on any of these 'device only' systems (nothing is being reported at all RE the deployment in Intune and I deployed the software about 8 hours ago)? D) Why would the MDMurl be blank but all systems are successfully checking in? Any pointers appreciated as I've been tying myself in knots with this. Pretty certain this is due to a chronic lack of understanding on my part. Greatly appreciate any assistance guys.
Solved
MattyT
Copper Contributor
Sep 12, 2025 Place Microsoft Intune
Intune
169Views
0likes
6Comments
App-Approval for Apps assinged via Intune
Hey there, when deploying Apps via Configuration-Manger (SCCM) there is an Option "An Administrator must approve a request for this application on the Device" where you also got an option for Mail Notification to Approvers: Do you know if there is an equivalent Feature when assigning Intune-Apps to Users? Or is there an alternative Method to reach the same result? Company Portal can handle Approvals from Configuration Manger: Wondering if there is a "Intune-Native" way? Looking forward to your answers.
Solved
fbatuns
Iron Contributor
Sep 02, 2025 Place Microsoft Intune
Intune
mobile device management (mdm)
Software Management
203Views
1like
7Comments
Bitlocker PIN
Hello, I would like to know what your Bitlocker PIN policies are and how you approach them. Do you use a PIN that consists only of numbers, or a PIN that allows the use of characters such as upper and lower case letters, symbols, numbers, and spaces? I am asking this from the perspective of “user acceptance,” but also as an additional layer of device security.
Solved
Bogdan_Guinea
Iron Contributor
Aug 26, 2025 Place Microsoft Intune
Bitlocker Encryption
Intune
mobile device management (mdm)
137Views
0likes
4Comments
Best Approach for Managing Microsoft 365 Apps Policies in Intune
Hi All, Our company is currently operating in a Hybrid Active Directory (AD) environment, with all policies being deployed via Group Policy Objects (GPOs). We have GPOs in place for Microsoft Office and Outlook, and we are planning to transition these to Microsoft Intune. My question is: What is the recommended approach for creating and managing policies related to Office 365 and Outlook (Microsoft 365 Apps) in Intune? Specifically, would it be better to implement these settings using Configuration Profiles, or should we use Policies for Microsoft 365 Apps within Intune? I’d appreciate guidance on the best practice for this migration. Thanks, Dilan
Solved
dilanmic
Iron Contributor
Aug 21, 2025 Place Microsoft Intune
Graph API
Intune
mobile device management (mdm)
Software Management
244Views
0likes
6Comments
Stuck with InTune
Hi, need some help from those that know more than me, I have two devices that were previously enrolled and managed through InTune. We have a hybrid environment. Unfortuantely they were accidentally deleted from InTune and then EntraID in an attempt to get them re-enrolled. The devices are now showing as pending in Entra ID again due to the hybrid sync. I have tried scripts and GPOs to get them to re-enroll but so far nothing has come back. I have found out that on the device side they are still showing as being enrolled in InTune MDM. I am wondering, can I fix this by disconnecting this MDM connection and getting the user to sign into it? Hopefully, I have been clear enough on this, but if not ask and I will try to clarify. Thanks, M
Solved
AlwaysAnIssue951
Copper Contributor
Aug 04, 2025 Place Microsoft Intune
Intune
mobile device management (mdm)
264Views
0likes
8Comments
Initiate Windows Updates devices not logged in by users
Hi All, We have a scenario deploy windows updates for devices enrolled to Microsoft Intune and no user logged in. Our IT administrators keep the newly imaged laptops for about 3-4 weeks on their shelf before hand over to a new user. Because of that during that time those devices report to Intune as non-compliant due to Windows OS version. Therefore we are looking for a way to deploy windows updates for them without depending on logged in users. Appreciate any ideas. thanks in advance! Dilan
Solved
dilanmic
Iron Contributor
Jul 18, 2025 Place Microsoft Intune
Intune
Mobile Application Management (MAM)
mobile device management (mdm)
Software Management
291Views
0likes
4Comments
Subsequent device registration in Intune
Hello Tech Community, We use Entra ID and our devices are fully Entra-joined. Windows 11 devices appear in Entra ID as normal. We now want to manage our devices with Intune. However, the devices do not appear in Intune because the MDM user area was initially configured as 'None'. How can we subsequently move the devices to Intune? Ideally, we would like an automated process to avoid having to move each individual device. Details: Windows 11 Devices - Fully Entra-joined Appear in Entra No other device management in use Problem: Register the devices in intune without manually touch each individual device. Also i don't want to use things like PSRemote. Thanks for your answers. BR
Solved
GriJ
Brass Contributor
Jul 17, 2025 Place Microsoft Intune
Intune
mobile device management (mdm)
131Views
1like
3Comments
AdminService REST API keeps resetting PKI cert
Greetings all, I have a ConfgMgr (2403) Provider that I am trying to bind an internal PKI certificate to for the AdminService. This provider is a dedicated machine and does not have IIS installed, so following the MS docs I use NETSH to bind the PKI cert. It then works for around 5 minutes before the SMS_REST_PROVIDER.log shows the service doing a "health check", deleting the PKI cert completely from the server and then rebinding the self-signed SMS Issuing cert. I have to reissue the internal PKI cert and rebind it and then have it deleted a few minutes later. Does anyone have any thoughts/suggestions about what I might be missing or what is happening here? Thanks Scott
Solved
scott_ip1
Copper Contributor
Jul 07, 2025 Place Configuration Manager
cm current branch
130Views
0likes
3Comments
Autopilot Company owned
We deploy all our Wiindows Laptops with AutoPilot and are Hybrid AD joined. An old sore is that devices are created twice as the device is first Entra AD joined, after which the device is joined as a Hybrid AD joined device (configuration profile), and thus creating two devices which represent one physical device. An Entra-ID joined device which becomes stale over time, as the device stats are no longer updated. And thus becomes Uncompliant. A Entra-ID Hybrid joined device which is managed by Intune, and updated wherefore the device is compliant. This is an old sore and confirmed by Microsoft support, wherefore does not seem to be a sollution. We have in some cases removed the stale Entra-ID joined device, and others we merely disabled the stale device. Yesterday i discovered some devices which show the opposite. The Hybrid AD joined device shows that it is not managed by an MDM, while the Entra-ID joined device showes managed by Intune. This results in that the correct device is no longer updated by Intune. Also when looking the deviceownership i can see that the wrong device states company owned, while the Hybrid AD joined device shows none. Is there anyway to rectify this situation? I confirm that the device is in use.
Solved
TherealKillerbe
Brass Contributor
Jul 04, 2025 Place Microsoft Intune
mobile device management (mdm)
258Views
0likes
6Comments
App Deployment status
App deployment status is not correct as compared to one week back. Installed count has reduced compared to discovered app for windows devices in Intune Portal.
Solved
Ramesh2261
Copper Contributor
Jul 02, 2025 Place Microsoft Intune
Intune
122Views
1like
3Comments
MS Edge deployment - Edge not updating
Hi, I created an app within intune to deploy MS Edge to all registered devices. Instune is showing, that everything is fine: But I notice, that almost all installations are outdated. How come and how to fix that?
Solved
heinzelrumpel
Brass Contributor
Jun 26, 2025 Place Microsoft Intune
Intune
225Views
1like
4Comments
Making my business app (formerly in the MS Business Store available in Intune
Hi guys. I have a business Windows App. It was available in the MS Business Store. It was linked to various organisations which used it via an organisation identifier. One organisation is saying that new users can no longer download the App as it isn't in their organisations Intune. How do you make it available, or do I have to provide them with the files and they make it happen locally? I'd be most grateful for any help. I have limited knowledge of this area. Thanks
Solved
Dixie_Dean
Copper Contributor
Jun 26, 2025 Place Microsoft Intune
Business Apps
Intune
Software Management
98Views
0likes
2Comments
Intune Re-Enrollment Registry Key "MmpcEnrollmentFlag"
Hey there, In the last few weeks, we encountered issues with clients (Entra Hybrid Joined) losing their Intune connection after setting an incorrect group policy. Although the group policy change was quickly reverted, about 10 clients were removed from Intune. I attempted to re-enroll these clients using various methods (MEMC Co-management, GPO, Scheduled Task, and even using psexec to directly start auto-enrollment), but the enrollment process consistently failed with the following error under Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider\Enrollment: Auto MDM Enroll: Device Credential (0x1), Failed (Bad request (400).) and/or following in CoManagementHandler.log Failed to get management URL with error 0x80070002 Eventually, I discovered a registry key that was not present on the working clients: Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments Value: MmpcEnrollmentFlag Data: 0x00000002 After deleting this key and restarting the enrollment, everything worked immediately. I am curious about how and why this registry key is created and what its function is. Looking forward to your input.
Solved
fbatuns
Iron Contributor
Jun 12, 2025 Place Microsoft Intune
autoenroll
comanagement
Entra
HybridJoin
Intune
4.2KViews
2likes
2Comments
Intune Management Extension Deployment
Hi Team, we have had previous issues with the IME deployment not passing through our firewall until a select few urls were added to the whitelist. I have been informed that we are now blocking login.live.com for whatever reason but this is now stopping the agent from deploying internally onto newly enrolled devices!! My question is this, if this block remains in place (out with my control) will agents that are installed still be able to update and communicate correctly with the Azure servers? From my understanding and testing it just needs the connection to the login.live.com once for initial deployment and also the Company Portal needs to make an initial contact but then remaining contact is made via manage.microsoft.com url and possibly another one? hopefully looking form some guidance and advice to take forward to my management team
Solved
JamieMcC1590
Copper Contributor
Jun 06, 2025 Place Microsoft Intune
Intune Management Extension
login.live.com
292Views
0likes
5Comments
Work Profile Contacts in Android Auto BYOD
Hey there, is it possible to List the Contacts from the Android Work-Profile in Android Auto? People in our Organization are not able to search for Work-Profile-Contacts via Android Auto. When Contacts from the Work-Profile are calling, the Name is showing up correctly and is also correctly displayed in the caller history, but when using the Phone app on the cars display it's not possible to find the contacts. What have we tried so far: Installed Android Auto App on Work-Profile Enabled "Connected Apps" Contact Sync via Outlook App Contact Sync via Gmail / Google Contacts Installed Google Phone App on both profiles and set it to the Default call Application Installed Samsung Phone App on both profiles and set it to the Default call Application Enabled the Work Profile Switch in the Android Auto setting (seems only usefull for notifications) Tried different Phone and Car Vendors One more Information: When Using the Call or Contact App on Personal-Profile and searching for Work Contacts, they are showing up as expected. I believe maybe it's not supported by Google? Is anybody facing the same issue or are there some Workaround i have not thought about=
Solved
fbatuns
Iron Contributor
May 23, 2025 Place Microsoft Intune
android
BYOD
Intune
mobile device management (mdm)
255Views
0likes
2Comments
VPP Apps Not Installing via Intune – Error 0x87D127DB Despite Valid Configuration
Hi everyone, We’re currently using Microsoft Intune in combination with Apple Business Manager (ABM) to provision iPhones in our organization. Our setup has worked reliably until recently: in April/May, we successfully deployed 50 iPhones without any issues. However, for the past 10 days, we’ve encountered a persistent issue: VPP apps are no longer installing automatically on newly enrolled devices. ✅ What’s working: Device registration in ABM Syncing devices from ABM to Intune Device renaming, resetting, and syncing via Intune Uninstall Apps using uninstall group of the deployment configuration on existing devices) Disabling devices in ABM and syncing changes to Intune Purchasing new apps in ABM and syncing them to Intune App license counts (total, used, available) are correctly shown in Intune ❌ What’s not working: VPP apps are not being installed. Only one or two icons appear on the home screen with a cloud symbol. Tapping them prompts a message that the app must be downloaded from the App Store. Intune consistently shows the following error: “App installation failed. 0x87D127DB (Unknown)” Occasionally, a message appears stating that VPP licenses could not be found, although all apps have sufficient licenses and Intune reflects this correctly. Troubleshooting steps taken: Devices have been reset multiple times New apps were purchased and assigned with a minimal configuration (one required group) All certificates (MDM push, VPP token, enrollment token, Apple SCIM token) are valid Apple Business Support confirms their services are operational Microsoft Support has not provided a resolution and suspects the issue lies with Apple Apple, in turn, refers us back to Microsoft At this point, we’re stuck between both vendors and are hoping someone in the community has encountered this issue or found a workaround. Has anyone else experienced this behavior or found a solution for the 0x87D127DB error with VPP apps in Intune? Thanks in advance for your help!
Solved
MSThomK
Brass Contributor
May 22, 2025 Place Microsoft Intune
0x87D127DB
ABM
App Deployment
Apple Business Manager
Intune MDM
1.6KViews
0likes
7Comments
Identifying Copilot+ Devices
Hello and greetings from Portugal! I'm trying to create a PBI report with all Copilot+ Devices in our tenant. It's there any way to push this from Intune? Thanks in advance!
Solved
DiogoSousa
Iron Contributor
May 20, 2025 Place Microsoft Intune
Intune
62Views
0likes
1Comment
Intune URLs - Default Category Seems to Include Non-Applicable URLs
I've run a PowerShell script that returns the URLs and IP ranges required by Intune but it seems to return URLs that should not be required such as Cortana.ai, itunes.apple.com, virtualearth.net, assets-yammer.com, platform.linkedin.com and many others. Those listed are in the default category. Does anyone know of a script I can use that just returns URLs and IP ranges essential for Intune, or what I can do to modify the code I am using to do the same. Below is the code I use to collect the IPs\URLs. (invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&`clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.urls} Regards, Pete.
Solved
pleeman
Copper Contributor
May 06, 2025 Place Microsoft Intune
Intune
150Views
0likes
4Comments
Android - Device name template
Hi All, Yesterday, I switched this new function on an Android Corp-owned dedicated setup. I enrolled a device this morning, but the template hasn't applied. Has anyone had any success with this feature? Regards
Solved
UpNorthIntune
Iron Contributor
May 01, 2025 Place Microsoft Intune
Intune
217Views
0likes
2Comments
Deleted Device from Intune - Lost recovery key
Hi everyone, Apologies if this has been answered before. Yesterday, I accidentally deleted a laptop from Intune. The result is that it is no longer possible to log into the device, the device record is completely gone from Intune and Entra so I am not even able to find the BitLocker recovery key. Without the BitLocker key, I can't even do a factory reset. Is the device toast? Thank you, Luuk_P
Solved
Luuk_P
Copper Contributor
Apr 25, 2025 Place Microsoft Intune
Intune
1.3KViews
0likes
9Comments

Events

Join us for the Inside Intune Live AMA with product leaders, part of the Tech Community Live, Intune edition!

Inside Intune: Live AMA with product leaders

Kick off Tech Community Live with updates and insights from Microsoft Intune engineering leaders. They’ll walk you through where Microsoft Intune and the Microsoft Intune Suite are today, discuss tre...

Monday, Oct 06, 2025, 08:00 AM PDT

Online

Tech Community Live

1like

112Attendees

3Comments

Join us for the cross-platform management with Microsoft Intune AMA, part of the Tech Community Live, Intune edition!

AMA: Cross-platform management with Microsoft Intune

With Microsoft Intune, you can protect cloud-connected endpoints across Windows, Android, macOS, iOS, and Linux. Looking for tips to help you reduce costs and complexity by unifying the way you manag...

Monday, Oct 06, 2025, 08:30 AM PDT

Online

Tech Community Live

1like

44Attendees

0Comments

Recent Blogs

2 MIN READ
Save the date! Tech Community Live: Intune edition – October 6
Ask us anything about assessing, protecting, and managing devices and apps using cloud-based, unified endpoint management.
Rachelle_Blanchard Microsoft Intune Blog
Sep 19, 2025
microsoft intune
505Views
1like
0Comments
7 MIN READ
Deep dive into Windows Autopilot device preparation: How to deploy and when to use it

Intune_Support_Team Intune Customer Success
Sep 19, 2025
windows
windows autopilot
1.7KViews
0likes
0Comments

Resources

Tags

mobile device management (mdm)2289

Mobile Application Management (MAM)830

Conditional Access464

Software Management454

microsoft intune232

Azure Friday163

cm current branch143