Recent Discussions
Outlook Mobile Stuck in Login Loop on Intune Shared Android Devices
We’re having an issue on our Intune-managed shared Android Enterprise devices that are set up in Dedicated/Kiosk mode. When users try to open the Outlook mobile app, it launches and recognizes the signed-in user through AAD/Intune, but then it just gets stuck in a loop. It keeps showing messages like "Finding your account…" or "Identifying account…", and never actually loads the mailbox or even shows the normal login screen. Has anyone else run into this issue, and is there a known fix or workaround?
Trying to setup CA rules for Mobile devices.
Hi! I'm stuck with a CA policy setup and could really use some help. What I'm trying to do: Enrolled/Compliant devices (Android/iOS): Full access to everything (all cloud apps, browser, native apps - no restrictions) Unenrolled BYOD devices (Android/iOS): Can ONLY access Teams and Outlook through APP-protected mobile apps (no web access, no other Microsoft services, the app protection policies are already setup) My Current CA Policy Setup: Policy 1: Enrolled Devices - Full Access Target resources: All cloud apps Users: My test user Conditions: Device platforms: Android, iOS Client apps: Browser + Mobile apps and desktop clients (both checked) Grant: Require device to be marked as compliant Policy 2: BYOD - Block Everything Except Teams/Outlook Target resources: All cloud apps Exclude: Office 365 Exchange Online, Microsoft Teams Services, Microsoft Outlook Users: My Test user Conditions: Device platforms: Android, iOS Filter for devices: device.isCompliant -ne True Grant: Block access Policy 3: BYOD - Allow APP-Protected Teams/Outlook Only Target resources: Office 365 Exchange Online Microsoft Teams Services Microsoft Outlook Users: My Test user Conditions: Device platforms: Android, iOS Client apps: Only "Mobile apps and desktop clients" checked (Browser unchecked) Filter for devices: device.isCompliant -ne True Grant: Require app protection policy The Problem: When I am logging in from a unenrolled device into the Outlook or Teams mobile app, they get redirected to a web page and see: "You cannot access this right now" "App Name: Microsoft Intune web company portal" What I've Tried: Adding exclusions for "Microsoft Intune Web Company Portal" (can't find it in the cloud apps list) Searching for "Microsoft Mobile Application Management" (doesn't appear) Searching for "Intune Company Portal" (doesn't show up either) I added Microsoft Intune (which I finally found What I think happens: The issue is that APP enrollment requires accessing the Intune Web Company Portal during authentication, but Policy 2 is blocking it. I need to exclude this service from the blocking policy, but I can't find the right app to exclude. Questions: What's the correct cloud app name/ID I need to exclude to allow APP enrollment to work? Is there a better way to structure these policies to avoid this issue? Any help would be greatly appreciated!
Manged Home Screen: Outlook
We are running into issues with the Managed Home Screen and Outlook. Once the user has logged into the Managed Home Screen and tries to access Outlook, it gets stuck in an authentication loop. Loops: Discovering Accounts -> Accounts Found -> Back to Discovering accounts. This is affecting multiple devices/accounts. This only affects
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: https://www.androidenterprise.community/t5/admin-discussions/android-15-cannot-set-default-password-app/m-p/8827#M2105 Thanks, Tom
Question About Moving SCCM Partially Out of Intune
Good afternoon, I've been given an environment that currently has SCCM integrated into InTune. Our department head would like to partially remove our servers from being managed by InTune, but still be managed by SCCM. Is such a thing possible? If so, could you link what documentation is available to lead me into that? I appreciate it!Autopatch reporting Errors and Conflicts, but I can't find them...
Greetings all. I am fairly new to Intune. I setup Autopatch to do Windows Updates (Quality & Features). I was looking over some of the stats today and noticed that some computers (<10%) have issues. When I click on one of the computers I get a list of Profile Settings... If I click on any of these (even the success, I get Not Found... How do I figure out what the error or conflict is so I can correct it? I thought I might have had another Windows Update policy (Non-Autopatch), but I deleted it a while back when I switched to Autopatch. Thanks in advance for your time. J
Windows Autopilot Error Code 0x800705b4 Preparing device for mobile management
We are implementing a number of Windows Autopilot via Lenovo Thinkbook 15-ITL. These are being deployed to authorised users whether they are at home connected to their home broadband or in the office connect to the Wide Area Network. Despite lots of testing, we randomly see the the error (see attached). If we wipe the device a couple of times, it seems to remedy the issue. I've tried to look online about this about various posts talk about the TPM, which it is not. I've tried to look through the logs from the device - what a minefield of information that means something to someone. Has anyone any ideas? Thanks MartinHP TamperLock(Hardware) - Information in MS Intune
Can someone help me with this: I want to know if a HP hardware TamperLock(Cover removal sensor) feeds it's information into Microsoft Intune or SCCM. If yes, where can I see it? Irrelevant of whether the check boxes in BIOS are checked or not, if someone opens the back cover, then it should trigger in MS Intune.
Zebra OEMConfig APP not in the APP policy list in Intune
Hi, I have a question about adding an APP policy in Intune. I installed the Zebra OEMConfig Powered by MX app through the Intune Google Managed Play Store. When I try to create an app policy for this app, it doesn't show up in the app list. A lot of other apps do, but this one specifically doesn't. The app does appear in the all apps list in Intune. According to Microsoft, the app is fully supported in Intune. Does anyone have experience with this or any tips on how to get the app to appear? I hope someone can help me out! TIA.I no longer have an edit button for assignments on one EndpointSec>DiskEncrypt>Bitlocker profiles
I have two Intune>Endpoint Security>Disk Encryption>Bitlocker policies. One is the 2+ year old deprecated policy everyone is currently on, and the other is a new policy I made two months ago. I am in the process of testing to move the company from old to new. Old policy no longer has an "Edit" button for group assignments and exclusions, much like when you don't have permissions. However, I am still able to edit the actual policy. Has anyone seen this or can help with this? Attached picture. I am using Intune Administrator permissions, and again, it's not a permissions issue as I can edit the actual policy. I have tried different browsers. I have tried another computer. The policy is scoped to default. I was last able to edit group assignments 10/25/25 Solution right now will just be to delete the old profile and move to new with no more testing. Thank you in advance, -ZP
Not able to use derived credentials on android
I have successfully enrolled a Samsung Galaxy S22 ultra using intune. All my apps are installed on the device. I am now trying to use derived credentials but I am not able to scan the QRCode. As soon as the QRCode comes up, the intune app crashes. Wanted to know if anyone else is seeing this issue. The intune app version is 2025.11.02.Uninstalling bundled/preinstall O365 during Autopilot
We recently purchased a bunch of new HP ProBook 400 laptops that come bundled/preinstalled with O365 x64. However, since all staff use a 32-bit line of business application, we need to install and use O365 32-bit. We want to Autopilot the new laptops and have packaged and deployed O365 32-bit as a Win32 app (ie: using the Office Deployment Tool and a custom XML configuration). The XML file contains commands to remove any existing versions of Office before installing O365 32-bit. When we manually run the ODT setup.exe with xml file, it functions correctly (i.e., it uninstalls the 64-bit O365 and then installs the O365 32-bit). However, when we package this up as a Win32 app and set it as a mandatory app in the Autopilot deployment profile, it seems to fail or get ignored. All other Intune apps and configuration profiles install successfully, but the laptops still have O365 64-bit installed. Below is what we included at the top of the ODT XML file. Any suggestions would be greatly appreciated. <Configuration> <Remove All="TRUE"/> <Display Level="None" AcceptEULA="TRUE"/> <Property Name="FORCEAPPSHUTDOWN" Value="TRUE"/>Platform SSO - MacOS Authorization Groups and Additional Groups
Working with Platform SSO...all is well for the most part. Has there been any advancements or continued development for Authorization Groups and Additional Groups? The ability to leverage these groups, IMO, is critical. I do have some scripts granting some general authorizations to users on a device (time, print, network), but leveraging groups to manage authorizations/ permissions with a diverse group of users and needs is the way.Can't find and delete an antivirus exclusion made in MECM.
In the Microsoft Endpoint Configuration Manager current brunch I've added some of the detected malware to exclusions list via right-click in the section "Monitoring-Security-Endpoint protection status - Malware detected" and "Allow this threat". They were excluded for all the computers in a collection. How and where to find this exclusions and delete them? They are appeared on the client computers but not in the MECM Antimalware policies.InTune Enrollment Loop for MacBook loops at i.manage.microsoft.com during setup
Good afternoon, is anyone using InTune seeing issues with enrollment? I have ABM set up with InTune for automatic enrollment. The InTune instance is fairly new and simple. In the last two months, I have rolled out four machines with painless success. I bought a fifth machine and it gets stuck during the Remote Management portion of enrollment, in an endless loop of connecting to http://i.manage.microsoft.com/. Between the last enrollment and now, absolutely nothing was changed in InTune. The machine is a M4 MacBook Air on OS version 15.7.1. I have reset it multiple times to no avail. It doesn't seem to be getting stuck on anything and shows up as responsive in InTune. If I force the machine off and back on, it allows me to complete enrollment, but after a reboot, I get the initial setup screen and when proceeding past that I get a black screen that never progresses. I assume this is an enrollment issue. Where would you suggest starting to troubleshoot this? Has anyone seen it so far? The last successful setup on my tenant before this was around three weeks ago. Thanks in advance! Other things I have tried: Renewing the ABM enrollment token Removing troublesome configuration profiles Creating and using another enrollment program token profile Different networks, including the network I successfully enrolled previously successful machines in Different user accounts with the correct license for InTune management Logging into ABM to make sure that there are no pending terms to accept. I confirmed that I accepted the latest new ABM terms directly from ABM.Configuration profile to set File and browser preferences in Outlook Options > Advanced
Hello, Wondering if anyone has found a way to set these settings in Outlook (classic) via Intune. We do not want hyperlinks from Outlook opening with Edge and likewise we do not want email attachments for office files opening in the browser, we want them to open with the office apps.
Ubuntu 24.04 LTS + Entra ID Authentication + Intune Enrollment
Hi Community I want to combine in Ubuntu 24.04 LTS the new user authentication with Entra ID along with enrollment in Intune using the new version of the intune portal. The goal is that the user can log in Ubuntu with the local user created during the Device Authentication process and then be able to enroll in Intune and sign in to the portal whenever he wish. During my tests, I have seen that if you install the necessary components for authentication with Entra ID, along with Microsoft Edge and the Intune company portal using the Ubuntu installation user, and then authenticate with the Entra ID user after the device authentication process, you get this error when you try to enroll using the company portal: Continuing with my tests, I have seen that if you start Microsoft Edge you can save a default keyring with a password. This security feature is specific to GNOME as far as I have read. With this keyring, it will be possible to enroll the device in Intune later. When starting the company portal, the default keyring password is requested, and after entering it, enrollment can be completed. From then on, the user can sign in to the portal as long as they enter that password However, the generation of this default keyring is a process that we do not want to leave in the hands of the user. The goal is to deliver the device to the user with all the necessary software, so that once they have authenticated the device with Entra ID, they can open the company portal and enroll in Intune. Does anyone know if there is a way to avoid using such keyrings in a scenario like this? On a machine with only Ubuntu and Edge, it is possible to make this process transparent, by disabling user autologin or setting an empty password for this keyring, but in the scenario of Ubuntu + Entra ID + Intune, I can't manage it. Thanks for your help and I wish you a great 2025Managed Home Screen MSAL - severe issuse
Hi Intune Community! We are currently experiencing severe issues with Managed Home Screen and MSAL on our shared Android devices, managed as dedicated with Entra Shared mode. Anyone else experiencing issues? Quite often when a user types her user name at the MHS sign in page and press the Sign In button, the screen only blinks and nothing happens. Only workaround is to restart the device and then it often works to sign in a user once or twice, until same issue happens again. It affects all devices and all users and we have tried both the latest version of MHS and some older version. No difference. Some things that we have seen is: If we exit kiosk mode and start the Intune app it says "Something went wrong" and shows a Register button. This is however gone when restarting the device. (see images below) If we start the Authenticator app, also after exit kiosk, it asks for "organization email" and shows a Register button. This is also back to normal once you restart the device. (see images below) If we let the device be after trying to sign in, 10-20 minutes later it has managed to sign in and asks for setting a Session PIN. The problem is that it is the user who last made a successful sign in who gets signed in. Huge security issue. We also see that Edge and Teams (probably other msal-enabled apps as well) doesn't behave as normal even if you successfully sign in. Teams ask what account to sign in with. Either selecting the suggested account or pressing the Back-button (<) signs you in. (see images below)
Recent Blogs
- By: Roger Southgate - Sr. Product Manager | Microsoft Intune Myth vs reality Myth: Cloud-native Windows devices can’t access on-premises resources such as file shares or legacy applications. Re...Nov 14, 2025
- Starting with version 2609, Microsoft Configuration Manager will transition to an annual release cadence. This change is a formalization of the direction we’ve communicated at events and in customer ...Nov 05, 2025
