Recent Discussions
Site drop down missing when trying to push client
Good afternoon, all. I just changed permissions for my helpdesk. For some reason they were nearly full admins from historical setup. Created a collection that is a copy of "all PC Clients" and called it "All PC clients for deployments" added a new security role called "Helpdesk" Setup a new group in AD and placed the helpdesk in said group under administration > overview > security > Administrative users, i've added the group, gave them security roles as "helpdesk" Set security groups to only the specified collection of "all PC clients for deployments", Security scope for Helpdesk and all unknown computers. Under security roles, i copied the same security role they had previously and created the name "helpdesk" I've looked at everything under both within "permissions" and everything matches as far as i can see. Does anyone know what sets this specific permission? Mine is perfectly fine, but i am a full administrator.
MAM policy and IOS Numbers.
Looking for some advice, have recently applied MAM policy, we have users that use IOS numbers on their iPhones and would like to share these files with Microsoft applications. We have now changed Send org data to other apps to All Apps to get around this but does anyone have experience with creating an exemption for this or any other IOS application? We do not want to open up all apps.[On demand] From admin to standard user with Endpoint Privilege Management
Get actionable insights and practical tips for deploying Endpoint Privilege Management using Microsoft Intune. Watch From admin to standard user with Endpoint Privilege Management – now on demand – and join the conversation at https://aka.ms/AdminToStandardUser. For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.[On demand] Intune 'fast lane' - Let's talk about all things latency
What happens from the time you click the save button on an assignment in Microsoft Intune to when your devices receive the updated changes? Watch Intune 'fast lane' - Let's talk about all things latency – now on demand – and join the conversation at https://aka.ms/IntuneFastLane. For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.[On demand] Enhance and supercharge IT management with Copilot in Intune
Get valuable tips to help you get the most out of Copilot in Intune—and find an easier path to policy management, troubleshooting, insights, and overall efficiency. Watch Enhance and supercharge IT management with Copilot in Intune – now on demand – and join the conversation at https://aka.ms/SuperchargeITManagement. For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: Re: Android 15 - Cannot set default password app - Android Enterprise Customer Community - 8708 Thanks, Tom
Seeking Advice on Intune Windows Updates Management for Win10 to Win11 Upgrade
We’re preparing to upgrade a group of devices from Windows 10 to Windows 11 using a feature update deployment policy and Ring update policy. Our goal is to provide our users with the most notifications and control possible before the mandatory deadline is reached, allowing them the opportunity to initiate the update themselves. However, I’m confused about the deadline and grace period countdown. According to this article, the countdown starts after the installation completes. Enforce compliance deadlines with policies - Windows Update for Business | Microsoft Learn Is there a way to use Intune Windows Updates management to allow users to control when they launch the Windows 11 upgrade process before it becomes mandatory, while also providing notifications to the user? Thanks in advance for your help!Disable sign in to Windows device (fast)
Hi, When using Intune along with WHfB PIN, what is the best approach to disable sign-in to Windows PC (using WHfB PIN)? Wipe command is not an option in this case, we just need to block access to the PC and do it fast as possible. In my testing blocking user, revoke session, disabling device is not preventing user from using cached PIN to enter and use computer. Yes, it's signed out from Office apps etc, but still has access to local files. I think there should be command in Intune that will efficiently do this. Thanks!Which Windows Licenses are required to manage BitLocker through Intune
License Confusion for Managing BitLocker via Intune Scenario: We are managing BitLocker through Intune, with recovery keys backed up to Entra ID for both Hybrid and Entra ID-joined devices. Our devices run Windows 10/11 Professional, and we have EMS E3 licenses. Confusion: Most Microsoft documents state that Windows 10/11 Professional is sufficient to enable and manage BitLocker. However, one document mentions that Windows 10/11 Enterprise is required to manage BitLocker using CSP (Configuration Service Provider). We need clarification on whether Windows 10/11 Professional is fully capable of BitLocker management via Intune or if Enterprise is required for CSP-based management. I am providing reference Microsoft articles and screenshots to support this. BitLocker Enablement: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#windows-edition-and-licensing-requirements BitLocker Management: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#windows-edition-and-licensing-requirements Encrypt Devices with Intune: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys You can find this paragraph in above document. "Information for BitLocker is obtained using the (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10 Pro version 1809 and later, and Windows 11." Contradictory Statement Document: https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-cspCannot install macOS Management Profile
Hi, all. I'm trying to get management of a macOS device working. This is the first device being enrolled, in a new setup. The device was pre-enrolled in ABM and synced to Intune. The device registers fine, and get the default management profile. I have added Company Portal, Microsoft 365 and Defender as apps to install. All these are being pushed, except Defender comes up with a missing license. I guess this is related to the issue below. I start up Company Portal and it instructs me to install a new management profile. When trying to install this profile, it fails with the error "Could not obtain final profile using the Encrypted Profile Service...". My guess is that there is a conflict with an already installed Management Profile, which is impossible to remove. Have tried both locked and unlocked enrollment. Any hints on how to resolve this?
Non persistent session on not joined devices
Hi, how do I create a conditional access policy within intunes that requires a non joined device and then specifies the persistent browser session to "never persistent". As I look ath the settings I am only be able to set "Require Microsoft Entra hybrid joined device". Thanks Cheers, heinzelrumpel
Windows 11 upgraded from W10 Rolled back and now no upgrade available!?
Hi I guess there must be some bug in the way Intune detects if Windows 11 is installed or not, when rolled back to Windows 10 after an Windows 11 upgrade. I am testing Update rings with also feature update policy setup. The Upgrade was then available and upgrade to W11 from W10 went without issues. Then I wanted to test roll back (Go back) option used on the client, just to know how to if a user should need that. Roll back to W10 went smoothly. Now no W11 upgrade is available to install anymore. Tried a couple of basic stuff like restart(ofc 🙂 ) , deleted "SoftwareDistribution" folder, ran "sfc /scannow", triggered multiple Intune syncs from different areas like sync from Intune, sync from work/school in windows and from the task schedule "EnterpriseMgmt" -> "Schedule #3 created by enrollment client" Maybe a reg key needs to be deleted or changed manually?
In Grace Period- After Joining in Autopilot
I have 2 surfaces that I joined to Intune through Autopilot but they are showing as "In grace period". It should sync and should be in compliance and not sure why it says as in grace period. The applications are not downloading full that are being pushed. Could it be due to network issue and what about the grace period, how to fix it. thanks in advanceAndroid KIOSK Device - WiFi Browser Login, not appearing
Morning All, I have an Android KIOSK device with managed home screen applied. The device has a WiFi configuration applied for our network. But when the user goes to another customer's site, there WiFi prompts for a login to be made via a browser page. This page isn't displaying. There is a browser deployed to the tablet, and have got the end user to open the browser app before trying to connect to the WiFi, but it still doesn't work. As a temporary measure, I have used the "Remove apps and Configuration" option against the device and removed the Configuration profile. When the tablet is without the profile, the user can successfully connect to the WiFi, the browser appears. I am currently going through my setup that is applied to the device but can't see an option that is blocking the browser when connecting to a WiFi. Anybody come across this issue? Or know of a solution? The device config\setup is used to many different aspect of the business, so I have to be mindful of what change I make. Don't want to give them the ability to exit KIOSK mode etc Thanks
Events
Happening Now
Explore the seamless integration of Microsoft Intune with Microsoft Defender for Endpoint. Get comprehensive endpoint protection, real-time threat intelligence, and streamlined management across devi...
Online
Happening Soon
Come talk to the experts that build the Intune mobile application management (MAM) capabilities for Windows! This is your opportunity to interact live with the product groups to learn more about the...
Online
Recent Blogs
- I'm Catarina Rodrigues and recently, I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. ...Feb 28, 2025
- So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management - with experience managing Windows devices, personal ...Feb 28, 2025
