Recent Discussions
Custom Compliance to check for Software Version
Hi all, I was trying to implement a custom Windows compliance item using PS/JSON to check for a particular Software version. In my case this was the AntiMalware client (not using Defender). I tried a lot of different aproaches w/o success. I've had results from eval error, ivalid JSON message or the item is simply ignored. Has anyone implemented something similar with success? thx, Miguel
Intune, winget, PowerShell
Hello everyone, I'm trying to use Intune to deploy a script that schedules a task to run winget silently to update most of our 3rd party applications automatically. I can get the script to deploy, but not run. I keep getting an error saying "winget not available for system", which I've verified it is. Any ideas? What am I doing wrong? Thanks for your help,
Microsoft Defender (for Business) not showing onboarded device via Intune
I am having some real fun with Devices not being shown in Microsoft Defender (for Business) after following the necessary instructions provided by Microsoft. Devices are not showing in the Microsoft Defender portal. I have used the local onboarding scripting method and gone directly through Intune. Would there be a conflict running the two? The account being used to perform these tasks is a Global Admin (even with Security Administrator rights). In respect of Intune, the Connection service between Intune and Defender for Endpoint (EDR) is fine. I have used a preconfigured EDR policy option to onboard the device, and I have checked the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection, which states an OnboardingInfo value, indicating that a device has been onboarded to Microsoft Defender for Endpoint. I do have an issue relating to Default Device Compliance Policy - Has a compliance policy assigned and a policy issue for 'create local admin user account', but Intune is saying the device is compliant. Would these issues cause an issue, and what else should I check for?MMP-C Enrollment Failing
I discovered a few of our devices were running into an issue with EPM functioning properly because the devices were enrolled via MDM only enrollment. I've been following some posts to try to rectify that issue and was successful in enrolling of the devices the proper way. However, I'm now running into an issue where the device is failing to enroll in MMP-C with the following error even though the file enrollment exe exists: The scheduled task looks accurate for enrolling the device in MMP-C and I'm out of details on what to do for this. Please help!
iPads in Single App Mode stuck after Update
Hi, We've got a bunch of iPads that we control via InTune, a bunch are set to Single App Mode. They have auto-update on for iOS updates, however when they restart themselves after completing the update often(not always) they will go back to the lock screen rather than the single app screen. Thankfully we've got the SN displayed on the lock screen and when we reboot from InTune it fixes it, however this isn't a proper solution. Because it's single app mode it won't let the users swipe away the lock screen. Has anyone got a fix for this? Any assistance is greatly appreciated.
PowerShell install updated Sysmon
Attempting to install an updated Sysmon to a computer. Sysmon has been uninstalled prior to updating; however, when running PowerShell in Intune to install it, it appears that Sysmon64.exe is copied to C:\Windows\, but no service is created for Sysmon64. This is running in System context, with WORKGROUP\SYSTEM for a user. Running the following command in a PowerShell script only copies the file, but doesn't create the service: Start-Process -Wait "sysmon64.exe" -ArgumentList "-i -accepteula" Running the above line in PowerShell ISE, as myself outside of the Intune deployment, the service is created without issue. What am I missing? Thanks!
Using REST API to get / set device variables
Hi, I'm trying to set a couple of variables against a machine name, through using the REST API. These are the variables that are set that you can see in the console if you right click properties on a device and go to the 'Variables' tab. These are handy because they can later be referenced during Task Sequences / OSD. I just can't figure out how to do it with the REST API. I have no issues doing it with the powershell module using the 'New-CMDeviceVariable' command, but my solution i'm building at the moment requires the solution to be done with rest api, not with ps modules... I can connect to REST API using powershell using commands such as the below. This all works fine. $ConfigMgrServerURL = "https://SCCMserver.domain.local" $MachineName = "MachineName1" # Following command is a sample GET request, which works. (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/wmi/SMS_R_System?`$filter=Name eq '$MachineName'" -Credential $Credential) #I can also fetch "Custom Properties" via this command (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/v1.0/Device($ResourceID)/AdminService.GetExtensionData" -Credential $Credential) Now i just can't see where i can go to set a variable on the machine. Does anyone have any ideas ? Thanks!Conditional Access Policy Loop with Edge on BYOD Devices – Need Help!
Body: Hello Tech Community, I’m facing an issue with an Azure AD Conditional Access Policy that seems to be causing a loop when users access Office 365 resources using Microsoft Edge on Windows 11 24H2 BYOD devices. Here’s the scenario: Problem: The policy is titled "Require App Protection Policy for Edge on Windows for All Users when Browser and Non-Compliant-v1.0" and continuously prompts users to switch profiles in Edge. These devices are BYOD and intentionally excluded from full Intune management (non-compliant by design). However, Edge repeatedly requests authentication or profile switching, creating a frustrating experience. Policy Details: Applies to: Windows devices using browsers (primarily Edge). Excludes: Compliant devices or those with trustType = ServerAD. Includes: Office 365 applications. Excludes Groups: Certain groups that should bypass the policy. What I’ve Tried: Verified device compliance status in Azure AD and Intune. Checked Azure AD Sign-In Logs for errors or repetitive authentications. Cleared Edge browser cache and cookies. Ensured Edge is configured to use Windows sign-in information. Adjusted the App Protection Policy settings for Edge. Questions: Could this be an issue with how Edge handles profile authentication in Conditional Access scenarios? How can I ensure that BYOD devices remain excluded from full Intune management but still work seamlessly with this policy? Are there specific adjustments I can make to the Conditional Access or App Protection Policy to avoid these loops? Additional Context: My goal is to secure access using App Protection Policies (MAM) for BYOD scenarios without requiring full device enrollment in Intune. Any insights, suggestions, or similar experiences would be greatly appreciated! Thank you in advance for your help!Win11 24H2 slow to restart TS task execution following reboot task in bare metal OS deployment
When comparing OS deployment bare metal task sequence times between Windows 11 24H2 and Windows 10 22H2 I could see that 24H2 was considerably slower even though the task sequences were almost identical other than the OS being laid down on the device. I did a timing comparison and noticed two things in particularly that were taking considerably longer on the 24H2 device: 1) reboot tasks 2) time to finish up the task sequence work after the last step. For reboot tasks, I can see that the delay is between these two events in the SMSTS.log log: Waiting for policy to be compiled in 'root\ccm\policy\machine' namespace and Policy verification done within the OSDSetupHook component. On the Windows 10 device the time between those log entries was 1 second, but on Windows 11 24H2 those log entries vary, but it's usually around 2 minutes. At the end of the task sequence, after executing the last task, following The task execution engine successfully completed the current task sequence step smsts.log entry to when the smsts.log stops being written to, it takes 14 seconds for the Windows 10 device, but it takes 4:29 seconds for the Windows 11 device. The delays are similar, between these two events in SMSTS.log (see attached screen shot): End Task Sequence policy cleanup and Policy evaluation initiated within the TSManager component. Any reason policy work should take considerably longer on Win11 24H2? Any suggestions on where I can look to see as to why it's taking such a longer time to deal with policy work in 24H2? Is this a Win11 24H2 issue, a ConfigMan issue, or ConfigMan configuration issue? I am welcome to entertain any thoughts or suggestions folks have. Anyone else seeing this issue in their environment? Environment details: CM 2503 (5.0.9135.1000) without KB33177653 or KB34503790 installed. Windows 11 = 24H2 customized reference image built from August 2025 ISO. ADK = 21H2 (10.1.22000.1).Are you unable to open Google Chrome or any other browser?
Cause & Solution: If you are using Microsoft Intune, the Microsoft AI system may have automatically created a rule that blocks third-party browsers such as Chrome and Firefox. To resolve this, you need to deactivate or delete the automatically generated rule under Windows Configuration Policies.Microsoft multi-tenant management resource guide
Welcome to your home for all things #IntuneforMSP. Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business with productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 combining with the multi-tenant management capabilities of our partners. So, where to start—and where to go to take the steps after that? Right here! We’ll soon be announcing dates for a series of regular webinars, where Microsoft and our partner share expertise and insights specifically related to the world of the MSP. Until then, here are some resources to help. Follow or favorite this page as we’ll be updating it frequently with new events and new readiness materials. Jump to: Marketing and business development | Demos and tutorials | Partner resources | Microsoft communities | Select content from Microsoft MVPs In the spotlight Click the image below, to watch the Microsoft Intune multi-tenant management video with Jonathan Edwards. Marketing and business development Start here: Microsoft 365 Business Premium Partner Playbook and Readiness Series Sign up for more sales training: Level Up CSP Training: Modern Work and Business Applications Explore similar offers: Microsoft Security Partners And, if you haven’t already, sign up with the Microsoft Partner Center. Demos and tutorials Whether deploying solutions for yourself or for your customers, these resources can help you with prescriptive ‘do this next’ guidance to get you up to speed quickly. Download this guide: Enhancing Security with Microsoft 365 Business: A Hands-on, Effective Guide Follow along with the companion video: Achieve greater security and productivity with Microsoft Intune and Microsoft 365 Explore click-through interactive guides for more advanced instruction: Microsoft Intune guided demos Topics include configuring app protection policies, configuring Conditional Access, updating Windows from the cloud, configuring corporate devices, deploying and managing line of business (LOB) apps, enabling Universal Print, accessing corporate resources on personal-owned devices, setting up Windows Autopilot for new device delivery, and reducing bandwidth consumption with Delivery Optimization. Partner resources Nerdio knowledge hub Inforcer resources Microsoft communities Microsoft 365 Blog small and medium business-related posts Microsoft 365 Partner LinkedIn channel Select content from Microsoft MVPs To find an MVP near you, visit the Microsoft MVP home page. Peter Klapwijk - In The Cloud 24/7 Blog Ugur Koc - Ugur Koc Blog Andy Malone - Andy Malone on YouTube Rudy Ooms - Call4Cloud Blog Somesh Pathak - Intune IRL Blog Oktay Sari - AllThingsCloud Blog Jon Towles - Mobile Jon Blog
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: https://www.androidenterprise.community/t5/admin-discussions/android-15-cannot-set-default-password-app/m-p/8827#M2105 Thanks, TomRestrict some devices
Hi All I hope you are well. Anyway, I'm looking for some advice. We have identified some Intune enrolled, Entra ID joined devices that may be security risks (malware) and would like to restrict these devices from accessing things like M365 apps, Azure VPN etc etc. What's the best way to achieve this? Conditional Access and target a group with the devices as members? Info appreciated
Is there a way to see the current operating system version for BYO devices in Intune?
We have a mix of company managed and byo devices in our environment. On the byo side, we have both iOS and Android devices. For COMD devices, Intune shows current operating system information. For BYO devices, Intune only shows the operating system when it was enrolled and doesn't appear to update that info when the operating system version updates. Is there a report or query that would allow me to see the current operating system on BYODs?Entra Registered vs Entra Joined
Hello All, In a workgroup environment, all devices are Entra Registered, and Intune enrollment is enabled for the group. I understand that Entra Joined devices have greater management capabilities in Intune than Entra Registered devices. Could you clarify which features or policies are not available for Entra Registered devices compared to Entra Joined by Intune? Please share any relevant Microsoft references. Thanks
Company Portal Installation Deplay/Failed
We have recently observed an issue with the deployment of the Company Portal Application. It either takes a long time to install or fails to install altogether. To address this, could you please provide the following information if available The destinations that need to be allowed via the corporate network, whether it involves the firewall or Proxy? Any specific requirements regarding SSL inspection; does it need to be disabled? The Winget command executed to install CP in the backend; does it depend on any specific version of Winget?SCCM software update install error 0x8007139F
While trying to install the monthly September patch Tuesday updates, e.g. 2025-09 Cumulative Update for Windows 11 Version 24H2 for x64-based Systems (KB5065426) (26100.6584) and 2025-09 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 24H2 for x64 (KB5064401) would often fail on many machines with error code 0x8007139F. Every single time this would happen, the update will always install on a retry. That's if the issue happened at all, but it happened on around 60% of the endpoints this month in the test deployment group. It appeared to happen to both updates. Based on the error description, it states that the group. or resource is not in the correct state to perform the requested operation. I couldn't find any documentation of this issue for other people using SCCM. I already tried resetting windows update components, running sfc /scannow, and the DISM restore image command which all completed successfully, but nothing has fixed the issue so far. Any help would be greatly appreciated.Intune APK Upload Error
Good morning. Since Monday 8th June I have been unable to upload a private APK within our Intune Managed PlayStore portal. When uploading the APK file it errors, "Can't publish app. Try again in a few minutes." The error message is very generic and suggests its just a system global error but it's been on going for a few days now. I have also tried uploading a previously successful APK file with the same error returned and several different browsers. Is anyone else having this issue or has any idea on how to fix or contact for support?Intune Assignment Checker - Get All Assigned Policies, Profiles and Applications
Hello everyone, I published a script that will provide a detailed overview of assigned Intune Configuration Profiles, Compliance Policies, and Applications for user, groups and devices. I have also added a option that will list all Assignments to "All users" and "All devices". Download and Setup Guide: https://intuneassignmentchecker.ugurkoc.de/ I hope that this little script will be helpful for you 🙂 Best regards Ugur
Events
Kick off Tech Community Live with updates and insights from Microsoft Intune engineering leaders. They’ll walk you through where Microsoft Intune and the Microsoft Intune Suite are today, discuss tre...
Online
With Microsoft Intune, you can protect cloud-connected endpoints across Windows, Android, macOS, iOS, and Linux. Looking for tips to help you reduce costs and complexity by unifying the way you manag...
Online
Recent Blogs
- Ask us anything about assessing, protecting, and managing devices and apps using cloud-based, unified endpoint management.Sep 19, 2025
