Recent Discussions
Restrict some devices
Hi All I hope you are well. Anyway, I'm looking for some advice. We have identified some Intune enrolled, Entra ID joined devices that may be security risks (malware) and would like to restrict these devices from accessing things like M365 apps, Azure VPN etc etc. What's the best way to achieve this? Conditional Access and target a group with the devices as members? Info appreciatedBlock All Software Installs
Hi All Is there a way to block all software installs on Windows devices except for those we push out via Intune? I have have a look in the Device Config settings but there seems to be some confusing settings in there and some stating set as "Disabled" when disabled isn't an option. Info appreciated.How to deploy M365 Companion app through Intune
Hi All, I have a requirement of deploying M365 companion app to a few users in the company. However, when I tried with Win32 apps in Intune, it gets failed every time even though the scripts success manually. Does anyone know how to deploy M365 companion app from Intune? I have downloaded the app from below link and used the below command: https://learn.microsoft.com/en-us/microsoft-365-apps/companions/overview#set-up-the-companion-apps Echo OFF m365companionsetup.exe /quiet Thanks in advanced, DilanApp-Approval for Apps assinged via Intune
Hey there, when deploying Apps via Configuration-Manger (SCCM) there is an Option "An Administrator must approve a request for this application on the Device" where you also got an option for Mail Notification to Approvers: Do you know if there is an equivalent Feature when assigning Intune-Apps to Users? Or is there an alternative Method to reach the same result? Company Portal can handle Approvals from Configuration Manger: Wondering if there is a "Intune-Native" way? Looking forward to your answers.
Managed Home Screen MSAL - severe issuse
Hi Intune Community! We are currently experiencing severe issues with Managed Home Screen and MSAL on our shared Android devices, managed as dedicated with Entra Shared mode. Anyone else experiencing issues? Quite often when a user types her user name at the MHS sign in page and press the Sign In button, the screen only blinks and nothing happens. Only workaround is to restart the device and then it often works to sign in a user once or twice, until same issue happens again. It affects all devices and all users and we have tried both the latest version of MHS and some older version. No difference. Some things that we have seen is: If we exit kiosk mode and start the Intune app it says "Something went wrong" and shows a Register button. This is however gone when restarting the device. (see images below) If we start the Authenticator app, also after exit kiosk, it asks for "organization email" and shows a Register button. This is also back to normal once you restart the device. (see images below) If we let the device be after trying to sign in, 10-20 minutes later it has managed to sign in and asks for setting a Session PIN. The problem is that it is the user who last made a successful sign in who gets signed in. Huge security issue. We also see that Edge and Teams (probably other msal-enabled apps as well) doesn't behave as normal even if you successfully sign in. Teams ask what account to sign in with. Either selecting the suggested account or pressing the Back-button (<) signs you in. (see images below)
Windows/Defender Updates not deployed to SCCM server (all clients work fine!)
After battling for a few weeks with this it finally occurred to me to reach out for help, and I found this forum. So here goes… I have a relatively small environment with Windows Updates managed by SCCM. Currently, all clients are receiving updates as expected, the only client that isn’t is the Windows Server that’s hosting SCCM itself. Should I be configuring the winhttp proxy settings on that one server to point to our proxy (I have tried it and it didn’t seem to make a difference)? Without the winhttp proxy set, when I check the Windows update log, it seems to be trying the automatic proxy settings and quite rightly failing. It runs out of options and tries the user proxy as a last resort. I have checked that I can reach the URL configured in the Windows Update settings in Group Policy from the SCCM server and it works fine. Is there something I need to do differently with the SCCM server versus all the other clients? The SCCM client is installed on the SCCM server and is reporting healthy status with expected policies applied like all other managed clients in the estate. The SCCM server is in the same boundary as other servers that are receiving updates. SCCM 2503 running on Windows Server 2019. WSUS is running on the same server. The Software Update Point is configured with proxy settings. Thanks in advance!!
Enrolments referencing old Intune Connector Server for something
Hope all is well. A couple of weeks ago, we moved our Intune Connector to a new server. The new server name has already been showing in the Microsoft Intune Admin Centre as "active" and it's healthy, latest version and syncing since it was installed on the new Intune Connector server. The old Intune server has already passed the 30 days and have been automatically removed from the Microsoft Intune Admin Centre. Enrolments have been going very well. Today we shutdown the old Intune Connector server for decommissioning and suddenly the enrolments failed, until we powered the old Intune Connector server back up then enrolments went ahead again successfully. When I check the Windows Application logs I see the logs for the successful enrolments on the correct server, the new one. My question is, does anyone perhaps have any idea what would still be referencing the old Intune Connector server which will cause enrolments failures when we shut it down? Thank you
Issue with Adjusting Volume in Windows 11 Multi App Kiosk
Hi, I am trying to configure windows 11 Multi App Kiosk mode for 24H2 OS Build 26100.4946 I’ve successfully configured the Multi App Kiosk on Windows 11 24H2, but I can't adjust the volume, unlike in Windows 10.The device does allow me to configure the volume via the function keys in the keyboard but it doesn't allow me to configure it via the option available in the taskbar As a workaround, I have to allow settings in my environment as app and open the volume mixer by right clicking the taskbar Is there a way to enable volume control through the taskbar in this setup?Unable to import drivers into SCCM 2503
While trying to import the LAN drivers into SCCM version 2503, I encountered an error. The errors are, 1. Error: Some driver(s) can not be imported successfully. 2. Error: Failed to import the following drivers: • Realtek PCIe GbE Family Controller - An error occurred while importing the selected driver. Can anyone help me resolve this issue?Bitlocker PIN
Hello, I would like to know what your Bitlocker PIN policies are and how you approach them. Do you use a PIN that consists only of numbers, or a PIN that allows the use of characters such as upper and lower case letters, symbols, numbers, and spaces? I am asking this from the perspective of “user acceptance,” but also as an additional layer of device security.
Application auto upgrade not working
Hello, I'm trying to deploy applications with auto upgrade but nothing happens. Let me explain what I'm doing : App_V1 is deployed as available to a user collection I install the app, nothing special here App_V2 is set to supersede App_V1 with uninstall checkbox (I need that in my environment) I deploy App_V2 as available to the same user collection with the checkbox "Automatically upgrade any superseded versions of the application" In the software center, I can see App_V2 with the install button (App_V1 is hidden, expected), but nothing else happens If I check the logs, I can see in PolicyAgent.log : A line starting with "Compiling policy <deploymentID>/supersedence..." Then a line starting with "Raising event: instance of CCM_PolicyAgent_AssignmentDisabled...<some assignment info> Nothing else I don't know how to further troubleshoot that situation. Can someone give me some clues ? Thanks
Connection Point Server Disconnected
Hello I am new to SCCM and just noticed the issue shown in the screenshot. The screenshot is from the Admin console connected to our SCCMMEM host. We have a SCCMDP01 and 02 hosts as well. I have verified that all three can ping each other and access the internet. The three hosts are on on prem. I would be extremely grateful for some advice to troubleshoot the issue shown in the images. As far as I can tell there's no impact, so I'm confused about the meaning of the error and how to fix. It was Connected, and has changed to Disconnected at some unknown time...
iOS 15.8.x iPad Air 2 Failed to retrieve configuration
We are getting "Failed to retrieve configuration" on all iPad Air 2 devices running iOS 15.8.x. I saw on the https://community.jamf.com/general-discussions-2/failed-to-retrieve-configuration-on-ipados-v15-8-4-48978 forums that it's a known issue by Apple and they are working on a fix but I have doubts that they will actually do anything since they no longer support that product. Has anyone else seen this issue and found a workaround?
Confusion Regarding Filter Precedence
App Deployment/Packaging Here's the scenario I'm facing (VPP app): Group A (Required Assignment): Users: Identical to Group B. Filter: Include only corporate iPhones. Purpose: Auto-install the app on corporate-owned iPhones. Group B (Available Assignment): Users: Identical to Group A. Filter: None. Purpose: Make the app available to all devices (corporate and BYOD) in the Company Portal. Issue: BYOD devices are receiving the required install despite the filter. Filter message: "The app was offered during the last check-in. We couldn't evaluate the device for matching filters because a conflicting assignment didn't require filters." Filter: (device.model -contains "iPhone") and (device.deviceOwnership -eq "Corporate") Evaluation result: Not evaluated due to a conflicting assignment without filters. Business Request: The app should be available to the same list of users. It should be required (auto-installed) only on corporate devices. Overlapping groups are used to simplify automation and avoid complicating the process for the Service Desk, which would need to check if devices are BYOD or corporate-owned. I've been looking at: https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters-reports-troubleshoot#filters-and-assignment-conflict-resolution https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters-reports-troubleshoot#filters-and-assignment-conflict-resolution https://learn.microsoft.com/en-us/mem/intune/apps/apps-deploy#how-conflicts-between-app-intents-are-resolved And am admittedly a little smooth-brained. Can anyone explain what's happening here and how to resolve? Is the "no filter" available group taking precedence over the "include" filter and somehow pushing to all devices? How can I rectify this? Can I just add a dynamic group to exclude all BYOD devices in the required assignment and leave the rest the same or use an exclude filter for BYOD device in the required assignment? Any help is appreciated.Microsoft Intune Company Portal for Linux and Conditional Access Issue
Greetings everyone, I have the following scenario implemented regarding conditional access: Rule#1: For pilotuser1, for all cloud apps, for all platforms --> require MFA Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require Device marked as compliant This should allow me to enroll to Intune successfully a non-enrolled device and require the device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux. Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn I installed Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04. I open the Intune App and try to sign in: First step is to Register the Device on Azure AD, it goes without a problem --> On the next stage I get the following and press continue: At this stage Microsoft Edge opens and I sign in successfully but the Intune App throws an error: The sign in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough. Sign-in error code: 530003 Failure reason: Your device is required to be managed to access this resource. Additional Details: The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation Application: Microsoft Intune Company Portal for Linux Application ID: b743a22d-6705-4147-8670-d92fa515ee2b Resource : Microsoft Graph Resource ID: 00000003-0000-0000-c000-000000000000 Client app: Mobile Apps and Desktop clients Client credential type: None Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2 Token issuer type: Azure AD Apparently something is different in the enrollment process of Linux because I had no issues with Windows 10 enrollment . Any thoughts on the subject would be appreciated. Kind Regards, PanosRe-Join SCCM Client to Intune for Co-Managed join Type
Hello, I have been using SCCM for a long time, I have it is setup for Co-management, and all my workloads are moved over to Intune. I have a few clients that for one reason or other have not been added to Intune. I can get them onboarded, but the join type always ends up Intune. I am trying to find out the correct recipe to reenroll an SCCM client to Intune. I have tried uninstalling the SCCM client and reinstalling. I have tried removing registry keys for Intune to ensure it joins again. I have used DSREGCMD to leave and join back. I have completely removed from Domain and deleted from Intune. I have tried combinations of all of these things together. I have yet to come up with a specific order to do them in. I still think there is some remnant that is preventing a rejoin. Does anyone have details that help me to get systems to rejoin via SCCM? Some may say what is the difference. The difference is there are tools that are not present if the Join type is incorrect. Best regards and thanks.Intune Admin Center Filtering Issue
Win32 apps published on 20 Aug 2025 are created successfully in Intune, but they do not appear when using the Platform Windows Type Windows app Win32 filter. Older apps show correctly. As a workaround, search by app name in All Apps or remove the filters until Microsoft fixes the portal issue.
Recent Blogs
- By: Saurabh Sarkar – Product Manager 2 | Microsoft Intune I'm Saurabh Sarkar and I've had the opportunity to collaborate with several customers on effectively managing their Windows kiosk devic...Aug 28, 2025
- Five major updates that reduce operational risk: targeted app control, automated patching, and data-driven insights.Aug 21, 2025
