Recent Discussions
Ubuntu 24.04 LTS + Entra ID Authentication + Intune Enrollment
Hi Community, I want to combine in Ubuntu 24.04 LTS the new user authentication with Entra ID along with enrollment in Intune using the new version of the Intune portal. The goal is that the user can log in to Ubuntu with the local user created during the Device Authentication process and then be able to enroll in Intune and sign in to the portal whenever he wishes. During my tests, I have seen that if you install the necessary components for authentication with Entra ID, along with Microsoft Edge and the Intune company portal using the Ubuntu installation user, and then authenticate with the Entra ID user after the device authentication process, you get this error when you try to enroll using the company portal: Continuing with my tests, I have seen that if you start Microsoft Edge you can save a default keyring with a password. This security feature is specific to GNOME as far as I have read. With this keyring, it will be possible to enroll the device in Intune later. When starting the company portal, the default keyring password is requested, and after entering it, enrollment can be completed. From then on, the user can sign in to the portal as long as they enter that password. However, the generation of this default keyring is a process that we do not want to leave in the hands of the user. The goal is to deliver the device to the user with all the necessary software, so that once they have authenticated the device with Entra ID, they can open the company portal and enroll in Intune. Does anyone know if there is a way to avoid using such keyrings in a scenario like this? On a machine with only Ubuntu and Edge, it is possible to make this process transparent, by disabling user autologin or setting an empty password for this keyring, but in the scenario of Ubuntu + Entra ID + Intune, I can't manage it. Thanks for your help and I wish you a great 2025

Managed Home Screen: Outlook
We are running into issues with the Managed Home Screen and Outlook. Once the user has logged into the Managed Home Screen and tries to access Outlook, it gets stuck in an authentication loop. Loops: Discovering Accounts -> Accounts Found -> Back to Discovering Accounts. This is affecting multiple devices/accounts. This only affects

I no longer have an edit button for assignments on one EndpointSec>DiskEncrypt>Bitlocker profiles
I have two Intune > Endpoint Security > Disk Encryption > BitLocker policies. One is the 2+ year old deprecated policy everyone is currently on, and the other is a new policy I made two months ago. I am in the process of testing to move the company from old to new. The old policy no longer has an "Edit" button for group assignments and exclusions, much like when you don't have permissions. However, I am still able to edit the actual policy. Has anyone seen this or can help with this? Attached picture. I am using Intune Administrator permissions, and again, it's not a permissions issue as I can edit the actual policy. I have tried different browsers. I have tried another computer. The policy is scoped to default. I was last able to edit group assignments 10/25/25. The solution right now will just be to delete the old profile and move to the new one with no more testing. Thank you in advance, -ZP

Managed Home Screen MSAL - severe issue
Hi Intune Community! We are currently experiencing severe issues with Managed Home Screen and MSAL on our shared Android devices, managed as dedicated with Entra Shared mode. Anyone else experiencing issues? Quite often when a user types her user name at the MHS sign-in page and presses the Sign In button, the screen only blinks and nothing happens. The only workaround is to restart the device, and then it often works to sign in a user once or twice, until the same issue happens again. It affects all devices and all users and we have tried both the latest version of MHS and some older versions. No difference. Some things that we have seen are:
- If we exit kiosk mode and start the Intune app it says "Something went wrong" and shows a Register button. This is however gone when restarting the device. (see images below)
- If we start the Authenticator app, also after exiting kiosk, it asks for "organization email" and shows a Register button. This is also back to normal once you restart the device. (see images below)
- If we let the device be after trying to sign in, 10-20 minutes later it has managed to sign in and asks for setting a Session PIN. The problem is that it is the user who last made a successful sign-in who gets signed in. Huge security issue.
- We also see that Edge and Teams (probably other MSAL-enabled apps as well) don't behave as normal even if you successfully sign in. Teams asks what account to sign in with. Either selecting the suggested account or pressing the Back button (<) signs you in. (see images below)

Intune Android: Shared Device mode Teams calls
I am currently testing the shared device mode; we would also like to use Teams calls on the devices (Samsung). It rings but the interface does not appear. I can't even accept a call in the app. Do you have the same problem? And how did you solve it? I have already added the following 'apps':
com.samsung.android.incallui
com.android.server.telecom
com.samsung.android.app.telephonyui

Entra Application: "Windows Backup and Restore" blocked OOBE autopilot enrollment
I have a Conditional Access policy to block users not on a Compliant Windows PC, and the Intune app and Intune enrollment app are excluded from the CA policy for device enrollment. Last night I manually added a reimaged Windows PC to Autopilot (using PowerShell) and during the OOBE user sign-in the app "Windows Backup and Restore" failed for token issuance. This app, Application: Windows Backup and Restore | Application ID: 74d197dc-b84d-4d43-a1b2-b5bf3bb91c11, is not found in Entra Enterprise apps or App registrations. The Windows OS build was 25H2 Pro; looks like a new service. It would be nice if MSFT would add these new apps to Entra. Now I need to manually add the app using PowerShell so I can exclude it from my policy. Anyone have any news about the Application: Windows Backup and Restore | Application ID: 74d197dc-b84d-4d43-a1b2-b5bf3bb91c11?

How to deploy Win11 Security Baseline with Intune?
Hi, usually you can download the Security Baseline via SCT and deploy it via GPOs. How does that work with Intune? I only found this https://learn.microsoft.com/en-us/intune/intune-service/protect/security-baseline-settings-mdm-all?pivots=mdm-24h2 but it only describes the settings used by the baseline and which are available through Intune. To be honest I don't want to configure all those 1000 settings manually. Is there an easier and more comfortable way?

Microsoft Intune Company Portal for Linux and Conditional Access Issue
Greetings everyone, I have the following scenario implemented regarding conditional access:
Rule#1: For pilotuser1, for all cloud apps, for all platforms --> require MFA
Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require Device marked as compliant
This should allow me to successfully enroll a non-enrolled device to Intune and require device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux. Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn I installed the Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04. I open the Intune App and try to sign in: The first step is to Register the Device on Azure AD, it goes without a problem --> On the next stage I get the following and press continue: At this stage Microsoft Edge opens and I sign in successfully but the Intune App throws an error: The sign-in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough.
Sign-in error code: 530003
Failure reason: Your device is required to be managed to access this resource.
Additional Details: The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation
Application: Microsoft Intune Company Portal for Linux
Application ID: b743a22d-6705-4147-8670-d92fa515ee2b
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Client app: Mobile Apps and Desktop clients
Client credential type: None
Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2
Token issuer type: Azure AD
Apparently something is different in the enrollment process of Linux because I had no issues with Windows 10 enrollment. Any thoughts on the subject would be appreciated. Kind Regards, Panos

Can't find and delete an antivirus exclusion made in MECM.
In the Microsoft Endpoint Configuration Manager current branch I've added some of the detected malware to the exclusions list via right-click in the section "Monitoring - Security - Endpoint protection status - Malware detected" and "Allow this threat". They were excluded for all the computers in a collection. How and where do I find these exclusions and delete them? They appear on the client computers but not in the MECM Antimalware policies.

Blocking Bluetooth file transfer
We have created a policy to block Bluetooth file transfer. The policy was created through Attack surface reduction -> Device Control.
1- This seems to "dim" the option to add a Bluetooth device in Windows, which is not what is needed. Only file transfer is to be blocked. How can this be achieved?
2- In Allow Bluetooth, you get the following description: "Allows the user to enable Bluetooth or restrict access. Note: This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0." There is another option, "Reserved". There is no documentation for this option. Any idea?

macOS enrollment - prompt to change the Mac login password
Cheers everyone! We are in the pilot phase of our macOS Intune enrollment and I've created the compliance policy which blocks simple passwords and applied this to a few test machines. After the 1st reboot I got a prompt to change the Admin password to meet the requirements. All worked fine until I changed the "Maximum minutes of inactivity before password is required". After the first reboot, both local admin accounts (one the IT admin, the 2nd the actual user) again get a prompt that in order to log in the password needs to be changed. Did the changes again and the story repeats itself after changing some other parameter (not something related to the actual password complexity) and ended up in the same loop. It looks like every time I edit something in the Compliance profile, the user will be prompted to change his password, which doesn't make sense to me. Does anyone know why this is happening and how this behaviour can be changed? I don't want to enable "simple passwords" just as a workaround. Thank you in advance! 🙂

InTune Enrollment Loop for MacBook loops at i.manage.microsoft.com during setup
Good afternoon, is anyone using InTune seeing issues with enrollment? I have ABM set up with InTune for automatic enrollment. The InTune instance is fairly new and simple. In the last two months, I have rolled out four machines with painless success. I bought a fifth machine and it gets stuck during the Remote Management portion of enrollment, in an endless loop of connecting to http://i.manage.microsoft.com/. Between the last enrollment and now, absolutely nothing was changed in InTune. The machine is an M4 MacBook Air on OS version 15.7.1. I have reset it multiple times to no avail. It doesn't seem to be getting stuck on anything and shows up as responsive in InTune. If I force the machine off and back on, it allows me to complete enrollment, but after a reboot, I get the initial setup screen and when proceeding past that I get a black screen that never progresses. I assume this is an enrollment issue. Where would you suggest starting to troubleshoot this? Has anyone seen it so far? The last successful setup on my tenant before this was around three weeks ago. Thanks in advance! Other things I have tried:
- Renewing the ABM enrollment token
- Removing troublesome configuration profiles
- Creating and using another enrollment program token profile
- Different networks, including the network I successfully enrolled previously successful machines in
- Different user accounts with the correct license for InTune management
- Logging into ABM to make sure that there are no pending terms to accept. I confirmed that I accepted the latest new ABM terms directly from ABM.

AzureADSharedMode - Teams without PIN
I prepared an Intune profile for Samsung devices in kiosk mode with a multi-app setting. I added Teams, Outlook, Edge and Managed Home Screen as apps. In addition, I also created a configuration profile for the Managed Home Screen application in which I set that it is necessary to configure a PIN for the session. I also set the Require PIN code after returning from screen saver option. Everything works great until the user leaves the Teams app on or someone calls the user logged into Teams. At this point, no PIN is needed to unlock the device. You can easily access Teams of the logged-in user. The user is asked for the session PIN only when he wants to switch to another app. I didn't set screen lock in Android settings because in my opinion it's pointless since the device is in shared mode. Have you encountered anything like this? It poses a potential security risk if a logged-in user leaves the Teams app open, puts the phone down and walks away from it, and at that moment someone calls the phone and the person who picks it up without problem gets access to the logged-in user's Teams.

Hybrid AAD Domain Join configuration profile (%SERIAL%)
Good morning, looking to confirm my findings to solidify that this is not old information and is still accurate in 2022. The following article clearly defines in the chart that Hybrid AD Join devices are ONLY compatible with Prefix (Fixed String) names and NOT compatible with the %SERIAL% option that AAD Joined devices ARE. At the bottom of this article it then touches on the OMA-URI custom policies where it implies that %SERIAL% can be used for Hybrid Autopilot deployments. https://www.anoopcnair.com/computer-name-during-windows-autopilot-intune/ Based on my research, this is not possible. Is this correct? I have read articles that reference custom policy OMA-URI settings to achieve this, but have also read that doing so will cause the device to lose its trust with the domain which prevents the user from logging in. https://www.wpninjas.ch/2019/06/ultimate-guide-to-define-device-names-in-windows-autopilot-hybrid-join-scenario/ The only option as I understand it would be to push a Win32 App via device targeting for the device ESP process OR a PowerShell script post Autopilot. Do you agree with this? Thanks, Crim

Zebra OEMConfig APP not in the APP policy list in Intune
Hi, I have a question about adding an APP policy in Intune. I installed the Zebra OEMConfig Powered by MX app through the Intune Google Managed Play Store. When I try to create an app policy for this app, it doesn't show up in the app list. A lot of other apps do, but this one specifically doesn't. The app does appear in the all apps list in Intune. According to Microsoft, the app is fully supported in Intune. Does anyone have experience with this or any tips on how to get the app to appear? I hope someone can help me out! TIA.

Conditional Access and -Online Device registration error
So there was an issue creating new discussions yesterday and I ended up with a discussion with a heading only. :) We're using the Get-WindowsAutopilotInfo.ps1 script with the -Online switch to register our Entra Joined devices, and the process is being blocked by Conditional Access. The sign-in logs point to Microsoft Graph Command Line Tools (App ID: 14d82eec-204b-4c2f-b7e8-296a70dab67e) as the blocker. Microsoft Support suggested whitelisting several apps, but unfortunately, that hasn't resolved the issue, likely because the device doesn't have the compliant state during online registration. We're currently evaluating whether a dedicated service account with scoped permissions for Autopilot enrollment might be a workaround. Would be great to hear if anyone else has found a reliable solution.

Company Portal | App installation issues
Anyone else experiencing issues with downloading apps from Company Portal? Win32 apps, pressing install and it just spins on "download pending... your device is syncing and will begin downloading your app shortly". Experiencing these issues with 2 different tenants, in 2 different countries now.

App Protection Policy and Siri Intents
Hello, I know that there is a MAM Policy setting to be checked, "areSiriIntentsAllowed", to decide to allow or block a Siri intent for an Intune SDK integrated application, but I am not seeing where in the App Protection Policy I can change this value to allow the Siri intent. Is there an Intune Console setting that dictates what "areSiriIntentsAllowed" will be set to? Here's the Intune SDK integration reference https://learn.microsoft.com/en-us/intune/intune-service/developer/app-sdk-ios-phase4#siri-intents Thanks!

Uninstalling bundled/preinstall O365 during Autopilot
We recently purchased a bunch of new HP ProBook 400 laptops that come bundled/preinstalled with O365 x64. However, since all staff use a 32-bit line of business application, we need to install and use O365 32-bit. We want to Autopilot the new laptops and have packaged and deployed O365 32-bit as a Win32 app (i.e., using the Office Deployment Tool and a custom XML configuration). The XML file contains commands to remove any existing versions of Office before installing O365 32-bit. When we manually run the ODT setup.exe with the XML file, it functions correctly (i.e., it uninstalls the 64-bit O365 and then installs O365 32-bit). However, when we package this up as a Win32 app and set it as a mandatory app in the Autopilot deployment profile, it seems to fail or get ignored. All other Intune apps and configuration profiles install successfully, but the laptops still have O365 64-bit installed. Below is what we included at the top of the ODT XML file. Any suggestions would be greatly appreciated.
<Configuration>
  <Remove All="TRUE"/>
  <Display Level="None" AcceptEULA="TRUE"/>
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE"/>

Computer only in Intune receive GPO for Windows Update causing blocking of update
Hello, I have been trying for several hours to find the origin of this problem. The first symptom I saw is the message in Windows Update "Your organization has turned off automatic update" on Windows 10 22H2. In Advanced I can see:
Disable automatic updates
Source: Administrator
Type: Group Policy
In the registry I can see the key NoAutoUpdate set to 1. If I switch it to 0, after a reboot or after gpupdate, it switches back to 1?! Something changes these settings. I already tried MDMWinOverGP, which applied successfully. But in fact in the documentation https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict we can see: "Nor does it apply to the https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update for managing Windows updates." It seems not to affect Windows Update. Any idea? Thank you! Julian
Recent Blogs
- Starting with version 2609, Microsoft Configuration Manager will transition to an annual release cadence. This change is a formalization of the direction we've communicated at events and in customer ... Nov 05, 2025
- By: Jon Callahan, Sr Product Manager | Microsoft Intune. Cloud services don't just rely on the network. They redefine it. As organizations adopt Microsoft Intune and advance their Zero Trust st... Nov 03, 2025