Recent Discussions
Windows Hello - optional
Hello community, I'm trying to set Windows Hello as optional (not forced) for users in our org. Currently we have security group for people who asked for Windows Hello to be enabled for them. All devices are Windows 11 fully managed by Intune. Current Win Hello solution is provided by Intune policy - identity protection - "Configure Windows Hello for Business". It works, but as mentioned I would like to make it optional for everyone in our org so users can decide whether use it or not. Is it possible?Microsoft #IntuneForMSPs resource guide
Welcome to your home for all things #IntuneForMSPs! Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business by combining productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 with the multi-tenant management capabilities of you, our partners. Navigate to: Guidance and tutorials | Marketing and business development | Multi-tenant management partners | Application packaging partners | Additional resources #IntuneForMSPs community meetups Gain valuable insights from first-hand experiences with configuring and managing customer tenants. Up next: #IntuneForMSPs Community Meetup: April edition April 21, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC On demand: Advanced automation and PowerShell for Intune Planning your customers' Intune migration Getting started with Microsoft #IntuneForMSPs Guidance and tutorials Microsoft 365 Business Premium deployment best practices Identity and access controls (14.81 MB) Device enrollment (15.92 MB) Email and app protection (38.84 MB) Device security (17.89 MB) Data security (36.49 MB) Videos and demos ▶️ Achieve greater security and productivity with Microsoft Intune and Microsoft 365 🖱️ Microsoft Intune guided demos - Learn how to configure app protection policies and Conditional Access, update Windows from the cloud, manage corporate devices, deploy and manage line of business (LOB) apps, enable Universal Print, protect corporate resources on personal-owned devices, utilize Windows Autopilot for new device delivery, and reduce update bandwidth consumption. Marketing and business development Step 1: Join Microsoft Partner programs AI Business Solutions for Partners Microsoft Security Partners Step 2: Join the Partner Skilling Hub Go to the Microsoft Partner Skilling Hub and create your free account. Select solution areas of interest. (Hint: Intune content: AI Business Solutions, Security) Explore these recommended modules: Implement with impact: Endpoint management with Microsoft Intune Implement with impact: Implement identity and access management with Microsoft Entra Step 3: Download turnkey campaign assets "Protect my devices" campaign-in-a-box (119.20 MB) Multi-tenant management partners Microsoft Intune is proud to collaborate with leading global providers of multi-tenant Intune management solutions. These companies are building innovative capabilities on top of Microsoft Intune, Microsoft Security solutions, and the broader Microsoft 365 platform. Their companion solutions empower you to: Centrally view and manage all customer tenants and action items through a unified partner dashboard. Take action across environments, leveraging Intune for device management, cloud security, and compliance. Standardize security settings, automate onboarding, and ensure policy consistency at scale-no more repetitive, manual tasks or risky policy drift. Want an introduction to multi-tenant management? ▶️ Watch this video from Jonathan Edwards. AvePoint is the global leader in data protection, unifying data security, governance, and resilience to provide a trusted foundation for AI. More than 28,000 customers rely on the AvePoint Confidence Platform to secure, govern, and rapidly recover data across multi‑cloud environments. Through AvePoint Confidence Platform: Elements Edition, AvePoint extends Microsoft Intune with secured multi‑tenant automation, lifecycle management, and centralized visibility—enabling partners to scale Intune delivery profitably and consistently across customers. With a single platform for governance, lifecycle control, and recovery, partners reduce operational overhead, prevent sprawl, and accelerate Copilot readiness. AvePoint supports a global partner ecosystem of 6,000 MSPs, VARs, and SIs, with solutions available in over 100 cloud marketplaces. CyberDrain CIPP provides MSPs with a centralized, multi-tenant management platform for Microsoft 365. It enables partners to securely manage tenants at scale, automate common administrative tasks, enforce standards across environments, and gain deep visibility into tenant security and configuration. With built-in automation, governance controls, and extensibility, CIPP reduces reliance on custom scripts and manual processes. MSPs can standardize operations, streamline user and tenant management, monitor security posture, and respond quickly to issues across all customers from a single interface. CIPP is supported by one of the largest and most active MSP communities in the Microsoft ecosystem, with thousands of partners contributing feedback, automation ideas, and best practices. As one of the most widely adopted platforms for Microsoft 365 multi-tenant management, CyberDrain CIPP continues to evolve rapidly to meet the needs of modern MSPs. inforcer empowers MSPs to standardize Microsoft 365 and Intune policies across all tenants, automate environment configuration, monitor compliance in real time, and reduce risk through policy drift detection. Its reporting and automation features free teams from manual, error-prone scripting and help deliver consistent, secure customer experiences, setting MSPs up to deliver advanced AI services to their customers. Nerdio brings deep automation and analytics to Intune, Windows 365, Azure Virtual Desktop, and the broader Microsoft cloud. MSPs benefit from multi-tenant dashboards, global policy insights, role-based access, centralized app deployment, and automatic policy versioning with rollback and drift correction. Nerdio’s tooling is designed specifically for MSPs and scales from small teams to large enterprise portfolios. SoftwareCentral Tenant Manager helps MSPs run Microsoft Intune across multiple customer tenants with consistency and control. MSP teams can standardize policies, manage applications and devices across environments, monitor configuration drift, and maintain visibility into changes across tenants from a single platform. The platform runs entirely on Microsoft Azure with region-selectable deployment for your data protection requirements. It includes CIS certified security baselines, helping MSPs deliver secure, repeatable Intune services as their customer portfolios grow, even without in-depth Intune knowledge. Application packaging partners Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era. To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption Note: These app migration services are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome. Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting. Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT. Additional resources Microsoft 365 Blog: small and medium business content Microsoft 365 Partner on LinkedIn Microsoft Intune Blog: MVP community content
ASR Device Control Printing Restrictions Issue.... (blocking unapproved USB Printers)
Good morning, I have a really odd issue that I can't seem to wrap my head around. I have a test ASR Device Control config setup, I have it set to default deny enforcement, I have 4 reusable settings: 1.) Allowed USB Printers (in here I have 3 entries with vid_pid) 2.) Allowed Corporate Printers (I have corporate, network, and file here) 3.) Allow Removable Storage 4.) Block USB printers (nothing else, I did try a * in VID_PID for kicks and giggles) With default deny if I added just reusable settings 2 and 3 everything works, all USB printers are blocked, corporate printers work, and removable storage works. However, as soon as I add reusable setting #1, it seems to allow ALLL USB printers, it isn't allowing just the VID_PID's I have listed in there, I even tried adding reusable setting #4 to the end (with Deny), same result... I can't understand why adding an allow for a reusable setting with explicit VID_PID's entered, it is allowing all USB printers... Any help would be greatly appreciate! Thanks, -CoreyEntra Shared Device Mode Remote Control
Hi All I hope you are well. Anyway, does anyone have any experience of a decent remote control solution for Android based Entra Shared Mode devices? Preferably with the "LEAST" Android permissions to set / and or an App Config that can suppress Android permissions. SK
How to configure Intune to not allow remote wiping of personal devices
I’m a journalist seeking to do a story around best practices for configuring Intune, in the wake of last week’s destructive attack against Michigan-based medical device maker Stryker. It looks like attackers gained admin-level access to Intune and used it to wipe employees’ personal devices that were enrolled in Intune. I was speaking with someone who has recent Intune administration experience, and his take is that like other UEM/BYOD/endpoint management tools, none of this software should be configured with the ability to fully wipe a personal device. Instead, it should be only placing sandboxed apps or directories onto a device. Only this sandboxed stuff should be remotely nuke-able. His supposition is that if personal data can be wiped, then either the Intune admins set it up incorrectly, or their documentation for employees who self-configure didn’t specify how to add their device but not give Intune full wiping capabilities. My questions: 1) Is it possible to configure Intune so that it doesn’t have overly broad permission to wipe an entire, personally owned device? 2) How exactly would one do that (on either Android or iOS)? There’s lots of “ditch Intune” chatter on Reddit now, supposedly tied to CISOs/executives reacting to the Stryker attack. So I’m seeking clarity around whether the tool can be configured to not remotely wipe personal data, even if other defenses that should be in place (such as requiring multiple admins’ approval before wiping devices, setting alerts if more than a few devices get remotely wiped at once, and so on) aren’t there.Issue with creating an issuing CA in Cloud PKI
I have activated an trial license for Cloud PKI a couple of days ago. I follow this guide to create a Root and Issuing CA https://oliverkieselbach.com/2024/03/04/how-to-configure-cloud-pki-certificate-based-wifi-with-intune/ I could create a root certificate successfully, but when i want create an issuing certificate i'm getting this error 'CA failed to be created' I have waited to a couple of hours to try it again but still no luck. What can cause this issue and how to solve this?MECM OSD TS Application Installations fail randomly to download content.
We are experiencing a persistent and well-documented issue with MECM OSD Task Sequences where Applications randomly fail to install after the MECM client has been installed. This behavior seems to affect many environments and has been an ongoing problem for years, yet a definitive solution remains elusive. In our case, we have over 30 Applications included in the OSD Task Sequence. Despite implementing all commonly recommended mitigations—such as inserting an additional restart after the MECM client installation and including a two-minute delay before the Application install task group begins—we still encounter random failures. The issue is not limited to any specific Application; it can be any one of the 30+ Apps, and the failure to download appears to occur entirely at random. Occasionally, most of the Applications install successfully, and only one will fail, which subsequently causes the entire Task Sequence to fail with the same error. Importantly, all of these Applications install without any issues post-OSD, further confirming that the problem lies not with the Applications themselves but with the process during the Task Sequence. The randomness of which App fails also suggests an underlying process, feature, or timing issue—not an App configuration problem. We have thoroughly validated all related infrastructure settings: Boundaries and boundary groups have been triple-checked. No boundary is assigned to multiple groups. Site system assignments are correct. We are using PKI certificates and HTTPS, and the client authentication certificate is present on the device at the time of failure. The issue has been replicated across both Windows 10 and Windows 11, ruling out any specific cumulative updates or OS version anomalies. No additional language packs are being installed—only language fallback is applied via the "Apply Windows Settings" step. One suspicious observation is the lack of any reference to our local Distribution Point in the LocationServices or CAS logs during failure events. Initially, this pointed to a possible boundary misconfiguration, but after multiple checks, no issues have been identified. Unfortunately, we are unable to use the common workaround of converting Applications to Packages, due to internal policies and deployment requirements. Therefore, we need to resolve this while continuing to use Applications in the Task Sequence. Given the number of years this issue has persisted across customer environments, it's surprising there isn’t more formal guidance or documentation available to help isolate the root cause. If anyone has encountered a similar scenario or has any advanced troubleshooting tips, we would greatly appreciate your insight.How to exclude specific machines from Intune compliance policy?
Hi, I need a few virtual machines to be excluded from the Intune compliance policy, I thought that the following setup would be sufficient to accomplish this and be able to access corporate data without the need to make these virtual machines compliant (they all have fixed IPs): Unfortunately this isn't working and I'm wondering how could I exclude this machines from enrolment. Thank you, Ion
Intune does not sync Owner/Compliant state to Entra (iOS)
Dear All, We have the following problem in our environment. Initial situation Company Owned iOS Devices are joined / autoenrollt with Apple Business Manager into our Intune MDM and are fully managed. The devices have all configuration and compliance policies applied. The devices have an primary user and are compliant. During the enrollment the Entra device has been successful created. Problem The Entra device has no owner, no compliant state, no "MDM" value. Thereforce our conditional access policies which refer to the "Compliant"-state are not applied. Analysis Created a Microsoft case. We checked several things: - Intune seems correct configured - Compliance Policies are applied in Intune (as mentioned above) - irrelevant, when device has been enrolled or what models they are Microsoft support confirmed that they received similar feedbacks from other customers. It is indicated as "known issue" Workaround We found out, that when an end user opens the "Company Portal" app on the device and syncs, all Entra device attributes are updated. Then the owner, compliance state, MDM state, etc. is updated and now valid. But this seems to be not the correct behaviour. As far as I understood the Microsoft documentation, it should not require this step (Intune should sync the status to Entra in the backgroud, from service to service) Our objective should be, that it is not necessary to start Company portal. All entra devices should always have the current values from Intune synced. Thanks for your help, ChrisCompany portal says rooted device but it's not - Android
Hi everyone, We came across a situation where one of our Android user is not able to access Outlook and Teams due to rooted device. We configured only App protection (MAM) policy in Intune and blocked access from Jailbroken/rooted devices. Only the MAM policy as been applied on the device and the device is not enrolled with Intune. So far, we have followed below troubleshooting, Rejoined the device again, however after sometime, the error will be appeared again. Check whether the device is rooted or not (Go to Settings > About phone > Status Information > Phone Status). Phone status says official. I believe this means not a rooted device. Below is the error message from the company portal Device Status in Azure AD (Not enroll with Intune) I would appreciate if anyone can help me whether I have anything else try out before I create a support case with Microsoft. Thanks, Dilan
We’re running into an Intune issue where a Win32 app with a dependency sits at "Download Pending"
Setup: Main App: Installs in User Context Dependency: Installs in System Context Dependency Detection: Hosts file modification detection script Direct file detection does NOT work either When the hosts file modification is present (detection is met), detection works, and everything installs fine manually The Problem: If detection passes (exit 0) → Everything installs fine. If detection fails (exit 1) → Intune never moves forward, just stays at "Download Pending" indefinitely. Happens with both file-based detection and script-based detection. Dependency app as well at parent app install fine via Intune on their own as well as manual testing. What We Need to Know: Does Intune get stuck in "Download Pending" instead of moving forward when dependency detection fails? Could the install context mismatch (dependency in SYSTEM, main app in USER) be causing this? Myth or fact? Does Intune break the install process if a dependency app is in system context and the parent app is in user context? Again, both apps work fine independent of each other. Thanks for any help!
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: https://www.androidenterprise.community/t5/admin-discussions/android-15-cannot-set-default-password-app/m-p/8827#M2105 Thanks, TomIntune Graph API deviceStatuses missing device shown in portal
Hello, I am retrieving device status for an Intune configuration profile using Microsoft Graph API. API request: GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{policyId}/deviceStatuses Issue: In the Intune portal, a device shows Success status for the configuration profile under: Devices → Configuration profiles → Device status However, when retrieving the same data using the Graph API endpoint above, that device does not appear in the API response. Observations: In the Intune portal, the policy shows one device with Success status. But the Graph API response returns different devices and does not include the device visible in the portal. Example response (sanitized): deviceDisplayName: Device-A status: unknown deviceDisplayName: Device-B status: unknown Questions: Why would a device appear in the Intune portal device status but not in the Graph API deviceStatuses response? Is there a delay in data synchronization between the Intune portal and Graph API? Is there another Graph endpoint recommended for retrieving all device configuration status results? Additional details: Graph API version: beta Permission used: DeviceManagementConfiguration.Read.All Tested using Graph Explorer Any insights would be appreciated.
Issue with Android iOS Wi-Fi authentication using certificates EAP-TLS with NPS
I am trying to configure Wi-Fi authentication for Android and iOS devices using certificates (EAP-TLS). I followed the guide below Support Tip - How to configure NDES for SCEP certificate deployments in Intune | Microsoft Community Hub, and I am able to successfully deploy certificates to the devices. The certificates are installed correctly on the final devices, so the distribution part seems to be working fine. However, the devices are not able to authenticate to the Wi-Fi network. The connection fails during authentication, and from what I can see the issue seems to be related to NPS. My doubt is specifically about the NPS configuration. In the guide, user or computer groups are usually added in the network policy conditions, but in my scenario I cannot rely on adding users or groups, since authentication should be based only on the certificate. I am unsure how to correctly configure NPS to accept these devices using certificate-based authentication without assigning them to a security group. Has anyone already faced this situation or can explain how NPS should be configured in this case? Any guidance or example configuration would be greatly appreciated. Thank you in advance.Edge for Android Smartscreen
Hi All I hope you are well. Anyway, is it possible to configure Edge for Android Smartscreen to: Prevent end user bypass Block potential risky downloads I can see various methods and guides pointing to Edge App Configuration policies but just cannot seem to get the this to work on Android Enterprise Fully Managed devices. Any help would be great. SKErweiterungsmanagement im Browser
We would like to distribute browser extensions in Edge via Intune in a granular manner. The problem is that assigning two profiles with different extensions leads to a conflict. We would like to be able to assign extensions individually and assign multiple different profiles with different browser extensions to a user. With the current options, it becomes very complex and error-prone when there are multiple extensions with different user groups. Or have I overlooked a possibility?Block Local Logon to enrolling user of an Intune Managed Device
Has anyone successfully managed to deploy a security baseline template or Configuration profile or proactive remediation script that can successfully block any AAD user from being able to logon to an Intune managed device, other than the user who enrolled the device? I have a use case of an industutrial type device where we use a secure shared logon credential who is also the enrolling user, and i want to prevent anyone with an account loggin goff the primary user account and loggingin with their own personal account. The issue i seems to face now is the policy is not able to evaluate the AAD group where i assign the user account/accounts allowed to logon, and i subsequently end up blocking all local logons. ThanksHow to create a dependency using Graph API in PowerShell
hi, I used following documentations to create a dependency via Graph API in Powershell: https://learn.microsoft.com/en-us/graph/api/intune-apps-mobileappdependency-list?view=graph-rest-beta https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.devices.corporatemanagement/new-mgbetadeviceappmanagementmobileapprelationship?view=graph-powershell-beta Both ways give me the same error: New-MgBetaDeviceAppMgtMobileAppRelationship : No OData route exists that match template ~/singleton/navigation with http verb POST for request /AppLifecycle_2602/StatelessAppMetadataFEService/deviceAppManagement/mobileAppRelationships. Status: 400 (BadRequest) ErrorCode: No method match route template Seems like these Endpoints do not support POST/PATCH requests at all. Is there any other way to create a dependency using Graph API in PowerShell?
Events
The series that brings you real discussions and proven tips and tricks is back—and live at Microsoft Technical Takeoff! Let's face it. Some configurations, policies, and approaches work better than o...
Online
Recent Blogs
- Managed service providers and enterprises dealing with multiple tenants now have more options for using Intune.Mar 17, 2026
- Microsoft Intune gives IT and security teams a powerful way to manage endpoints at scale - deploying apps, enforcing security baselines, and configuring the settings that keep users productive and yo...Mar 14, 2026
