Recent Discussions
Intune Device Reset Issue After Recent Update
Hi everyone,

We’re currently running into an issue with device reset scenarios in our environment and wanted to check if others are seeing something similar or have identified a reliable workaround.

Environment:
• Windows 11 25H2
• Windows Autopatch enabled
• Devices managed via Intune

Issue:
When initiating any of the following actions from the Intune portal:
• Autopilot Reset
• Fresh Start
• Wipe
…the process consistently fails at around 38–40%.

Observations:
• Event Viewer logs Event ID 4502 during the failure.
• This behavior started after applying a recent update.

Troubleshooting performed:
• We attempted to repair/rebuild the WinRE partition using the WinRE.wim from the latest Windows 11 ISO.
• After this repair, the reset process completes successfully.

However:
• Post-reset, during re-enrollment, the device fails at the Account Setup (ESP) stage.

Support status:
• We had a case opened with Microsoft, but they said that the reset was triggered from Intune and the reset process started on the device, so they cannot check anything further from their end, and they have not received any similar cases and are not aware of any known issue.

Has anyone else encountered:
• Reset failures around 40% with Event ID 4502?
• Issues tied to WinRE after recent updates?
• Enrollment failures post-reset (ESP Account Setup stage)?

If so, have you found:
• A root cause?
• A stable remediation or workaround?

Appreciate any insights or shared experiences. Thanks!

55 Views, 0 likes, 1 Comment

Hybrid to Entra ID WiFi Certificate Authentication NPS via WHfB Cloud Trust & Cloud PKI-Replace ADCS
Hello Team,

We are working on moving our devices from Hybrid Entra ID Joined to Intune Autopilot Entra ID Joined.

Current scenario:
• Hybrid Entra ID Joined devices (joined to both on-prem AD and Entra ID)
• Active Directory with Entra ID Connect for object synchronization
• AD Certificate Services (ADCS) issuing user and device certificates via GPO auto-enrollment
• Group Policies to push Wi-Fi configuration (EAP-TLS using device certificate)
• NPS RADIUS server using EAP-TLS ("Smart Card or Other Certificate") for secure 802.1X authentication
• On-prem SSO enabled through standard Kerberos authentication

Now, I am testing Autopilot Win11 Entra ID Joined with WHfB using Cloud Trust to SSO to on-prem resources. Autopilot is working; however, the Wi-Fi is not working, as the Autopilot device doesn't have any certificate from the on-prem ADCS. What is the best practice to try to be as much cloud as possible and begin to decommission on-prem services?

I have 2 options to push the user and computer certificate to the Autopilot device:

Option 1: Intune Certificate Connector that will bridge on-prem ADCS and Intune; in Intune, a PKCS profile to install the certificate to the Autopilot device.

Option 2: Intune Cloud PKI and a PKCS configuration profile to install the certificate to the Autopilot device. On-prem, install the root CA from the Intune Cloud PKI. https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-cloud-pki-deployment

For the on-prem SSO I will continue using Cloud Trust.

Component | Target
Device Identity | Autopilot + Entra ID Joined only (no domain join)
User Sign-In | Windows Hello for Business (WHfB) with Cloud Kerberos Trust
Certificate Issuance | Replace ADCS/GPO with Microsoft Cloud PKI and Intune PKCS
Wi-Fi Authentication | Retain existing NPS RADIUS using EAP-TLS, but trust both ADCS and Cloud PKI root CAs
On-prem SSO | Enabled by AzureADKerberos on domain controllers
Hybrid Devices | Continue current operation during the transition — no immediate impact

The 2 network environments need to coexist: the on-prem and the cloud.

Device Type | Certificate Issuer | Wi-Fi Auth | SSO
Hybrid AD-joined | ADCS via GPO | EAP-TLS (device cert) | Native Kerberos
Autopilot Entra ID Joined | Cloud PKI via Intune | EAP-TLS (device cert) | WHfB + Cloud Trust (AzureADKerberos)

How the New Wi-Fi Auth Works:

Autopilot devices receive:
• A device certificate from Cloud PKI via Intune
• A Wi-Fi profile using EAP-TLS authentication

NPS RADIUS server:
• Validates the device cert
• Issues access to Wi-Fi

WHfB Cloud Trust provides a Kerberos ticket from AzureADKerberos, enabling seamless access to file shares, print servers, etc.

This allows Autopilot Entra ID Joined devices to:
• Connect to Wi-Fi without GPO
• Access on-prem resources without passwords

High-Level Implementation Steps
1. Deploy Microsoft Cloud PKI in Intune
2. Configure PKCS profiles for user and device certificates
3. Deploy WHfB Cloud Trust via Intune + Entra ID (no AD join needed)
4. Configure AzureADKerberos on domain controllers
5. Install Cloud PKI Root CA in NPS server trust store
6. Update NPS policy to accept certificates from both ADCS and Cloud PKI
7. Deploy Wi-Fi profiles to Autopilot devices via Intune (EAP-TLS using device cert)

Based on it, what is the best practice to move the device to the cloud as much as possible?

1.1K Views, 0 likes, 4 Comments

SSID connection using intune pushed profile kept prompting manual login
Hi, has anyone encountered an issue where users connecting to an SSID with 802.1X authentication using an Intune-pushed Wi-Fi profile (with credential caching enabled) are still being prompted to enter their credentials manually? However, it works fine when the network connection protocol is configured manually. Thank you.

6 Views, 0 likes, 0 Comments

Autopilot Pre Provisioning Stuck at Device Setup
Hello Everyone,

I was trying to use Autopilot Pre-provisioning for Windows 10 devices that we would like to set up before we deliver them to our end users.

We were getting the correct Intune Autopilot profile. Once we click on Pre-provisioning, Device Preparation completed in 2 minutes, then Device Setup never completed and was stuck on Identifying for 60 minutes, as my ESP setting is set to 60 minutes. I am getting that red screen mentioning that provisioning cannot be completed. However, that device is visible in the Endpoint portal with the correct name template as per the Autopilot profile.

Not sure why it is getting stuck at Device Setup. Unable to identify Apps, Configuration profile, network.

Your advice on this issue would be really appreciated. I have tried it on an OOBE device and an existing device that met all the prerequisites.

102K Views, 1 like, 34 Comments

Hybrid Azure AD joined device not enrolling into Intune
Issue
A Windows device successfully registers in Entra ID (Hybrid Azure AD join) but never enrolls into Intune.

Result:
• Device appears in Entra ID
• Device does not appear in Intune
• Intune Management Extension is not installed
• Device remains SCCM‑only (co‑management never starts)

Log (CoManagementHandler.log):
EnrollmentUrl = (null)
Device is not MDM enrolled yet. All workloads are managed by SCCM.

Environment
• Windows 10/11
• Hybrid Azure AD Join
• On‑prem AD + MECM (Cloud Attach / Co‑management enabled)
• Microsoft 365 E3 (Intune license assigned)
• Device on corporate trusted network

What I’ve done
• Verified Azure AD join and MDM URL
• Confirmed MDM user scope = All
• Verified Intune enrollment restrictions allow Windows
• Verified user has Intune license
• Identified Conditional Access policy targeting “Register or join devices”
• Updated that CA policy to Exclude → Microsoft Intune Enrollment
• Waited for replication and retried enrollment (deviceenroller.exe /c /AutoEnrollMDM)

Question
Despite excluding Microsoft Intune Enrollment, the device still does not enroll into Intune.

19 Views, 0 likes, 0 Comments

App Protection: Custom app vs Partner app
Is there any functional difference in using an app protection policy to manage a public partner app versus a custom application? We have an app vendor that says they wrapped their app with the SDK but it is not on the partner list so we cannot pick it from the public app list. Which leaves us with the custom app option. Is the functionality the same? Will it show up on the app protection report, work with conditional access policies, other Microsoft solutions, etc.?

Thank you - Jessie

8 Views, 0 likes, 0 Comments

Windows Autopilot Hybrid Join failing with OOBE error 80004005
Hello everyone,

We’re facing a consistent issue with Windows Autopilot user‑driven Microsoft Entra hybrid join where devices are provisioned using a Hybrid Join Autopilot profile, but Hybrid Join does not complete.

Setup (High level)
• Windows Autopilot (user‑driven)
• Autopilot profile: Microsoft Entra hybrid joined
• Only one Autopilot profile
• Domain Join profile configured (domain + OU)
• Entra Connect: Hybrid Join + device writeback enabled
• Intune Connector for Active Directory installed and healthy
• MDM auto‑enrollment enabled

Issue
During Autopilot OOBE, the device frequently shows:
“Something went wrong”
Error code: 80004005
Despite this, Autopilot continues and completes.

Resulting Device State
After provisioning:
• Device appears in Entra ID as Microsoft Entra joined (not Hybrid)
• Device is enrolled into Intune and shows compliant
• Device‑scoped Intune MDM policies do not apply
• dsregcmd confirms Hybrid Join never completed

Understanding So Far
From correlating the OOBE error, dsregcmd output, and final device state:
• Hybrid Join starts but fails mid‑process
• Windows does not roll back provisioning
• Device falls back to Entra ID Join
• Join type is finalized for that run
• Resetting without fixing the root cause repeats the behavior
This explains why devices look healthy but are not Hybrid Joined and why device‑based policies don’t reflect.

Questions
• Is 80004005 during Autopilot OOBE a known indicator of Hybrid Join / Offline Domain Join failure?
• Is fallback from Hybrid Join → Entra ID Join expected when Hybrid Join prerequisites fail?
• Once a device ends up Entra joined, is wipe + reprovision the only supported recovery after fixing the root cause?
• Public Wi‑Fi / offsite scenario: Has anyone successfully completed Hybrid Autopilot using pre‑logon VPN / device tunnel (Always On VPN, GlobalProtect, AnyConnect, etc.) to provide DC line‑of‑sight?
• Which logs are most useful to confirm the exact failure point (ODJ, dsreg, Intune Connector, ESP)?

Thanks in advance for any insights or field experience.

196 Views, 0 likes, 4 Comments

Company Portal Profile installation failed on iPhone - Status code 400
Hello,

I've been managing mobile devices through Intune for almost a year. Most of our devices are iOS - I add the phone to the Apple Business Manager - wait for it to appear in Intune - then install Company Portal, and log my user in. This pushed out software etc. to the phone.

I successfully set one up on Thursday. Today I'm trying to set a new one up and I can't get the Company Portal profile to install. I get a long error, ending in Status Code 400. This error happens often, but usually if I try again, it works. Recently I thought I had discovered the issue, and have started ensuring the iPhones are updated before installing Company Portal. But nothing works with this phone. Any suggestions?

Thanks in advance!
Amber

75 Views, 0 likes, 1 Comment

Webinar Cancellation
Hi everyone,

The webinar “Re‑Envisioned: The New Single Device Experience in the Intune Admin Console,” originally scheduled for April 7 at 9:00 AM Pacific Time, has been cancelled at this time. We plan to reschedule the session, and when a new date is confirmed, it will be shared at http://aka.ms/securitycommunity

We sincerely apologize for the inconvenience and appreciate your continued engagement with the Microsoft Security Community.

613 Views, 2 likes, 1 Comment

Can We Set a Default Font for Office Apps via Intune?
Hello everyone,

I would like to know if it’s possible to configure a default font for Word, Excel, PowerPoint, and OneNote using Microsoft Intune. Has anyone implemented this, and if so, what’s the recommended approach?

Thanks in advance for your insights!

96 Views, 0 likes, 2 Comments

How to configure Intune to not allow remote wiping of personal devices
I’m a journalist seeking to do a story around best practices for configuring Intune, in the wake of last week’s destructive attack against Michigan-based medical device maker Stryker. It looks like attackers gained admin-level access to Intune and used it to wipe employees’ personal devices that were enrolled in Intune.

I was speaking with someone who has recent Intune administration experience, and his take is that like other UEM/BYOD/endpoint management tools, none of this software should be configured with the ability to fully wipe a personal device. Instead, it should be only placing sandboxed apps or directories onto a device. Only this sandboxed stuff should be remotely nuke-able. His supposition is that if personal data can be wiped, then either the Intune admins set it up incorrectly, or their documentation for employees who self-configure didn’t specify how to add their device but not give Intune full wiping capabilities.

My questions:
1) Is it possible to configure Intune so that it doesn’t have overly broad permission to wipe an entire, personally owned device?
2) How exactly would one do that (on either Android or iOS)?

There’s lots of “ditch Intune” chatter on Reddit now, supposedly tied to CISOs/executives reacting to the Stryker attack. So I’m seeking clarity around whether the tool can be configured to not remotely wipe personal data, even if other defenses that should be in place (such as requiring multiple admins’ approval before wiping devices, setting alerts if more than a few devices get remotely wiped at once, and so on) aren’t there.

Solved, 253 Views, 0 likes, 3 Comments

Windows Hello - optional
Hello community,

I'm trying to set Windows Hello as optional (not forced) for users in our org. Currently we have a security group for people who asked for Windows Hello to be enabled for them. All devices are Windows 11, fully managed by Intune. The current Windows Hello solution is provided by an Intune policy - identity protection - "Configure Windows Hello for Business". It works, but as mentioned I would like to make it optional for everyone in our org so users can decide whether to use it or not. Is it possible?

232 Views, 1 like, 5 Comments

Microsoft #IntuneForMSPs resource guide
Welcome to your home for all things #IntuneForMSPs! Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business by combining productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 with the multi-tenant management capabilities of you, our partners.

Navigate to: Guidance and tutorials | Marketing and business development | Multi-tenant management partners | Application packaging partners | Additional resources

#IntuneForMSPs community meetups
Gain valuable insights from first-hand experiences with configuring and managing customer tenants.

Up next:
• From box to business‑ready with Windows Autopilot - April 21, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC
• #IntuneForMSPs Community Meetup: May edition - May 19, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC
• #IntuneForMSPs Community Meetup: June edition - June 16, 2026 - 8:00 a.m. PT | 3:00 p.m. UTC

On demand:
• Advanced automation and PowerShell for Intune
• Planning your customers' Intune migration
• Getting started with Microsoft #IntuneForMSPs

Guidance and tutorials

Microsoft 365 Business Premium deployment best practices
• Identity and access controls (14.81 MB)
• Device enrollment (15.92 MB)
• Email and app protection (38.84 MB)
• Device security (17.89 MB)
• Data security (36.49 MB)

Videos and demos
• ▶️ Achieve greater security and productivity with Microsoft Intune and Microsoft 365
• 🖱️ Microsoft Intune guided demos - Learn how to configure app protection policies and Conditional Access, update Windows from the cloud, manage corporate devices, deploy and manage line of business (LOB) apps, enable Universal Print, protect corporate resources on personal-owned devices, utilize Windows Autopilot for new device delivery, and reduce update bandwidth consumption.
Marketing and business development

Step 1: Join Microsoft Partner programs
• AI Business Solutions for Partners
• Microsoft Security Partners

Step 2: Join the Partner Skilling Hub
• Go to the Microsoft Partner Skilling Hub and create your free account.
• Select solution areas of interest. (Hint: Intune content: AI Business Solutions, Security)
• Explore these recommended modules:
  • Implement with impact: Endpoint management with Microsoft Intune
  • Implement with impact: Implement identity and access management with Microsoft Entra

Step 3: Download turnkey campaign assets
• "Protect my devices" campaign-in-a-box (119.20 MB)

Multi-tenant management partners

Microsoft Intune is proud to collaborate with leading global providers of multi-tenant Intune management solutions. These companies are building innovative capabilities on top of Microsoft Intune, Microsoft Security solutions, and the broader Microsoft 365 platform. Their companion solutions empower you to:
• Centrally view and manage all customer tenants and action items through a unified partner dashboard.
• Take action across environments, leveraging Intune for device management, cloud security, and compliance.
• Standardize security settings, automate onboarding, and ensure policy consistency at scale-no more repetitive, manual tasks or risky policy drift.

Want an introduction to multi-tenant management? ▶️ Watch this video from Jonathan Edwards.

AvePoint is the global leader in data protection, unifying data security, governance, and resilience to provide a trusted foundation for AI. More than 28,000 customers rely on the AvePoint Confidence Platform to secure, govern, and rapidly recover data across multi‑cloud environments. Through AvePoint Confidence Platform: Elements Edition, AvePoint extends Microsoft Intune with secured multi‑tenant automation, lifecycle management, and centralized visibility—enabling partners to scale Intune delivery profitably and consistently across customers.
With a single platform for governance, lifecycle control, and recovery, partners reduce operational overhead, prevent sprawl, and accelerate Copilot readiness. AvePoint supports a global partner ecosystem of 6,000 MSPs, VARs, and SIs, with solutions available in over 100 cloud marketplaces.

CyberDrain CIPP provides MSPs with a centralized, multi-tenant management platform for Microsoft 365. It enables partners to securely manage tenants at scale, automate common administrative tasks, enforce standards across environments, and gain deep visibility into tenant security and configuration. With built-in automation, governance controls, and extensibility, CIPP reduces reliance on custom scripts and manual processes. MSPs can standardize operations, streamline user and tenant management, monitor security posture, and respond quickly to issues across all customers from a single interface. CIPP is supported by one of the largest and most active MSP communities in the Microsoft ecosystem, with thousands of partners contributing feedback, automation ideas, and best practices. As one of the most widely adopted platforms for Microsoft 365 multi-tenant management, CyberDrain CIPP continues to evolve rapidly to meet the needs of modern MSPs.

inforcer empowers MSPs to standardize Microsoft 365 and Intune policies across all tenants, automate environment configuration, monitor compliance in real time, and reduce risk through policy drift detection. Its reporting and automation features free teams from manual, error-prone scripting and help deliver consistent, secure customer experiences, setting MSPs up to deliver advanced AI services to their customers.

Nerdio brings deep automation and analytics to Intune, Windows 365, Azure Virtual Desktop, and the broader Microsoft cloud. MSPs benefit from multi-tenant dashboards, global policy insights, role-based access, centralized app deployment, and automatic policy versioning with rollback and drift correction.
Nerdio’s tooling is designed specifically for MSPs and scales from small teams to large enterprise portfolios.

SoftwareCentral Tenant Manager helps MSPs run Microsoft Intune across multiple customer tenants with consistency and control. MSP teams can standardize policies, manage applications and devices across environments, monitor configuration drift, and maintain visibility into changes across tenants from a single platform. The platform runs entirely on Microsoft Azure with region-selectable deployment for your data protection requirements. It includes CIS certified security baselines, helping MSPs deliver secure, repeatable Intune services as their customer portfolios grow, even without in-depth Intune knowledge.

Application packaging partners

Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era.

To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune.
These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption.

Note: These app migration services are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome.

Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting.

Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT.

Additional resources
• Microsoft 365 Blog: small and medium business content
• Microsoft 365 Partner on LinkedIn
• Microsoft Intune Blog: MVP community content

9.3K Views, 5 likes, 3 Comments

IOS - Embedded Webkit - Not Reporting Correct Device info
It appears that with the latest iOS versions (26.3.1 through 26.4), applications that rely on an embedded WebKit for sign-in are no longer reporting accurate device details within Device Info.

Users have company-issued phones that are successfully enrolled in Intune, but when they attempt to sign in to Apple Mail, Conditional Access is denying the login. After reviewing the logs, iOS is reporting the OS version as 18.7.0 to Intune, even though the device is actually running iOS 26.4. Additionally, the device information is coming through as blank, so attributes are not being evaluated. When looking at other logins via the Outlook app on that device it all appears normal and works.

Has anyone else observed this behavior where WebKit is sending incorrect data to Intune? Does anyone know of a workaround other than relaxing Conditional Access policies?

458 Views, 1 like, 4 Comments

Intune iOS User-Based App Targeting
I’ve noticed an issue with user-based targeting and was wondering if this is an issue, or I'm just using it wrong. Let's say I want an iOS app to be deployed out to a user group, but only to company owned devices of those users. I set the assignment for required user group and assign an Include filter for corporate owned devices. If this app is also Available for All Users, then the app deploys out to all devices from the required user group, even their personal devices. It basically forgets there is a filter for the required user group assignment. Any way around this? It feels like a glitch in how Intune deploys apps.

33 Views, 0 likes, 0 Comments

Intune MAM - Questions about Company Data Removal
Hey all, we're looking to deploy Intune MAM for an organization. The organization only has BYOD devices (users have their own personal phones and company-provided phones are NOT an option.) Our end goal is the ability to wipe company data from a phone once a user has been offboarded (Outlook, Teams, etc.). To reduce friction, we identified that MAM may be the policy to allow for company data removal with little to no friction.

Upon doing some reading, we came across a source that said that if a user uninstalls the broker agent (Intune Company for Android and Microsoft Authenticator for iOS), that an App Selective Wipe will NOT complete, especially if the user uninstalls the app BEFORE the wipe or DURING the pending wipe. Has this been the case for anyone else and do you have suggestions as how we can get to our end goal?

85 Views, 0 likes, 3 Comments

- 42 Views, 0 likes, 1 Comment
Intune – Unable to reliably validate application installation status via Microsoft Graph APIs
Hi Everyone,

I am working on application deployment and validation using Microsoft Intune, and I am trying to implement an automated validation step to confirm whether applications are successfully installed.

My primary requirement
• Verify application installation status
• Confirm per‑device installation status
• Validate installation for specific Intune‑managed devices
• Use Graph APIs as part of an automation workflow

APIs tested so far

1️⃣ App installation status per device (NOT working / not usable)
I initially tried using the documented API:
HTTP GET https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses
Issue:
• This API is not working for us
• It either returns no data or behaves as if it is not a valid / usable endpoint
• It does not return reliable installation status
• Hence, we cannot use this API for validation in automation
At this point, deviceStatuses is not usable as a primary source of truth in our environment.

2️⃣ Detected Apps (secondary confirmation only)
We are also using the Detected Apps API:
HTTP GET /deviceManagement/managedDevices/{deviceId}/detectedApps
This does work, however:
• It only confirms app presence
• It does not confirm Intune assignment or installation intent
• We are using it strictly as a secondary confirmation, not a primary validation method

3️⃣ Intune internal API observed via browser inspection
We also tested the API that appears to be used internally by the Intune portal:
HTTP GET https://graph.microsoft.com/beta/users/{user-id}/mobileAppIntentAndStates/{device-id}
Observations:
• The API returns data
• However, installState frequently shows unknown
• The Intune portal shows a different and final status (Installed / Failed / Pending)
• This makes the API unreliable for automation
• It appears to be troubleshooting‑oriented, not intended for reporting or validation

Questions I am looking for guidance on
• Is deviceStatuses known to be unreliable, tenant‑dependent, or effectively unsupported?
• What is the recommended API to retrieve actual app installation status per device?
• Are there any v1.0 APIs available for:
  • Device‑level app installation status?
  • User‑level app installation validation?
• What is Microsoft’s recommended best practice to validate Intune‑installed applications via automation?
• Is there official documentation that clearly explains:
  • Which API should be used for reporting vs troubleshooting
  • Expected delays or data inconsistencies between Graph APIs and the Intune portal

Goal
The goal is to build a reliable and supported automation‑based validation mechanism to confirm that Intune‑deployed applications are successfully installed on target devices.

Any official guidance, confirmation of known limitations, or alternative approaches would be very helpful. Thanks in advance for your support.

61 Views, 0 likes, 1 Comment

Apple business manager deployment - receiving pop-up about apple account
Hello Intune forum,

I recently set up Apple Business Manager in our environment to work with Intune. I've created the enrollment profile, set up the VPP token, etc. But now, a few of our users, myself included, are getting a pop-up on our phones stating: "this apple account cannot make purchases". I made sure only the VPP apps are being pushed to the company phones and not the apps from the store. Anyone else have this issue?

527 Views, 2 likes, 3 Comments

Microsoft Managed Home Screen: Unwanted Samsung One UI 8.0 Elements Appearing
Hello Tech Community,

Our organization is currently deploying a configuration in Microsoft Intune using a Corporate-owned dedicated device enrollment profile. We’ve applied a device restriction policy to configure Samsung tablets in Multi-app Kiosk mode, with Managed Home Screen set as the launcher. Instead of using an app configuration policy, Managed Home Screen is configured through the device restrictions policy.

We’ve left the device navigation options unconfigured, which should hide the following UI elements:
• Android Overview button
• Android Home button
• Android App drawer

Once all policies and required apps are installed, Managed Home Screen successfully acts as the launcher for end-users to sign in. Overall, this works well; however, we’ve encountered an intermittent issue: After multiple lock/unlock cycles, the navigation bar sometimes reappears, showing the Overview, Home, and App Drawer buttons. This allows users to access background apps that are not exposed through Managed Home Screen, which defeats the kiosk experience.

Device details:
• Samsung Galaxy Tab S10 FE
• Android 16, One UI 8.0
• Managed Home Screen version: 2.2.0.107721

Has anyone experienced this behavior or have recommendations to prevent these UI elements from reappearing? I’ll gladly provide additional details about our configuration if needed. Thank you!

363 Views, 6 likes, 2 Comments
Events
Join us for the April #IntuneForMSPs community meetup featuring Microsoft MVP Steve Weiner. Steve will share practical, MSP-focused insights on using Windows Autopilot with Microsoft Intune to stream...
Tuesday, Apr 21, 2026, 08:00 AM PDT, Online
0 likes, 6 Attendees, 0 Comments
Recent Blogs
- By: Janusz Gal – Sr Product Manager | Microsoft Intune Azure Log Analytics gives Intune admins a flexible way to create custom reports from diagnostic data, especially when you need longer history ...
  Apr 07, 2026, 866 Views, 0 likes, 0 Comments
- Microsoft Intune now supports the Android XR platform, including management of the Samsung Galaxy XR headset, built on Android XR platform.
  Apr 07, 2026, 1.5K Views, 1 like, 1 Comment