rss.livelink.threads-in-node

Our MacOS Platform SSO deployment

MikeGriz — Thu, 18 Jun 2026 19:23:08 GMT

Naveen Kumar Akkugari wrote up a blog post on how we deployed an early version of the Platform SSO for MacOS devices. We decided to try something a little different in the blog-o-sphere so it was posted up at Deploying Platform SSO for pre macOS 26 with Microsoft Intune: Lessons Learned | Microsoft Community Hub instead of here. Go take a read and see if it is interesting to you.

Deploying Platform SSO for pre macOS 26 with Microsoft Intune: Lessons Learned

MikeGriz — Thu, 18 Jun 2026 17:30:00 GMT

By: Naveen Akkugari, Sr. Service Engineer and Michael Griswold, Principal Service Engineering Manager | Microsoft Intune

Who we are

Our internal Intune administration team at Microsoft is responsible for running Intune and Configuration Manager for the devices used by employees. We receive early access to features for evaluation and feedback using real world usage scenarios. As such, some features may be changed before the public release and be slightly different. The experience should be similar and we wanted to share our learnings when deploying platform single sign-on (PSSO). It is worth noting that since the time of this experience a new method for newer OS versions is available and you can read more about it at: New Platform SSO with registration during Automated Device Enrollment on macOS | Microsoft Community Hub.

Why we implemented Platform single sign-on (PSSO) and what we learned

As IT admins managing a growing Mac fleet, we kept running into the same gap. Our Windows devices had hardware-backed authentication, token protection, and seamless SSO through Windows Hello for Business, but our Macs were still relying on browser-based prompts with no easy way to enforce the same level of security and identity protection. Platform SSO finally closed that gap for us. It’s worth noting that new macOS allows new capabilities in this space and we are evaluating them as well. The new flow can be read about at https://aka.ms/Intune/MacPSSO-Setup.

While there were fewer pip-ups, we found the changes in the security layer to be the real value to our operations. Platform SSO binds authentication tokens (Primary Refresh Tokens) to the device’s Secure Enclave hardware. Even if a PRT is intercepted, it’s designed to not be replayed from another device. For our team, this unlocked two things we couldn’t do on macOS before:

Token protection policies: Conditional Access can now verify that tokens are device-bound, the same enforcement we had been relying on with Windows Hello for Business
Phishing-resistant MFA: Secure Enclave keys act as FIDO2 passkeys, so users authenticate with Touch ID instead of passwords or SMS codes

Getting from documentation to production took real effort for us. A password policy issue that silently blocked registration for half our pilot group, users who swiped away the registration banner without knowing what it was, and macOS updates that broke SSO overnight. This blog post is what we wish someone had written before we started.

How it works under the hood: Intune delivers the SSO extension profile → macOS prompts the user to register → the device registers with Microsoft Entra ID and gets a hardware-bound workplace (WPJ) certificate → a PRT is issued and bound to device hardware (not designed to be exported) → SSO works across Microsoft 365 apps, browsers, and Kerberos resources, all with token protection enforced.

Available authentication methods when we implemented

Capability	Secure Enclave	Smart Card	Password Sync
Passwordless and phishing-resistant	✅	✅	❌
Touch ID / passkey (WebAuthn)	✅	❌ Touch ID only	❌
Local password synced with Microsoft Entra	❌	❌	✅
Minimum macOS	13.0	14.0	13.0

Recommendation: Start with Secure Enclave. Keys are hardware-bound, phishing-resistant, and double as FIDO2 passkeys via WebAuthn, enabling browser-based passwordless login (Touch ID instead of passwords) and meeting Conditional Access multi-factor authentication (MFA) requirements. Unlike iCloud-synced passkeys, these are device-bound, aligning with Zero Trust.

Quick setup using the Intune settings catalog

Prerequisites: macOS 13+, Intune with Microsoft Entra ID, Intune Company Portal v5.2404.0+

In the Intune admin center, navigate to Devices > Configuration > Create > macOS > Settings Catalog > Authentication > Extensible SSO

Setting	Value
Extension Identifier	`com.microsoft.CompanyPortalMac.ssoextension`
Team Identifier	`UBF8T346G9`
Type	Redirect
Registration Token	`{{DEVICEREGISTRATION}}`
Use Shared Device Keys	Enabled
Screen Locked Behavior	`DoNotHandle`
URLs	`https://login.microsoftonline.com` `https://login.microsoft.com` `https://sts.windows.net` `https://login-us.microsoftonline.com`

Users see a “Registration required” notification → sign in → complete MFA → SSO works everywhere.

What the user experience looks like

Knowing what users see on their screen helps you write better rollout communications and cuts down help desk tickets.

First-time registration flow:

Profile arrives silently: After enrollment, Intune pushes the SSO extension profile to the Mac. Nothing visible to the user yet.
Registration banner appears: macOS displays a notification: “Registration required: Your organization requires you to register your device.” The user must click this to proceed. (This is our #1 learning point, users swipe it away, and there’s no simple way to retrigger it.)
Sign-in window: The user enters their Microsoft Entra ID email and password.
MFA challenge: Authenticator app push, phone call, or other configured method.
Secure Enclave key creation: macOS generates a hardware-bound key pair. The user may see a Touch ID or local password prompt to authorize this.
Registration completes: Device registers with Microsoft Entra ID, a WPJ certificate and PRT are issued. User sees a success confirmation.
SSO is active: From here, Microsoft 365 apps, Edge (natively), Chrome (with SSO extension), and Kerberos resources authenticate without prompts. Touch ID replaces password entry.

Missed the registration notification? Here is how to manually register:

This was our most common help desk ticket during rollout. If a user dismissed or missed the banner, they can still register manually through the following options:

(Recommended) System Settings → Users & Groups → Network Account Server: This is the easiest method. Go to System Settings → Users & Groups, scroll down to “Network Account Server” and click “Edit.” This opens a panel showing two sections: Network Servers and Platform single sign-on. If the Platform SSO policy is deployed, “Mac SSO Extension” will be listed under Platform single sign-on. If the device isn’t registered, there will be a “Register” button that can be selected to start the Platform SSO device registration flow.
Lock / Sign out and back in: Performing a lock or signing out of macOS followed by signing back in can retrigger the registration notification upon the next login attempt.
Wait for the notification to reappear: macOS retries the notification periodically around every 15 mins.
Last resort, reprofile: If none of the above work, an IT admin can remove and reassign the SSO extension profile in Intune. Before doing so, ensure any stale device objects are cleared from Microsoft Entra ID to avoid conflicts. Once the new profile lands on the device, the registration notification reappears.

How to verify Platform SSO registration

One of the first questions we got after rollout was “how do I know it’s actually working?” Here’s how both users and IT admins can confirm.

For IT admins (Microsoft Entra ID & Intune admin centers):

What to check	Platform SSO registered device	Non-registered device
Microsoft Entra ID → Devices	Join Type shows Microsoft Entra joined	Join Type shows Microsoft Entra registered
Intune → Device configuration	SSO extension profile shows Succeeded	Profile may show Pending, Error, or not assigned

For users (on the Mac):

System Settings → Users & Groups → Network Account Server: Scroll down in Users & Groups to “Network Account Server” and click “Edit.” If the Platform SSO policy is deployed, they will see “Mac SSO Extension” listed under Platform Single Sign-on. A registered device shows a green dot with “Registered” status and a “Repair” button (useful if registration gets into a bad state). If not registered, they will see a “Register” button instead. This is the quickest at-a-glance check for users.
System Settings → Users & Groups: Click on the user account name in Users & Groups (on macOS 14+, click the info button “i” next to the user name). When Platform SSO registration is complete, a “Platform Single Sign-on” section will be listed under the account. If Platform SSO is active, the user account shows the Microsoft Entra ID identity linked to the local account.
Company Portal app → Devices: The device should show as “Compliant” and “Microsoft Entra ID registered.” If registration failed, it shows “Registration required.”
Terminal command: Run app-sso platform -s to check Platform SSO status.

Troubleshooting Platform SSO errors

If you run into issues during deployment, here’s how you can diagnose and fix issues.

Step 1: Check the Platform SSO profile in Intune device management

Before troubleshooting on the Mac itself, confirm the profile reached the device:

In Intune: Go to Devices → select the device → Device configuration. The SSO extension profile should show “Succeeded.” If it shows “Pending” or “Error,” the device hasn’t received the policy. Check assignment groups, sync status, and whether the device is enrolled.

Then on the Mac: Go to System Settings → General → Device Management (or Profiles on older macOS). Look for the SSO extension profile (com.apple.extensiblesso). It should show as “Installed” with no errors. If the profile isn’t listed, it hasn’t been delivered yet. Check Intune assignment and device sync.

Step 2: Check registration status on the Mac

Refer to the previous section “How to verify Platform SSO registration” for steps.

Step 3: Check SSO extension logs

Run in Terminal for real-time logs:

log stream --predicate 'subsystem == "com.apple.AppSSO"' --level debug

Then prompt a sign-in (open Edge or Outlook). Look for:
Error 10002: Duplicate SSO profiles. Remove the extra one from Intune.
Error 10003: Registration failed. Usually a network issue or TLS inspection blocking auth URLs.
User cancelled: User dismissed the registration banner.
Token refresh failed: PRT could not refresh. Check network and whether the Microsoft Entra ID password was recently changed.

Step 4: Verify from the admin side

Check	How	What It Tells You
Profile delivery	Intune > Devices > select device > Device configuration	Whether the SSO profile reached the device and its install status
Registration state	Entra ID > Devices > search device > Properties	Whether the device has PSSO registration and NGC credential
Sign-in failures	Entra ID > Sign-in logs > filter by user	Error codes like `AADSTS50076` MFA required, `AADSTS700024` token issue, or `AADSTS7000218` client assertion
Token protection	Entra ID > Sign-in logs > Conditional Access tab	Whether token protection policy was applied or skipped
Company Portal version	Intune > Apps > macOS > Company Portal	Must be v5.2404.0+ for PSSO; older versions silently fail

Common error codes and fixes:

Error	Cause	Fix
`10002`	Multiple SSO extension profiles assigned	Remove duplicate profiles; keep only the Settings Catalog policy
`10003`	Registration failed network/TLS	Allowlist Apple and Microsoft auth URLs from TLS inspection
`AADSTS50076`	MFA required but not completed	User needs to complete MFA during registration
`AADSTS700024`	Client assertion invalid	Password likely needs reset; have user reset Entra ID password and retry
`AADSTS7000218`	Request body must contain `client_assertion`	Company Portal version too old; update to v5.2404.0+

Best practices

Have newer OS devices and use the new flow: New Platform SSO with registration during Automated Device Enrollment on macOS.
Have users reset their password before Platform SSO registration. During initial enrollment, if password configuration or compliance policies are applied, users are required to reset their password after device enrollment and prior to initiating Platform SSO registration. Skipping this step can result in silent registration failures that are difficult to diagnose. Ensure this is communicated as the first step in your rollout guidance.
Assign the SSO profile during enrollment, not after. Deploying during enrollment means the registration prompt shows up at first login, a natural part of setup. Retrofitting existing devices forces users to notice and click a notification banner. Many will not. macOS Tahoe (26) Simplified Setup will auto-register, removing this friction.
One SSO profile per device, no exceptions. Duplicate profiles cause Error 10002. If you are migrating from a Device Features template to Settings Catalog, remove the old one first.
Pilot with realistic scenarios. Don’t just test “can I open Outlook.” Test registration, SSO to Microsoft 365, on-prem file shares, password change mid-session, reboot behavior, and what happens when a user dismisses the registration banner. We found issues in every one of these.
Align password policies end-to-end. For Password Sync, Intune compliance and Microsoft Entra ID password policies must match: length, complexity, expiration.
Integrate legacy Kerberos properly. If you run a standalone Kerberos SSO extension, set usePlatformSSOTGT = true in its ExtensionData to reuse Platform SSO TGT instead of running duplicate flows. Requires macOS 14.6+ and Company Portal 5.2408.0+.
Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos Resources in Platform SSO.
Allowlist auth URLs from TLS inspection. Apple and Microsoft authentication endpoints must be excluded from proxy/TLS inspection. If they are not, registration fails silently with no error.

Challenges we faced

Challenge	What we experienced	Solution
Password must be reset before registration during the new enrollment	Half our pilot group could not register after the new enrollment as their Entra ID password had not been reset.	Require a password reset before rollout; make this step 1 in user communications
Users dismiss the registration banner	The notification is easy to swipe away. Once dismissed, there is no simple way to retrigger it.	Send screenshots and instructions before rollout; macOS Tahoe auto-registers via Simplified Setup
SSO breaks after macOS updates	After point updates, SSO stopped working until re-registration.	Restart `swcd` process; some cases required full re-registration; check release notes
Password policy mismatch	Users changed Microsoft Entra password, but local Mac password did not sync, causing lockouts.	Match Intune compliance and Microsoft Entra ID password policies exactly; test end-to-end
Browser SSO inconsistency	Edge worked natively, Chrome needed extension, Safari varied by OS.	Deploy Chrome SSO extension via Intune; test Safari on each target OS version

Conclusion

Platform SSO delivers phishing-resistant passwordless authentication, seamless cross-platform SSO, and Conditional Access compliance with hardware-backed identity. Start your implementation with Secure Enclave, deploy via Intune Settings Catalog, pilot small, then scale.

If you have questions on implementing Platform SSO, leave a comment below or reach out to us on X @IntuneSuppTeam.

Join our community! Discuss real-world scenarios, get expert guidance, connect with peers, and influence the future of Microsoft Security products. Learn more at https://aka.ms/JoinIntuneCommunity.

IT experts weigh in: Advanced Intune capabilities coming to Microsoft 365 E3 and E5

Lior_Bela — Thu, 18 Jun 2026 16:00:00 GMT

Back on December 4th, we shared that advanced capabilities from the Microsoft Intune Suite were coming to Microsoft 365 E3 and Microsoft 365 E5. These packaging changes become effective on July 1st, with existing eligible customers expected to receive the capabilities in their tenants by August¹. So you can understand how these capabilities will help your organization, we’ve pulled together a select set of guides and reviews from IT experts who have earned Microsoft “Most Valuable Professionals” (MVP) status. These MVPs from across segments and industries have real-world experience and lots of hands-on time with Intune.

So, whether you're a security admin sizing up Endpoint Privilege Management, an IT pro curious what Advanced Analytics reveals about your fleet, a help desk lead rethinking Remote Help, or someone just getting started with Intune, there's something here for you. This roundup is packed with practical, honest, in-practice perspectives from the people who know these capabilities best.²

The focus now is on the practical details: what each capability does, where it fits, and what to consider before deployment. The MVP resources below help answer those questions with implementation guidance, technical context, and comparisons that can help teams evaluate the right approach for their environment.

Here’s a quick refresher on the Microsoft 365 plan changes related to Microsoft Intune:

Microsoft 365 plan²

Newly included Intune capabilities 

EMS E3  
(Included in Microsoft 365 E3) 

Intune Remote Help  
Intune Advanced Analytics  
Intune Plan 2 

Microsoft 365 E5 

All the above plus

Intune Endpoint Privilege Management  
Microsoft Cloud PKI   
Intune Enterprise App Management 
Microsoft Security Copilot 

One place to manage it all

Customers have been clear that they want to make full use of the capabilities already included in their licenses and manage them from a more centralized platform. They also want to understand the tradeoffs: how consolidation changes day-to-day operations, how these capabilities work with Cloud PCs, and what it means to reduce reliance on multiple vendors, contracts, and support models.

The Microsoft MVP resources below tackle those questions directly such as what's included in your license and how integrated endpoint management plays out in practice.

Microsoft Intune Suite in E3 vs E5: What's Included from July 2026 – Dean Ellerby
Intune Suite: Not an Add-on but a part of your Microsoft 365 Suite – Johan Adreaan (Arno) van Dijk
One Console, Every Endpoint: Why 2026’s Microsoft 365 Update Actually Matters for Your Cloud PCs – Jon Jarvis
Windows 365 x Intune Suite: Looking Beyond the Feature List – Jeroen Burgerhout

Our MVPs have also taken deep dives into the individual capabilities that are coming to E3 and E5 (and are still available to other license holders as an add-on).

Advanced Analytics

Advanced Analytics gives IT teams a clearer view of endpoint health and performance, with capabilities like device query, anomaly detection, and battery health reporting that build on endpoint analytics. For Microsoft 365 E3 and E5 customers, troubleshooting and fleet-wide visibility are now part of the plan. See the official documentation here.

Get Ready for Advanced Analytics in M365 E3 and E5 – Florian Salzmann & Jannik Reinhard
Microsoft Intune Advanced Analytics more than Endpoint Analytics – Sander Rozemuller
Using Intune Suite Advanced Analytics to Solve Issues Faster – Panu Saukko
Intune Advanced Analytics: How It Compares to Other Tools – Jannik Reinhard

Remote Help

Remote Help is a cloud-based solution that enables secure, role-based help desk connections to managed devices, with support for unattended scenarios and compliance with Intune's RBAC model. See the official documentation here.

How to Implement Intune Remote Help – Thant Zin Phyo
You have Intune Remote Help already, you might as well use it – Gerry Hampson
Microsoft Intune Remote Help: My Overview – Nicklas Ahlberg

Endpoint Privilege Management

Endpoint Privilege Management (EPM) lets organizations elevate permissions for specific, IT-approved tasks on a just-in-time basis, avoiding the need to create users with ‘admin’ privileges for routine activities, directly supporting a Zero Trust, least-privilege posture. See the official documentation here.

Microsoft Intune Endpoint Privilege Management Overview – Jorgen Nilsson
The end of local admin - How Intune Endpoint Privilege Management solves a problem IT has lived with for decades – Mattias Melkersen Kalvåg & Simon Skotheimsvik
When Intune Endpoint Privilege Management Wins, and When It Does Not – Florian Salzman

Just getting started with Intune?

If all this is new to you, you don’t need to absorb every advanced capability at once. A great place to begin is Albin Klinaku's guide, which walks through what these E3 and E5 changes mean for someone getting started and breaks down the fundamentals in an approachable way. From there, the official Microsoft Intune overview on Microsoft Learn provides tutorials. Start there, explore at your own pace, and you'll be ready to make the most of everything coming to your tenant.

A special thanks to our contributors

None of this guidance would exist without the community behind it, which brings me to the people who made this roundup possible. A big thank you to the MVPs who took the time to share their perspectives on this important news:

Your expertise, generosity, and willingness to share continue to elevate the entire Intune community. Thank you for everything you do. Stay secure, stay innovative, and be well.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Triage vulnerabilities with the Vulnerability Remediation Agent, now in public preview

Intune_Support_Team — Tue, 16 Jun 2026 21:27:48 GMT

As automation and AI accelerate the pace of vulnerability discovery, the window between disclosure and exploitation continues to shrink. For IT and security teams, the challenge is no longer just finding vulnerabilities - it's prioritizing the ones that matter and acting on them before they can be exploited. To help organizations close that gap, we're pleased to announce that the Vulnerability Remediation Agent for Security Copilot in Microsoft Intune is now in public preview and rolling out to all customers.

Following a successful limited preview, the agent is now broadly available. This release brings agentic vulnerability remediation out of an early-access cohort and into the hands of every eligible organization - an important step in our continued investment in helping admins reduce exposure faster and with greater confidence. View eligibility prerequisites here.

How the agent helps you identify and triage vulnerabilities

The Vulnerability Remediation Agent uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) across your Intune-managed Windows devices and apps, then prioritizes them for remediation. Rather than leaving admins to sift through lengthy CVE lists with little context, the agent surfaces a prioritized set of recommendations directly in the Intune admin center - accessible from both the Agents and Endpoint security pages.

When the agent runs, it evaluates vulnerability data and ranks threats based on factors such as CVSS scores, exposure impact, and affected device count, so the most critical issues rise to the top. Drilling into any suggestion provides:

The count of associated CVEs
A Copilot-assisted summarized impact analysis
Suggested actions and affected systems
Exposed devices and potential impact
Step-by-step guidance for remediating the threat using Intune

After acting on a recommendation, admins can mark it as applied, allowing the agent to retain a record for tracking remediation actions over time. The result is a meaningful reduction in the time it takes to investigate, prioritize, and remediate - strengthening overall security posture.

Introducing agentic identity for the Vulnerability Remediation Agent

With this release, the agent now operates under Microsoft Entra agentic identity - a meaningful advancement in how autonomous agents are governed and secured.

What it is. Agentic identity is a specialized identity in Microsoft Entra ID that allows the agent to operate securely and independently. During setup, the agent provisions a dedicated agentic identity and a corresponding agentic user in your tenant's Microsoft Entra directory. The agent then runs under the permissions delegated to that agentic user rather than under a human user account.

Why it matters. Agentic identity decouples the agent from any one person, ensuring its behavior is strictly bound to the permissions and scope you delegate to it. This delivers clearer accountability, a cleaner audit trail, and enterprise-grade governance for autonomous operations.

How it helps. Admins remain firmly in control. After setup, delegate the required read permissions to the agentic user in the Microsoft Intune and Microsoft Defender admin centers, then use the built-in Readiness Check to confirm everything is configured correctly before the agent runs.

Learn more in Agent identity.

Getting started: Connect → Enable → Run → Remediate → Track

One of the design goals behind the Vulnerability Remediation Agent is to make agentic security approachable, not complex. Rather than stitching together signals across multiple tools and admin centers, the agent guides admins through a clear, repeatable flow - from connecting your data to tracking measurable improvement over time.

Connect — bring Defender and Intune data together. The agent draws on Microsoft Defender Vulnerability Management for CVE intelligence and Microsoft Intune for device and configuration context. With the required Microsoft Defender and Microsoft Intune plugins in place, your vulnerability and management signals work as one. Learn more on what is needed to connect the experience.
Enable — turn on the agent. From the Agents node in the Microsoft Intune admin center, set up the agent in a few guided steps. During setup, the agent provisions its Microsoft Entra agentic identity and surfaces the permissions and plugins it needs, so you know exactly what to delegate before the first run.
Run — let automated prioritization do the heavy lifting. Once permissions are delegated and the Run Readiness Check passes, you can configure the agent to run on demand or schedule it to run automatically in the background on a cadence you define; scheduling is a unique capability that helps teams stay ahead of emerging risks without requiring constant manual intervention. Each run analyzes your environment and produces a prioritized list of recommendations ranked by CVSS score, exposure impact, and affected device count so the most critical risks rise to the top automatically.
Remediate — act with guided, Intune-ready actions. Each recommendation includes a Copilot-assisted impact summary, exposed devices, and step-by-step guidance for remediating the threat using Intune. Admins move directly from insight to action, without leaving the admin center.
Track — measure improvement over time. Recommendations can be marked as applied, and the agent retains a record of your remediation actions.

The outcome is a streamlined operating model: connect once, enable with confidence, and let the agent drive a continuous cycle of prioritization, remediation, and view progress. For full prerequisites, licensing, plugin, and role requirements, see Vulnerability Remediation Agent overview and set up.

The Vulnerability Remediation Agent represents a meaningful step toward a more proactive, AI-assisted security posture, one where admins spend less time sifting through CVE lists and more time acting on what matters most. We invite you to try the public preview today, connect your Defender and Intune data, and experience how agentic remediation can help your team stay ahead of emerging threats. As always, we'd love to hear your feedback as we continue investing in making security in Intune faster, smarter, and more accessible. Share your tips and lessons learned in the comments below or reach out to us on X @IntuneSuppTeam.

enrolling in Intune MacBook Pro with an M5 Pro

miguMac — Tue, 16 Jun 2026 15:17:50 GMT

Hi everyone

We have tested the Wi-Fi and ethernet profile without success with Apple businesses manager.

The Wi-Fi and the ethernet connection itself works, but the enrollment process into Intune does not complete successfully.

At this stage, we cannot sign in, and neither the Wi-Fi nor the Ethernet connection appears to be working.

The device is a 14-inch MacBook Pro with an M5 Pro chip, running macOS 26.5.1 the device connects to the server, the settings begin to apply, but the process suddenly stops, and we are then unable to log in.

These are steps followed :
Synchronize the device from Apple Business Manager to Intune.

Assign the enrollment profile to the device.

Perform a device wipe/reset.

Start Automated Device Enrollment (ADE).

Complete the device setup and user sign-in.

The device successfully enrolls into Intune.

Intune begins deploying configuration profiles, compliance policies, security policies, and applications.

During the policy application process, Wi-Fi connectivity stops responding.

The device loses network connectivity and cannot continue synchronizing policies. We are unable to sign in because the enrolment process has not been finalized. As a result, we have to wipe the Mac and start the process again each time.

We have disabled some policies, but we are still experiencing the same issue.

Have anyone experienced any issues like that ?

Regards,

How Enterprise App Management secures your App Catalog from ingestion to device

Intune_Support_Team — Mon, 15 Jun 2026 17:10:22 GMT

By: Joe Lurie, Sr. Product Manager | Microsoft Intune

One of the most common questions I get from customers when I talk about Enterprise App Management is some version of: "Okay, but how do I know these apps are safe?"

It's a fair question. You're trusting a catalog of pre-packaged Win32 apps to land on thousands of managed devices across your organization. If you're responsible for endpoint security, you should be asking that question. This post explains how Enterprise App Management works behind the scenes, how apps get into the catalog, what happens before they're visible to your tenant, and why the architecture matters for your security posture.

The architecture: Not a new system, but an extension of what you already trust

An important design decision with Enterprise App Management is that it's not a separate app delivery system. It's an extension of the existing Intune Win32 app architecture.

From the admin perspective, everything starts in the Intune admin center. But behind the scenes, there's a clean separation between the control plane and the data plane:

Control plane: For each app being added to the Enterprise App Management catalog, Intune curates app metadata, including app version, install commands, uninstall commands, detection logic, requirements, and supported configurations. This metadata is validated and normalized before it shows up in your tenant. That's why catalog apps behave consistently whether you're deploying to 50 devices or 50,000.
Data plane: Once an app is assigned by an admin, it flows through the same Win32 app delivery and enforcement pipeline you already rely on. Your devices don't know they're installing an "Enterprise App Management app" - they're enforcing a Win32 app with well-defined intent. Same Enrollment Status Page support, same reporting, same retry logic, same Intune Management Extension. No new agent. No new runtime. And finally, Enterprise App Management apps have the same support for App Control for Business with Managed Installer which can automatically tag the apps as safe.

This is important because it means Enterprise App Management inherits all the trust and operational maturity of Win32 app management in Intune. Curated content is delivered through established, reliable infrastructure.

How Enterprise App Management apps are delivered: The ingestion pipeline

This section walks through what happens from the moment an app is sourced to the moment it appears in your catalog.

Content ingestion

It starts with the catalog. Microsoft receives app metadata, including install and uninstall commands, version info, and download URLs. The data is then ingested, flattened, transformed, and Microsoft's own identifiers are applied. After the data lands in the database, eligibility and filtering gates are applied through allow and deny lists. Apps on the allow list are permitted to download content from controlled internet locations. This process handles both net-new apps and version updates to apps already in the catalog.

Security and functional validation

This is the part that answers the "how do I know it's safe?" question. Once content ingestion is complete, every app is submitted for security and functional validation. This is a queue-driven service that runs two parallel tracks:

Static malware detection scans the installer and related artifacts for malicious content, assigning a VirusTotal score. If an app receives a non-zero score, it's blocked from proceeding, full stop. Static scanning is about establishing baseline trust before deployment. It validates that binaries are intact, that they originate from trusted sources, and they don't carry known indicators of malware or tampering. This process catches embedded malicious payloads, corrupted binaries, and known bad signatures before they can impact any device.
Dynamic analysis (detonation) runs in parallel. The app is installed and uninstalled inside a VM detonation chamber, producing install results, logs, and artifacts. This is about validating behavior, not just files. Modern threats don't always look malicious at rest; some issues only surface when an installer or application runs or interacts with the system. Dynamic evaluation catches unexpected system changes, unsafe persistence mechanisms, and activity inconsistent with enterprise deployment expectations.

If an app fails automatic validation, it goes through manual validation by Intune engineering.

Both layers are required. Static scanning provides speed and broad coverage, while dynamic scanning provides depth and behavioral assurance.

After publication: Ongoing scanning

The security story doesn't end at publication. Apps already in the catalog are periodically re-scanned. If a version that previously passed validation is later found to fail a malware scan, it's flagged and removed from the catalog. This is a critical detail - the catalog isn't a snapshot-in-time trust decision. It's a continuously validated inventory.

Update velocity

Once a new app version is received, the target is to have it available in the catalog within 24 hours. Around 80–90% of apps hit that timeline. The remainder are apps that don't pass automatic validation and require manual review, which takes longer. But the pipeline processes updates through the exact same ingestion and validation flow as new apps - no shortcuts.

Where Zero Trust fits in

If you've been following Microsoft's Zero Trust model, this pipeline should feel familiar. Zero Trust is built on three principles: verify explicitly, use least-privilege access, and assume breach. EAM's validation pipeline maps directly to these:

Verify explicitly: Every app is verified through multiple independent signals, including source integrity, static malware scanning, and dynamic behavioral analysis, before it's ever exposed to a tenant. No app gets a pass based on reputation or publisher name alone. Trust is earned through evidence, every time.
Use least-privilege access: Enterprise App Management catalog apps ship with prefilled, scoped install and uninstall commands, detection rules, and requirements. You're not handing an installer broad system access and hoping for the best. The deployment surface is defined and constrained by design.
Assume breach: This is why the pipeline doesn't stop at initial validation. Ongoing re-scanning means that even apps that previously cleared every check are continuously re-evaluated. If an app that was clean six months ago is later found to carry a risk, it's flagged and pulled from the catalog. The system assumes that trust is perishable, exactly the way Zero Trust says it should be.

In practice, this means Enterprise App Management gives you an app lifecycle that's not just convenient - it follows the same security framework your organization is likely already adopting for identity, network, and device access. The app layer is often the last piece to catch up, and Enterprise App Management closes that gap.

Here's the ingestion flow that shows how all of this fits together:

Figure 1: The Enterprise App Management ingestion pipeline: from source metadata through content ingestion, static and dynamic security validation, manual review for failures, periodic re-scanning, and finally publication to the catalog.

Takeaways

If you're evaluating Enterprise App Management or explaining it to your security team, here's what I'd suggest that you land on:

Enterprise App Management reduces the packaging tax. Pre-packaged apps with prefilled install details, detection rules, requirements, and restart behavior mean you spend less time building the same scaffolding repeatedly and more time on policy and rollout strategy.
Patching becomes more predictable. Guided update flows using supersedence and a documented expectation of 24-hour update availability give you a cadence you can plan around, not react to.
The security model is layered and continuous. Static scanning, dynamic detonation, manual review fallback, and ongoing re-scanning mean the catalog maintains a high trust bar - not just at ingestion, but over time. And it's all built on the same Win32 delivery infrastructure that you and your devices already trust.

The bottom line: Enterprise App Management isn’t just about convenience. It shifts the app lifecycle from a manual, error-prone process to one with built-in security validation, operational consistency, and governance you can defend to your security team. Rather than manually sourcing installers and creating detection rules, use this approach to streamline the process.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!

Want to go deeper? Check out the Enterprise App Management documentation and keep an eye out for upcoming changes to Intune Suite licensing that will make Enterprise App Management available in the Microsoft 365 plans you may already own. And as always, drop feedback at aka.ms/IntuneFeedback.

CanReset value flipping on cloud only devices

Mariusz_80 — Fri, 12 Jun 2026 07:06:37 GMT

Hello,

I have a problem with cloud only Windows 11 devices configured with passwordless policy. I have noticed that when you run dsregcmd /status command, CanReset value under User State is flipping between "No" and "DestructiveAndNonDestructive". When it's latter, everything works fine, users can start wizard for facial recognition or make PIN changes under Sign In options in Windows. But when it flips to No, everything is blocked. It seems to happen randomly, you can leave device untouched for few hours and just check dcregcmd and the value will change. CanReset is the only value that changes in the dsregcmd report.

It happens for different devices located on different networks. Also, I have disabled web gateway completely for one device just for testing but no change. Any suggestions would be welcome.

Windows App Update Notification

malithamadushan — Wed, 10 Jun 2026 00:08:45 GMT

Hi everyone,

We have deployed the Windows App for a client. Currently, when an update is available, users are seeing an in app banner that says: "Click here to update the app. Meanwhile you can use the app."

If the user clicks it, the update finishes successfully. However, our organization requires a completely hands off, automated update process. We do not want end-users to have to interact with a notification or manually click a button to keep the app up to date.

Is there a specific Group Policy, registry key or Intune configuration that completely suppresses this in app notification and forces the MSIX package to install silently in the background when the app or machine is idle?

Any advice on how to bypass this "Notification" behavior and enforce touchless updates enterprise wide would be greatly appreciated.

Thanks!

Intune Install Printer Driver

tonybap1 — Tue, 09 Jun 2026 10:12:13 GMT

I am trying to install a Printer driver via a Win32app using System to install.

Have set configuration as below:

Its a simple powershell script which runs perfectly when installing on a device as an administrator.

$printdriver = "PCL6 V4 Driver for Universal Print"

C:\Windows\system32\pnputil.exe /add-driver "r4600.inf" /install

Add-PrinterDriver -name $printdriver

However installing it via Intune I get an event id 215 with failed error code 0x0 HRESULT 0x80070705 on the device.

Any help appreciated.

MDOP is out of support: What to do next with Microsoft Intune

Intune_Support_Team — Mon, 08 Jun 2026 16:58:58 GMT

By: Joe Lurie – Sr. Product Manager | Microsoft Intune

On April 14, 2026, the Microsoft Desktop Optimization Pack (MDOP) reached the end of extended support. Microsoft no longer provides security updates, bug fixes, or technical support for MDOP components. For more information, refer to: Microsoft Desktop Optimization Pack (MDOP) support extended.

If your organization still relies on parts of MDOP, it’s time to move to supported options. In most cases, including Windows desktop management, app virtualization, BitLocker administration, and Group Policy change control, you can handle the same workloads with capabilities in Microsoft Entra ID, Intune, Windows 11, and Configuration Manager.

Moving these workloads to the cloud does more than keep you supported. It removes on-premises server infrastructure you have to stand up and patch, brings management of cross-platform devices into a unified console, and connects capabilities like encryption and recovery into a Zero Trust framework with Conditional Access.

Quick start checklist

Inventory what you actually use. Confirm whether Application Virtualization (App-V) server components, Microsoft BitLocker Administration and Monitoring (MBAM), Diagnostics and Recovery Toolset (DaRT), User Experience Virtualization (UE-V), or Advanced Group Policy Management (AGPM) are still in production.
Prioritize BitLocker Management first. If you still rely on MBAM, plan your move to BitLocker management in Intune and confirm recovery key escrow is working as expected.
Plan your App-V exit. Keep existing App-V packages running where needed but shift net-new packaging work to MSIX.
Validate your PC recovery story. Document how you’ll handle common break/fix scenarios using Quick Machine Recovery, WinRE, bootable media, and Intune remote actions.
Decide how you want to handle policy change management. For cloud policy, we recommend Multi Admin Approval for sensitive actions and policy-as-code practices for versioning and review.

App-V

App-V let you virtualize applications so they could run in isolated environments without a traditional install, which helped avoid app conflicts. It was especially useful for legacy line-of-business apps that were hard to install or update cleanly.

Important
The App-V server components (Management Server, Publishing Server, Reporting Server) reached end of extended support in April 2026. The App-V client and sequencer are still included with Windows Enterprise and Education editions. They will continue to receive security fixes for the support lifecycle of the Windows versions they ship with. If you are distributing App-V packages today via Configuration Manager, that can still work. The key change is that you should not plan on using the standalone App-V server infrastructure going forward. For more details refer to: App-V in Windows support policy.

What to do instead: For new packaging work, we recommend moving to MSIX. MSIX is a modern packaging format that supports clean install and uninstall and more predictable updating. The MSIX Packaging Tool can help you convert existing installers. In Azure Virtual Desktop, MSIX App Attach can deliver apps without baking them into the base image. A good starting point is to inventory your App-V packages, identify the ones you still need, and prioritize candidates to convert to MSIX.

MBAM

MBAM gave IT admins centralized control over BitLocker, including policy enforcement, compliance reporting, and a self-service recovery portal. Many organizations used MBAM as their standard management solution.

What to do instead: We recommend replacing MBAM with Microsoft Intune’s BitLocker policy management through an Endpoint security policy. Intune management provides backup of recovery keys to Microsoft Entra ID, reporting, and Conditional Access integration so you can require encryption for access to company resources. If you already manage devices with Intune, you may only need to create a disk encryption policy and confirm recovery keys are being escrowed. For detailed guidance, review Encrypt Windows devices with BitLocker using Intune.

DaRT

DaRT provided a bootable recovery environment with advanced tools like file recovery, registry editing, and offline troubleshooting. You typically used DaRT when a machine wouldn’t boot and you needed to repair it or recover data without reimaging.

What to do instead: Windows includes the Windows Recovery Environment (WinRE) with tools like Startup Repair, System Restore, command prompt, and reset options. For many scenarios DaRT covered, WinRE is enough. You can also boot from a Windows installation USB, select "Repair your computer," and use the recovery tools for tasks like offline troubleshooting.

For managed devices, you can pair recovery options with Intune remote actions, such as restart, wipe, or collect diagnostics, or use Quick Machine Recovery. Additionally, Quick Machine Recovery can automatically detect and fix boot failures using cloud-based remediation delivered through Windows Update, with no hands-on IT intervention required for managed devices running Windows 11 version 24H2 or later. You can enable and configure it through the settings catalog in Intune, and Windows Autopilot scenarios for redeployment. These don’t replace every DaRT capability, but they cover many common use cases and work without shipping a separate recovery toolkit.

UE-V

UE-V roamed (synchronized) some user application and OS settings to persist across devices so users could sign in to a different Windows PC and keep a familiar experience. This was often used in shared workstation scenarios.

What to do instead: For Windows settings roaming, Windows Backup for Organizations syncs certain Windows settings across Microsoft Entra ID joined devices. Review the latest guidance to confirm which settings are covered and how to enable it in your environment.

Important:

Windows Backup for Organizations syncs Windows settings (theme, password, language) but doesn’t roam per-application settings for Win32 apps. Some apps may provide their own cloud-based sync. Windows Backup for Organizations is not a direct replacement for UE-V.

For user files, we recommend OneDrive Known Folder Move to back up Desktop, Documents, and Pictures so content follows the user. Many Microsoft applications also sync their own settings through the cloud, which reduces the need for an OS-level roaming solution.

Another option is to use a virtualized solution, like Azure Virtual Desktop or Windows 365. With a Cloud PC, users connect to the same environment from any device, so settings and apps are already there when they sign in. For scenarios where UE-V mattered most, like shared workstation environments, Windows 365 can be a practical alternative. And for Azure Virtual Desktop, FSLogix is a viable option.

Important:

Enterprise State Roaming does not roam per-application settings for traditional Win32 desktop apps the way UE-V did. So, Windows 365 may not be the right fit if you need settings roaming across multiple physical devices.

AGPM

AGPM brought version control, change tracking, and approval workflows to Group Policy management. Instead of an admin changing Group Policy Objects (GPOs) directly in production, AGPM enforced a check-out and check-in model with full audit history. This mattered most in environments with strict change management requirements.

What to do instead: Move to cloud-managed endpoints and replace Group Policy settings with Intune configuration profiles and security baselines. The settings catalog in Intune includes thousands of settings, including many ADMX-backed policies. If you use custom ADMX files for third-party or internal applications, you can import them into Intune. For settings that aren’t available in the catalog, custom OMA-URI profiles can sometimes be used, depending on the CSP support for that setting.

For change management, Intune offers Multi Admin Approval for certain policy changes, which can add a second-admin approval step. If you want deeper versioning and review workflows, we often see teams using Configuration as Code. Teams practicing Configuration as Code define Intune policies as code or structured data, such as in a JSON file stored outside the Intune admin center. This can be stored in version control like Azure DevOps or GitHub, and use Microsoft Graph – directly or via tooling – to deploy and reconcile the service. This enables deep versioning, peer review, and repeatable, auditable changes. And with Intune, you can use Graph API to get two years of audit events.

Summary

MDOP tool	What it did	Cloud-native replacement
App-V (Server)	Application virtualization and streaming	MSIX packaging and Intune deployment (client still supported in Windows)
MBAM	BitLocker management and recovery	Intune management of BitLocker and Microsoft Entra ID key escrow
DaRT	Bootable diagnostics and recovery	Windows Recovery Environment (WinRE), bootable USB, and Intune remote actions
UE-V	User settings roaming	Windows 365 Cloud PC, Windows Backup for Organizations, OneDrive Known Folder Move, app-native sync
AGPM	GPO version control and approval workflows	Intune settings catalog, Multi Admin Approval, policy-as-code in source control

Moving forward

By moving to cloud endpoint management, most MDOP scenarios are covered through Microsoft Intune and Microsoft Entra ID supported capabilities with less infrastructure to maintain, making it easier for you to manage.

If you haven’t started planning yet, we suggest starting with MBAM since Intune is the most direct replacement. Then, you can work through App-V, DaRT, UE-V, and AGPM based on what’s still in use.

If you’re in the middle of an MDOP exit and need help leave a comment below or reach out to us on X @IntuneSuppTeam. Tell us which components you still have and how you manage endpoints today (Intune, Configuration Manager, hybrid, or other). We can help you sanity-check dependencies, choose an order of operations, and avoid common migration pitfalls.

Moving from Windows Server 2022 to 2025

GabeCz — Sat, 06 Jun 2026 03:50:02 GMT

And by moving I mean stand up a completely fresh Windows Server 2025 as the old server was patched for one too many times. (painfully slow and stuffy)

What I figured out so far, is to

install Windows Server 2025, and the exact same SQL Server 1:1 to the build #
install ODBC v18
update current MECM to the latest and its OS (update other Microsoft products with windows update)
go to sites / maintenance tasks and do an export
robocopy the "software" folder as is

Now next would be to shut down old MECM server, rename new to the old's hostname, and start the "recover site"

What my concern is as always "What if" can I at this point or once I set up the new MECM up and running go back by shutting down this new server, and powering on the old (leave and rejoin domain for trust) and go back to business as usual?
That if anything goes sideways, or things won't get better. By that i mean speeding up things which is the main reason of the 'move' which now I do not wish to troubleshoot. Our environment, database size is 7.9 Gb, which is far from being big. The reason must be the update over upgrade over update over 15 years or more no and never brand new OS.

I can take care of the "how to" I know exactly how to recover a site 'on paper'. I just want to know there's no such thing as point of no return. (when not making a single change in the Db/console)

I also understand I should not make any changes in the Db (console) while testing, which is no problem at all. All we use MECM for is staging computers. Nothing else really. Like nothing else at all. PXE. The end.

Thanks for the inputs.

(I hope I picked the right tags)

Intune macOS ADE: support for minimum macOS version enforcement before Platform SSO registration

KacperM — Thu, 04 Jun 2026 20:56:14 GMT

Hi everyone,

I would like to ask whether Microsoft Intune has any supported method, roadmap, or recommended workaround for enforcing a minimum or target macOS version during Automated Device Enrollment before Setup Assistant continues.

The scenario is macOS zero-touch deployment with Intune, Automated Device Enrollment, Setup Assistant with modern authentication, Await final configuration, and Platform SSO registration during ADE.

Platform SSO registration during Setup Assistant depends on newer macOS capabilities. In addition, some macOS deployment scenarios, such as Platform SSO password sync and macOS LAPS, may require or strongly benefit from a specific macOS version being installed before the user completes enrollment.

Today, Intune can manage macOS software updates after enrollment using Declarative Device Management software update policies. However, that does not fully solve the issue where the Mac starts ADE on an older macOS version. In that case, the device may begin Setup Assistant and Platform SSO registration before the required macOS version is installed.

What I am looking for is an Intune-native equivalent of enforcing a minimum or target macOS version during ADE, before Setup Assistant continues.

Ideally, the macOS ADE enrollment profile in Intune would support options such as:

- Minimum required macOS version

- Target specific macOS version

- Target specific build, if supported

- Latest eligible macOS version for the device

- Apply the OS update before Platform SSO registration and final configuration

- Reporting in Intune showing whether the ADE OS update was required, started, completed, skipped, or failed

Without this capability, organizations using Intune-only macOS deployment may still need manual IT staging or macOS restore/update before handing devices to users. This weakens the zero-touch deployment model, especially when adopting Platform SSO registration during Automated Device Enrollment.

1. Is there currently any supported way in Intune to enforce a minimum or target macOS version during ADE before Setup Assistant continues?

2. Is this capability on the Intune roadmap?

3. Are there any recommended workarounds for organizations deploying Platform SSO registration during ADE where a specific macOS version is required?

Thanks in advance for any guidance from the Intune team or the community.

8 hour wait time for Intune when "Configuring team site libraries to sync automatically"

bdenison — Tue, 02 Jun 2026 21:54:41 GMT

I hate this, we dont want to wait for this long to find out it doesnt work because we forgot a curly bracket!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Fix this or give us a solution to manually push this config policy out so we can see it working immediately!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

More exclamation marks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanks!

AMA: Visibility and control across devices with Intune

Heather_Poulsen — Tue, 02 Jun 2026 18:31:07 GMT

This AMA is designed for IT teams looking to cut through the noise and gain clearer insight into what’s really happening across their device estate.

You can’t secure or manage what you can’t fully see. As organizations support more users, more device types, and more ways of working, endpoint management has become increasingly complex. Windows, macOS, iOS, Android, personally-owned devices, frontline workers, remote teams: every layer adds new challenges when it comes to visibility, monitoring, compliance, and troubleshooting.

Come ready to talk through the sometimes messy realities of endpoint management in today's world. Let's talk about inconsistent reporting, missing signals, compliance blind spots, alert fatigue, cross-platform management, and the challenge of turning raw data into meaningful action. Want to know if your reporting is giving you the full picture? Curious where organizations typically lose visibility or struggle with enforcement at scale? Wondering how others are approaching analytics, monitoring, and troubleshooting across multiple platforms? Bring your toughest questions and compare notes directly with Microsoft experts and peers navigating the same challenges in Intune every day.

I'm in. How do I participate?

Sign in to the Tech Community, select Add to Calendar and Attend to receive event reminders. Post your questions (early and often!) in the Comments below.

This session is part of the Tech Community Live: Intune Edition. View the full agenda for more AMAs! This session will also be recorded and available on demand shortly after conclusion of the live event.

AMA: Keeping up with security, compliance, and the pace of change

Heather_Poulsen — Tue, 02 Jun 2026 18:29:22 GMT

Security and compliance aren’t standing still—and neither is Intune. With new features, enforcement changes, SDK requirements, and evolving security expectations arriving at a rapid pace, IT teams are under constant pressure to stay current without disrupting productivity or overwhelming administrators. Join this Ask Microsoft Anything (AMA) session to discuss the challenges of managing security, compliance, and updates at scale in a fast-moving cloud environment.

This is an interactive event so you guide the discussion. From patching strategies, compliance policies, and app protection to reducing operational overhead while maintaining a strong security posture, we'll be here to answer your questions. Whether you’re navigating changing compliance requirements, trying to simplify policy management, or working to balance security with a seamless user experience, come explore practical approaches for staying secure, compliant, and ready for what’s next with Intune.

I'm in. How do I participate?

Sign in to the Tech Community, select Add to Calendar and Attend to receive event reminders. Post your questions (early and often!) in the Comments below.

AMA: Deployment made easy with Intune and Windows Autopilot

Heather_Poulsen — Tue, 02 Jun 2026 18:27:34 GMT

Join this Ask Microsoft Anything (AMA) to dive into the real-world deployment scenarios organizations are navigating every day.

A successful Intune deployment is about more than getting devices enrolled. You want a reliable, secure, and frustration-free experience from day one yet even experienced IT teams can run into unexpected challenges during rollout and ongoing management. Small missteps can quickly impact productivity and user trust.

Have questions about Windows Autopilot configuration, dynamic groups, enrollment strategies, app packaging and delivery, troubleshooting failed deployments, deployment rings, and avoiding policy conflicts that can lock users out or disrupt workflows? Whether you’re just getting started or refining a mature deployment strategy, this AMA is your opportunity to connect directly with Microsoft experts, share challenges, and learn practical approaches for building a smoother, more resilient deployment experience with Intune.

I'm in. How do I participate?

Sign in to the Tech Community, select Add to Calendar and Attend to receive event reminders. Post your questions (early and often!) in the Comments below.

On premises to cloud native: Your Intune setup AMA

Heather_Poulsen — Tue, 02 Jun 2026 18:27:53 GMT

Moving to Intune isn’t just about replacing legacy management tools; it’s about rethinking how devices are deployed, secured, and managed in a cloud-first world. But where should you start? How do you avoid recreating old processes that add complexity, slow down users, or limit the value of cloud-native management? Join our Ask Microsoft Anything (AMA) session to explore the strategies, lessons learned, and real-world considerations that can help you build a simpler, more scalable endpoint management approach with Intune.

Bring your questions about device strategy, co-management vs. cloud-only management, policy design, security baselines, user experience tradeoffs, and more. Whether you’re planning a new deployment, modernizing existing processes, or trying to reduce administrative overhead, this AMA is an opportunity to talk directly with Microsoft experts about the decisions, challenges, and best practices shaping modern endpoint management today.

I'm in. How do I participate?

Sign in to the Tech Community, select Add to Calendar and Attend to receive event reminders. Post your questions (early and often!) in the Comments below.

Tech Community Live: Microsoft Intune edition

Heather_Poulsen — Tue, 02 Jun 2026 18:42:42 GMT

Save your spot and tune in for a brand-new Intune edition of Tech Community Live! Whether you need help with your cloud-native management strategy, tackling Windows Autopilot and enrollment challenges, strengthening security and compliance, or trying to gain better visibility across your device fleet, this event is your chance to get real-world guidance and ask the questions top of mind for your organization.

Bring your toughest deployment scenarios, policy debates, troubleshooting pain points, and “how are other IT teams handling this?” questions for a lively, practical conversation designed to help you optimize endpoint management with more confidence—and maybe learn a few new tricks along the way.

I'm in. How do I participate?

Excited for three hours of interactive Ask Microsoft Anything (AMA) sessions with the engineers, product experts, and teams behind Microsoft Intune? Great!

Sign in to the Tech Community, select Add to Calendar and Attend to receive event reminders. Visit each AMA page and do the same. Post your questions (early and often!) in the Comments section on each AMA page.

Agenda: June 23, 2026

TIME	TOPIC
8:00 AM PDT 3:00 PM UTC	On premises to cloud native: Your Intune setup AMA
9:00 AM PDT 4:00 PM UTC	AMA: Deployment made easy with Intune and Windows Autopilot
10:00 AM PDT 5:00 PM UTC	AMA: Keeping up with security, compliance, and the pace of change
10:30 AM PDT 5:30 PM UTC	AMA: Visibility and control across devices with Intune

Intune App inventory Graph

RobV — Tue, 02 Jun 2026 12:46:44 GMT

Hi All,

I've enabled the configuration profile to receive app inventory data in Intune.

In the GUI the data I can view the data just fine, but I would like to use Graph to automate this data and create custom reports.

When I use the following https://graph.microsoft.com/beta/deviceManagement/managedDevices/[device-id]/deviceInventories('ApplicationProperties') I get an error: "Forbidden - 403 - 199 ms Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab" even though the docs I can find about permissions are OK.

Add Security Key Support to Microsoft Authenticator and Managed Home Screen

AbeSummers — Fri, 29 May 2026 13:57:01 GMT

undefined