Microsoft Intune topics

Erweiterungsmanagement im Browser

Regine147 — Thu, 05 Mar 2026 07:13:49 GMT

We would like to distribute browser extensions in Edge via Intune in a granular manner.

The problem is that assigning two profiles with different extensions leads to a conflict. We would like to be able to assign extensions individually and assign multiple different profiles with different browser extensions to a user.

With the current options, it becomes very complex and error-prone when there are multiple extensions with different user groups.

Or have I overlooked a possibility?

How to create a dependency using Graph API in PowerShell

DamianIntune — Tue, 03 Mar 2026 09:10:51 GMT

hi,

I used following documentations to create a dependency via Graph API in Powershell:

https://learn.microsoft.com/en-us/graph/api/intune-apps-mobileappdependency-list?view=graph-rest-beta

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.devices.corporatemanagement/new-mgbetadeviceappmanagementmobileapprelationship?view=graph-powershell-beta

Both ways give me the same error:

New-MgBetaDeviceAppMgtMobileAppRelationship : No OData route exists that match template ~/singleton/navigation with http verb POST for request /AppLifecycle_2602/StatelessAppMetadataFEService/deviceAppManagement/mobileAppRelationships.
Status: 400 (BadRequest)
ErrorCode: No method match route template

Seems like these Endpoints do not support POST/PATCH requests at all. Is there any other way to create a dependency using Graph API in PowerShell?

Block Local Logon to enrolling user of an Intune Managed Device

Chris Snell — Mon, 02 Mar 2026 13:41:56 GMT

Has anyone successfully managed to deploy a security baseline template or Configuration profile or proactive remediation script that can successfully block any AAD user from being able to logon to an Intune managed device, other than the user who enrolled the device?

I have a use case of an industutrial type device where we use a secure shared logon credential who is also the enrolling user, and i want to prevent anyone with an account loggin goff the primary user account and loggingin with their own personal account.

The issue i seems to face now is the policy is not able to evaluate the AAD group where i assign the user account/accounts allowed to logon, and i subsequently end up blocking all local logons.

Thanks

Will Intune device-only subscription get additional value in FY27

ATEdeBer — Thu, 19 Feb 2026 15:07:11 GMT

Will the Intune device-only subscription (Microsoft Intune announces device-only subscription for shared resources | Microsoft Community Hub) get the additional features which Intune P1 will get in FY27 (Microsoft 365 adds advanced Microsoft Intune solutions at scale - Microsoft Intune Blog), Intune Remote Help, Intune Advanced Analytics and Intune P2?

This would have a huge impact of our planning how to manage special purpose devices in production environments without any user affinity. Deploying security and configuration settings, Windows Autopilot for Windows IoT Enterprise LTSC kiosk deployment, Windows Autopatch (servicing), Remote Help and FOTA for Zebra devices would be drivers to add these production devices to Intune.

How to Disable Self-Service Passcode Reset for Standard Users in Microsoft Intune

tarunograa29 — Wed, 18 Feb 2026 07:17:18 GMT

Hi,

We are using Microsoft Intune to manage Android corporate-owned devices. Currently, standard users can reset their own device passcode remotely. The problem is:

Users reset the passcode themselves
Then they get confused
They call IT saying they cannot open their phone

We want to prevent users from doing self-service passcode reset. Only admin should be able to reset the device passcode. I already checked configuration profiles and compliance policies in Intune, but I cannot find any setting to disable this.

Has anyone successfully disabled this feature?

Thank you.

Edge for Android Smartscreen

StuartK73 — Sun, 15 Feb 2026 05:50:03 GMT

Hi All

I hope you are well.

Anyway, is it possible to configure Edge for Android Smartscreen to:

Prevent end user bypass
Block potential risky downloads

I can see various methods and guides pointing to Edge App Configuration policies but just cannot seem to get the this to work on Android Enterprise Fully Managed devices.

Any help would be great.

Intune - ASR Rules - exclusion

Jendislav — Fri, 13 Feb 2026 13:16:01 GMT

Hello, please can anybody give me an advice about Intune exception? We are using N-Able client for computer management and Intune ASR is blocking it. I tried to add exception in rule setting but it has not helped so far.

I am getting defender popup with info that

risky action blocked

Your admin blocker this action.

Blocked app or process - winagent.exe

Blocked by - surface attack reduction

Rule - Block using of copied or personified system tools.

There is my exception but it did not helped.

Thank you.

Help creating Device groups

MaxRebo — Fri, 13 Feb 2026 10:25:44 GMT

Hi,

I'm new to using Intune on a day to day basis, after adding our devices to Intune via our On-prem Active Directory.

What's the best practice for organizing our Devices, such as Staff devices and Student devices?

I want to create a group for all staff devices and another for student devices.

Also, is there any way to auto enroll these pcs in to the correct groups once they're new ones added via our on Prem AD and Entra?

Replacing Complex GPO Item-Level Targeting with Intune

dilanmic — Fri, 13 Feb 2026 02:58:17 GMT

Hi All,

I’m looking for some advice on the best way to handle this scenario.

We’re running a hybrid environment and currently have a GPO that creates 1,000+ registry entries across 150+ user groups using item-level targeting with security groups.

Now we need to move this over to Intune, and that’s where things get tricky. Intune doesn’t really offer the same item-level targeting flexibility as GPO. So far, the only workable option seems to be creating 150+ platform scripts or Proactive Remediation scripts, which obviously isn’t ideal from a management perspective.

I’m thinking it might be much easier long-term to create one large PowerShell script that checks the logged-in user’s group membership and then applies the appropriate registry settings dynamically.

Has anyone dealt with something similar? Is there a cleaner or more scalable approach in Intune?

Thanks in advance!

Dilan

Controlling Excel Add-ins and Microsoft Store App Installations

dilanmic — Thu, 12 Feb 2026 19:25:40 GMT

We have a requirement to block users from adding add-ins to Excel and Installing certain application directly which utilize Microsoft Store apps. Below are the two scenarios we need to address. I would appreciate any guidance or recommendations on how to implement these controls.

1) Blocking Excel Add-ins from Microsoft Store

Users are currently able to add add-ins such as “Claude by Anthropic in Excel” directly from the Microsoft Store apps. For example, if a user accesses the URL: https://marketplace.microsoft.com/en-us/product/saas/wa200009404?tab=overview they can proceed to add the add-in to Excel.

So, We need a method to prevent users from adding Office add-ins from the Microsoft Marketplace or external sources.

2) Blocking Installation of Microsoft Store Apps (e.g., WhatsApp)

We are currently blocking Microsoft Store apps on OS level. However, users can still download and install applications such as WhatsApp directly from the vendor website, which utilize Microsoft store apps in backend: https://www.whatsapp.com/download

We are considering configuring the Intune policy “Only Private Store is enabled.” However, we noticed that enabling this setting prevents users from accessing certain built-in applications (e.g., Notepad). Is there any other way to block access Microsoft Store apps directly?

Thank you in advance for your assistance.

Dilan

Creating a successful intune deployment using an installer exe combine with XML configuration file.

XSupramanX — Thu, 12 Feb 2026 15:25:27 GMT

I am having issue creating a successful intune deployment package involving MathCad Prime 11 and XML file, this might be cause my powershell scripting is very weak.

This is the current script I am trying to used, but it does not seem to deploy successfully, the errors I am seeing from intune is "The unmonitored process is in progress, however it may timeout. (0x87D300C9)."

Perhaps someone has come across this and point me in the right direction on how to handle installer with exe and using XML for configuration.

"

# Get the current script directory to locate setup.xml

$CurrentDir = $PSScriptRoot

# Define the installer path and the XML argument file

$ExePath = Join-Path -Path $CurrentDir -ChildPath "setup.exe"

$XmlPath = Join-Path -Path $CurrentDir -ChildPath "mathcad.p.xml"

# Adobe command-line parameters for silent installation with a deployment file

$Arguments = "--mode=silent --deploymentFile=`"$XmlPath`""

# Start the installation process and wait for completion

$Process = Start-Process -FilePath $ExePath -ArgumentList $Arguments -Wait -PassThru

# Return the exit code to Intune (0 is success)

Exit $Process.ExitCode

"

Autopilot enrollment through serial number

HarisNadeem1 — Wed, 11 Feb 2026 21:21:57 GMT

I’m working for a reseller, and one of my customers has asked us to enroll their device serial numbers into their Intune/Autopilot tenant.
We only have permission to upload devices because we are not their CSP partner.

Now the customer wants us to enroll the devices, including their Purchase Order (PO) number, in the Purchase Order field in Intune.

The issue is:
Because we are not their CSP, the tenant does not allow us to enter or modify the Purchase Order field when we upload devices.

My question:

Is it possible for a non‑CSP reseller or partner to add a Purchase Order number during Autopilot device enrollment?
If not, what options exist for a reseller to ensure that the Purchase Order field is populated?

Unmanaged Microsoft 365 Applications in Intune-Managed Windows 11 Devices

Ibteea — Wed, 11 Feb 2026 15:14:23 GMT

Hello Everyone,

We have identified in our Intune environment that several users have installed Microsoft 365 applications outside of Intune on their managed Windows 11 devices (Corporate).

Could you please confirm whether these users receive configuration profiles (for Microosft 365 app update enforcement for example)?

Additionally, we would appreciate guidance on the best practices for addressing unmanaged application replacements.

Thank you for your assistance. :)

Best regards,

Configure the Device with Microsoft Entra Hybrid Joined

harpreet-singh-him — Wed, 11 Feb 2026 05:01:36 GMT

Hi, Can you share the best practices to configure the device with Microsoft Entra Hybrid Joined. Thanks

Entra Shared Mode - Force App Stop

StuartK73 — Mon, 09 Feb 2026 23:27:15 GMT

Hi All

I hope you are well.

Anyway, I was asked this yesterday and think I already might know the answer, but here goes.

We had an instance of Microsoft Excel stuck in "getting things ready" on an Android Entra Shared Mode Device.

Technical Support wondered if there was a way to Force Stop Excel or clear the app data.

We had a look in Exit Kiosk Mode, Android Settings, and the Force Stop of Excel said "Action not allowed" and the clear the app data said "Unable to delete data for app"

So, my question(s) would be, is going into Exit Kiosk Mode and even trying to force stop / clear data on apps even a valid option, or is this by design?

Would adding Excel to this setting help?

Any help or confirmation would be greatly appreciated.

Stuart

Intune MAM BYOD: Remove Account message for iOS devices

rahulc9222 — Fri, 06 Feb 2026 07:35:18 GMT

Hello,

I am seeing an issue for Intune MAM BYOD(iOS) users. After a user account password reset, it causes Intune to remove the account configured from mobile applications like MS Outlook, Work, OneDrive, etc.

Current Intune Configuration:

Done - App Protection Policy

Done - Conditional access policy --> Grant --> Requires app protection policy (checked)

Users had to re-enrol to access his/her data.

Here is the screenshot,

Thank you,

Windows Autopilot API

DarshilBhatt24 — Fri, 06 Feb 2026 06:10:17 GMT

Hello Members,

Is it possible to configure the Windows Autopilot API to generate the "skiptoken" based on a different attribute (such as a unique ID or a field guaranteed to be whitespace-free)?

Any info or pointers would be great.

Thanks.

Cannot enroll azure vm(windows 24H2) in Microsoft company portal

yanxxu — Wed, 04 Feb 2026 05:57:07 GMT

I created a windows VM in Azure. To access company resources on this machine, I attempted to enroll the device through the Company Portal. However, the enrollment failed while setting up the work or school account, with the error message “This connection isn’t secure.”

How should I fix this issue?

intune constantly tries to re-install Chrome everyday when it is already installed

Sasan29 — Tue, 03 Feb 2026 21:25:00 GMT

Hi,

We have set Intune to install few applications including Google Chrome for users but Intune constantly tries to re-install Google Chrome everyday. What could be wrong with detection rule setting for Google Chrome and how to fix it?

Your assistance will be greatly appreciated!

Cheers,
Sasan

LAPS Intune policies

SebCerazy — Tue, 03 Feb 2026 13:19:53 GMT

So it seems that there are legacy LAPS policies (via Configuration/Policies/New/Windows 10/Settings catalog Search for LAPS = Administrative templates/LAPS

Well, I did configure them & added my device group.

Then I realize that it is NOT this LAPS I need (by then quite few devices got the policy)

I unlinked the group, deleted this policy & created NEW LAPS policy via Endpoint Security/Account Protection/Create policy/Windows/Windows LAPS

Here I can setup new settings (especially Password Complexity = Passphrase)

While lots of my devices get the local admin password reset to correct Passphrase, there are quite a few that have complex password (leftover from previous attempt?)

No matter what I do, I cannot get this local admin password changed to Passphrase

Any idea how to get ALL the local admin passwords to be in same format?

Thanks

Seb