Microsoft Intune topics

Best approach for migrating AD joined devices to Entra ID without wiping user profiles?

Pranavsethuraman10 — Fri, 24 Apr 2026 08:12:47 GMT

We’ve seen many organizations struggle with device migration when moving from traditional Active Directory (AD) or hybrid environments to Microsoft Entra ID.

The biggest challenge is avoiding user disruption especially when wiping devices causes profile loss, app reconfiguration, and downtime.

In large environments, wipe-and-reload becomes difficult to scale and impacts productivity significantly.

Curious to know how others are handling this:

Are you still using wipe/reimage methods, or are you using alternative approaches that preserve user profiles, applications, and settings?

Would love to hear practical experiences from the community.

Autopilot V1 vs “Device Preparation” (V2): Great direction — but is it enterprise-ready yet?

christiandominguezjp — Fri, 24 Apr 2026 06:39:18 GMT

We evaluated Autopilot v2 but decided to stay on Autopilot v1 for large‑enterprise scale.

Group Tags + dynamic groups are still essential for our device naming, segmentation, and governance model.

We intentionally limit apps in EAS to speed up provisioning, so EAS‑based app deployment in v2 isn’t a compelling advantage for us.

v2 looks promising, but until there’s stronger parity for enterprise‑scale targeting and naming, v1 remains the better fit.

Curious how others at scale are balancing provisioning speed vs. segmentation without Group Tags.

Autopatch - Microsoft 365 Apps Update Rings

PaulJebastin — Thu, 23 Apr 2026 10:49:32 GMT

I’m trying to understand how the UpdateDeferredVersions registry value is updated in an Intune Autopatch scenario, specifically the version and FileTime values.

Registry path:

HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Updates

Example value:

UpdateDeferredVersions = 16.0.19725.20170:13420719560293 | 16.0.19822.20180:13421142577563

I’ve observed the following and would appreciate any clarification:

When I modify deadline or deferral settings via Autopatch (policy changes), the FileTime value does not update.
Is there a delay or specific trigger (e.g., policy refresh, scheduled task, CDN sync) that updates this FileTime?
How exactly is this FileTime calculated? Is it tied to when the build was released, assigned, or when the policy was applied?
Is there any supported way to force or influence this FileTime update?
Or is this value simply tracking when the build cap was issued, with deferral logic calculated relative to that timestamp?

Additionally, I’ve noticed that updates only seem to apply when the FileTime is approximately 4 days behind the current date, is this expected behavior with Autopatch deferral logic? I was able to successfully test this updating FileTime 4 days behind ((Get-Date).AddDays(-4)).ToFileTime().

Any insights into how this mechanism works under the hood (especially with Click-to-Run + Autopatch interaction) would be really helpful.

Below is Autopatch group settings for Microsoft 365 update rings that we set in our environment:

Test - Deferral 0 - Deadline 0

Ring 1 - Deferral 1 - Deadline 0

Ring 2 - Deferral 2 - Deadline 0

Last - Deferral 4 - Deadline 1

Thanks in advance!

Intune application migration & app management

Lior_Bela — Tue, 21 Apr 2026 15:50:59 GMT

Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era.

Start here

Read Face the future today by moving your application to cloud native
Bookmark the Microsoft Intune planning guide

Navigate to:
Why app migration matters | Application packaging partners | Frequently asked questions

Why app packaging matters

Centralizing application management in Intune can deliver operational benefits such as unified enforcement and improved security posture—while supporting broader modernization goals.

Common blockers that slow cloud-native adoption include:

App compatibility and dependency complexity
Manual repackaging effort at scale
Risk of disruption during cutover

Application packaging partners

To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption.

Note: The app migration services listed on this page are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome.

Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting.

Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT.

Frequently asked questions

Q: Is this a Microsoft-managed service?
A: No. Partner offers are provided directly by partners and subject to partner terms; Microsoft makes no guarantees regarding availability or outcomes.

Q: What kinds of apps can these paths help with?
A: The published focus is on helping migrations from Conifguration Manager to Intune, including complex legacy and line-of-business apps.

Q: Where do I start if I’m early in planning?
A: Start with the Intune Planning Guide and Migration Guide.

Adobe reader update deployment via Intune

KarthickJokirathinam — Mon, 20 Apr 2026 06:28:32 GMT

Hi Team, can we integrate and deploy Adobe reader update automatically via Intune or we need to create package and deploy latest version every month.

Edge update deployment via Intune

KarthickJokirathinam — Mon, 20 Apr 2026 06:25:02 GMT

Hi Team, I am planning to deploy edge stable channel update from intune every month. Can anyone share the process & configuration settings in intune

Which Entra account are you supposed to use to connect to a managed Google Play account?

RyanSteele-CoV — Fri, 17 Apr 2026 20:47:42 GMT

At Connect Intune account to managed Google Play account - Microsoft Intune | Microsoft Learn, it says:

We recommend using the Microsoft Entra account you're signed into to create the Google Admin account.

So I used my Entra account to set it up. Now, though, when I look at the Managed Google Play item in Intune under Devices > Android > Enrollment, it has my email address under "Linked account".

Was I supposed to create a shared Entra account to make this connection? What happens when I leave the org?

How to repair an application deployed via Intune with no admin rights

sylsimp1 — Fri, 17 Apr 2026 15:42:40 GMT

Hi,

I would like to know how to repair an applcation deployed by Intune. User has no admin rights , so via control panel is not an option. User is not set as primary user on device.

Thks for all comments

Platform SSO "Page not found" on macOS Tahoe 26.4 — Company Portal 5.2602

mek-a2 — Wed, 15 Apr 2026 06:49:42 GMT

Environment:

macOS Tahoe 26.4
Company Portal 5.2602.0 (latest as of April 2026)
Microsoft Intune — Automated Device Enrollment (ADE)
Platform SSO with Secure Enclave (UserSecureEnclaveKey)
SSO Extension: com.microsoft.CompanyPortalMac.ssoextension / Team ID: UBF8T346G9
URLs configured: https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net
Device: MacBook Pro 14" (Apple Silicon), supervised, ADE-enrolled

Issue:

During Platform SSO registration, after the user authenticates successfully in the SSO registration prompt, Company Portal crashes with a "Page not found" error. The registration never completes — no WPJ certificate is created, no SSO registration key is stored in the Secure Enclave.

Console logs show:

CompanyPortalMac: URL(filePath:) API misuse — usingass old file path API which does not support security scoped bookmarks

The error occurs specifically at the token exchange step after authentication, suggesting the Company Portal binary is calling a deprecated macOS file URL API that Tahoe 26.4 now enforces more strictly.

What we tried:

Full wipe and re-enrollment via ADE
Removing and reinstalling Company Portal via Intune
Different user accounts
Verified SSO extension profile is correctly applied (confirmed via profiles show -type configuration)
Verified network connectivity to Microsoft identity endpoints
Tested on a clean macOS Tahoe 26.4 install — same result

Expected behavior:

Platform SSO registration completes, WPJ certificate is created, and SSO token is cached for seamless authentication.

Actual behavior:

"Page not found" after authentication in the SSO registration flow. Console shows the URL(filePath:) API misuse warning. Registration fails silently — no error surfaced to the user beyond the page not found screen.

Question:

Is this a known bug in Company Portal 5.2602 with macOS Tahoe 26.4? Is there a newer build or hotfix addressing the URL(filePath:) deprecation? Any workaround available?

Tags: Platform SSO, macOS, Company Portal, ADE, Intune

Intune enroll on redhat 10 KDE

Brike — Fri, 10 Apr 2026 10:05:44 GMT

**intune-portal 1.2603.31 fails to authenticate on RHEL 10 KDE Plasma — Misconfiguration(0) in gtk4/actions.rs**

**Environment**

- OS: Red Hat Enterprise Linux 10

- Desktop: KDE Plasma (Wayland, XDG_SESSION_DESKTOP=plasma)

- intune-portal: 1.2603.31-1.el10.x86_64

- microsoft-identity-broker: 3.0.1-1.el10.x86_64

- xdg-desktop-portal-kde: 6.4.5-1.el10_1.x86_64

- webkitgtk6.0: 2.50.4-2.el10_1.x86_64

**Summary**

The Intune portal fails to complete authentication on KDE Plasma. The same machine, same user account, and same tenant works correctly under GNOME on the same RHEL 10 install. The only difference between the working and non-working sessions is XDG_SESSION_DESKTOP (gnome vs plasma).

**Error**

The portal throws the following Rust error when attempting to start a login:

```

[intune-portal/src/gtk4/actions.rs:103:29] e = Error {

context: "Starting a new login",

source: Misconfiguration(

}

```

The OneAuth logs show:

- `No accounts found in the OneAuth account store`

- `Auth params authority is empty`

- `MATS device telemetry disabled`

This results in a [4kv4v] error in the Microsoft auth window with Code: 0.

**Additional findings during investigation**

1. On RHEL 10, the KDE portal service is named `plasma-xdg-desktop-portal-kde.service` rather than the expected `xdg-desktop-portal-kde.service`. This means it is not auto-discovered without explicitly starting it, which is a secondary issue.

2. Overriding `XDG_SESSION_DESKTOP=gnome` at launch does not resolve the Misconfiguration(0) error, suggesting the portal reads the session desktop variable at startup rather than at auth time.

3. The auth flow reaches the broker, the broker starts MSAL, but the portal fails to pass authority parameters, so the login flow never presents a credential prompt to the user.

**Steps to reproduce**

1. Install intune-portal 1.2603.31 on RHEL 10

2. Log into a KDE Plasma Wayland session

3. Launch intune-portal and attempt to sign in

4. Observe Misconfiguration(0) error — no login prompt is shown

5. Log out, log into GNOME on the same machine

6. Launch intune-portal — authentication completes successfully

**Expected behaviour**

Authentication should work on KDE Plasma in the same way it does on GNOME.

**Workaround**

None found. Using GNOME is the only current option on this machine.

SSID connection using intune pushed profile kept prompting manual login

SSChew — Thu, 09 Apr 2026 07:18:13 GMT

Hi, anyone encountered an issue where users connecting to an SSID with 802.1X authentication using an Intune-pushed Wi-Fi profile (with credential caching enabled) are still being prompted to enter their credentials manually? However, it works fine by configuring the network connection protocol manually. Thank you.

Intune Device Reset Issue After Recent Update

Parth49 — Wed, 08 Apr 2026 17:40:55 GMT

Hi everyone,

We’re currently running into an issue with device reset scenarios in our environment and wanted to check if others are seeing something similar or have identified a reliable workaround.

Environment:

• Windows 11 25H2

• Windows Autopatch enabled

• Devices managed via Intune

Issue: When initiating any of the following actions from the Intune portal:

• Autopilot Reset

• Fresh Start

• Wipe

…the process consistently fails at around 38–40%.

Observations:

• Event Viewer logs Event ID 4502 during the failure.

• This behavior started after applying a recent update.

Troubleshooting performed:

• We attempted to repair/rebuild the WinRE partition using the WinRE.wim from the latest Windows 11 ISO.

• After this repair, the reset process completes successfully.

However:

• Post-reset, during re-enrollment, the device fails at the Account Setup (ESP) stage.

Support status:

• We had a case opened with Microsoft but they said that Reset was triggered from intune and reset process started on device so they cannot check anything further from their end and they have not received any similar cases or not aware of any known issue

Has anyone else encountered:

• Reset failures around 40% with Event ID 4502?

• Issues tied to WinRE after recent updates?

• Enrollment failures post-reset (ESP Account Setup stage)?

If so, have you found:

• A root cause?

• A stable remediation or workaround?

Appreciate any insights or shared experiences.

Thanks!

Hybrid Azure AD joined device not enrolling into Intune

Ankido88 — Wed, 08 Apr 2026 16:14:54 GMT

Issue

A Windows device successfully registers in Entra ID (Hybrid Azure AD join) but never enrolls into Intune.

Result:

Device appears in Entra ID
Device does not appear in Intune
Intune Management Extension is not installed
Device remains SCCM‑only (co‑management never starts)

Log (CoManagementHandler.log):

EnrollmentUrl = (null) Device is not MDM enrolled yet. All workloads are managed by SCCM.

Environment

Windows 10/11
Hybrid Azure AD Join
On‑prem AD + MECM (Cloud Attach / Co‑management enabled)
Microsoft 365 E3 (Intune license assigned)
Device on corporate trusted network

What I’ve done

Verified Azure AD join and MDM URL
Confirmed MDM user scope = All
Verified Intune enrollment restrictions allow Windows
Verified user has Intune license
Identified Conditional Access policy targeting “Register or join devices”
Updated that CA policy to Exclude → Microsoft Intune Enrollment
Waited for replication and retried enrollment (deviceenroller.exe /c /AutoEnrollMDM)

Question

Despite excluding Microsoft Intune Enrollment, the device still does not enroll into Intune.

App Protection: Custom app vs Partner app

hw2B440 — Wed, 08 Apr 2026 13:24:25 GMT

Is there any functional difference in using an app protection policy to manage a public partner app versus a custom application?

We have an app vendor that says they wrapped their app with the SDK but it is not on the partner list so we cannot pick it from the public app list. Which leaves us with the custom app option. Is the functionality the same? Will it show up on the app protection report, work with conditional access policies, other Microsoft solutions, etc.?

Thank you -

Jessie

Webinar Cancellation

emilyfalla — Tue, 07 Apr 2026 01:46:53 GMT

Hi everyone,

The webinar “Re‑Envisioned: The New Single Device Experience in the Intune Admin Console,” originally scheduled for April 7 at 9:00 AM Pacific Time, has been cancelled at this time.

We plan to reschedule the session, and when a new date is confirmed, it will be shared at http://aka.ms/securitycommunity

We sincerely apologize for the inconvenience and appreciate your continued engagement with the Microsoft Security Community.

Company Portal Profile installation failed on iPhone - Status code 400

AmberH675 — Mon, 06 Apr 2026 21:58:24 GMT

Hello,

I've been managing mobile devices through InTune for almost a year.

Most of our devices are iOs - I add the phone to the Apple Business Manager - wait for it to appear in InTune - then install company portal, and log my user in. This pushed out software etc to the phone.
I successfully set one up on Thursday.

Today I'm trying to set a new one up and I can't get the Company Portal profile to install. I get a long error, ending in Status Code 400.
This error happens often, but usually if I try again, it works. Recently I thought I had discovered the issue, and have started ensuring the iPhones are updated before installing Company Portal. But nothing works with this phone.

Any suggestions?

Thanks in advance!
Amber

Intune iOS User-Based App Targeting

Braaaaaad — Thu, 02 Apr 2026 19:48:09 GMT

I’ve noticed an issue with user-based targeting and was wondering if this is an issue, or I'm just using it wrong.

Lets say I want an iOS app to be deployed out to a user group, but only to company owned devices of those users. I set the assignment for required user group and assign an Include filter for corporate owned devices. If this app is also Available for All Users, then the app deploys out to all devices from the required user group, even their personal devices. It basically forgets there is a filter for the required user group assignment.

Any way around this? It feels like a glitch in how Intune deploys apps.

Intune MAM - Questions about Company Data Removal

lilbopeeps — Tue, 31 Mar 2026 17:32:01 GMT

Hey all, we're looking to deploy Intune MAM for an organization.

The organization only has BYOD devices (users have their own personal phones and company-provided phones are NOT an option.)

Our end goal is the ability to wipe company data from a phone once a user has been offboarded (Outlook, Teams, etc.).

To reduce friction, we identified that MAM may be the policy to allow for company data removal with little to no friction.

Upon doing some reading, we came across a source that said that if a user uninstalls the broker agent (Intune Company for Android and Microsoft Authenticator for iOS), that an App Selective Wipe will NOT complete, especially if the user uninstalls the app BEFORE the wipe or DURING the pending wipe.

Has this been the case for anyone else and do you have suggestions as how we can get to our end goal?

Data Removal using MAM Policies

lilbopeeps — Tue, 31 Mar 2026 17:25:25 GMT

undefined

IOS - Embedded Webkit - Not Reporting Correct Device info

NexusEgo — Mon, 30 Mar 2026 20:36:33 GMT

It appears that with the latest iOS versions (26.3.1 through 26.4), applications that rely on an embedded WebKit for sign-in are no longer reporting accurate device details within Device Info.

Users have company-issued phones that are successfully enrolled in Intune, but when they attempt to sign in to Apple Mail, Conditional Access is denying the login. After reviewing the logs, iOS is reporting the OS version as 18.7.0 to Intune, even though the device is actually running iOS 26.4. Additionally, the device information is coming through as blank, so attributes are not being evaluated. When looking at other logins via the outlook app on that device it all appears normal and works.

Has anyone else observed this behavior where WebKit is sending incorrect data to Intune? Does anyone know of a workaround other than relaxing Conditional Access policies?