Microsoft Intune topics

CanReset value flipping on cloud only devices

Mariusz_80 — Fri, 12 Jun 2026 07:06:37 GMT

Hello,

I have a problem with cloud only Windows 11 devices configured with passwordless policy. I have noticed that when you run dsregcmd /status command, CanReset value under User State is flipping between "No" and "DestructiveAndNonDestructive". When it's latter, everything works fine, users can start wizard for facial recognition or make PIN changes under Sign In options in Windows. But when it flips to No, everything is blocked. It seems to happen randomly, you can leave device untouched for few hours and just check dcregcmd and the value will change. CanReset is the only value that changes in the dsregcmd report.

It happens for different devices located on different networks. Also, I have disabled web gateway completely for one device just for testing but no change. Any suggestions would be welcome.

Windows App Update Notification

malithamadushan — Wed, 10 Jun 2026 00:08:45 GMT

Hi everyone,

We have deployed the Windows App for a client. Currently, when an update is available, users are seeing an in app banner that says: "Click here to update the app. Meanwhile you can use the app."

If the user clicks it, the update finishes successfully. However, our organization requires a completely hands off, automated update process. We do not want end-users to have to interact with a notification or manually click a button to keep the app up to date.

Is there a specific Group Policy, registry key or Intune configuration that completely suppresses this in app notification and forces the MSIX package to install silently in the background when the app or machine is idle?

Any advice on how to bypass this "Notification" behavior and enforce touchless updates enterprise wide would be greatly appreciated.

Thanks!

Intune Install Printer Driver

tonybap1 — Tue, 09 Jun 2026 10:12:13 GMT

I am trying to install a Printer driver via a Win32app using System to install.

Have set configuration as below:

Its a simple powershell script which runs perfectly when installing on a device as an administrator.

$printdriver = "PCL6 V4 Driver for Universal Print"

C:\Windows\system32\pnputil.exe /add-driver "r4600.inf" /install

Add-PrinterDriver -name $printdriver

However installing it via Intune I get an event id 215 with failed error code 0x0 HRESULT 0x80070705 on the device.

Any help appreciated.

Intune macOS ADE: support for minimum macOS version enforcement before Platform SSO registration

KacperM — Thu, 04 Jun 2026 20:56:14 GMT

Hi everyone,

I would like to ask whether Microsoft Intune has any supported method, roadmap, or recommended workaround for enforcing a minimum or target macOS version during Automated Device Enrollment before Setup Assistant continues.

The scenario is macOS zero-touch deployment with Intune, Automated Device Enrollment, Setup Assistant with modern authentication, Await final configuration, and Platform SSO registration during ADE.

Platform SSO registration during Setup Assistant depends on newer macOS capabilities. In addition, some macOS deployment scenarios, such as Platform SSO password sync and macOS LAPS, may require or strongly benefit from a specific macOS version being installed before the user completes enrollment.

Today, Intune can manage macOS software updates after enrollment using Declarative Device Management software update policies. However, that does not fully solve the issue where the Mac starts ADE on an older macOS version. In that case, the device may begin Setup Assistant and Platform SSO registration before the required macOS version is installed.

What I am looking for is an Intune-native equivalent of enforcing a minimum or target macOS version during ADE, before Setup Assistant continues.

Ideally, the macOS ADE enrollment profile in Intune would support options such as:

- Minimum required macOS version

- Target specific macOS version

- Target specific build, if supported

- Latest eligible macOS version for the device

- Apply the OS update before Platform SSO registration and final configuration

- Reporting in Intune showing whether the ADE OS update was required, started, completed, skipped, or failed

Without this capability, organizations using Intune-only macOS deployment may still need manual IT staging or macOS restore/update before handing devices to users. This weakens the zero-touch deployment model, especially when adopting Platform SSO registration during Automated Device Enrollment.

1. Is there currently any supported way in Intune to enforce a minimum or target macOS version during ADE before Setup Assistant continues?

2. Is this capability on the Intune roadmap?

3. Are there any recommended workarounds for organizations deploying Platform SSO registration during ADE where a specific macOS version is required?

Thanks in advance for any guidance from the Intune team or the community.

8 hour wait time for Intune when "Configuring team site libraries to sync automatically"

bdenison — Tue, 02 Jun 2026 21:54:41 GMT

I hate this, we dont want to wait for this long to find out it doesnt work because we forgot a curly bracket!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Fix this or give us a solution to manually push this config policy out so we can see it working immediately!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

More exclamation marks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanks!

Intune App inventory Graph

RobV — Tue, 02 Jun 2026 12:46:44 GMT

Hi All,

I've enabled the configuration profile to receive app inventory data in Intune.

In the GUI the data I can view the data just fine, but I would like to use Graph to automate this data and create custom reports.

When I use the following https://graph.microsoft.com/beta/deviceManagement/managedDevices/[device-id]/deviceInventories('ApplicationProperties') I get an error: "Forbidden - 403 - 199 ms Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab" even though the docs I can find about permissions are OK.

Add Security Key Support to Microsoft Authenticator and Managed Home Screen

AbeSummers — Fri, 29 May 2026 13:57:01 GMT

undefined

Edge displays a splash screen saying ‘Sign in to sync your data’

staeheli — Fri, 29 May 2026 08:59:51 GMT

Hello

When the user logs in to a device for the first time and launches Edge, the following splash screen appears, even though we have created the Intune configuration below, which is intended to prevent this.

We have following Intune configuration:

Why does the splash screen still appear?

Broken functionality of macOSWiFiConfiguration policies

MikolajKornas — Thu, 28 May 2026 11:07:01 GMT

I'm having trouble accessing macOSWiFiConfiguration policies. They are completely inaccessible via the Intune admin portal (no actual data is displayed) and the Microsoft Graph API. When using Graph (/beta/deviceManagement/deviceConfigurations or with policyId) an InternalServerError is returned mid-response, resulting in a truncated and malformed body. This error indicates that the 'wifiRequirePhysicalMacAddressEnabled' property (type Edm.Boolean, Nullable = False) has a null value stored in the back end. The policy also fails to load in the Intune which I suspect is caused by the same underlying issue.

ERROR DETAILS:

Endpoint: GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{policy-id}

Error code: InternalServerError

Error message: "The property 'wifiRequirePhysicalMacAddressEnabled[Nullable=False]' of type 'Edm.Boolean' has a null value, which is not allowed."

STEPS TO REPRODUCE:

1. Create a macOSWiFiConfiguration policy in the Intune admin portal. Additional note: front end will attempt to create the policy multiple times (around 20), even though the back end responds with a 201 HTTP code.

2. Try to GET the policy via Graph API (returns InternalServerError with malformed JSON body) or retrieve it using the WebUI (no data is shown).

EXPECTED BEHAVIOR:

The policy should be retrievable via Graph API and visible in the Intune admin portal. The property wifiRequirePhysicalMacAddressEnabled should hold a valid boolean value (true or false).

ACTUAL BEHAVIOR:

Failed to retrieve policy through Graph API and Intune WebUI.

Has anyone else encountered this issue? Does anyone know how can I report this directly to Microsoft? All the options I have found lead me to AI chatbots which unfortunately are not helpful at all.

Thank you.

Is monthly BIOS updates via Intune overkill for enterprise Windows 11

ER2025 — Thu, 21 May 2026 04:28:42 GMT

Hey all,

Looking for some opinions from others managing BIOS and Drivers on enterprise environments.

We’re considering pushing BIOS/firmware updates monthly across our Windows 11 fleet using Intune, but it feels a bit too aggressive.

Is anyone actually doing BIOS updates this frequently?
Do you see real risk in not updating BIOS regularly?
Or do you treat BIOS updates more as “only when needed” (security issue / vendor recommendation)?
Any issues you’ve run into pushing BIOS updates at scale via Intune?

My concern is stability risk vs actual security benefit — feels like monthly might be overkill unless there’s a critical vulnerability.

Keen to hear how others are handling this in production environments.

MS InTune - packaging Amazon DCV client

learnazure_ad — Wed, 13 May 2026 14:01:55 GMT

Hi,

I used the InTune prep tool to bundle the Amazon DCV client. Everything seems to work correctly, bundle created and it uploads well. When I use the company portal to install, it looks like it pushes\installs properly but the DCV client does not run on the laptop after install. This is a .msi package so all the settings are in place when i create the InTune APP in the portal.

Has anyone succesfully bundled DCV in InTune?

Am I missing anything? or anything to try?

Thank you,

Retrieving the “Device inventory” of iOS devices via the Graph API

ATroester — Wed, 13 May 2026 08:46:36 GMT

We use Microsoft Intune to manage our iOS mobile devices.

To achieve the highest possible level of efficiency, we use PowerShell as a supplementary tool for administration.

Since our devices may contain two SIM cards, it is important for us to be able to read this information in order to perform relevant processes (e.g., adding phone numbers to address books).

In general, it would be desirable to be able to read the information from the “Device Inventory” of iOS devices.
For the reasons mentioned above, we would like this information to be made available via the Graph API. Alternatively, there should be a way to provide this information for all devices in a single report.

BYOD devices can't launch Windows 365 PC because of device compliance check during CA policy check.

wcaetano — Mon, 11 May 2026 19:33:33 GMT

We have a device compliance policy for all cloud apps. We would like to allow personal (BYOD) devices to be able to connect to Windows 365 Cloud PC. In the sign in logs we see the failures for application "Windows 365 Client" app id 4fb5cc57-dbbc-4cdc-9595-748adff5f414. We can't exclude that application in the conditional access policy as it's not available. We already added exclusions for Azure Virtual Desktop, Windows 365 and Windows Cloud Login.

How can we allow BYOD devices to connect to cloud PCs?

Policy applied allthough it shouldn't

heinzelrumpel — Tue, 05 May 2026 05:52:11 GMT

Hi,

all of a sudden Intune chaanges its behavior. I have a policy in place that sets persistent browser session. On the device filter tab I excluded devices with this syntax:

device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company"

Starting last week I have to re-authenticate on a remote Desktop running Windows Server 2025 every 8 hours. Thats what the policy requires. In Entra I see in the logs for my user that this conditional access policy applied. I then extended the filter to this

device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company" -or device.operatingSystem -contains "Server"

But it did not make a difference.

Any idea what is going? This is not specific to my tenant. On a different tenant it behaves the same way.

App Enforced Restrictions not working on Chrome

StuartK73 — Thu, 30 Apr 2026 18:14:53 GMT

Hi All

I hope you are well.

Anyway, a strange one here.

We have implemented App Enforced Restrictions on unmanaged / BYOD macOS devices.

This seems to have taken effect on Edge and Safari browsers but not Chrome.

Is there anything we can do to resolve this or force BYOD macOS to use Edge?

Info appreciated.

Reporting on Device CPU and Memory

StuartW — Wed, 29 Apr 2026 07:31:50 GMT

I have a requirement to produce a monthly report on all our Intune managed Windows devices and the applications they have installed. I have written a script that is able to report on UPN, Device Name, Manufacturer, Model, Serial Number, OS, Total HHD and Free space along with all the applications installed. I am however unable to output the devices CPU and Memory details.

I have tried using the Get-MgBetaDeviceManagementManagedDevices with the ProcessorArchitecture and PhysicalMemoryInBytes parameters but these just report 0 or NULL.

What is the best way to report on the CPU and Memory from Intune?

Protect org data on BYOD Windows / macOS devices

StuartK73 — Mon, 27 Apr 2026 07:38:28 GMT

Hi All

I hope you are well.

Anyway, I have a need to protect org data on:

Window personal / BYOD devices
MacOS personal / BYOD devices

What's the best way to achieve this?

My thinking is:

1 X Conditional Access policy that blocks
1 X Conditional Access policy that allows via Edge, no persistent session, no downloads etc
Device filter on both policies that target unmanaged devices

Any other suggestions?

Best approach for migrating AD joined devices to Entra ID without wiping user profiles?

Pranavsethuraman10 — Fri, 24 Apr 2026 08:12:47 GMT

We’ve seen many organizations struggle with device migration when moving from traditional Active Directory (AD) or hybrid environments to Microsoft Entra ID.

The biggest challenge is avoiding user disruption especially when wiping devices causes profile loss, app reconfiguration, and downtime.

In large environments, wipe-and-reload becomes difficult to scale and impacts productivity significantly.

Curious to know how others are handling this:

Are you still using wipe/reimage methods, or are you using alternative approaches that preserve user profiles, applications, and settings?

Would love to hear practical experiences from the community.

Autopilot V1 vs “Device Preparation” (V2): Great direction — but is it enterprise-ready yet?

christiandominguezjp — Fri, 24 Apr 2026 06:39:18 GMT

We evaluated Autopilot v2 but decided to stay on Autopilot v1 for large‑enterprise scale.

Group Tags + dynamic groups are still essential for our device naming, segmentation, and governance model.

We intentionally limit apps in EAS to speed up provisioning, so EAS‑based app deployment in v2 isn’t a compelling advantage for us.

v2 looks promising, but until there’s stronger parity for enterprise‑scale targeting and naming, v1 remains the better fit.

Curious how others at scale are balancing provisioning speed vs. segmentation without Group Tags.

Autopatch - Microsoft 365 Apps Update Rings

PaulJebastin — Thu, 23 Apr 2026 10:49:32 GMT

I’m trying to understand how the UpdateDeferredVersions registry value is updated in an Intune Autopatch scenario, specifically the version and FileTime values.

Registry path:

HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Updates

Example value:

UpdateDeferredVersions = 16.0.19725.20170:13420719560293 | 16.0.19822.20180:13421142577563

I’ve observed the following and would appreciate any clarification:

When I modify deadline or deferral settings via Autopatch (policy changes), the FileTime value does not update.
Is there a delay or specific trigger (e.g., policy refresh, scheduled task, CDN sync) that updates this FileTime?
How exactly is this FileTime calculated? Is it tied to when the build was released, assigned, or when the policy was applied?
Is there any supported way to force or influence this FileTime update?
Or is this value simply tracking when the build cap was issued, with deferral logic calculated relative to that timestamp?

Additionally, I’ve noticed that updates only seem to apply when the FileTime is approximately 4 days behind the current date, is this expected behavior with Autopatch deferral logic? I was able to successfully test this updating FileTime 4 days behind ((Get-Date).AddDays(-4)).ToFileTime().

Any insights into how this mechanism works under the hood (especially with Click-to-Run + Autopatch interaction) would be really helpful.

Below is Autopatch group settings for Microsoft 365 update rings that we set in our environment:

Test - Deferral 0 - Deadline 0

Ring 1 - Deferral 1 - Deadline 0

Ring 2 - Deferral 2 - Deadline 0

Last - Deferral 4 - Deadline 1

Thanks in advance!