Company Portal
14 Topics

Microsoft Intune Company Portal for Linux and Conditional Access Issue
Greetings everyone,

I have the following scenario implemented regarding conditional access:

Rule#1: For pilotuser1, for all cloud apps, for all platforms --> require MFA
Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require Device marked as compliant

This should allow me to enroll to Intune successfully a non-enrolled device and require the device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux.

Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn I installed Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04.

I open the Intune App and try to sign in: First step is to Register the Device on Azure AD, it goes without a problem --> On the next stage I get the following and press continue: At this stage Microsoft Edge opens and I sign in successfully but the Intune App throws an error: The sign in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough.

Sign-in error code: 530003
Failure reason: Your device is required to be managed to access this resource.
Additional Details: The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation
Application: Microsoft Intune Company Portal for Linux
Application ID: b743a22d-6705-4147-8670-d92fa515ee2b
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Client app: Mobile Apps and Desktop clients
Client credential type: None
Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2
Token issuer type: Azure AD

Apparently something is different in the enrollment process of Linux because I had no issues with Windows 10 enrollment. Any thoughts on the subject would be appreciated.

Kind Regards,
Panos

15K Views, 1 like, 17 Comments

Deploying Win32 Apps that use scripts to install - first install takes forever
I am trying to deploy some apps that use scripts packed in the intunewin package and deployed to Company Portal as Win32 apps. So far I use both .cmd and .ps1 script files, and at deployment to Intune these script files are called as the Install and Uninstall commands.

My problem is that the first attempt to Install these apps through Company Portal takes forever to install, usually sitting in the "download pending... your device is syncing" stage for well over 30 minutes. However, once that first install completes, and thankfully it usually completes successfully, any subsequent app install that uses a script installer finishes with a much more appropriate speed where it is not sitting at "download pending" for more than 1-2 minutes.

The IME log does not have anything jumping out (TBH I don't really know what to look for though). Based on this article https://call4cloud.nl/win32app-ime-installation-phases-intune-troubleshoot/ it does not even look like any of the Win32 install steps begin until the long "download pending" cycle ends.

We also have both MS Store and Win32 apps that are straight up MSIs or EXEs. None of these exhibit the same first run "download pending" delay. This is only happening on the intunewin-wrapped installs that call a script to install the application. As mentioned before, this is exclusively a problem for the first time a script based application attempts to install from Company portal. Subsequent installers with scripts proceed without the excessive "download pending" delay.

Can anyone help me figure what is causing this excessive "Download Pending" delay when installing Win32 apps that use a bundled script to install?

Thanks!

875 Views, 0 likes, 5 Comments

Allow non-admins to install apps from Company Portal
How to allow users without local administrator permissions to install Microsoft Remote Help?

The Microsoft Remote Help application is featured on Company Portal (app & Web). Users can click "Install", but then they get a UAC credential prompt, asking them for an admin username & password. This is not what is expected from Intune:

Another important layer is security. Normally, installing apps would require installation rights, for example, local administrator permissions on your Windows 10 Enterprise endpoint. Delivering your app via Microsoft Endpoint Manager allows you to assign and install apps – in a modular fashion – without the need to make the user a local administrator. [https://subscription.packtpub.com/book/cloud-and-networking/9781801078993/11/ch11lvl1sec81/application-delivery-via-microsoft-endpoint-manager]

4K Views, 0 likes, 2 Comments

App installation failed: Company Portal (Error code: 0x8024001E)
Operating system: Windows 11 Enterprise
Operating system version: 10.0.22631.3737
Machine: Latitude 5540

Hi All,

I'm having trouble with one of our machines failing to install Company Portal. Can you shed any light on this?

The error message from Managed Apps is:

App installation failed
18/06/2024 09:37:27
Hide details
Error code: 0x8024001E
Unknown

I've gone through the IntuneManagementExtension logs and can see these messages which relate to the Company Portal app ID "dc644022-cb6b-4c8a-b083-005392143a58"

[Win32App][WinGetApp][WinGetAppDetectionExecutor] Completed detection for app with id: dc644022-cb6b-4c8a-b083-005392143a58.
WinGet operation result:
Operation result = NotDetected
Installed version =
Reboot required = False
Installer Error code =
Extended error code =
Detection result:
Action status: Success
Detection state: NotDetected
Detected version:
Error code:
IntuneManagementExtension 24/06/2024 10:10:01 21 (0x0015)

[Win32App] Toast message with: "C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe" -toast "ToastFailureMessage" "ODk3LU9TLUNvbXBhbnkgUG9ydGFs" "eyJDb21wYW55TmFtZSI6IkJyb3duIGFuZCBCcm93biwgSW5jIiwiQ29sb3JCYWNrZ3JvdW5kTG9nb1VyaSI6Imh0dHBzOi8vZmVmLm1zdWEwMS5tYW5hZ2UubWljcm9zb2Z0LmNvbS9Db250ZW50U2VydmljZS9TQ1NlcnZpY2UvQ29udGVudHMvYjBiMmQyNTgtOWM1YS00NDNjLWJiOTEtZTlmZGI1ZmE4YmZhIiwiV2hpdGVCYWNrZ3JvdW5kTG9nb1VyaSI6Imh0dHBzOi8vZmVmLm1zdWEwMS5tYW5hZ2UubWljcm9zb2Z0LmNvbS9Db250ZW50U2VydmljZS9TQ1NlcnZpY2UvQ29udGVudHMvMGE3NWZhYzUtYzE4NS00NTE3LWFiNWUtODkxNjY5ZDQwZWU3IiwiQWNjZW50Q29sb3IiOi0xNjc0NzgzNH0=" "0"
IntuneManagementExtension 24/06/2024 10:10:01 21 (0x0015)

[Win32App][ReportingManager] Sending status to company portal based on report:
{"ApplicationId":"dc644022-cb6b-4c8a-b083-005392143a58","ResultantAppState":2,"ReportingImpact":{"DesiredState":3,"Classification":2,"ConflictReason":0,"ImpactingApps":[]},"WriteableToStorage":true,"CanGenerateComplianceState":true,"CanGenerateEnforcementState":true,"IsAppReportable":true,"IsAppAggregatable":true,"AvailableAppEnforcementFlag":0,"DesiredState":2,"DetectionState":2,"DetectionErrorOccurred":false,"DetectionErrorCode":null,"ApplicabilityState":0,"ApplicabilityErrorOccurred":false,"ApplicabilityErrorCode":null,"EnforcementState":5000,"EnforcementErrorCode":-2145124322,"TargetingMethod":0,"TargetingType":2,"InstallContext":2,"Intent":3,"InternalVersion":1,"DetectedIdentityVersion":null,"RemovalReason":null}
IntuneManagementExtension 24/06/2024 10:10:02 21 (0x0015)

[Win32App][WinGetApp][WinGetAppApplicabilityExecutor] Completed applicability check for app with id: dc644022-cb6b-4c8a-b083-005392143a58.
WinGet operation result:
Operation result = Ok
Installed version =
Reboot required = False
Installer Error code =
Extended error code =
Applicability result:
Action status: Success
Applicability state: Applicable
Applicability state message: Applicable
Error code:
IntuneManagementExtension 24/06/2024 10:09:59 21 (0x0015)

[Win32App][WinGetApp][AppPackageManager] An error occurred during app install or upgrade. Installer error code: -2145124322. Exception: System.Exception: Exception from HRESULT: 0x8024001E.
IntuneManagementExtension 24/06/2024 10:10:01 16 (0x0010)

[Win32App][WinGetApp][WinGetAppExecutionExecutor] Completed execution for app with id: dc644022-cb6b-4c8a-b083-005392143a58.
WinGet operation result:
Operation result = InstallError
Installed version =
Reboot required = False
Installer Error code = -2145124322
Extended error code = -2145124322
Execution result:
Action status: Failed
Enforcement state: Error
Reboot status: Clean
Error code: -2145124322
IntuneManagementExtension 24/06/2024 10:10:01 21 (0x0015)

2.9K Views, 0 likes, 3 Comments

Company Portal on Windows 10 Installs OK but then reports Error installing itself
Hi,

I have an odd issue where the Company Portal app installs fine from Intune to the customer's Windows 10 devices, but then when the users launch the Company Portal, it reports an error installing itself. The logs seem to show an unknown error with the detection method but that can't be right or everyone would have the same problem. The customer is not content to ignore the error for their production roll-out and wants it fixed despite it not being a show-stopper.

The Intune Management Portal shows no errors on the App itself though - just successful installs. The App is targeted as a SYSTEM installation to devices so that it can be installed in future during Autopilot.

Has anyone any ideas or assistance to give on this one?

Relevant bits from the IntuneManagementExtension.log where the Company Portal AppID is ff4f4f74-e468-4078-958f-8610c1ca5afd:

[Win32App][ReportingManager] App with id: ff4f4f74-e468-4078-958f-8610c1ca5afd and prior AppAuthority: V3 has been loaded and reporting state initialized.
ReportingState: {"ApplicationId":"ff4f4f74-e468-4078-958f-8610c1ca5afd","ResultantAppState":null,"ReportingImpact":null,"WriteableToStorage":true,"CanGenerateComplianceState":true,"CanGenerateEnforcementState":false,"IsAppReportable":true,"IsAppAggregatable":true,"AvailableAppEnforcementFlag":0,"DesiredState":0,"DetectionState":null,"DetectionErrorOccurred":true,"DetectionErrorCode":null,"ApplicabilityState":null,"ApplicabilityErrorOccurred":true,"ApplicabilityErrorCode":null,"EnforcementState":null,"EnforcementErrorCode":null,"TargetingMethod":0,"TargetingType":2,"InstallContext":2,"Intent":3,"InternalVersion":1,"DetectedIdentityVersion":"11.2.448.0","RemovalReason":null}
IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D)

[Win32App][V3Processor] Processing subgraph with app ids: ff4f4f74-e468-4078-958f-8610c1ca5afd
IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D)

[Win32App][GRSManager] Reading GRS values from storage path: 5a8f478b-517d-4a63-b97f-f33987b05153\GRS\twv3BIJb4WsoddzXod/pwqNlo19+s+LPLUdZhY6q4LA=\.
IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D)

[Win32App][GRSManager] App with id: ff4f4f74-e468-4078-958f-8610c1ca5afd has no recorded GRS value which will be treated as expired. Hash = twv3BIJb4WsoddzXod/pwqNlo19+s+LPLUdZhY6q4LA=
IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D)

[Win32App][ReevaluationScheduleManager] Subgraph reevaluation interval is not expired. Hash = twv3BIJb4WsoddzXod/pwqNlo19+s+LPLUdZhY6q4LA=
IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D)

[Win32App][GRSManager] Found GRS value: 12/21/2023 06:21:19 at key 5a8f478b-517d-4a63-b97f-f33987b05153\GRS\PVGpxHzXpHKuoPdrvcewPLbyQfOF+gAOmQqXqXWH5sU=\ff4f4f74-e468-4078-958f-8610c1ca5afd.

[StatusService] Returning status to user with id: 5a8f478b-517d-4a63-b97f-f33987b05153 for V3-managed app with id: ff4f4f74-e468-4078-958f-8610c1ca5afd and install context: System. Applicability: Unknown, Status: Failed, ErrorCode: 0

3.9K Views, 0 likes, 3 Comments

Company Portal Stuck In Download Pending/Device Syncing Loop
Hi all,

We published our first internal app and are attempting to distribute it with the Company Portal. I have it set to be available to all users. When I try to install it, it says "Download pending... Your Device Is Syncing and will begin downloading your app shortly". After a few seconds, it just says "Download pending..." for a few seconds and then goes back to "Download pending... Your Device Is Syncing and will begin downloading your app shortly". It repeats in this loop forever.

If I go to settings in the app, it will appear to be syncing, then it will appear to complete (with success). I can manually sync with no errors.

Thoughts?

T

182K Views, 0 likes, 20 Comments

WDAC Managed Installer: Company Portal
Hello,

I've successfully created and pushed our WDAC policy using Intune & OMA-URI. In the WDAC policy I've enabled installations through a "Managed Installer" and want to add Intune\Company Portal as the managed installer, but I have not been able to.

The only instructions I have found to accomplish this is this link (https://www.msworkplace.blog/en-us/entry/windows-defender-application-control-part-2). The script offered on the page executes, but errors out (even locally with an admin/elevated PowerShell). It fails with this error:

Does anyone know why it is failing, or have a better solution to "whitelist" Intune/Company Portal as a Managed Installer?

Thanks,
Brandon

1.6K Views, 0 likes, 1 Comment

Win32 applications are not appearing in the company portal
Hello,

I am new to Intune and am experiencing an issue with Win32 apps not appearing in the company portal application. I can upload line-of-business apps and these apps do appear in the company portal application and I can install them successfully. However, I seem to be missing something when uploading Win32 apps.

To clarify, the Win32 application's Assignment is set under "Available for all enrolled devices" to a group that contains the Intune user who is logged in to the company portal.

Any ideas why I can upload LOB apps to the company portal but not Win32?

Thanks
Joe F

913 Views, 0 likes, 0 Comments

Force user to choose device category after autopilot process
Hi all 🙂

Is there a possibility to force the user to choose a device category after the autopilot process?

My vision:
- the company portal app starts after the first login
- the user can't do anything in other apps/windows (only choose the device category in company portal)
- then the user can use the device without limitations

Thx for your help 🙂

654 Views, 0 likes, 1 Comment

Intune Company Portal App Missing Android
Hello,

We are enrolling Android devices to Intune using Zero Touch enrollment. Devices are enrolled as fully managed corporate devices. After the enrollment, there is no "Intune Company Portal" app in the app drawer. I check Settings > Applications and the Play Store and it says the app is installed, but I cannot find it. Intune and Authenticator app are installed and appear in the app drawer.

I have tried enrolling with Intune Company Portal unassigned and assigned from Intune, but it makes no difference.

Any ideas on what the issue could be?

Thank you very much for your help.

Solved

23K Views, 0 likes, 8 Comments