Windows Hello - optional
Hello community, I'm trying to set Windows Hello as optional (not forced) for users in our org. Currently we have security group for people who asked for Windows Hello to be enabled for them. All devices are Windows 11 fully managed by Intune. Current Win Hello solution is provided by Intune policy - identity protection - "Configure Windows Hello for Business". It works, but as mentioned I would like to make it optional for everyone in our org so users can decide whether use it or not. Is it possible?
Intune Graph API deviceStatuses missing device shown in portal
Hello, I am retrieving device status for an Intune configuration profile using Microsoft Graph API. API request: GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{policyId}/deviceStatuses Issue: In the Intune portal, a device shows Success status for the configuration profile under: Devices → Configuration profiles → Device status However, when retrieving the same data using the Graph API endpoint above, that device does not appear in the API response. Observations: In the Intune portal, the policy shows one device with Success status. But the Graph API response returns different devices and does not include the device visible in the portal. Example response (sanitized): deviceDisplayName: Device-A status: unknown deviceDisplayName: Device-B status: unknown Questions: Why would a device appear in the Intune portal device status but not in the Graph API deviceStatuses response? Is there a delay in data synchronization between the Intune portal and Graph API? Is there another Graph endpoint recommended for retrieving all device configuration status results? Additional details: Graph API version: beta Permission used: DeviceManagementConfiguration.Read.All Tested using Graph Explorer Any insights would be appreciated.
Issue with Android iOS Wi-Fi authentication using certificates EAP-TLS with NPS
I am trying to configure Wi-Fi authentication for Android and iOS devices using certificates (EAP-TLS). I followed the guide below Support Tip - How to configure NDES for SCEP certificate deployments in Intune | Microsoft Community Hub, and I am able to successfully deploy certificates to the devices. The certificates are installed correctly on the final devices, so the distribution part seems to be working fine. However, the devices are not able to authenticate to the Wi-Fi network. The connection fails during authentication, and from what I can see the issue seems to be related to NPS. My doubt is specifically about the NPS configuration. In the guide, user or computer groups are usually added in the network policy conditions, but in my scenario I cannot rely on adding users or groups, since authentication should be based only on the certificate. I am unsure how to correctly configure NPS to accept these devices using certificate-based authentication without assigning them to a security group. Has anyone already faced this situation or can explain how NPS should be configured in this case? Any guidance or example configuration would be greatly appreciated. Thank you in advance.Edge for Android Smartscreen
Hi All I hope you are well. Anyway, is it possible to configure Edge for Android Smartscreen to: Prevent end user bypass Block potential risky downloads I can see various methods and guides pointing to Edge App Configuration policies but just cannot seem to get the this to work on Android Enterprise Fully Managed devices. Any help would be great. SK
Erweiterungsmanagement im Browser
We would like to distribute browser extensions in Edge via Intune in a granular manner. The problem is that assigning two profiles with different extensions leads to a conflict. We would like to be able to assign extensions individually and assign multiple different profiles with different browser extensions to a user. With the current options, it becomes very complex and error-prone when there are multiple extensions with different user groups. Or have I overlooked a possibility?Block Local Logon to enrolling user of an Intune Managed Device
Has anyone successfully managed to deploy a security baseline template or Configuration profile or proactive remediation script that can successfully block any AAD user from being able to logon to an Intune managed device, other than the user who enrolled the device? I have a use case of an industutrial type device where we use a secure shared logon credential who is also the enrolling user, and i want to prevent anyone with an account loggin goff the primary user account and loggingin with their own personal account. The issue i seems to face now is the policy is not able to evaluate the AAD group where i assign the user account/accounts allowed to logon, and i subsequently end up blocking all local logons. ThanksHow to create a dependency using Graph API in PowerShell
hi, I used following documentations to create a dependency via Graph API in Powershell: https://learn.microsoft.com/en-us/graph/api/intune-apps-mobileappdependency-list?view=graph-rest-beta https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.devices.corporatemanagement/new-mgbetadeviceappmanagementmobileapprelationship?view=graph-powershell-beta Both ways give me the same error: New-MgBetaDeviceAppMgtMobileAppRelationship : No OData route exists that match template ~/singleton/navigation with http verb POST for request /AppLifecycle_2602/StatelessAppMetadataFEService/deviceAppManagement/mobileAppRelationships. Status: 400 (BadRequest) ErrorCode: No method match route template Seems like these Endpoints do not support POST/PATCH requests at all. Is there any other way to create a dependency using Graph API in PowerShell?
Domain Join Configuration Profile suddenly erroring out.
Good morning, I have never posted on here, so I hope this goes through. I have been working on getting HAADJ Autopilot setup in my organization the past few weeks and it has been going well so far, except for yesterday. In my testing I have successfully deployed a few machines using HYAAD Autopilot process with not many issues. Yesterday I pre-provisioned a laptop with no issues, it domain joined and Entra joined and I was able to reseal. A few minutes later I tried a different machine and then it didn't work on that machine. Since then I have been trying multiple machines, and it seems to not be working now at all. I am not sure what broke or changed in my environment that caused this to change. I am very new at Intune and picked up this environment from a team that left a few months ago, so it is a miracle I have gotten this far by myself, but now I am at a complete loss. This just broke on me and I have no lead as to what may have caused this. Please if anyone has ANY ideas on where to start for this please let me know. Google has not been much help. This is what I see when I check the report on the domain join config profile:Microsoft #IntuneForMSPs resource guide
Welcome to your home for all things #IntuneForMSPs! Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business by combining productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 with the multi-tenant management capabilities of you, our partners. Join us for #IntuneForMSPs community meetups to hear first-hand experiences with configuring and managing customer tenants, gain best practices, and get answers to your questions, live and on demand. Upcoming monthly #IntuneForMSPs meetups: Advanced automation and PowerShell for Intune - March 17th, 2026 at 8:00 a.m. PT (3:00 p.m. UTC) Past #IntuneForMSPs meetups – now available on demand! Planning your customers' Intune migration - February 17th, 2026 Getting started with Microsoft #IntuneForMSPs - January 20th, 2026 Jump to: Marketing and business development | Demos and tutorials | Multi-tenant management partners | Application packaging partners | Microsoft communities | Select content from Microsoft MVPs In the spotlight Download the Business Premium best practice deployment guides: Identity and access controls best practice deployment Device enrollment best practice deployment Email & App Protection best practice deployment Device security best practice deployment Data security best practice deployment Marketing and business development Start by joining Microsoft Partner programs AI Business Solutions for Partners Microsoft Security Partners Join the Partner Skilling Hub for Free Go to Microsoft Partner Skilling Hub Create your free account Select Solution areas of interest Intune content: AI Business Solutions, Security Recommended modules Implement with impact: Endpoint Management with Microsoft Intune | Microsoft Partner Skilling Hub Implement with impact: Implement Identity and access management with Microsoft Entra - Modules Download this customizable campaign in a box Protect My Devices BoM Demos and tutorials Whether deploying solutions for yourself or for your customers, these resources can help you with prescriptive ‘do this next’ guidance to get you up to speed quickly. Download the Business Premium best practice deployment guides: Identity and access controls best practice deployment Device enrollment best practice deployment Email & App Protection best practice deployment Device security best practice deployment Data security best practice deployment Follow along with the companion videos: Achieve greater security and productivity with Microsoft Intune and Microsoft 365 Explore click-through interactive guides for more advanced instruction: Microsoft Intune guided demos Topics include configuring app protection policies, configuring Conditional Access, updating Windows from the cloud, configuring corporate devices, deploying and managing line of business (LOB) apps, enabling Universal Print, accessing corporate resources on personal-owned devices, setting up Windows Autopilot for new device delivery, and reducing bandwidth consumption with Delivery Optimization. Multi-tenant management partners Microsoft Intune is proud to collaborate with leading global providers of multi-tenant Intune management solutions. These companies are building innovative capabilities on top of Microsoft Intune, Microsoft Security, and the broader M365 platform. Their companion solutions allow MSPs to: Centrally view and manage all customer tenants and action items through a unified partner dashboard. Take action across environments, leveraging Intune for device management, cloud security, and compliance. Standardize security settings, automate onboarding, and ensure policy consistency at scale-no more repetitive, manual tasks or risky policy drift. Importantly, this is a collaboration. These solutions are independent companions, offering their unique workflows and advanced automation features alongside the Intune platform. Click the image below to watch the Microsoft Intune multi-tenant management video with Jonathan Edwards. Nerdio overview Nerdio brings deep automation and analytics to Intune, Windows 365, Azure Virtual Desktop, and the broader Microsoft cloud. MSPs benefit from multi-tenant dashboards, global policy insights, role-based access, centralized app deployment, and automatic policy versioning with rollback and drift correction. Nerdio’s tooling is designed specifically for MSPs and scales from small teams to large enterprise portfolios. Get more details at Nerdio’s landing page: aka.ms/IntuneforMSPs/Nerdio. Nerdio knowledge hub inforcer overview inforcer empowers MSPs to standardize Microsoft 365 and Intune policies across all tenants, automate environment configuration, monitor compliance in real time, and reduce risk through policy drift detection. Its reporting and automation features free teams from manual, error-prone scripting and help deliver consistent, secure customer experiences, setting MSPs up to deliver advanced AI services to their customers. Learn more at: aka.ms/IntuneforMSPs/inforcer Inforcer resources Application packaging partners Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI Copilot era. To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from ConfigMgr to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption. Please note: These app migration service offers are made directly by partners, are subject to their terms, and Microsoft makes no guarantees or commitments regarding their availability or outcome. Application packaging partner solution overviews Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting. Learn more at: aka.ms/IntuneRimo3Package Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT. Learn more at: aka.ms/IntuneRobopackPackage Microsoft communities Microsoft 365 Blog small and medium business-related posts Microsoft 365 Partner LinkedIn channel Select content from Microsoft MVPs Essential Intune reading list: MVP community content for 2025 - Microsoft Intune Blog
