MEM
11 Topics

Intune marks Not Compliant if device does not sign in regularly, then permanently blocks the device
I'm using Intune's Conditional Access to block non-compliant devices on my O365 tenant. A problem I'm encountering is that the "Built-in Device Compliance Policy" turns Not Compliant if the device fails to log in for a long period of time. When this happens, the device gets blocked for being Not Compliant, so it is unable to refresh the Built-in Device Compliance Policy that would make it compliant again. The only solution I've found is to stop enforcing CA on the user until the device is able to sign in successfully again. Then I can resume CA. This is obviously not an ideal solution. Am I the only one dealing with this?

Best practice for the managed Google Play Account in Intune/MEM
Hi All, I'm looking for some advice on the best practice for setting up the first step of Android enrollment in Microsoft Intune/MEM. What is the best practice for security and management when we choose the managed Google Play account for Intune/MEM? Using an Azure AD account (with or without an Exchange Online licence), a Google account, or another external account? Does this account need to have access to a mailbox, and can MFA be used with this account? Thanks!

EPM Service Account Breaks User Context In Apps
Hi, I am working with a customer who wants to make use of EPM for their developer team to run some applications with elevated permissions. They have noticed that when elevating certain applications with EPM, a service account is used (see MEM\AzureAD_AdeleVance_$ below), which therefore runs the app with a new user profile, removing things like user preferences and context, and also breaks some apps that rely on domain permissions/credentials. From my testing, this service account only seems to be used by EPM when elevating already installed applications, not application installers. Is this by design, and is there a possible workaround that avoids EPM using this service account?

Intune 403 error - When accessing Intune Portal
Hi Intune Community, I have two users to whom I have given the Application Manager role with full access, under Tenant Admin --> MEM roles, but they are receiving the following access error when they try to reach Intune/Endpoint Manager: I read https://techcommunity.microsoft.com/t5/microsoft-intune/401-and-403-error-when-logging-into-endpoint-admin-center/m-p/1713817#M5226, which does not apply to our environment, as we already have the MDM set up and running. Any thoughts/help appreciated.

How to remove MDE managed devices in MEM?
Hi, I had two Windows Server VMs with MDE (Microsoft Defender for Endpoint) onboarded. For test purposes, I turned on the security settings management in MDE to let MEM deploy some security policies to them. It worked fine. I got corresponding device entries in AAD and MEM and was able to manage the VMs like other Intune managed devices. After I deleted the VMs, I found the device entries are somehow lingering. For MDE, I know there is a data retention time, which is 30 days in my case. I waited for a month and the VMs did disappear from MDE. But I can still see them in AAD and MEM till now. I can't do anything to them in MEM, while I can temporarily delete them in AAD and see them respawn the next day. According to the doc, there is a way to solve this problem, but I can't see how: Use Intune to manage Microsoft Defender for Endpoint Security on devices not enrolled with Microsoft Intune | Microsoft Learn. Does anyone know what "be removed from the scope of Configuration Management in the Security Center" means and how to perform it? Thanks for reading this post.

iOS DEP enrolled devices missing Enrollment Profile (breaking dynamic group and filter logic)
Starting 31/05/2022, new iOS enrollments via Apple Business Manager Device Enrollment do not have an Enrollment Profile attribute assigned under Hardware; generally we use this attribute to define dynamic groups/filters. I have seen this on at least two different customer tenants so far. Example of a filter no longer matching a device enrollment (previous enrollments still show the correct Enrollment Profile). Note: Testing 3 tenants, we only see two in APAC impacted so far. Asia Pacific 0101 Asia Pacific 0201

WIP blocks data connections between Excel and Access
Hi everyone, I'm reposting this here from Microsoft Community. I hope that's not bad form. I'm trying to get WIP working, but am experiencing a lot of frustration. I have an Excel XLSX file that connects to an Access MDB database for updates. I do the update manually by opening the XLSX file and clicking Data -> Refresh All. Unfortunately, WIP blocks this connection, giving me this error: [DataFormat.Error] The Microsoft Access database engine cannot open or write to the file. It is already opened exclusively by another user, or you need permission to view and write its data. When I remove WIP, the connection works without issue. If I change the ownership of the MDB file to Personal, it also works without issue. Both the XLSX and MDB files are on a single user's OneDrive. Both show Enterprise ownership. Both are available offline. I'm working on a fresh Windows 10 Hyper-V VM with all current updates and patches. Ditto for Excel and Access. The VM is cloud-managed by Intune. Excel has been added to the Protected Apps list via the Office-365-ProPlus AppLocker policy in the Intune "Recommended Apps" drop-down menu. Access has been added to the Exempt apps list as directed in this article. Excel runs in Enterprise Context as an "Enlightened, Permissive" app. Access runs as "Exempt". Access has no problem opening this protected MDB, but Excel cannot. I hope someone can point me in the right direction. Thanks.

isManaged but mdmDisplayName (blank)
Hello! I would like to understand the difference between "isManaged" and really being managed by an MDM, in this case MEM. isManaged = True. I'm onboarding devices to MEM Intune, currently only worried about Hybrid devices. Hybrid environment (AD Connect configured), MDM Enrollment GPO deployed. After 3 weeks only 262 out of 462 units have enrolled to MDM; the needle is not moving at all. There might be a lot of options. For now I would only like to understand what it means that an Azure AD "Device" object has the "isManaged" attribute set to True when not already enrolled to Intune: is this a clue that it has started the process? Is it just nothing? Thanks in advance for feedback and/or comments. Best regards, Manuel