Company Portal Stuck In Download Pending/Device Syncing Loop
Hi all, We published our first internal app and are attempting to distribute it with the Company Portal. I have it set to be available to all users. When I try to install it, it says "Download pending... Your Device Is Syncing and will begin downloading your app shortly". After a few seconds, it just says "Download pending..." for a few seconds and then goes back to "Download pending... Your Device Is Syncing and will begin downloading your app shortly". It repeats in this loop forever. If I go to settings in the app, will appear to be syncing, then it will appear to complete (with success). I can manually sync with no errors. Thoughts? T
Microsoft Intune Company Portal for Linux and Conditional Access Issue
Greetings everyone, I have the following scenario implemented regarding conditional access: Rule#1: For pilotuser1, for all cloud apps, for all platforms --> require MFA Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require Device marked as compliant This should allow me to enroll to Intune successfully a non-enrolled device and require the device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux. Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn I installed Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04. I open the Intune App and try to sign in: First step is to Register the Device on Azure AD, it goes without a problem --> On the next stage I get the following and press continue: At this stage Microsoft Edge opens and I sign in successfully but the Intune App throws an error: The sign in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough. Sign-in error code: 530003 Failure reason: Your device is required to be managed to access this resource. Additional Details: The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation Application: Microsoft Intune Company Portal for Linux Application ID: b743a22d-6705-4147-8670-d92fa515ee2b Resource : Microsoft Graph Resource ID: 00000003-0000-0000-c000-000000000000 Client app: Mobile Apps and Desktop clients Client credential type: None Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2 Token issuer type: Azure AD Apparently something is different in the enrollment process of Linux because I had no issues with Windows 10 enrollment . Any thoughts on the subject would be appreciated. Kind Regards, Panos
Intune/Company Portal Constant popups
Hey We're trying to use intune for our mostly catalina and Bigsur macos fleet, and we're noticing on multiple peoples machines that they'll get regular popups mentioning they need to approve Profiles/MDM. Even after using their finger/password to approve the changes, they'll get new pop ups. I don't see any mention in the system.log regarding this popup. If I look in the Intune MDM logs the only regular errors that i see are regarding a "microsoft.com requires a client cert" but i'm not sure if this is related. NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, NSErrorFailingURLKey=https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, _kCFStreamErrorDomainKey=1}) error 1: authenticationError(Error Domain=NSURLErrorDomain Code=-1206 "The server “manage.microsoft.us” requires a client certificate." UserInfo={NSLocalizedDescription=The server “manage.microsoft.us” requires a client certificate., NSErrorFailingURLStringKey=https://manage.microsoft.us/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, NSErrorFailingURLKey=https://manage.microsoft.us/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, _NSURLErrorRelatedURLSessionTaskErrorKey=( _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <####.>.<####>, NSUnderlyingError=0x7fe4e552daf0 {Error Domain=kCFErrorDomainCFNetwork Code=-1206 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x7fe4e565bb30 [0x7fff807deb70]>{length = 16, capacity = 16, bytes = 0x100201bb17610d070000000000000000}}}}) error 5: authenticationError(Error Domain=NSURLErrorDomain Code=-1206 "The server “manage-selfhost.microsoft.com” requires a client certificate." UserInfo={NSLocalizedDescription=The server “manage-selfhost.microsoft.com” requires a client certificate., NSErrorFailingURLStringKey=https://manage-selfhost.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, NSErrorFailingURLKey=https://manage-selfhost.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, _NSURLErrorRelatedURLSessionTaskErrorKey=(Allow non-admins to install apps from Company Portal
How to allow users without local administrator permissions to install Microsoft Remote Help ? The Microsoft Remote Help application is featured on Company Portal (app & Web). Users can click "Install", but then they get a UAC credential prompt, asking them for an admin username & password. This is not what is expected from InTune: Another important layer is security. Normally, installing apps would require installation rights, for example, local administrator permissions on your Windows 10 Enterprise endpoint. Delivering your app via Microsoft Endpoint Manager allows you to assign and install apps – in a modular fashion – without the need to make the user a local administrator. [https://subscription.packtpub.com/book/cloud-and-networking/9781801078993/11/ch11lvl1sec81/application-delivery-via-microsoft-endpoint-manager]Company Portal on Windows 10 Installs OK but then reports Error installing itself
Hi, I have an odd issue where the Company Portal app installs fine from Intune to the customers Windows 10 devices, but then when the users launch the Company Portal, it reports an error installing itself. The logs seem to show an unknown error with the detection method but that can't be right or everyone would have the same problem. The customer is not content to ignore the error for their production roll-out and wants it fixed despite it not being a show-stopper. The Intune Management Portal shows no errors on the App itself though - just successful installs. The App is targeted as a SYSTEM installation to devices so that it can be installed in future during Autopilot. Has anyone any ideas or assistance to give on this one? Relevant bits from the IntuneManagementExtension.log where the Company Portal AppID is ff4f4f74-e468-4078-958f-8610c1ca5afd: [Win32App][ReportingManager] App with id: ff4f4f74-e468-4078-958f-8610c1ca5afd and prior AppAuthority: V3 has been loaded and reporting state initialized. ReportingState: {"ApplicationId":"ff4f4f74-e468-4078-958f-8610c1ca5afd","ResultantAppState":null,"ReportingImpact":null,"WriteableToStorage":true,"CanGenerateComplianceState":true,"CanGenerateEnforcementState":false,"IsAppReportable":true,"IsAppAggregatable":true,"AvailableAppEnforcementFlag":0,"DesiredState":0,"DetectionState":null,"DetectionErrorOccurred":true,"DetectionErrorCode":null,"ApplicabilityState":null,"ApplicabilityErrorOccurred":true,"ApplicabilityErrorCode":null,"EnforcementState":null,"EnforcementErrorCode":null,"TargetingMethod":0,"TargetingType":2,"InstallContext":2,"Intent":3,"InternalVersion":1,"DetectedIdentityVersion":"11.2.448.0","RemovalReason":null} IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D) [Win32App][V3Processor] Processing subgraph with app ids: ff4f4f74-e468-4078-958f-8610c1ca5afd IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D) [Win32App][GRSManager] Reading GRS values from storage path: 5a8f478b-517d-4a63-b97f-f33987b05153\GRS\twv3BIJb4WsoddzXod/pwqNlo19+s+LPLUdZhY6q4LA=\. IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D) [Win32App][GRSManager] App with id: ff4f4f74-e468-4078-958f-8610c1ca5afd has no recorded GRS value which will be treated as expired. Hash = twv3BIJb4WsoddzXod/pwqNlo19+s+LPLUdZhY6q4LA= IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D) [Win32App][ReevaluationScheduleManager] Subgraph reevaluation interval is not expired. Hash = twv3BIJb4WsoddzXod/pwqNlo19+s+LPLUdZhY6q4LA= IntuneManagementExtension 2024-03-01 13:49:48 61 (0x003D) [Win32App][GRSManager] Found GRS value: 12/21/2023 06:21:19 at key 5a8f478b-517d-4a63-b97f-f33987b05153\GRS\PVGpxHzXpHKuoPdrvcewPLbyQfOF+gAOmQqXqXWH5sU=\ff4f4f74-e468-4078-958f-8610c1ca5afd. [StatusService] Returning status to user with id: 5a8f478b-517d-4a63-b97f-f33987b05153 for V3-managed app with id: ff4f4f74-e468-4078-958f-8610c1ca5afd and install context: System. Applicability: Unknown, Status: Failed, ErrorCode: 0
App installation failed: Company Portal (Error code: 0x8024001E)
Operating system: Windows 11 Enterprise Operating system version: 10.0.22631.3737 Machine: Latitude 5540 Hi All, I'm having trouble with one of our machines failing to install Company Portal. Can you shed any light on this? The error message from Managed Apps is: App installation failed 18/06/2024 09:37:27 Hide details Error code: 0x8024001E Unknown I've gone through the IntuneManagementExtension logs and can see these messages which relate to the Company Portal app ID "dc644022-cb6b-4c8a-b083-005392143a58" [Win32App][WinGetApp][WinGetAppDetectionExecutor] Completed detection for app with id: dc644022-cb6b-4c8a-b083-005392143a58. WinGet operation result: Operation result = NotDetected Installed version = Reboot required = False Installer Error code = Extended error code = Detection result: Action status: Success Detection state: NotDetected Detected version: Error code: IntuneManagementExtension 24/06/2024 10:10:01 21 (0x0015) [Win32App] Toast message with: "C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe" -toast "ToastFailureMessage" "ODk3LU9TLUNvbXBhbnkgUG9ydGFs" "eyJDb21wYW55TmFtZSI6IkJyb3duIGFuZCBCcm93biwgSW5jIiwiQ29sb3JCYWNrZ3JvdW5kTG9nb1VyaSI6Imh0dHBzOi8vZmVmLm1zdWEwMS5tYW5hZ2UubWljcm9zb2Z0LmNvbS9Db250ZW50U2VydmljZS9TQ1NlcnZpY2UvQ29udGVudHMvYjBiMmQyNTgtOWM1YS00NDNjLWJiOTEtZTlmZGI1ZmE4YmZhIiwiV2hpdGVCYWNrZ3JvdW5kTG9nb1VyaSI6Imh0dHBzOi8vZmVmLm1zdWEwMS5tYW5hZ2UubWljcm9zb2Z0LmNvbS9Db250ZW50U2VydmljZS9TQ1NlcnZpY2UvQ29udGVudHMvMGE3NWZhYzUtYzE4NS00NTE3LWFiNWUtODkxNjY5ZDQwZWU3IiwiQWNjZW50Q29sb3IiOi0xNjc0NzgzNH0=" "0" IntuneManagementExtension 24/06/2024 10:10:01 21 (0x0015) [Win32App][ReportingManager] Sending status to company portal based on report: {"ApplicationId":"dc644022-cb6b-4c8a-b083-005392143a58","ResultantAppState":2,"ReportingImpact":{"DesiredState":3,"Classification":2,"ConflictReason":0,"ImpactingApps":[]},"WriteableToStorage":true,"CanGenerateComplianceState":true,"CanGenerateEnforcementState":true,"IsAppReportable":true,"IsAppAggregatable":true,"AvailableAppEnforcementFlag":0,"DesiredState":2,"DetectionState":2,"DetectionErrorOccurred":false,"DetectionErrorCode":null,"ApplicabilityState":0,"ApplicabilityErrorOccurred":false,"ApplicabilityErrorCode":null,"EnforcementState":5000,"EnforcementErrorCode":-2145124322,"TargetingMethod":0,"TargetingType":2,"InstallContext":2,"Intent":3,"InternalVersion":1,"DetectedIdentityVersion":null,"RemovalReason":null} IntuneManagementExtension 24/06/2024 10:10:02 21 (0x0015) [Win32App][WinGetApp][WinGetAppApplicabilityExecutor] Completed applicability check for app with id: dc644022-cb6b-4c8a-b083-005392143a58. WinGet operation result: Operation result = Ok Installed version = Reboot required = False Installer Error code = Extended error code = Applicability result: Action status: Success Applicability state: Applicable Applicability state message: Applicable Error code: IntuneManagementExtension 24/06/2024 10:09:59 21 (0x0015) [Win32App][WinGetApp][AppPackageManager] An error occurred during app install or upgrade. Installer error code: -2145124322. Exception: System.Exception: Exception from HRESULT: 0x8024001E. IntuneManagementExtension 24/06/2024 10:10:01 16 (0x0010) [Win32App][WinGetApp][WinGetAppExecutionExecutor] Completed execution for app with id: dc644022-cb6b-4c8a-b083-005392143a58. WinGet operation result: Operation result = InstallError Installed version = Reboot required = False Installer Error code = -2145124322 Extended error code = -2145124322 Execution result: Action status: Failed Enforcement state: Error Reboot status: Clean Error code: -2145124322 IntuneManagementExtension 24/06/2024 10:10:01 21 (0x0015)Manually adding FileVault Recovery Key as an Administrator
I'm not sure I have the right forum for this question, please redirect me if necessary. I'm new to using Microsoft Endpoint Manager and am assuming responsibility for an environment that was not completely set up. I have two Macs joined to InTune where they had previously initiated FileVault encryption prior to being managed. The FileVault recovery key was not captured for display on the admin center page, so I found guidance to run: sudo fdesetup changerecovery -personal thinking that while the device is now actively managed that it would capture the key, but it did not. I see a manual way to upload the keys but want to be able to do that on the Company Portal as an admin rather than having the users do that. When I log in to the Company Portal with a Global Administrator account, I only see the devices that InTune has marked as assigned to me. Is there an Administrator View that I can use to access and administer devices not assigned to my account so I can manually upload the Recovery Key?Enrolling Devices with iPadOS 13
Hey Folks, I've just started testing the iPadOS 13 beta and experienced an initial issue with enrollment via Intune Company Portal. The app would fail to download the MDM enrollment profile and instead display the page below. To fix this, go to Settings > Safari > Request Desktop Website and toggle off All Websites. This setting is enabled by default in iPadOS 13, unlike iOS 13 which has it off by default. Hope this is helpful for some of you, cheers!
