How to exclude specific machines from Intune compliance policy?
Hi, I need a few virtual machines to be excluded from the Intune compliance policy, I thought that the following setup would be sufficient to accomplish this and be able to access corporate data without the need to make these virtual machines compliant (they all have fixed IPs): Unfortunately this isn't working and I'm wondering how could I exclude this machines from enrolment. Thank you, Ion
Intune does not sync Owner/Compliant state to Entra (iOS)
Dear All, We have the following problem in our environment. Initial situation Company Owned iOS Devices are joined / autoenrollt with Apple Business Manager into our Intune MDM and are fully managed. The devices have all configuration and compliance policies applied. The devices have an primary user and are compliant. During the enrollment the Entra device has been successful created. Problem The Entra device has no owner, no compliant state, no "MDM" value. Thereforce our conditional access policies which refer to the "Compliant"-state are not applied. Analysis Created a Microsoft case. We checked several things: - Intune seems correct configured - Compliance Policies are applied in Intune (as mentioned above) - irrelevant, when device has been enrolled or what models they are Microsoft support confirmed that they received similar feedbacks from other customers. It is indicated as "known issue" Workaround We found out, that when an end user opens the "Company Portal" app on the device and syncs, all Entra device attributes are updated. Then the owner, compliance state, MDM state, etc. is updated and now valid. But this seems to be not the correct behaviour. As far as I understood the Microsoft documentation, it should not require this step (Intune should sync the status to Entra in the backgroud, from service to service) Our objective should be, that it is not necessary to start Company portal. All entra devices should always have the current values from Intune synced. Thanks for your help, Chris
Intune MAM BYOD: Remove Account message for iOS devices
Hello, I am seeing an issue for Intune MAM BYOD(iOS) users. After a user account password reset, it causes Intune to remove the account configured from mobile applications like MS Outlook, Work, OneDrive, etc. Current Intune Configuration: Done - App Protection Policy Done - Conditional access policy --> Grant --> Requires app protection policy (checked) Users had to re-enrol to access his/her data. Here is the screenshot, Thank you,How to Seamless Transition from Local Active Directory to Microsoft Intune?
Our organization currently operates with a Local Active Directory (AD) setup, using Azure AD Connect to sync directories with Azure Entra. All organizational devices are domain-joined and managed via Local AD. We are planning to transition device management to Microsoft Intune while ensuring a seamless process with no user intervention and no loss of user data. What are the industry best practices for achieving this transition?Microsoft Graph Command Line Tools Blocked by CA
Hi All I hope you are well. Anyway, I recently turned ON a Conditional Access Policy Template, "Require MDM-enrolled and compliant device to access cloud apps for all users (Preview)" this seems to work fine until our IT Admins try to use the AutoPilot script which gets blocked based on: Microsoft Graph Command Line Tools Any ideas on how to allow AutoPilot / Microsoft Graph Command Line Tools through CA? Info appreciatedConflict status after having 2 Local user group membership Policy
Hello, I have an issue with applying two "Local User Group Membership" policies on a PC. The Intune policy report shows a conflict between having two "Local User Group Membership" policies despite having different configurations. For example, one is a Global Policy, which applies an admin privilege to all PCs, and the other one is more specific to a certain group, and it is just about giving remote access to the PCs on this group. So, my question is, why does Intune mark these two policies as a conflict of each other? If it is not possible to have two "Local User Group Membership" policies applying to the PC. Is there a way to have a global policy for admin users on the PC and one more private policy for remote user access using "Local User Group Membership"?
How to foce intune client in Ubuntu to synch automatically
Hello, in my company we have enrolled Devs Ubuntu devices to control some security setting and allow or not the access to our company apps and content. We have set compliance policies and enabled conditional access to check its. i have been surprised this morning by the last checking date of my Ubuntu laptops and ask my Devs of last signin in company portal client and the date match with the last checking date. I concluded, the company portal is synching only when the user open it and signin. This is a big problem for us because we are certified ISO27001 and we must check all devices compliance. Somebody has a script to deploy on those ubuntu devices and force a synch every day waiting for a Microsoft evolution of this process. Thanks a lot and regards Majid
Conditional Access Policy Not Allowing Users to Access AVD
We have an existing conditional access policy which requires a users' device to be marked as "compliant" in order to access "All Agent Resources". We are trying to deploy an AVD as an alternative to allowing users to use personal devices, but this CA policy seems to be interfering with users being able to access the AVD via Windows App. Yhe device they're accessing from isn't "Compliant" with Intune enrollment being one of the requirements for being compliant. Again, we do not want to allow personal devices into Intune which the MSP allowed previously. For the CA policy it's applied to all users EXCEPT for specific users in an exclusion group. Putting users in this exclusion group allows them to access the AVD via Windows App but at this point they can just access all resources from their personal machine defeating the purpose of the AVD. Target Resources Include All Resources Exclude: The AVD Itself, Windows 365, Azure Virtual Desktop, Azure Windows VM Sign-in Conditions Device Platforms - Windows, MacOS Client apps - Browser, Mobile apps and desktop clients, exchange ActiveSync clients, other clients are checked Grant Access Require MFA and Require device to be marked as compliant are both checked. Access to the AVD works in the browser but not in Windows App.
