enrollment
24 TopicsPartner enrollment issue - Duplicate Legal Entity
Greetings, I'm trying to enroll to the Microsoft Partner Program (CSP) and I've previously worked with the partner center. Because of this, some time long ago my company was registered with Microsoft. When I'm trying to register again now, I recieve an error message "Exception while creating legal entity : Duplicate Legal Entity" in the company information part of the enrollment process. Now I thought I could just contact Microsoft, verify myself as the owner of the company and have this sorted. That would be IF Microsoft had made it possible for themselves to be contacted. "Just raise a ticket via the partner center". Cant create a workspace, dont have a workspace, therefore cant create ticket with support. Has anyone else had issues with the same? Kind of in a dead lock here and Microsoft doesn't have any contact point unless you're already a partner, it seems...New policy implementation and web enrollment for Android personally owned work profile
We’re happy to announce two improvements for the management of Android personally owned work profile devices with Microsoft Intune, which will be released later this year. A new implementation for how Intune delivers policies to devices Web based enrollment These updates modernize how Microsoft Intune manages devices and improves the enrollment flow. Action may be required by you as we move to the new implementation. Keep reading to understand what’s changing, actions, and timelines you need to know. What’s changing New implementation We’re finalizing our work on moving the Android personally owned work profile implementation to the latest and greatest available – Google’s Android Management API (AM API). It has been almost a decade since Intune released support for Android personally owned work profile management. At that time, we accomplished this by building a custom device policy controller (DPC), in the form of the Intune Company Portal app. A lot has changed since then. Google released AM API and its companion app, Android Device Policy, which enforces AM API policy on devices. This is now Google’s recommended implementation, which we used to deliver the three corporate Android Enterprise management methods: corporate owned work profile, fully managed, and dedicated. Google no longer recommends use of custom DPCs and they’re deprecating associated functionality. The benefits of moving personally owned work profile management to AM API include: Faster release of new features across all four Android Enterprise management options. Consistent behaviors across all four Android Enterprise management options. The Microsoft Intune app will replace the Company Portal app as the user app (to manage devices, contact their IT department, collect logs, and more), providing an updated user experience and aligning it with the corporate Android Enterprise management options. Enables Intune to support the latest Android platform management capabilities, which are unavailable with custom DPC implementations. Web based enrollment The move to AM API also enables us to build a web-based enrollment flow for personally owned work profile devices, similar to web based device enrollment for iOS. The benefits of this include: Users don’t need to manually install an app to start Intune enrollment since they can start enrollment from a webpage instead. Users can access enrollment from any of the four different entry points which all launch the same webpage: Productivity apps (when the user is required to enroll before accessing corporate resources) The Company Portal app The Microsoft Intune app (new!) A URL (new!) This gives you more options for how to guide your users to get set up. 3. Android enrollment is more consistent with the iOS web-based enrollment flow. How to prepare We recommend you make these changes to prepare for the upcoming release and provide the most streamlined experience for users. Replace custom policies: Intune is ending support for custom configuration polices for personally owned work profile devices on April 1, 2025. Custom policies are not supported in the new implementation. Replace all custom policies with equivalent policies using this setting mapping. Certificate authentication for Wi-Fi: If you’re using username and password authentication for Wi-Fi policies, we strongly encourage you to move to certificate authentication instead. Devices that are connected to corporate Wi-Fi with username and password authentication will lose access to corporate Wi-Fi when they are moved to AM API until the user signs into the corporate Wi-Fi network again. Devices using certificate authentication for Wi-Fi won’t lose access, and it’s also a more secure authentication method. Evaluate biometric configuration: Devices on the new implementation won’t apply polices that prevent users from using face, fingerprint, iris, or trust agent to unlock their device. However, policies that prevent this at the work profile level are still supported. If you have this configured at the device level, consider blocking face, fingerprint, iris, and trust agents at the work profile level to protect work resources in an equivalent way. Update Android OS: Intune currently supports Android 10 and later on personally owned work profile devices and plans to maintain support for the four most recent Android versions going forward. We recommend you guide users to update to their device’s latest supported Android version for the best experience. Helpdesk preparation: Inform your helpdesk teams of these coming changes so they know what to expect. For devices on the new implementation, diagnostic logs are collected using the Microsoft Intune app (instead of the Company Portal). We’ll publish more information about the new enrollment flow before it’s released so you can prepare. Plan to update any user instructions you have once we release the web-based enrollment flow and devices are managed with the new implementation. iOS web based enrollment: We recommend you consider setting up web based device enrollment for iOS now or when we release Android web based enrollment for a more consistent and improved user experience. Changes to be aware of A few defaults will change as part of the move to the new implementation. Required app installation behavior: In the custom DPC implementation, users can uninstall required apps, but they are reinstalled automatically within a few hours. In the new implementation, users won’t be able to uninstall required apps from their device, which is the same experience as on corporate Android Enterprise devices. Caller ID and contact search: In the custom DPC implementation, the settings to “Display work contact caller-id in personal profile” and “Search work contacts from personal profile” are two independent settings. In AM API, they are controlled with a single setting. If you have blocked either, Intune automatically blocks both for devices on the new implementation. Intune will update the policy user interface to have a single setting once all devices are on the new implementation. Screen timeout: In the custom DPC implementation, you can configure screen timeouts either for the full device or for the work profile under “Maximum minutes of inactivity until work profile locks.” In AM API, you can only configure this at the work profile level. Intune will set this to the lesser of the two when devices move to the new implementation. We will remove the device level setting from policies when all devices are on AM API. How to configure and monitor Web based enrollment No action is needed to turn on or configure web-based enrollment for personally owned work profile devices. When we release it, it will replace the current Company Portal enrollment flow and all new enrollments will use the web-based enrollment flow. New implementation Devices enrolled before web-based enrollment releases aren't immediately impacted by the new implementation. We’ll release a new setting that allows you to migrate device groups to the new implementation. As a best practice, we encourage admins to evaluate migrating a smaller device set before migrating all devices. Before moving devices to the new implementation, you may want to email users or configure custom notifications to inform them of what to expect. In 2026, we’ll automatically migrate all remaining devices using the custom DPC implementation over to the new AM API implementation. Monitoring There’ll be a new report that will show how many personally owned work profile devices are on the new implementation, how many still need to move, how many are targeted and pending moving (since it may roll out over hours or days), and how many attempted to move but hit an error. Using this new report, you can see which devices are in each state. How this will affect your users Web based enrollment Users who enroll devices after release will see the new web-based enrollment flow. Their devices will be managed with AM API. After enrollment, Intune will install a few apps automatically to ensure streamlined management. Microsoft Intune: User-facing app to manage devices, contact the IT department, collect diagnostic logs, and more. Company Portal: For mobile app management (MAM). Android Device Policy: To enforce AM API policies. This app is installed in a “hidden” state, so users don’t see it in their app list and can’t launch it. New implementation Devices on the new implementation (either through admin configuration or the later automatic move), will install the Microsoft Intune app and the Android Device Policy app, and users will see notifications on their device about these app installs. The devices will not unenroll and users won’t lose access to corporate resources on these devices because of this change. The only exception to this is for devices that are connected to corporate Wi-Fi with username and password authentication. When they move to AM API, they will lose access to corporate Wi-Fi until they sign in to the corporate Wi-Fi again. To avoid any potential disruption, we encourage you to move to certificate Wi-Fi authentication instead (as mentioned above). Timeline We'll update these timelines to provide more specific timeframes in the coming months. First half of 2025: Use this time to revise any relevant policy configurations, update your internal documentation, and prepare your helpdesk teams, as advised above. Second half of 2025: All enrollments of personally owned work profile devices will use web-based enrollments on AM API. You’ll be able to set a configuration policy to migrate previously enrolled devices over to the new implementation. First half of 2026: All devices on the custom DPC implementation will be automatically moved over to AM API. Stay tuned to this blog for updates! If you have any questions or feedback on this change, leave a comment on this post or reach out on X @IntuneSuppTeam.5.9KViews2likes4CommentsCloud-native Windows endpoints: Begin by beginning
By: Jason Sandys – Principal Product Manager | Microsoft Intune Cloud-native is Microsoft’s goal for all commercial Windows endpoints. By definition, a cloud-native Windows endpoint is joined to Microsoft Entra ID and enrolled in Microsoft Intune. It represents and involves a clean break from on-premises related systems, limitations, and dependencies for device identity and management. This clean break from on-premises dependencies might align with larger organizational goals to reduce or eliminate on-premises infrastructure but doesn’t prevent users from accessing or using existing on-premises resources like file shares, printers, or applications. Cloud-native for Windows endpoints is a large change in thinking for most organizations and thus poses an initial challenge of how to even begin on this journey. This article provides you with guidance on how to begin and how to embrace this new model. For additional guidance that includes a higher-level discussion of what to do with existing endpoints, see: Best practices in moving to cloud native endpoint management | Microsoft 365 Blog to learn more. Proof of concept The first step is to begin with a proof of concept (POC). For any new technology, methodology, or solution, POCs offer numerous advantages. Specifically, they enable you to evaluate the new “thing” with minimal risk while building your skills and gaining stakeholder buy-in. Because the exact end state of Windows endpoints is highly variable among organizations and even within an organization, a POC for cloud-native Windows enables you to take an iterative approach for defining and deploying these endpoints. This iterative approach involves smaller waves of users and endpoints within your organization. It’s ultimately up to you to define which endpoints or users should be in each wave, but you should align this to your endpoint lifecycle and refresh plan. Aligning to your endpoint lifecycle allows you to minimize impact to your users by consolidating the delivery of new endpoints with the changeover from hybrid join to Microsoft Entra join, which requires a Windows reset or fresh Windows instance. Additional significant criteria to consider for which users and endpoints to include in each wave are the organizational user personas and endpoint roles. An iterative POC enables you to break work effort and challenges into more manageable pieces and address them individually or sequentially. This is important since some (often many) challenges related to adopting cloud-native Windows endpoints are isolated or not applicable to all endpoints or users in the organization. Some challenges may even remain unknown until they arise, and the only way to learn about them is by conducting actual production testing and evaluation. You don’t need to address or solve every challenge to successfully begin your journey to cloud-native Windows endpoints. An easy example for this is users that exclusively use SaaS applications: these users’ endpoints already have limited (if any) true on-premises service or application dependencies, and they likely face few, if any, challenges in moving to cloud-native Windows endpoints. Initial cloud-native Windows configuration There are some common activities that need to occur before you deploy your first cloud-native Windows endpoints. Keep in mind that this list is simply the steps to begin the iterative process, it’s not all-inclusive or representative of the final state. For a detailed walkthrough on configuring these items (and more), see the following detailed tutorial: Get started with cloud-native Windows endpoints. Identify the user personas and endpoint types within your organization. These typically vary among organizations, so there’s no standard template to follow. However, you should align your POC to these personas and endpoint types to limit each wave’s impact and scope of necessary change. Configure your baseline policies. Implement a minimum viable set of policies within Intune to deploy to all endpoints. Base these policies on your organizational requirements rather than what has been previously implemented in group policy (or elsewhere). We strongly suggest starting as cleanly as possible with this activity and initially including only what is necessary to meet the security requirements of your organization. Configure Windows Autopatch. Keeping Windows up to date is critical, and Windows Autopatch offers the best path to doing this (whether a Windows endpoint is cloud-native or not). Configure Windows applications. As with policies, this should be a minimal set of applications to deploy to your POC endpoints and can include Win32 based and Microsoft Store based applications. Configure Windows Autopilot. Windows Autopilot enables quick and seamless Windows provisioning without the overhead of classic on-premises OS deployment methods. With Windows Autopilot, the provisioning process for cloud-native Windows endpoints is quick and easy. Configure Delivery Optimization. Windows uses Delivery Optimization for downloading most items from the cloud. By default, Delivery Optimization leverages peers to cache and download content locally. Edit the default configuration to define which managed endpoints are peers or to disable peer content sharing. Enable Windows Hello for Business and enforce multi-factor authentication (MFA) using Conditional Access. Enable Cloud Kerberos Trust for Windows Hello for Business to enable seamless access to on-premises resources. These items significantly increase your organization’s security posture and place your organization well on the Zero Trust path. As the iterative POC process evolves to include more user personas and endpoint roles, you can add more functional policy requirements and applications. This will involve some discovery as you learn about the actual needs of these various personas and roles. Since you aren’t targeting everything from day one, you don’t need to have all requirements defined up front or solutions for every potential issue. Additional suggestions, tips, and guidance Don’t assume something does or doesn’t work on cloud-native Windows endpoints. The POC process enables you to iteratively test and evaluate applications, services, resources, and everything else in your environment – most of which isn’t typically documented. It might simply be part of the tacit or tribal knowledge within your organization. In general, you’ll find that nearly everything works just as it did before Windows cloud-native. Document everything. As you implement, document the “what” as well as the “why” for everything you configure. This allows you and your colleagues to come back at any time and understand or refresh your memory for your cloud-native Windows implementation, as well as many other things in the environment. Microsoft doesn’t expect organizations to rapidly convert their entire estate of Windows endpoints to cloud-native. Instead, we recommend taking it slow, being deliberate, and using the iterative approach outlined above by aligning to your hardware refresh cycle to minimize impact on users. This also provides you with time to prove the solution, address gaps, and overcome challenges as you discover them without disrupting productivity. Use the built-in Conditional Access policy templates to quickly get started with MFA and other Conditional Access capabilities. The templates enable you to implement Conditional Access policies that align with our recommendations without experimentation. Accessing on-premises resources including file shares from a cloud-native Windows endpoint works with little to no configuration. Refer to the documentation for more details: How SSO to on-premises resources works on Microsoft Entra joined devices. Call to action Begin exploring your cloud-native Windows POC today. Taking this first step now will allow your organization to start reaping the benefits of enhanced security, streamlined management, and improved user experience sooner. Every organization is unique, so there’s no blueprint for comprehensively implementing cloud-native Windows. However, you don’t need a comprehensive blueprint to be successful, you just need to begin and slowly expand adoption throughout your organization when and where it makes sense. The guidance provided above along with the getting started tutorial should give you the information, tools, and confidence to move forward with decoupling your endpoints and users from your on-premises anchors and fully embrace cloud-native Windows. For a more detailed and in-depth discussion on adopting cloud-native Windows, including planning and execution, see Learn more about cloud-native endpoints. If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam. Additional Blogs 3 benefits of going cloud native | Microsoft 365 Blog How to achieve cloud-native endpoint management with Microsoft Intune | Microsoft 365 Blog Myths and misconceptions: Windows 11 and cloud native | Windows IT Pro Blog (microsoft.com)4.6KViews2likes3CommentsHow to resync deleted Intune device by Clean-Up Rules?
Hi Guys, I set up the Clean-Up Rules on Intune to delete devices after 60 days. Now, I have a notebook that has been off for over 4 months and I no longer see it on Intune but it is on Entra and Autopilot. How can I bring it back as Intune managed? I read some articles that talk about clean Enrollments regedit keys and run some powershell commands but what is the correct procedure? Thank you so much. Luca94Views0likes1CommentMicrosoft Intune Company Portal for Linux and Conditional Access Issue
Greetings everyone, I have the following scenario implemented regarding conditional access: Rule#1: For pilotuser1, for all cloud apps, for all platforms --> require MFA Rule#2: For pilotuser1, for all cloud apps except Microsoft Intune Enrollment and Microsoft Intune, for all platforms --> Require Device marked as compliant This should allow me to enroll to Intune successfully a non-enrolled device and require the device compliance for the other workloads. For Windows it works just fine. The problem lies with Linux. Following the instructions on Enroll a Linux device in Intune | Microsoft Learn & Get the Microsoft Intune app for Linux | Microsoft Learn I installed Intune App and Edge (Version 109.0.1518.52 (Official build) (64-bit)) on a VM with Ubuntu 22.04. I open the Intune App and try to sign in: First step is to Register the Device on Azure AD, it goes without a problem --> On the next stage I get the following and press continue: At this stage Microsoft Edge opens and I sign in successfully but the Intune App throws an error: The sign in logs on Azure AD show that even though I excluded Intune Enrollment from the CA policy, it is not enough. Sign-in error code: 530003 Failure reason: Your device is required to be managed to access this resource. Additional Details: The requested resource can only be accessed using a compliant device. The user is either using a device not managed by a Mobile-Device-Management (MDM) agent like Intune, or it's using an application that doesn't support device authentication. The user could enroll their devices with an approved MDM provider, or use a different app to sign in, or find the app vendor and ask them to update their app. More details available at https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-device-remediation Application: Microsoft Intune Company Portal for Linux Application ID: b743a22d-6705-4147-8670-d92fa515ee2b Resource : Microsoft Graph Resource ID: 00000003-0000-0000-c000-000000000000 Client app: Mobile Apps and Desktop clients Client credential type: None Resource service principal ID: 01989347-a263-48ef-a8d7-583ee83db9a2 Token issuer type: Azure AD Apparently something is different in the enrollment process of Linux because I had no issues with Windows 10 enrollment . Any thoughts on the subject would be appreciated. Kind Regards, Panos13KViews1like16CommentsThere is light at the end of the tunnel - be persistent in securing your verification
Good morning everyone, If you read my previous post and the unfortunate response I received from Jill, you might thing that my situation was hopeless. Her response was basically telling me it was never going to happen. For some reason, the post was then immediately locked and no further discussion was allowed. I I did not let that deter me. I opened yet another support ticket. This time providing them with all the same information and a plea to please contact me for anything that they needed to verify that I was who I said I was. While waiting over a week for support to provide any assistance, I can across a similar situation with HPE and their partner program. They were more open about the issues than Microsoft had been. It would seem that the verification with them failed as well. The reason for this is that I had not secured a DUNS number for the business. This is a free number you can get simply by applying. US or Canada. I was left wondering if that is what Microsoft was also using for business verification. I may never know the answer, but my persistence paid off. As of an hour ago, I am now a verified Microsoft Partner. 3 weeks, 2 support tickets, unlimited frustration, and a dash of perseverance was the correct recipe for my success. Good luck everyone!macOS enrollment - prompt to change the Mac login password
Cheers everyone! We are in the pilot phase of our macOS Intune enrollment and I've created the compliance policy which blocks simple passwords and applied this to a few test machines. After the 1st reboot I got a prompt to change the Admin password to meet the requirements. All worked fine until I've changed the "Maximum minutes of inactivity before password is required". After the first reboot, both local admin accounts (one, the IT admin, the 2nd of the actual user) get again a prompt that in order to login the password needs to be changed. Did the changes again and the story repeats itself after changing some other parameter (not something related to the actual password complexity) and ended up in the same loop. It looks like everytime I edit something in the Compliance profile, the user will be prompted to change his password, which doesn't make sense to me. Does anyone know why this is happening and how this behaviour can be changed? I don't want to enable "simple passwords" as just a workaround. Thank you in advance! 🙂1.1KViews0likes0CommentsSupport Tip: Company Portal Prompt
First published on TechNet on Mar 13, 2018 Microsoft Intune and Mobile Device Management (MDM) for O365 both use certificates to ensure there’s a secure communication channel to send mobile device management policies between the service and managed end user devices.1.8KViews0likes0Comments