Outlook cache mode set to download 3 months of emails
Hi ladies and gents, We have a requirement to set Outlook cache mode set to download 3 months of emails. The environment consists of Exchange Online, Intune and M365 and the devices are cloud native Win 11. Could you please advise the best way to achieve this. GPO is not an option, and Intune does not have a policy for this.Remed Script to delete Reg Value
Hi All I hope you are well. Anyway, pulling hair out this one, so could someone help me compile a Detect and Remed script to delete the following Reg key please: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate Value I need removed is the SetActiveHours one as below Any help would be greatly appreciated.
Enroll existing macOS devices to Intune
Hey, How do you handle/enroll existing business macOS devices, which are not yet managed by Intune or any other MDM? I believe if i somehow add them to ABM: if reseller adds them i can run enrollment profile, no wipe needed i can add them with configurator for iPhone, wipe needed Is for direct enrollment (without user affinity) device license needed? And user (with Intune license) will then use device. As stated here :https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/licenses#device-only-licenses no direct enrollment is mentioned (manual install profile). What other options do i have for properly manage macOS devices (not byod but corporate) ? Thanks, Tom
InTune policies blocking callback from Edge browser
InTune policies blocking callback from Edge browser I'm using a BYOD Android phone enrolled in our company's InTune company portal. A few months ago, I ran into an issue where I'm unable to authenticate to a MatterMost chat server from the MM app in my work profile. When I enter the server address and click log in, it takes me to a browser window inside the MM app (but using Edge) to authenticate using the host organization's SSO. Once I enter my credentials, it sends a callback using this URI scheme: mmauth://callback?MMAUTHTOKEN=<token>&MMCSRF=<more data>. However it looks like Edge prevents this callback from reaching the MM app because I get a popup saying: No available apps There are no apps currently configured on this device that your organization allows to open this content. Please ensure you are signed in with your work or school account to your managed apps or contact your organization's support team. I assume this is because our IT has either "Restrict web content transfer with other apps" or "Allow app to transfer data to other apps" policy settings enabled. In general things are pretty locked down so that data can't be shared between non-Microsoft apps, and even then some things can't be copied and pasted from one Microsoft app to another. I reached out to our company IT support but he seemed to think the only possible solution was to allow Chrome inside the Work profile to bypass the Edge restrictions. For obvious reasons, no one in IT or the company leadership wanted to implement this solution. Are there any other solutions where MatterMost or even just that specific "mmauth" URI can be white-listed in InTune to allow MatterMost to complete the authentication? Not looking to try to get around policies, but would like to have a informed discussion with our IT on maybe adjusting the policy to be more functional.
Update Entra ID Device Extension Attributes via PowerShell & Create Dynamic Security Groups.
2) Overview of Extension Attributes and Updating via PowerShell What Are Extension Attributes? Extension attributes (1–15) are predefined string fields available on Entra ID device objects. They are exposed to Microsoft Graph as the extensionAttributes property. These attributes can store custom values like department, environment tags (e.g., Prod, Dev), or ownership details. Why Use Them? Dynamic Group Membership: Use extension attributes in membership rules for security or Microsoft 365 groups. Policy Targeting: Apply Defender for Endpoint (MDE) policies, Conditional Access or Intune policies to devices based on custom tags. For details on configuration of the policies refer below documentation links. https://learn.microsoft.com/en-us/defender-endpoint/manage-security-policies https://learn.microsoft.com/en-us/intune/intune-service/ https://learn.microsoft.com/en-us/entra/identity/conditional-access/ Updating Extension Attributes via PowerShell and Graph API Use Microsoft Graph PowerShell to authenticate and update device properties. Required permission: “Device.ReadWrite.All”. 3) Using PowerShell to Update Extension Attributes create app registration in Entra ID with permissions Device.ReadWriteall and Grant admin Consent. Register an app How to register an app in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn Graph API permissions Reference. For updating Entra ID device properties you need “Device.ReadWrite.all” permission and Intune administrator role to run the script. Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn Below is the script Important things to note and update the script with your custom values. a) update the path of the excel file in the script. column header is 'DeviceName' Note: You may want to use CSV instead of excel file if Excel is not available on the admin workstation running this process. b) update the credential details - tenantId,clientId & clientSecret in the script. Client id and client secret are created as a part of app registration. c) update the Externsionattribute and value in the script. This is the value of the extension attribute you want to use in dynamic membership rule creation. ___________________________________________________________________________ #Acquire token $tenantId = "xxxxxxxxxxxxxxxxxxxxx" $clientId = "xxxxxxxxxxxxxxxx" $clientSecret = "xxxxxxxxxxxxxxxxxxxx" $excelFilePath = "C:\Temp\devices.xlsx" # Update with actual path $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/ $tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody $accessToken = $tokenResponse.access_token # Import Excel module and read device names Import-Module ImportExcel $deviceList = Import-Excel -Path $excelFilePath foreach ($device in $deviceList) { $deviceName = $device.DeviceName # Assumes column header is 'DeviceName' Get device ID by name $headers = @{ "Authorization" = "Bearer $accessToken"} $deviceLookupUri = "https://graph.microsoft.com/beta/devices?`$filter=displayName eq '$deviceName'" try { $deviceResponse = Invoke-RestMethod -Uri $deviceLookupUri -Headers $headers -Method GET } catch { Write-Host "Error querying device: $deviceName - $_" continue } if ($null -eq $deviceResponse.value -or $deviceResponse.value.Count -eq 0) { Write-Host "Device not found: $deviceName" continue } $deviceId = $deviceResponse.value[0].id # Prepare PATCH request $uri = "https://graph.microsoft.com/beta/devices/$deviceId" $headers["Content-Type"] = "application/json" $body = @{ extensionAttributes = @{ extensionAttribute6 = "MDE" } } | ConvertTo-Json -Depth 3 try { $response = Invoke-RestMethod -Uri $uri -Method Patch -Headers $headers -Body $body Write-Host "Updated device: $deviceName"} catch { Write-Host "Failed to update device: $deviceName - $_" } } Write-Host "Script execution completed." ________________________________________________________________________________________________________________________ Here’s a simple summary of what the script does: Gets an access token from Microsoft Entra ID using the app’s tenant ID, client ID, and client secret (OAuth 2.0 client credentials flow). Reads an Excel file (update the path in $excelFilePath, and ensure the column header is DeviceName) to get a list of device names. Loops through each device name from the Excel file: Calls Microsoft Graph API to find the device ID by its display name. If the device is found, sends a PATCH request to Microsoft Graph to update extensionAttribute6 with the value "MDE". Logs the result for each device (success or failure) and prints messages to the console. 4) Using Extension Attributes in Dynamic Device Groups Once extension attributes are set, you can create a dynamic security group in Entra ID: Go to Microsoft Entra admin center → Groups → New group. Select Security as the group type and choose Dynamic Device membership. Add a membership rule, for example: (device.extensionAttributes.extensionAttribute6 -eq "MDE") 4. Save the group. Devices with extensionAttribute6 = MDE will automatically join. 5) Summary Extension attributes in Entra ID allow custom tagging of devices for automation and policy targeting. You can update these attributes using Microsoft Graph PowerShell. These attributes can be used in dynamic device group rules, enabling granular MDE policies, Conditional Access and Intune deployments. Disclaimer This script is provided "as-is" without any warranties or guarantees. It is intended for educational and informational purposes only. Microsoft and the author assume no responsibility for any issues that may arise from the use or misuse of this script. Before deploying in a production environment, thoroughly test the script in a controlled setting and review it for compliance with your organization's security and operational policies.
How to foce intune client in Ubuntu to synch automatically
Hello, in my company we have enrolled Devs Ubuntu devices to control some security setting and allow or not the access to our company apps and content. We have set compliance policies and enabled conditional access to check its. i have been surprised this morning by the last checking date of my Ubuntu laptops and ask my Devs of last signin in company portal client and the date match with the last checking date. I concluded, the company portal is synching only when the user open it and signin. This is a big problem for us because we are certified ISO27001 and we must check all devices compliance. Somebody has a script to deploy on those ubuntu devices and force a synch every day waiting for a Microsoft evolution of this process. Thanks a lot and regards Majid
Intune, winget, PowerShell
Hello everyone, I'm trying to use Intune to deploy a script that schedules a task to run winget silently to update most of our 3rd party applications automatically. I can get the script to deploy, but not run. I keep getting an error saying "winget not available for system", which I've verified it is. Any ideas? What am I doing wrong? Thanks for your help,Microsoft multi-tenant management resource guide
Welcome to your home for all things #IntuneForMSP. Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business with productivity apps, intelligent cloud services, and the world-class security of Microsoft 365 combining with the multi-tenant management capabilities of our partners. So, where to start—and where to go to take the steps after that? Right here! We’ll soon be announcing dates for a series of regular calls, where Microsoft experts and guests will share expertise and insights specifically related to the world of the MSP. Until then, here are some resources to help. Follow or favorite this page as we’ll be updating it frequently with new events and new readiness materials. Jump to: Marketing and business development | Demos and tutorials | Partner resources | Microsoft communities | Select content from Microsoft MVPs In the spotlight Click the image below to watch the Microsoft Intune multi-tenant management video with Jonathan Edwards. Marketing and business development Start here: Microsoft 365 Business Premium Partner Playbook and Readiness Series Sign up for more sales training: Level Up CSP Training: Modern Work and Business Applications Explore similar offers: Microsoft Security Partners And, if you haven’t already, sign up with the Microsoft Partner Center. Demos and tutorials Whether deploying solutions for yourself or for your customers, these resources can help you with prescriptive ‘do this next’ guidance to get you up to speed quickly. Download this guide: Enhancing Security with Microsoft 365 Business: A Hands-on, Effective Guide Follow along with the companion video: Achieve greater security and productivity with Microsoft Intune and Microsoft 365 Explore click-through interactive guides for more advanced instruction: Microsoft Intune guided demos Topics include configuring app protection policies, configuring Conditional Access, updating Windows from the cloud, configuring corporate devices, deploying and managing line of business (LOB) apps, enabling Universal Print, accessing corporate resources on personal-owned devices, setting up Windows Autopilot for new device delivery, and reducing bandwidth consumption with Delivery Optimization. Partner resources Nerdio knowledge hub Inforcer resources Microsoft communities Microsoft 365 Blog small and medium business-related posts Microsoft 365 Partner LinkedIn channel Select content from Microsoft MVPs To find an MVP near you, visit the Microsoft MVP home page. Peter Klapwijk - In The Cloud 24/7 Blog Ugur Koc - Ugur Koc Blog Andy Malone - Andy Malone on YouTube Rudy Ooms - Call4Cloud Blog Somesh Pathak - Intune IRL Blog Oktay Sari - AllThingsCloud Blog Jon Towles - Mobile Jon Blog
Intune Management Agent (v1.95.103.0) crashing
We’re seeing repeated crashes of the Intune Management Agent (Microsoft.Management.Services.IntuneWindowsAgent.exe) after updating to version 1.95.103.0. No such crashes are identified in previous versions. Symptoms: Faulting application name: Microsoft.Management.Services.IntuneWindowsAgent.exe, version: 1.95.103.0 Faulting module name: WindowsPackageManager.dll_unloaded, version: 1.26.430.0 Exception code: 0xc0000005 (Access violation) Crash counts are high, with variations pointing to WindowsPackageManager.dll, wintypes.dll, icu.dll, ucrtbase.dll, and others (often marked as “_unloaded”). In some cases, we also see ucrtbase.dll with 0xc0000409 (stack buffer overrun) and ntdll.dll with 0xc0000374 (heap corruption). The agent establishes new connections not seen in 1.94.153.0 (Teams endpoints, OCSP/CRL checks, agents.msub01.manage.microsoft.com, etc.). Crashes are not consistent but occur frequently during app management tasks. Questions: Is this a known issue or under investigation? Are there recommended mitigations (e.g. App Installer stable vs preview, disabling WinGet integration, rollback to previous IME)? Some statistics:
