mobile device management (mdm)
Not able to use derived credentials on android
I have successfully enrolled a Samsung Galaxy S22 Ultra using Intune. All my apps are installed on the device. I am now trying to use derived credentials but I am not able to scan the QR code. As soon as the QR code comes up, the Intune app crashes. Wanted to know if anyone else is seeing this issue. The Intune app version is 2025.11.02.17

Platform SSO - MacOS Authorization Groups and Additional Groups
Working with Platform SSO... all is well for the most part. Have there been any advancements or continued development for Authorization Groups and Additional Groups? The ability to leverage these groups, IMO, is critical. I do have some scripts granting some general authorizations to users on a device (time, print, network), but leveraging groups to manage authorizations/permissions with a diverse group of users and needs is the way.

Managed Home Screen: Outlook
We are running into issues with the Managed Home Screen and Outlook. Once the user has logged into the Managed Home Screen and tries to access Outlook, it gets stuck in an authentication loop. Loops: Discovering Accounts -> Accounts Found -> Back to Discovering Accounts. This is affecting multiple devices/accounts. This only affects

Configuration profile to set File and browser preferences in Outlook Options > Advanced
Hello, wondering if anyone has found a way to set these settings in Outlook (classic) via Intune. We do not want hyperlinks from Outlook opening with Edge, and likewise we do not want email attachments for Office files opening in the browser; we want them to open with the Office apps.

Ubuntu 24.04 LTS + Entra ID Authentication + Intune Enrollment
Hi Community,

I want to combine, in Ubuntu 24.04 LTS, the new user authentication with Entra ID along with enrollment in Intune using the new version of the Intune portal. The goal is that the user can log in to Ubuntu with the local user created during the Device Authentication process and then be able to enroll in Intune and sign in to the portal whenever he wishes.

During my tests, I have seen that if you install the necessary components for authentication with Entra ID, along with Microsoft Edge and the Intune Company Portal using the Ubuntu installation user, and then authenticate with the Entra ID user after the device authentication process, you get this error when you try to enroll using the Company Portal:

Continuing with my tests, I have seen that if you start Microsoft Edge you can save a default keyring with a password. This security feature is specific to GNOME as far as I have read. With this keyring, it will be possible to enroll the device in Intune later. When starting the Company Portal, the default keyring password is requested, and after entering it, enrollment can be completed. From then on, the user can sign in to the portal as long as they enter that password.

However, the generation of this default keyring is a process that we do not want to leave in the hands of the user. The goal is to deliver the device to the user with all the necessary software, so that once they have authenticated the device with Entra ID, they can open the Company Portal and enroll in Intune. Does anyone know if there is a way to avoid using such keyrings in a scenario like this? On a machine with only Ubuntu and Edge, it is possible to make this process transparent by disabling user autologin or setting an empty password for this keyring, but in the scenario of Ubuntu + Entra ID + Intune, I can't manage it.

Thanks for your help and I wish you a great 2025

Managed Home Screen MSAL - severe issues
Hi Intune Community!

We are currently experiencing severe issues with Managed Home Screen and MSAL on our shared Android devices, managed as dedicated with Entra Shared mode. Anyone else experiencing issues?

Quite often when a user types her user name at the MHS sign-in page and presses the Sign In button, the screen only blinks and nothing happens. The only workaround is to restart the device, and then it often works to sign in a user once or twice, until the same issue happens again. It affects all devices and all users and we have tried both the latest version of MHS and some older versions. No difference.

Some things that we have seen are:

- If we exit kiosk mode and start the Intune app it says "Something went wrong" and shows a Register button. This is however gone when restarting the device. (see images below)
- If we start the Authenticator app, also after exiting kiosk, it asks for "organization email" and shows a Register button. This is also back to normal once you restart the device. (see images below)
- If we let the device be after trying to sign in, 10-20 minutes later it has managed to sign in and asks for setting a Session PIN. The problem is that it is the user who last made a successful sign-in who gets signed in. Huge security issue.
- We also see that Edge and Teams (probably other MSAL-enabled apps as well) don't behave as normal even if you successfully sign in. Teams asks what account to sign in with. Either selecting the suggested account or pressing the Back button (<) signs you in. (see images below)

Entra Application: "Windows Backup and Restore" blocked OOBE autopilot enrollment
I have a Conditional Access policy to block users not on a compliant Windows PC, and the Intune app and Intune enrollment app are excluded from the CA policy for device enrollment. Last night I manually added a reimaged Windows PC to Autopilot (using PowerShell), and during the OOBE user sign-in the app "Windows Backup and Restore" failed for token issuance. This app, Application: Windows Backup and Restore | Application ID: 74d197dc-b84d-4d43-a1b2-b5bf3bb91c11, is not found in Entra Enterprise apps or App registrations. The Windows OS build was 25H2 Pro; looks like a new service. It would be nice if MSFT would add these new apps to Entra. Now I need to manually add the app using PowerShell so I can exclude it from my policy. Anyone have any news about the Application: Windows Backup and Restore | Application ID: 74d197dc-b84d-4d43-a1b2-b5bf3bb91c11?

Blocking Bluetooth file transfer
We have created a policy to block Bluetooth file transfer. The policy was created through Attack surface reduction -> Device Control.

1- This seems to "dim" the option to add a Bluetooth device in Windows, which is not what is needed. Only file transfer is to be blocked. How can this be achieved?

2- In Allow Bluetooth, you get the following description: "Allows the user to enable Bluetooth or restrict access. Note: This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0." There is another option, "Reserved". There is no documentation for this option. Any idea?

Hybrid AAD Domain Join configuration profile (%SERIAL%)
Good morning,

Looking to confirm my findings to solidify that this is not old information and is still accurate in 2022. The following article clearly defines in the chart that Hybrid AD Join devices are ONLY compatible with Prefix (Fixed String) names and NOT compatible with the %SERIAL% option that AAD Joined devices ARE. At the bottom of this article it then touches on the OMA-URI custom policies, where it implies that %SERIAL% can be used for Hybrid Autopilot deployments. https://www.anoopcnair.com/computer-name-during-windows-autopilot-intune/

Based on my research, this is not possible. Is this correct? I have read articles that reference custom policy OMA-URI settings to achieve this, but have also read that doing so will cause the device to lose its trust with the domain, which prevents the user from logging in. https://www.wpninjas.ch/2019/06/ultimate-guide-to-define-device-names-in-windows-autopilot-hybrid-join-scenario/

The only option as I understand it would be to push a Win32 app, device targeted, for the device ESP process, OR a PowerShell script post Autopilot. Do you agree with this?

Thanks, Crim

Conditional Access and -Online Device registration error
So there was an issue creating new discussions yesterday and I ended up with a discussion with a heading only. :)

We're using the Get-WindowsAutopilotInfo.ps1 script with the -Online switch to register our Entra Joined devices, and the process is being blocked by Conditional Access. The sign-in logs point to Microsoft Graph Command Line Tools (App ID: 14d82eec-204b-4c2f-b7e8-296a70dab67e) as the blocker. Microsoft Support suggested whitelisting several apps, but unfortunately that hasn't resolved the issue, likely because the device doesn't have the compliant state during online registration. We're currently evaluating whether a dedicated service account with scoped permissions for Autopilot enrollment might be a workaround. Would be great to hear if anyone else has found a reliable solution.