mobile device management (mdm)
2170 Topics

Intune Shared-Device Configuration - Disallow Entra Login
Hello everyone, I am encountering an issue with our shared device setup in Intune. Our organization manages devices through Intune, and we have configured shared devices specifically for external guests who only need access to a laptop and Microsoft Office products. While the setup generally works as expected, we’ve noticed an issue where users are still able to log in using Entra (Azure AD) accounts from our tenant, despite setting the Guest account configuration to "Guest" in Intune. We would like to restrict access solely to the local guest account and prevent users from logging in with Entra accounts. Our current configuration for the shared device profile is as follows:

Shared multi-user device settings:
  Shared PC mode: Enabled
  Guest account: Guest
  Account management: Enabled
  Account Deletion: At storage space threshold and inactive threshold
  Start delete threshold (%): 20
  Stop delete threshold (%): 50
  Inactive account threshold: 30
  Local Storage: Enabled
  Power Policies: Enabled
  Sleep timeout (in seconds): 600
  Sign-in when PC wakes: Enabled
  Maintenance start time (minutes from midnight): 60
  Education policies: Disabled

Is there a way to enforce this restriction, allowing only the local guest account and blocking Entra user access? Any guidance on this matter would be greatly appreciated. Thank you for your assistance.
84 Views, 0 likes, 1 Comment

Disable automatic app updates for specific apps in Intune
Hi, In our organization, I have enabled all three options below to install and manage traditional Android applications through Intune. However, we have encountered a situation where certain specific Android applications, such as the Google Play Private App, only work with lower versions of the OS. The higher version is not compatible, and Google Play Store is reporting it as an unsafe app and blocking it. Is there any option available in Intune that allows us to block automatic app updates for specific applications?
4K Views, 2 likes, 2 Comments

Disable sign in to Windows device (fast)
Hi, When using Intune along with WHfB PIN, what is the best approach to disable sign-in to a Windows PC (using WHfB PIN)? The Wipe command is not an option in this case; we just need to block access to the PC and do it as fast as possible. In my testing, blocking the user, revoking the session, and disabling the device is not preventing the user from using the cached PIN to enter and use the computer. Yes, it's signed out from Office apps etc., but still has access to local files. I think there should be a command in Intune that will efficiently do this. Thanks!
22 Views, 0 likes, 2 Comments

Error running on-premises Intune Connector for Active Directory (ODJ Connector).
Hi, I am trying to add AAD joined devices as hybrid to my local AD DS with Autopilot. I downloaded the ODJConnectorBootstrapper.exe file from the Microsoft Endpoint Manager > Devices > Enroll devices portal. The installation was successful, but after trying to sign in, an error occurred in the log file (C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorUI\ODJConnectorUI.log) and also in the Event Viewer (Application and Services Logs > ODJ Connector Service):

ODJRequestHandlingPipelineDownload_Failure: Failed to download ODJ requests. InstanceId:We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."], DiagnosticCode:514AE631-B83B-409A-9056-6095ADE99F21, DiagnosticText:Unknown_Error

The IE Enhanced Security Configuration is already OFF, I've removed everything related to Intune and reinstalled only the ODJConnector, and I've restarted the server, but the problem persists.
105 Views, 1 like, 2 Comments

Deploying a Local Admin Account to Multiple Targets
Hello, Thanks for this forum and your time. I recently started using Intune to manage mobile devices for an organization. I recently went to do some admin work on intuned laptops and found that I could not make administrative changes even with a domain admin account. I learned that the way our Intune is set up, if I want to make admin changes on a device, I have to set the device to an admin device for admin users. Then, when finished, set it back to a user device for standard users. I'm new to Intune but this seems a bit convoluted, so my first thought was how can I make it possible to do admin work on an Intune device without needing to change those settings each time? I decided the best way would be to use Intune to add local admin accounts on all the devices. Researching this, I found there are two common ways to do this. 1. Add a PowerShell script that will create a local admin account on the device/s of my choice. Though my PowerShell script worked when I ran it on the local machine, it wouldn't work using Intune. Either it would deploy but no admin account was created on the target machine, or it just wouldn't deploy. Because of this, I tried the other way of doing it, which is Intune's LAPS (Local Administrator Password Solution). But after setting this up, it would never enable the built-in admin account, nor could I find any system-generated password in Intune for that account. In the end, I just want local admin accounts on all our Surface Pros deployed en masse.
109 Views, 0 likes, 4 Comments

Cannot install macOS Management Profile
Hi, all. I'm trying to get management of a macOS device working. This is the first device being enrolled, in a new setup. The device was pre-enrolled in ABM and synced to Intune. The device registers fine, and gets the default management profile. I have added Company Portal, Microsoft 365 and Defender as apps to install. All these are being pushed, except Defender comes up with a missing license. I guess this is related to the issue below. I start up Company Portal and it instructs me to install a new management profile. When trying to install this profile, it fails with the error "Could not obtain final profile using the Encrypted Profile Service...". My guess is that there is a conflict with an already installed Management Profile, which is impossible to remove. I have tried both locked and unlocked enrollment. Any hints on how to resolve this?
24 Views, 0 likes, 1 Comment

Android KIOSK Device - WiFi Browser Login, not appearing
Morning All, I have an Android KIOSK device with managed home screen applied. The device has a WiFi configuration applied for our network. But when the user goes to another customer's site, their WiFi prompts for a login to be made via a browser page. This page isn't displaying. There is a browser deployed to the tablet, and I have got the end user to open the browser app before trying to connect to the WiFi, but it still doesn't work. As a temporary measure, I have used the "Remove apps and Configuration" option against the device and removed the Configuration profile. When the tablet is without the profile, the user can successfully connect to the WiFi and the browser appears. I am currently going through my setup that is applied to the device but can't see an option that is blocking the browser when connecting to a WiFi. Anybody come across this issue? Or know of a solution? The device config\setup is used for many different aspects of the business, so I have to be mindful of what changes I make. I don't want to give them the ability to exit KIOSK mode etc. Thanks
275 Views, 1 like, 1 Comment

Allow my android app to update itself
I'm going to do a project for machines that will have a monitor. I'm using an Android tablet, but it shouldn't have access to common actions of a conventional tablet; it should only be for monitoring. So I configured in Devices/Configuration a Device restrictions profile in kiosk mode single app. It worked as expected, but my app has a part that does an apk update via wifi, and for some reason when I configure it for kiosk mode single app it messes up the process. I'll show the screens that appear when I don't configure it for kiosk mode single app (the images are in Portuguese, sorry, I'll translate):

1) Translation: For your security, the smartphone does not have permission to install unknown apps from this source. You can change this in the settings. After I click on settings, it redirects to another screen, which will be the next one:

2) Translation: title = install unknown apps. Allow from this source, and not in front there is the switch to click. After clicking on the switch it opens the pop up to click on update, and this is working correctly.

But as I said at the beginning, when I set it to kiosk mode single app these two pop ups do not appear and it is not possible to continue the update. I do not know if it is possible, but I thought of two solutions: one would be something that allowed it to appear even in kiosk mode single app, and the other, which would be ideal, is that it already gave permission to download in the first pop up, since it has to redirect to settings and only after this whole process it updates. So I do not know if it is possible to already grant this permission (I have already configured in Device restricts applications/Allow installation from unknown sources, and also in Apps/Configuration I created a Managed devices policy and automatically granted all permissions, and none of it worked). Thank you for your attention and I will wait. If you have any questions or if you need more details I am at your disposal.
23 Views, 0 likes, 0 Comments