Recent Discussions
Intune compliance issues Windows 11 22H2
We have unboxed several new "HP ProBook 450 G9" devices and connected them to MDM with AutoPilot. We installed these devices and they should be marked compliant based on the settings we have applied to other devices as well. But these devices are all having the same issue with compliance, because they get "Require BitLocker" and "Require Secure Boot" failed. We have installed all updates, we upgraded these devices to W11 22H2. We have checked but the disk is encrypted and we also checked the steps written on this page Secure boot enabled Windows 10 device shows Not Compliant in Intune - Intune | Microsoft Learn. "manage-bde -protectors -get C:" returns TPM: PCR Validation Profile: 7, 11 "Get-Tpm" returns TpmPresent : True TpmReady : True TpmEnabled : True TpmActivated : True TpmOwned : True RestartPending : False ManufacturerVersion : 7.2.3.0 ManufacturerVersionFull20 : 7.2.3.0 "Get-BitLockerVolume -MountPoint C" returns VolumeType Mount CapacityGB VolumeStatus Encryption KeyProtector AutoUnlock Protection Point Percentage Enabled Status ---------- ----- ---------- ------------ ---------- ------------ ---------- ---------- OperatingSystem C: 237,29 FullyEncrypted 100 {RecoveryPassword, Tpm} On "Confirm-SecureBootUEFI" returns True What can we do to fix this?Apps are not installing at the time of enrollment
Hi People, I am new in enrollment of the android devices. I have a few devices which I need to enroll as Corporate-owned, fully managed user device. In order to do so, I completed the steps below: 1. Scan the code 2. Login as company credentials. 3. Setup the pin number. After that I am stuck at installing the apps. As Microsoft Authenticator and Microsoft Intune are required apps, without that I can't do anything. Installation of that apps are just going for ever. Please see the screenshot and help me if you can .Thanks
Endpoint privilege management, deployment unsuccessful with "device health monitoring" error
Hello all, I'm testing Endpoint privilege management on a few machines in a test environment. The elevation settings policy isn't deploying when "send data to microsoft" is selected, the error received mentions an "Allow Device Health Monitoring" error, but that settings is correctly deployed via configuration profiles. Also can't find any info about that in the logs. If I deselect "send data to microsoft" then the policy is deployed successfully, but in reality the app is not installed on the target devices (so no right click options about EPM). Anyone facing the same issue, and what steps could we try to fix it?Intune Management Extension not installing
I am testing Intune/EMS on Windows 10 (1709) PCs and trying to get Powershell scripts to run without success. I think the issue is with the Intune Management Extension not installing but cant find much information on how to troubleshoot this particular issue. Can anyone advise how I get Powershell scripts to run ? TIA Scott
Intune App Protection Policies (The apps on this device are already managed)
Hi One of our users got this error for some reason. The device is an iPhone, enrolled into Intune. When the user opens Microsoft Teams they get the following error. Remove Account The apps on this device are already managed. Only a single managed account is allowed on a device. Select the account you want to remove. This account and all associated data will be removed from all managed apps. Then it displays two identical work accounts for the user. (Example) user @ domain.com user @ domain.com No matter what we delete this just goes on and on for Teams, no other apps has this issue and no other user has this issue, and it just started happening today.Cannot Reseal Windows 11 device while pre-provisioning
Before I reinvent the wheel, I thought I’ll post the issue here. I have a AP profile configured as below. Deployment mode User-Driven Join to Azure AD as Azure AD joined Language (Region) Dutch (Netherlands) Automatically configure keyboard Yes ( In know.. please read on) Microsoft Software License Terms Hide Privacy settings Hide Hide change account options Hide User account type Standard Allow pre-provisioned deployment Yes Apply device name template Yes Enter a name XXXX-%SERIAL% I know I’ve set the auto keyboard to yes, but here me out. As far as I understood the previously known issue is fixed in Windows 11. Windows Autopilot for pre-provisioned deployment | Microsoft Docs In Windows 10, version 2004 and later, if the Autopilot deployment profile Language/Region setting is not set to User Select, then OOBE will progress past the language/region/keyboard selection screens. This causes the pre-provisioning technician to arrive at the Azure AD login page, which is too late to enter pre-provisioning. This issue is fixed in Windows 11. For the pre-provisioning part: On Windows 10 21H2 (10.0.19044.1645) I can pre-provision the device successfully. The technician flow completes and I have a green screen giving me the option to reseal. After reboot, the normal user flow follows, and the device is ready to go before you know. AAD joined and MDM enrolled with user affinity. However, on Windows 11 (10.0.22000.675) the technician flow starts OK. I’m presented with the AP profile that is selected, and I can continue pre-provisioning. But it never shows me the green screen and I’m not able to reseal the device. It also does not show any errors what so ever during pre-provisioning. The device simply reboots and ends up at the login screen. The user flow does not seem to start and from the login screen, I’m also not able to sign-in with any account. At this stage, I checked the device in the AP portal. The interesting thing is, that the device seems to be AAD joined and MDM enrolled. And as expected, there is no primary user yet in Intune. So I looked up the device in Azure AD and confirmed it is AAD joined. Although I don’t believe the info presented. I also looked up the device in MEM/Intune and collected the diagnostics logs from the device. Still in the process of diving into the logfiles but here are some of my findings: intunemanagementextension.log shows some interesting things: GetAADJoinInfo - Failed to get Azure AD Join information using NetGetAadJoinInformation 
Error 65000 with Settings Catalog
Hello Community! This is my first posting looking for answers. I'm pretty new to Intune and Endpoint Manager. In doing some testing, I have created a configuration profile using the settings catalog. I'm trying to disable the News and Interests from the taskbar. I have applied this to my testing group. Below is a screenshot of the settings I used. After the policy pushes to the device, it errors out. I get the following Error details for this device. I've tried looking for information on this error with no luck. Any help would be appreciated! Duncan
installing a exe but not working
Hi all, I am trying to install an emulator which is an exe with a license key but when installing it fails. I have been told that the install command is: But this doesnt seem to work via intune. I have packaged the .intunewin file pointing to the exe but no luck any ideas?
Intune Doesn't Install Win32 Apps Until a User Logs On?
Hi, I'm using autopilot in self-deployment mode to provision devices. I have about 10 apps assigned to a dynamic security group that contains my devices. I have ESP configured to allow the user to "Continue Anyway" because some of the apps have known reasons for failing (e.g. doing I'm testing on a Surface device but trying to install an nVidia driver/app) so I had to enable the ability to move on from ESP when those apps fail, or I'd be waiting all year for ESP to finish. (doesn't seem to time out at 60 min as it should) So after hitting the "Continue Anyway" button, Autopilot completes, and I'm left at a logon screen. I noticed that the only app that installed was an MSI. None of my Win32 apps installed until I logged in. Even after logging in, it's still pretty flaky. This is a "video wall" device, sort of like a kiosk but not as locked down and it is logging in with a local user account. I'm getting lots of "Failed to get AAD token" errors in the IntuneManagementExtension.log file and I'm not sure if that's why app deploy is so unreliable. Reboots seem to help or deleting the IntuneManagementExtension reg key and restarting the service. App deploy seems to be more reliable when I log in with my AAD account. This is a completely standalone tenant - no hybrid, pretty basic. Is this to be expected that Win32 apps don't install until a user is logged in? I know there are kiosk/autologon device config profiles available and intended for similar scenarios but in my case, those would be a bit too restrictive for this particular scenario. I really need zero touch deployment and app install using a local account with auto logon. Am I swimming upstream? One of my win32 apps is a powershell script that creates the autologon user and uses autologon64.exe to configure autologon. (and a powershell detection script to look for the reg entries) thanks, DanPlatform SSO for macOS not working
(Update after long troubleshooting: the two main issues until now were: Leading and/or trailing spaces in the configs > They lead to visible and unvisible errors! When using in europe you need to remove some URLs (detailed information in this thread)) Hi folks, i'm working hard on implementing Platform SSO for macOS (MSlearn) (2nd Link: Join a Mac device with Microsoft Entra ID during the out of box experience with macOS PSSO (preview) for ourselves and our customers. I worked all the way through the Microsoft Learn Articles as well as 3rd Party blog posts or reddit discussions. (MS Intune Support think they need to forward my ticket to the Azure Support. I don't get it :D) The issue is: The Platform SSO Profile in Intune is always on error code 100001. I tested this with different tenants, in every single one the issue is the same. The config profile is configured as followed: When looking at the device this is what should appear: But this doesn't happen on the device. What i'm also wondering about: When signin in on a mac device enrolled via ADE, after i log in to the company portal app (current version), it states that it is unable to register the device. Is this an expected behaviour? I don't think so, isn't it? It would be so great to come into contact with others of you having the same issue or, even better, that solved this issues. 🙂 Thank you very much in advance Regards Patrick Ps.: Maybe some of the mslearn article contributors have any idea? Mandi Ohlinger, arnabbiswas ? 🙂
Intune Compliance Policy: Device not compliant because of missing machine risk score: deactivated?
Dear all, I have this curious compliance issue for which I cannot find any information online or on docs.microsoft.com. Any help or suggestions are appreciated. We are testing Windows Defender ATP in combination with Intune compliance policies on a limited amount of devices. We had a first test group of three devices, and a second test group of four devices. So 7 in total. In Intune our 'second wave' of test devices is somehow marked as "non compliant" because a violation of our rule that "Require the device to be at or under the machine risk score = clean, low,...". However, these machines are onboarded in Windows Defender ATP and are showing to have no issues. In Intune the table in Device Compliance -> Device Compliance shows that for these machines the Device Threat Level is "Deactivated". (Our other test machines report "Secured", machines outside the test group are reporting "Unknown".) I cannot find any documentation where this state of "deactivated" is discussed. We identified three other differences between or first test group and the second test group: - License level was on Microsoft E3 for the non-compliant machines, instead of E5 - Windows version was 1803 for the non-compliant machines, instead of 1809 - The very first test group was onboarded in Windows Defender ATP using a script. The second non-comliant group was onboarded using a configuration policy in Intune. To test if any of these three differences could have caused the issue I did three separate tests: 1) I moved one user to Microsoft E5, as I understand for Windows Defender ATP this is required. 2) I had one other machine upgraded to Windows 10 1809 3) I ran the manual onboarding script once more on a third machine But none of these machines would be compliant afterwards. I onboarded the first test group to ATP using a script downloaded from ATP. They were active for a few weeks with just the ATP link. I then assigned both the compliance policy and the final ATP configuration at the same time to this first group. The second group was onboarded by the ATP configuration policy in Intune. I assigned the identical compliance policy a day later. I assume that the compliance check fails because the machines do not communicate their threat level (shown as "deactivated" in the Intune portal) properly. One widget in the device compliance screen does show 5 of the 7 devices to be clean: I do not understand why it counts 5 devices. What with the remaining two? And if these 5 are indeed clean, why do at least two of them (7 minus 5) report as having a threat level "deactivated" and "non-compliant"? Does anyone know why the Device Threat Level of the second test group is "deactivated"? What causes this? How can I solve this? Thanks for your help! Best regards, WimDevice Compliance
Hi All, Is anyone else see incorrect reporting of device compliance due to the "System Account"? As per Microsoft documentation: "Windows 10 devices that are Azure AD joined may show the System Account as a non-compliant user. This is expected behavior and doesn't affect the overall device compliance." This seemed to be working OK until about 2 weeks ago. We are using: Hybrid joined device in a co-managed state - Windows 10 1709 and SCCM 1806. The slider for device compliance is set completely to Intune. We end up with results like this: and the device is then overall marked as non-compliant: This example is just ridiculous, as everything is actually compliant yet the System Account is marked Not Compliant and the device is as well. Seems to be so inconsistent... and we are using CA policies which are locking out users.Intune Company portal on androids continue to give me an error
I have removed the user and reset him up in the company portal. I continue to get a message "your company needs you to adjust these settings to comply with organizational policies. Set a longer device password, A device password must be at least 4 characters long. I have changed it and have done a resolve and it still does not work. It is an Android Samsung Galaxy S10e version 11 with the Knox version 3.7. Could you please help!Device Registration - Run Company Portal in Single App Mode until authentication
I have having an issue starting today 10/24 - Company Portal update was released 10/23 Any new enrollments are stuck with the Company Portal in Single App mode by design and enrollment policy. After the user completes enrollment, the device remains in Single App mode. The devices are reporting as non-compliant at first with no Compliance Policy. After the compliance policy is set, the device is still locked in single app mode waiting for the Password to be brought into compliance. The password change prompt is hidden being the Single App mode and cannot be accessed. No matter what I do, the Company Portal is locked in single app mode. I have no option but to turn off this feature which prevents my devices from being stolen. Has anyone seen this same issue and been able to get past if without turning off this feature 'Run Company Portal in Single App Mode until authentication' during enrollment?
Recent Blogs
- I'm Catarina Rodrigues and recently, I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. ...Feb 28, 2025
- So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management - with experience managing Windows devices, personal ...Feb 28, 2025
