Recent Discussions
Does the Intune Management Extension enroll the Windows PC in Intune?
Intune Management Extension fails to install. The device is not visible in Intune. It IS visible in Entra ID and Defender. Is the install failing because it's not enrolled in Intune, or is it the opposite? This is a remote device, so I don't have direct access.

Intune Security baseline - Defender settings
Hello All, We're configuring the Security Baselines policy for Windows in Intune and noticed a section for Defender settings. We have an Intune Plan 1 license, don't have a Defender for Endpoint license, and are using the default Windows Defender on Windows 10/11. After we enroll the device in Intune and configure the Security baseline policy, can someone confirm whether settings like ASR, Network Protection, Cloud Protection, Local Admin Merge, etc., under the Defender section will apply to our devices if configured? Thanks,

Android App for different enrolments
Hi, Most of our Android devices on Intune are registered as corporate-owned, fully managed, and the apps are all installed as 'required', assigned to user groups. I have been asked to set up BYOD for Android, so I am trying to create the Work profile setup. The problem is that it automatically installs all apps we've assigned for corporate-owned devices. How do I separate the apps for each type of enrolment, bearing in mind that the same app (e.g. Outlook) might be installed on both types of enrolment? We are assigning apps by user, so I can't think of a way to prevent it. Thanks

Intune Endpoint Privilege Management - FIDO2
We have begun testing out Intune EPM as a replacement for local admin accounts in our org. We have users that authenticate with PIV certs via Smartcard as well as FIDO2 with Yubikeys. PIV authentication works no problem, but I cannot find a way to enable FIDO2 to work with EPM. Has anyone found a solution for this?

Block iMessage backup to iCloud
Hello. Trying to block the backup of messages on some iPhones. ABM-managed, ADE-enrolled devices. I see through both the restrictions template and the settings catalogue that this is not available. So I thought maybe I could do this through an App configuration policy. Turns out, no, because Messages is not listed under public apps. Then I thought to do it through App Protection policies... but again, Messages does not appear. But I noticed App Protection policies can apply to managed apps, so why not just add Messages to my managed apps? And conveniently, the "Add app" tool has a "built-in app" button. But none of those apps are built-in apps. Not one of them, from what I can tell. Anyone able to help out here? This seems... bizarre.

Dynamic device group from Intune user groups
We've onboarded a number of users into Intune, and we're all new to it. Previously, they were on MaaS360, which had both device groups and user groups, and you could assign to either individually. A bit shocked Intune can only assign down to the group level. (I know Filters exist, but these only filter by Devices, and take longer than just creating a new group)... Anyway, trying to rebuild things as closely to MaaS as possible. For onboarding, we created user groups, so when a user enrolled, they would automatically get the right policies. We couldn't create a device group until the devices were enrolled AND logged in, and showing in Entra. However, the tenant actually wants the groups to be by DEVICE for various reasons (replacing people, for example). So I have two questions: Is there a way to dynamically generate the device groups, based off each user's group association? Also, since devices can't be grouped without an associated Entra ID (either dynamically or manually), if a user leaves/signs out, will that device automatically lose all its group associations? If there is another way to get the structure the tenant wants, I'm all ears. But essentially, the devices have different hardware, and they want their department to be tracked even if they have no user.

Unable to access devices | configuration
Hi All! HNY to you all. Just trying to access devices\configuration from the Intune Admin Console, and I get this error, and no policies are displayed. I have tried accessing via an Incognito window and get the same message. Everything else is working and accessible. Anyone else got this issue or seen it before? Thanks

Local admin creds via PowerShell via Intune
Hello! I have what I hope is a fairly simple question. I am trying to run the Winget upgrade process using a PowerShell script deployed in Intune. The problem is that it fails on laptops because it requires elevated privileges. It works for those who are local admins but not for those who are not. Has anyone deployed this successfully? Using the command below in the PS1 file....
winget upgrade -h --all
Or as an alternative, has anyone any good advice on running Winget from Intune across all users within a specific security group? Thanks all!

Intune - Multi-App Kiosk Mode Android - Managed Home Screen - How to Toggle Between Open Apps?
Hi there, We use Intune Multi-App Kiosk Mode for Android (Managed Home Screen) quite a bit. However, we'd like to be able to see open apps and switch between them like you can on a standard Android phone (using the 3 vertical lines icon). I can't find an equivalent function in Managed Home Screen. Any ideas? Ta, Ian Hearnes

Intune - Phishing-Resistant MFA
Good Afternoon, So sorry but I'm quite novice. I am trying to move all Intune users to phishing-resistant MFA (PR-MFA) only (excluding break-the-glass users/admins). On Entra, I do this by disabling Microsoft-Managed MFA and setting a new authentication strength with all three PR-MFA modalities selected as the only allowable MFA. Then, I set a conditional access policy to grant all users access to all resources only if they have PR-MFA registered, because I don't want them to use other MFA like SMS. This makes all existing users switch over and disables weaker methods (like text messages), but I can't onboard new users. I reviewed the log for a test user who I could not register, and I saw that the issue is that during registration, the passkey must already exist BEFORE the new user can set up a passkey or other PR-MFA method, which is impossible. Is there a way to let Intune use just the new user's password alone for initial PR-MFA registration?

Issue with SharePoint and Teams access
Hello everyone, I have the following question. My device is currently involved in two different tenants (my main work and a customer environment). When I try to log in to the Azure portal, or DevOps, I have no issue with access. When I try to open the customer's SharePoint page, or use Teams with the account registered in the customer environment, I experience an issue with authentication. First, I get a window where it is stated: "Tenant Name requires you to secure this device before you can access email, files and data. If you go to other apps or sites, they may recognize that you are signed in. You can enroll your device with...". When I continue, I get another error with error code 530003. Device Platform is: macOS. Device state: unregistered. Thanks in advance for your assistance!

iOS Screenshots not working (BYOD)
Hi All! I am having reports back from our iOS BYOD users that they cannot capture screenshots. Our policy and config for BYOD hasn't changed recently, and we don't restrict the taking of screenshots. I have also checked the App config and protection policies, but can't see anything in there; they also haven't changed. I know iOS has had updates recently; could this be the cause? Anyone else got this issue? Many Thanks

Intune/Defender Firewall Policies
Coming from an environment where the Windows Firewall had been disabled, and having seen the light, we finally got approval to enable the firewall, but I am hitting a learning curve with Intune behaviors. I have a device where the firewall is enabled, and I get an admin prompt for an app that wants access. I cancel the admin prompt and do a little digging on what app wants access, and to what, etc., and then create the policy to allow the traffic inside of Intune. I thought the policies were not applying, but after poking around, I found that they are applied and listed under Monitoring > Firewall instead of the normal Inbound or Outbound Rules sections. However, because I canceled the admin prompt to allow the traffic, it automatically created a Block policy in the Inbound Rules section. Inside of Monitoring > Firewall I can see both the Block policy from the Inbound Rules and the Allow policy from Intune. Question: Is there a way to use the cloud Intune/Defender policy to wipe out the Block in the Inbound Rules section? Or do I need to make a remediation script to clean these up? Or is there some other 'best practice' way to clean up the unintended blocks from the local policy?

Intune MDM, iOS device after a restore skips Remote Management screen
I am using Intune MDM to enrol the devices. Enrolling a new device with a Managed Apple ID works without any issues, and I can install the profile, getting all the apps installed via VPP apps on the device. Restoring a device from iCloud or a local computer backup taken in iTunes doesn't seem to work as expected: after a restore, the device skips the Remote Management screen and loads into the phone welcome screen. I am taking the backup of the same device and restoring it back, keeping in mind the device was never MDM managed, therefore no management profile has been restored. We are using Managed Apple IDs, so no VPP apps are downloaded, but the Managed Apple ID blocks the ability to download any apps from the App Store. The device was added into Intune MDM via Apple Configurator, therefore it is visible in Intune.
1 - Backup to iCloud to keep all data.
2 - Wiped the device via Erase All Content and Settings.
3 - Added the phone using Apple Configurator.
4 - In ABM I assign the device to the MDM server.
5 - Kicked off a manual sync from Intune.
Once the device is visible in Intune and the profile is assigned, I start the setup process and select to restore from iCloud or from a computer backup. I expected it to restart after the restore and show the Remote Management screen, but it does not. The only way around this is to restore via iCloud to a different device. This is not ideal. Please let us know if you can recommend a better way of doing this, i.e. restoring the backup on the same device and getting the Remote Management configuration to enrol the device in MDM.

App Protection Policy Intune iOS Restrict Cut Copy Paste but allow certain third party apps only
The restriction of cut, copy and paste is chosen as Microsoft apps only. Even if we push the apps from Company Portal as managed apps, even VPP apps, the App protection policy is not getting applied on those apps. Apps like SAP, Concur, Salesforce, etc., are used globally and widely across many organisations, so how are you overcoming these policy restrictions by MS Intune on iOS devices? We have to secure things so that no data can be moved out to any third-party apps, while in the meantime we have business apps like those mentioned above to get things done. Tried methods that are not working: sending the UPN as an app configuration policy to the third-party apps; adding a custom bundle ID for those apps in the App protection policy; in the App PP, under Data Protection, adding the apps to exempt. Also tried with no results. In our existing policy we have chosen "selected apps mode" for the app protection policy, and all these apps were selected as Microsoft apps, and it's working fine as expected. Cut, copy and paste will work only in those apps which we have chosen as selected apps. In all remaining apps, cut, copy and paste will be blocked. Now we have a scenario of business app usage, and we have deployed those via Company Portal as iOS Store apps; users downloaded them and are using them already. From app management, they show as managed apps. The requirement here is to have cut, copy and paste from Outlook and Teams to those business apps.

Best Practices for Managing Autopilot Profiles Across Multiple Locations
Hello everyone, I have a question, and I'd like to get your thoughts on it. In a scenario where an organization manages Hybrid Join devices using Autopilot, distributed across different locations, each with its own Autopilot profile, how do you prefer to manage groups and profile assignments? The options I'm considering are:
Option 1: Using a single dynamic group (e.g., "All Autopilot Devices"), with a query like:
(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
to include all corporate devices, and then assigning profiles using Scope Tags.
Option 2: Creating multiple dynamic groups, one for each location (e.g., "Location 1 Autopilot Devices," "Location 2 Autopilot Devices," etc.), with queries like:
(device.devicePhysicalIds -any (_ -eq "[OrderID]: Location 1"))
and then assigning the respective Autopilot profile to each dynamic group.
What's your approach, and what advantages/disadvantages have you encountered? Thank you to anyone willing to share their experience!

Winget in Remediation scripts
Do the remediation scripts and the execution environment support winget? Running this returns nothing:
$version = winget --version | Out-String
Have also tried to use the Start-Process approach:
# Define the path to winget.exe
$WingetPath = "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\winget.exe"
Start-Process -FilePath $WingetPath....
Is it even possible to get winget working in detection and remediation scripts?

Firewall Rules: Transitioning from GPO to Intune
I migrated the firewall rules from a GPO to Intune and successfully applied them to my devices. Now I want to remove the firewall rules from the GPO. My question is: will the firewall rules deployed via Intune be automatically applied to my devices once I remove those from the GPO? For security reasons, I don't want to leave certain ports open when removing the GPO.

Intune Reporting
I am new to Intune, having used Group Policy for many years. I understand the basics, but one thing that I can't see is reporting and logging of what Intune is doing on the computer. I can see Event Viewer entries, but there doesn't seem to be logging? Am I missing something, or is there no logging?
Recent Blogs
- I'm Catarina Rodrigues and recently, I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. ... (Feb 28, 2025)
- So, here we are. You've been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management - with experience managing Windows devices, personal ... (Feb 28, 2025)