Recent Discussions
Bizarre reinstall loop for M365 365 Apps
Hi All,

We have deployed the M365 Apps x32-bit version to all devices (app type is Microsoft 365 Apps (Windows 10 and later)). We have experienced random reinstallation for some users for the last 1 to 2 months, even though the M365 apps have already been installed successfully on the devices. I have tried to find any Intune logs related to this reinstallation, but unfortunately I am not able to find any logs, either by application ID or application name. However, I checked the MSIInstaller logs in Event Viewer, and I could find a successful installation about every 5-6 days (Image01, Image02). Even Control Panel keeps updating the installation date accordingly. Again, when I checked the deployment status for the specific app in Intune, it says "install pending" (Image03, Image04, Image05).

I would appreciate any help to find out what is happening in the background, and anywhere that I can find logs for M365 Apps installation from Intune.

Thanks,
Dilan

MGP Keep apps on certain version
Hi All,

I hope you are well. Anyway, a wee urgent one here. Is there any way to keep apps from Managed Google Play at a certain version number? Apparently, the latest version of one of our apps is flawed. This is an app that is available publicly and not an LOB / APK etc. Info appreciated.

Stuart

Immediate Restart from Intune
Hi everyone,

I'm looking for a way to remotely restart a Windows device enrolled in Intune, but with one key requirement: it needs to happen immediately, or as close to real-time as possible.

Here's the situation:
- All devices are Windows 10/11 and fully enrolled in Intune.
- I have admin access and can use PowerShell, Graph API, or Power Automate.
- I want to be able to trigger a restart from a script or flow, without requiring user interaction.
- The goal is to restart a specific user's computer on demand, ideally within seconds or a minute, not hours later when the device checks in.

I've tried:
- Using the Intune Admin Center > Devices > Restart option, but it's not immediate.
- Triggering a sync first; still not fast enough unless the user has Company Portal open on their machine.
- Exploring Power Automate and Graph API to call /restartNow or /wipe, but again, it depends on the device check-in.

Is there any way to:
- Force a device to check in immediately, or
- Push a restart command that executes instantly, assuming the device is online?

Bonus points if this can be done via a script or automated flow (e.g., triggered by a manager request or security event). Any help, scripts, or creative workarounds would be hugely appreciated!

Thanks in advance!

Initiate Windows Updates on devices not logged in by users
Hi All,

We have a scenario: deploying Windows updates to devices enrolled in Microsoft Intune with no user logged in. Our IT administrators keep newly imaged laptops for about 3-4 weeks on their shelf before handing them over to a new user. Because of that, during that time those devices report to Intune as non-compliant due to the Windows OS version. Therefore we are looking for a way to deploy Windows updates to them without depending on logged-in users.

Appreciate any ideas. Thanks in advance!

Dilan

Intune - AutoPilot - Self-Deployment Mode
Hi everyone,

We've been using self-deployment mode for Windows devices, and everything had been working fine until it suddenly stopped working. Since yesterday afternoon, all devices have been unable to deploy properly during the Autopilot process. Has anyone else experienced this issue recently? Just wondering if there have been any changes to the self-deployment process that could be causing this.

Thanks in advance for any help or insights!

Microsoft Intune Connector for Active Directory security update
Hi,

I read this article to update our Intune Connector: Microsoft Intune Connector for Active Directory security update | Microsoft Community Hub (version 6.2505.2001.2 downloaded from the Intune portal). After installing, when I click on Sign In we have an issue with WebView on a 2016 server (with new Edge/WebView installed) or a 2019 server (with WebView already installed)... any ideas? I tried to reinstall, launch as Admin, reboot ... same issue.

Thanks for your help :)

Excluding Windows Hello for Business (WHfB) for Windows 10 using Intune assignment filter
Good morning,

I'm experiencing a persistent issue with applying an exclusion policy for Windows Hello for Business (WHfB) on Windows 10 devices (actually a testing VM) managed through Microsoft Intune. Despite configuring the assignment filter and verifying its correct evaluation in Intune, Windows 10 devices continue to allow WHfB PIN creation, and the option to remove the PIN is disabled.

Scenario and objective:
My goal is to enable Windows Hello for Business for all users except when they log in from a Windows 10 device (already enrolled in Intune). Therefore, the intention is to disable WHfB specifically for Windows 10 devices.

Current configuration:
- WHfB policy: I have a device configuration profile named "WHfB" (Platform: Windows) which enables Windows Hello for Business.
- Policy assignment: This policy is assigned to a "WHfB Dynamic Group" that contains users with the "manager" attribute.
- Assignment filter (exclusion): I created and applied an assignment filter named "Windows 10 Device Filter" to the policy mentioned above. Filter mode: Exclude. Filter definition: (device.osVersion -contains "10.0.1")

Observed behavior:
- Filter evaluation in Intune (as shown in the previously provided screenshot): For the problematic Windows 10 device, in the "Filter Evaluation" section of the "WHfB" policy, the "Windows 10 Device Filter" shows "Evaluation Result: Match" and "Mode: Exclude." The message states "Policy not delivered." This confirms that the filter is working correctly in Intune and that the WHfB policy is not applied to the Windows 10 device.
- Behavior on the Windows 10 device: Despite the exclusion, the user (AdeleV) can still modify and use the WHfB PIN. The "Remove" PIN option is disabled (greyed out) in sign-in options.
- Windows Event Logs (HelloForBusiness/Operational): The log displays several errors (Event IDs 7054, 8203, 7204) and informational events (8210, 8200, 8202, 5060 "PIN required"). Event 7054 specifically indicates error 0x1 (or 0x80000000000000001), which is a generic error.

Troubleshooting steps performed:
- Forced sync and restarts: executed multiple times on the Windows 10 device. Sync status in Intune for the "WHfB" policy sometimes shows "Unavailable," but filter evaluation is always "Match/Exclude."
- OS version verification: The OS version on the device (10.0.19045.3803) confirms that the string "10.0.1" is contained, so the filter syntax is correct.
- Policy conflict search: I reviewed the device's configuration profiles and compliance policies applied via Intune, but didn't identify any obvious conflicts or other policies that explicitly enable WHfB.

Question:
Given that my WHfB exclusion filter works correctly, but WHfB is still enabled on the Windows 10 device (and the PIN can't be removed, with a generic error in the log), what could be the root cause?

Subsequent device registration in Intune
Hello Tech Community,

We use Entra ID and our devices are fully Entra-joined. Windows 11 devices appear in Entra ID as normal. We now want to manage our devices with Intune. However, the devices do not appear in Intune because the MDM user area was initially configured as 'None'. How can we subsequently move the devices to Intune? Ideally, we would like an automated process to avoid having to move each individual device.

Details:
- Windows 11 devices
- Fully Entra-joined
- Appear in Entra
- No other device management in use

Problem: Register the devices in Intune without manually touching each individual device. Also, I don't want to use things like PSRemote.

Thanks for your answers.
BR

How can I get the Operating System Build Number for an Android device in Intune
Hello all,

I am trying to pull information about an Android device's Operating System Build Number from Intune using PowerShell; however, the closest information I can find is the Operating System Version. I've been successful in connecting to Microsoft Graph via PowerShell, and I'm certain I have permissions to access all the device information. However, I cannot find information about how to pull the data I'm looking for. Google suggested that I need to include 'hardwareInformation' as an ExpandProperty of Get-MgManagedDeviceManagedDevices, but I receive an error stating:

"Parsing OData Select and Expand failed: Could not find a property named 'hardwareInformation' on type 'microsoft.graph.managedDevice'"

Can someone please help me find how to select the Operating System Build Number from Intune or MgGraph? I've included an image of the exact data I'm looking for as it shows up in Intune.

Intune - Issues with Account-Driven User Enrollment on iOS 18.5
Hello everyone,

Since the release of iOS 18, Apple has deprecated profile-based user enrollment via the Company Portal app, requiring the use of Account-Driven User Enrollment. While this change enhances the user experience, I'm encountering challenges in implementing it.

Steps Taken:
- Apple Business Manager (ABM) Account: Created and linked the ABM account to Intune using the token. Corporate devices are successfully appearing in Intune.
- MDM Server Configuration: Set Intune as the default MDM server for all devices in ABM.
- Domain Federation: Established Entra ID federation in ABM to synchronize all users.
- Intune Enrollment Profile: Created an 'Enrollment Type Profile' of type 'Account-Driven User Enrollment.'
- MDM Push Certificate: Configured and validated the MDM Push certificate.

Issue Encountered:
According to https://support.apple.com/guide/deployment/account-driven-enrollment-methods-dep4d9e9cd26/web, starting with iOS 18.2, hosting a service discovery file on a web server is no longer mandatory. The device should automatically contact the ABM organization associated with the Managed Apple ID if no web server is found.

On an iOS 18.5 device, I navigate to: Settings > General > VPN & Device Management > Sign in to Work or School Account. After entering my Microsoft email address (which matches my Managed Apple ID due to federation), I consistently receive the error: "Your Apple ID does not support the expected services on this device."

In ABM, under "Access Management" > "Apple Services," all services are activated.

Could I be missing a crucial step in the configuration? Any guidance or insights would be greatly appreciated.

Thank you in advance for your help.

Best regards,

Subject: Best Practices for Aligning UPNs in Hybrid Entra ID + Intune Environment
Hello,

I'm seeking guidance on best practices for aligning user identities in a hybrid Microsoft 365 environment, particularly regarding UPN consistency and device enrollment into Intune.

Environment Overview:
- Client is using a hybrid Azure AD join setup via Entra ID Connect (formerly Azure AD Connect).
- Devices are domain-joined and enrolled into Microsoft Intune via Group Policy (GPO).
- Entra ID Connect sync is active with write-back where appropriate.
- On-premises UPN format: username@domain.local (or .xxx)
- Entra ID / M365 UPN format: email address removed for privacy reasons (e.g., routable custom domain)

Issue:
Devices are intermittently failing to enroll into Intune or are not showing up as compliant/joined. Manually updating the on-premises UPN to match the Entra ID UPN (email address removed for privacy reasons) seems to resolve the issue, but this is not yet standardized across the org. It's unclear whether this mismatch is breaking hybrid join and/or interfering with automatic MDM enrollment via GPO.

Questions:
- What is Microsoft's current best practice regarding UPN alignment between on-prem AD and Entra ID in a hybrid environment?
- Is it mandatory or strongly recommended to match the on-prem UPN to the Entra UPN (especially when using automatic Intune enrollment)?
- Could this mismatch be contributing to MDM enrollment issues, and if so, what is the correct process to fix it in bulk?
- Are there any known caveats or dependencies when changing the UPN on-prem (e.g., impact on Outlook profiles, cached credentials, etc.)?
- Is there a supported or recommended PowerShell method to audit and align UPNs safely?

Goal:
We're aiming for consistent, reliable hybrid Entra join with automatic Intune enrollment and minimal end-user disruption. Any insight or guidance is appreciated, especially if there's documentation or field experience to support it.

ActiveX Controls
Hello,

I want to enable the exact settings as below:

Steps to enable ActiveX controls if you are confident the file is safe
While enabling ActiveX controls is not recommended due to security concerns, you can enable them through the Trust Center if necessary. Caution: Changing ActiveX settings will apply to all files in Office applications: Word, PowerPoint, Excel, and Visio, not just the file in which you make the change.
1. Select File, then Options.
2. Select Trust Center, then the Trust Center Settings button.
3. Select ActiveX Settings, then make sure "Prompt me before enabling all controls with minimal restrictions" is selected.
4. Select OK, then OK again to save your settings and go back to your document.
For optimal security, Microsoft strongly encourages leaving ActiveX controls disabled unless absolutely necessary.

I have intended to apply this; however, I am struggling to find the relevant settings for this within Intune. One example of a setting I have applied is "ActiveX Control Initialization (user)" using value 6. This is still flagging an issue with an Excel file, alongside not allowing a prompt to allow it. Anyone got any ideas on settings they may have applied for this? This is to run in the most minimal way possible.

Thank you,
Jamie.

VPP Licensing Issues
Hi there,

I'm currently getting frustrated with the following problem.

At first the outline: We want users to choose: Do you want to use a personal device? If so, you can enroll in MDM with type "User Enrollment". If the user "qualifies" to receive a corporate iOS device, we're using Automated Device Enrollment via ABM.

Now on to the issue:

App Assignment for the App MS Teams
- Required: All devices, with an include filter (All ADE Devices), Device based licensing. Idea: this should only happen when using corporate devices.
- Available: All Users, with an exclude filter (All ADE devices), User based licensing. Idea: All devices which are not corporate should apply this one.

App Assignment for the App MS Whiteboard
- No Required Assignment.
- Available: All Users, with an exclude filter (All ADE devices), User based licensing. Idea: All devices which are not corporate should apply this one.
- Azure AD Security Group with all Users using corporate iOS devices, Device based licensing. Idea: All devices which ARE corporate should apply this one.

What is the result?

The Whiteboard App is working perfectly: When using an ADE device, the device based license is used (therefore a silent installation happens after the user chooses "Install app" from Company Portal). When using a User Enrolled device, the user based license is used. Great!

As soon as an App additionally has a required assignment, the whole thing breaks up: When the user on the user enrolled device tries to install the app from Company Portal, nothing happens. Intune shows the totally misleading error: "Device VPP licensing is only applicable for iOS 9.0+ devices. (0x87D13B69)" The device is way above 9.0 AND the device shouldn't use device licensing. (Of course User Enrollment doesn't support device licensing.)

I'm totally aware of the fact that we have to use "user based licensing" for User Enrolled devices AND we have to use Device Based licensing when using ADE and want to install silently or the user doesn't have an Apple ID.

How can we achieve this scenario? We totally don't want to have to choose between either ADE or User Enrollment.

Any help, as always, is highly appreciated. 🙂

Cheers, Patrick!

Application auto upgrade not working
Hello,

I'm trying to deploy applications with auto upgrade but nothing happens. Let me explain what I'm doing:
- App_V1 is deployed as available to a user collection.
- I install the app, nothing special here.
- App_V2 is set to supersede App_V1 with the uninstall checkbox (I need that in my environment).
- I deploy App_V2 as available to the same user collection with the checkbox "Automatically upgrade any superseded versions of the application".
- In Software Center, I can see App_V2 with the install button (App_V1 is hidden, expected), but nothing else happens.

If I check the logs, I can see in PolicyAgent.log:
- A line starting with "Compiling policy <deploymentID>/supersedence..."
- Then a line starting with "Raising event: instance of CCM_PolicyAgent_AssignmentDisabled...<some assignment info>"
- Nothing else.

I don't know how to further troubleshoot that situation. Can someone give me some clues?

Thanks

To check admin rights access on Windows 10 & later devices
We have Windows 10 and later devices managed by Microsoft Intune. I want to get the list of users who have admin rights access on their devices. Could anyone assist with how I can get that?

Thanks & Regards,
Ayyaz Mahboob

Password reset via Intune takes up to 30 minutes
Hello,

How can I speed up the password reset for Intune? It currently takes up to 30 minutes until a password change is active and the user can log in again. According to Intune, it takes up to 15 minutes; even that is far too long in my opinion. There must be a way to speed this up.

Thanks

Is it really impossible to force an Intune sync from the command line?
Is it really not possible to force an Intune sync on a client computer from the command line? It seems like such a simple thing to do. Rather than make me dig 3 subpages deep to click a button, just let me fire off a DOS command and get on with my day. I'm familiar with the MS Graph method, but honestly, clicking a "Sync" button should never be as complicated as that. I'm also familiar with Michael Niehaus' method...

Get-ScheduledTask | ? {$_.TaskName -eq 'PushLaunch'} | Start-ScheduledTask

That has never worked, but don't tell anyone because there are a lot of admins out there who think it does, and I'd hate to spoil their day. Am I just too dim to figure this out, or is there really no way to sync from a CLI?

Thanks,
Recent Blogs
- By: Rishita Sarin – Product Manager | Microsoft Intune. Microsoft Intune, together with Microsoft Entra ID, facilitates a secure, streamlined process for registering and enrolling devices to ac... (Jul 18, 2025)
- By: Ravi Ashok – Sr. Product Manager & Zineb Takafi – Product Manager | Microsoft Intune. Microsoft Security Copilot in Intune advances the way IT admins can accelerate their day-to-day endpoint... (Jul 14, 2025)