Recent Discussions
Intune - AutoPilot - Self-Deployment Mode
Hi everyone,

We’ve been using self-deployment mode for Windows devices, and everything had been working fine until it suddenly stopped working. Since yesterday afternoon, all devices have been unable to deploy properly during the Autopilot process.

Has anyone else experienced this issue recently? Just wondering if there have been any changes to the self-deployment process that could be causing this. Thanks in advance for any help or insights!

Subsequent device registration in Intune
Hello Tech Community,

We use Entra ID and our devices are fully Entra-joined. Windows 11 devices appear in Entra ID as normal. We now want to manage our devices with Intune. However, the devices do not appear in Intune because the MDM user area was initially configured as 'None'. How can we subsequently move the devices to Intune? Ideally, we would like an automated process to avoid having to move each individual device.

Details:
- Windows 11 devices
- Fully Entra-joined
- Appear in Entra
- No other device management in use

Problem: Register the devices in Intune without manually touching each individual device. Also, I don't want to use things like PSRemote.

Thanks for your answers.
BR

WDAC + App Control For Business + App Control Wizard
Hello All,

We are trying to use the following combination—WDAC, App Control for Business, and the App Control Wizard—to create and deploy WDAC policies in our tenant. We have a general base policy derived from a slightly modified 'Allow Microsoft Mode' template, along with a couple of supplemental policies that explicitly allow certain apps by publisher (such as Palo Alto, Omnissa/VMware, etc.).

Enabled rules on the base policy are as follows:
- Enabled:Unsigned System Integrity Policy
- Enabled:Advanced Boot Options Menu
- Enabled:UMCI
- Enabled:Inherit Default Policy
- Enabled:Update Policy No Reboot
- Enabled:Allow Supplemental Policies
- Enabled:Managed Installer

Basically, we are allowing only those applications that are installed via a managed installer—in our case, the Company Portal. For example, if Palo Alto's GlobalProtect is installed through the Company Portal, it is not blocked by the WDAC policy. However, on some devices where GlobalProtect was installed manually, we have a supplemental policy that allows it by publisher. Despite this, the manually installed version of GlobalProtect is still being blocked by WDAC, which suggests the policy isn't working as expected.

An example of such a supplemental policy is below:

I'm curious—are there any people or organizations using a similar setup? If so, are you experiencing similar issues? What has the general feedback been regarding this setup?

Jail Broken = Yes
Hi all,

I have a Yealink MP56 Teams device reporting back into the portal as being jailbroken. The device has been checked, and no evidence of it being jailbroken is evident. We have a few hundred of these devices, and they are all set up and running the same.

I am in the process of implementing policies for all Android devices that would block rooted devices (all device settings) and have held off after doing a quick check and noticing this one device. Has anyone come across this before? Or have any suggestions?

Also, I have several hundred devices reporting back a status of unknown against being jailbroken, but this may be down to their low Android OS version.

Any help is appreciated.

Declarative Device Management (DDM) Updates of iOS devices
Hi Everyone,

I am currently looking to migrate the update policies from the iOS Update policy to the DDM update policy. I created a DDM policy and assigned 100+ devices to it. However, the policy is showing that only 7 devices are currently assigned to it. No status for the rest: I cannot see them in a pending, error or conflict state.

Policy settings are quite straightforward:
- Enforce Latest Software Update Version - True
- Delay in Days
- Install Time
- Software Update Settings
- Rapid Security Response

Devices assigned are corporate and MDM-managed devices.

Windows App Application Protection Policy
I have been testing out an Intune MAM policy to restrict copy/paste and drive redirection to AVD session hosts based on the link here: Require local client device security compliance - Windows App | Microsoft Learn

However, I've run into problems (in two separate tenants) that have halted me from being able to test.

Setup
- Intune App Protection Policy targeting Windows Devices & Microsoft Edge
- Conditional Access Policy enforcing the App Protection Policy when users access the 'Azure Virtual Desktop' target resource via https://windows.cloud.microsoft.com

Results

First
- When signing into a user account targeted by the policy, they are prompted to Switch Edge Profile, which signs the user in to a new Edge profile for 'Work or School Account'. The account has to sign in again.
- The account can access Windows App resources.
- When launching a desktop session, this authentication page pops up for an account "local@debugonly".

Second
- When signing into a user account targeted by the policy, they are prompted to Switch Edge Profile, which signs the user in to a new Edge profile for 'Work or School Account'. The account has to sign in again.
- After sign-in, the account loops with 'Switch Edge Profile' and gets stuck there.

I'm curious if anyone has gotten this to work and what your setup was. Or if Microsoft could provide some assistance, or if this is in the wrong forum, any help would be appreciated.

Require Fingerprints For Android Personal Devices For Work?
Good day, I was hoping I could get help with requiring fingerprints to be set up on Android to log in to apps and Microsoft Authenticator. Is this possible?

I feel like it would be easier for an employee to set up without additional help if they just have to use one automatically, instead of having to figure out how to set up a work fingerprint on their Android by going into the settings themselves. Also for security issues in case someone is in public: that way they automatically require a fingerprint rather than typing in their password if there are prying eyes around. Even if it is not public, but just in the office, it would be more secure so they don't have to put their password in on their phone around other employees.

Is this a setting to set up in Intune at all?

Intune is unable to register Ubuntu 24.04.2 device
Hey,

Writing this issue since I found no source code/repo, and no other issues here matched my symptoms. Anyone got any hints on how I could proceed? Or maybe even better, where to find the source code and build instructions for `intune-portal` so I can build towards the current libraries...

2025-06-26 08:46:50+02:00: ~ w/❄️ w/🧙 took 2s x10an14@ubuntu ❯ : intune-portal
2025-06-26 08:47:41 INFO Command line arguments args=PortalArgs { common: CommonArgs { interactive: false, socket_path: "/run/intune/daemon.socket" } } version="1.2503.10"
2025-06-26 08:47:45 INFO Starting a new login
Could not create default EGL display: EGL_BAD_PARAMETER. Aborting...
2025-06-26 08:47:48 WARN oneauth{tag="9a8hm"}: HTTP status: 404
2025-06-26 08:47:48 WARN oneauth{tag="5fsch"}: Failed to get image from Graph
^CError: nu::shell::terminated_by_signal
  × External command was terminated by a signal
   ╭─[entry #143:1:1]
 1 │ intune-portal
   · ──────┬──────
   ·       ╰── terminated by SIGINT (2)
   ╰────

2025-06-26 08:47:56+02:00: ~ w/❄️ w/🧙 took 14s x10an14@ubuntu ❌-2 ❯ : lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.2 LTS
Release:        24.04
Codename:       noble

2025-06-26 08:48:08+02:00: ~ w/❄️ w/🧙 x10an14@ubuntu ❯ : grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/
/etc/apt/sources.list.d/microsoft-prod.list:1:deb [arch=amd64,arm64,armhf signed-by=/usr/share/keyrings/microsoft-prod.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main

2025-06-26 08:48:27+02:00: ~ w/❄️ w/🧙 x10an14@ubuntu ❯ : history | last 11
   #   │ command
 12135 │ grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/
 12136 │ sudo apt purge intune-portal microsoft-edge-stable microsoft-identity-broker
 12137 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft-identity*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"}
 12138 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"}
 12139 │ systemctl --user daemon-reload
 12140 │ sudo apt install intune-portal
 12141 │ systemctl --user daemon-reload
 12142 │ ^find ~/.local ~/.cache ~/.config -iname '*microsoft-*' -or -iname '*intune*' e> /dev/null | lines | tee { each {|d| rm -r $d}} | each {|d| echo $"Deleting: ($d)"}
 12143 │ intune-portal
 12144 │ lsb_release -a
 12145 │ grep -HIRnC 10 'microsoft' /etc/apt/sources.list.d/

2025-06-26 08:48:48+02:00: ~ w/❄️ w/🧙 x10an14@ubuntu ❯ :

Here are the relevant logs I was able to find:

x10an14@ubuntu ❯ : sudo journalctl -t intune-portal -t microsoft-identity-broker -f
Jun 26 08:47:41 ubuntu intune-portal[261043]: Command line arguments args=PortalArgs { common: CommonArgs { interactive: false, socket_path: "/run/intune/daemon.socket" } } version="1.2503.10"
Jun 26 08:47:45 ubuntu intune-portal[261043]: Starting a new login
Jun 26 08:47:45 ubuntu microsoft-identity-broker[261088]: I/IdentityBrokerService: [2025-06-26 06:47:45 - thread_id: 1, correlation_id: UNSET - ] Starting DBus Service for Microsoft Identity Broker...
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: Defaulting to no-operation (NOP) logger implementation
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:46 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:46 ubuntu microsoft-identity-broker[261088]: I/MapDbStorage:getDb: [2025-06-26 06:47:46 - thread_id: 1, correlation_id: UNSET - ] Attempting to open DB File at path: /home/x10an14/.local/state/microsoft-identity-broker/broker-data.db
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/IdentityBrokerService: [2025-06-26 06:47:47 - thread_id: 1, correlation_id: UNSET - ] DBus Service for Broker has been started!
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: UNSET - ] Received method call from UID [1000], with correlationId [ffba9791-791b-4237-b485-2101a8cd85b9].
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/MapDbStorage:getDb: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Attempting to open DB File at path: /home/x10an14/.local/state/microsoft-identity-broker/account-data.db
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerUtil:getCacheRecordListFromBrokerCache: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] This client ID is not known to brokerOAuth2TokenCache.
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerUtil:getCacheRecordListFromBrokerCache: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] No accounts available in client app cache, trying the FOCI cache.
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerPlatformComponents:getDbFileRootDir: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] STATE_DIRECTORY is /home/x10an14/.local/state/microsoft-identity-broker
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: W/DefaultBrokerApplicationRegistry:getMetadata: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Metadata could not be found for clientId, environment: [b743a22d-6705-4147-8670-d92fa515ee2b, null]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:isAppInBrokerApplicationRegistry: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] App in broker application registry: [false]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:addDeviceAccountIfNeeded: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] App in registry is allowed to access WPJ: [false]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/AuthSdkOperation:addDeviceAccountIfNeeded: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] is a known FoCI App: [true]
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/LinuxBrokerServiceOperation:getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Received get account result for correlation id: ffba9791-791b-4237-b485-2101a8cd85b9
Jun 26 08:47:47 ubuntu microsoft-identity-broker[261088]: I/BrokerDBusV1Impl:getAccounts: [2025-06-26 06:47:47 - thread_id: 39, correlation_id: ffba9791-791b-4237-b485-2101a8cd85b9 - ] Sending result back to calling application for correlation id: ffba9791-791b-4237-b485-2101a8cd85b9
Jun 26 08:47:48 ubuntu intune-portal[261043]: oneauth{tag="9a8hm"}: HTTP status: 404
Jun 26 08:47:48 ubuntu intune-portal[261043]: oneauth{tag="5fsch"}: Failed to get image from Graph

Migrate from SCCM 2012 R2 SP1 to Current Branch
Hey folks,

I am planning to migrate my System Center 2012 R2 Configuration Manager SP1 to the most recent Current Branch of System Center 2025, because the old version is still running on an old Windows Server version and we need to upgrade to a new Windows Server 2025 and also to the most recent Current Branch of Configuration Manager.

Now the documentation for upgrading Configuration Manager (https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/install/upgrade-to-configuration-manager) states that upgrading from 2012 is only supported until Current Branch 2203; from 2303 on, you can't do the upgrade anymore.

But since this "Important" warning message isn't shown on the migration article for Configuration Manager (https://learn.microsoft.com/en-us/intune/configmgr/core/migration/migrate-data-between-hierarchies), I am wondering if this only applies to upgrading Configuration Manager on the same host? Or does it also apply to the scenario where I do a side-by-side migration (install the latest Windows Server on a new VM, install the latest Current Branch of Configuration Manager and then do a migration via data gathering and migration jobs)?

You would help me a lot, because I can't find official info about it and I am very concerned about not being able to do the migration from 2012 to Current Branch 2503... :(

So if it also applies to migration: can I still do a migration to 2203 as described in the "migration" article with the video https://www.youtube.com/watch?v=6_0EwW-5b4E and then do an in-place upgrade from 2203 to 2503?

How to Identify and Validate the Current Device's Intune Registration (Android & iOS)
In both Android and iOS environments, which specific device-level field or identifier can we use via Microsoft Intune or the Microsoft Graph API to reliably determine:
- Whether the current device is registered or managed by Intune
- Whether the current device is Intune-compliant

Our use case involves validating device trust during app login. So we need to identify the exact device the user is currently using (not just any device associated with their account) and confirm that it is Intune-managed.

We are looking for a consistent identifier, such as:
- Hardware ID
- Entra ID Device ID
- Device object ID
- Or any identifier accessible through MSAL, Entra ID claims, or the Microsoft Graph API

This identifier should allow us to cross-reference with Graph API responses, such as from:
- /deviceManagement/managedDevices
- /me/managedDevices

What is the best practice or recommended identifier to securely link the current device to its Intune record? Are there any platform-specific differences between Android and iOS we should consider?

Intermittent Non-Compliant Status on Chrome Sessions - Resolved by Switching to Edge
We are experiencing an intermittent issue where certain users' devices are marked as "non-compliant" in Intune, even though there are no visible problems with the Chrome session. Interestingly, the issue resolves itself when users switch to Microsoft Edge and then return to Chrome.

Has anyone else encountered this issue? Is there a known root cause or workaround for this behavior? Any guidance on how to prevent this from happening would be greatly appreciated!

QR Code Name Changed
Hi All,

This is probably the most random post I think I will do. Just performing my daily checks of non-compliant devices, I noticed a few devices that have been enrolled for a while were non-compliant. I did some investigation, and the issue is with the dynamic group looking for the enrolment profile name: the rule didn't match the name. It took a while for me to notice that an extra space had appeared midway through the QR code name.

The time stamp of the change to the QR profile was 14:13 last Friday. This seemed odd, as we finished work early on Friday at 13:30. I checked the audit logs, and there is no entry for that time.

Has anybody had an issue similar to this? I have amended the dynamic group to look for the double space so the device is back to compliant. Seems a very strange issue.

Thanks

MHS Permissions / Samsung OEMConfig
Hi All,

I hope you are well. Anyway, we are rolling out Android Enterprise ZTE tablets in Entra Shared Device Mode and all seems well. The only thing is the MHS app permissions deployed via the device config profile just don't seem to have worked, and also I can't see anywhere in the OEMConfig file to set Power / Sleep options. Does anyone have the correct working settings for these 2 things?

Info appreciated.
SK

Auth flow between custom iOS app with Intune SDK and Microsoft Edge
We have a custom iOS app which is integrated with the Intune MAM SDK. We are using Microsoft Edge and managing it by applying Intune protection policies. In our custom app, the authentication flow launches Microsoft Edge, and after authentication completes users are redirected back to the custom app using deep links. We can see the Microsoft Edge browser prompts the user to redirect to our custom app. But after allowing it, it fails to redirect with the error "Something wrong happened".

We have applied the same Intune MAM protection policy to both the custom app and Microsoft Edge, where we set the policy as below:
- Send org data to other apps: Policy managed apps with Open-In/Share filtering
- Receive data from other apps: Policy managed apps

So, this flow is expected to work. Is it some bug with the Microsoft Edge flow due to which it is not able to launch the custom app?

Note: The authentication flow works without protection policies with other browsers like Chrome. It also works when we have Send org data to other apps and Receive data from other apps set to All Apps. But as this is not a recommended security policy, we are trying to figure out what is going wrong.

SCEP Profile Missing "Challenge password" & "Validity period" Fields
Hello Intune Community / Microsoft Support,

We are trying to set up EAP-TLS with Intune-managed Windows devices, using FortiAuthenticator as our CA/RADIUS.

Issue: Our SCEP certificate profiles (under Devices > Configuration profiles) are missing the following critical fields:
- "Challenge password"
- "Certificate validity period"

Additionally, the section for configuring SCEP connectors is also absent under Tenant administration.

Impact: FortiAuthenticator requires a static challenge password for SCEP, but Intune provides no field to set this. This incompatibility is blocking certificate issuance and our EAP-TLS deployment.

Steps Verified:
- Confirmed it's a standard SCEP certificate profile for Windows 10 and later.
- Fields are genuinely not present after thorough checks.

Request:
- Why are these standard SCEP fields and this configuration section missing in our tenant?
- How can we proceed with SCEP certificate enrollment, especially with a FortiAuthenticator CA?

Thank you for your urgent assistance.

Access collections information locally
Is there a way through WMI/the Microsoft.SMS.Client COM object to access information from the computer about whether it is in a collection (cached information or otherwise)? I'm not sure if a computer gathers that information somewhere. I can't access that information on the site server or through the AdminService, as the account running the commands would be the SYSTEM account.

My goal is to query whether a computer is in a collection and install a piece of software through a task sequence.

Intune MAM - Restrict Application Access to Specific Biometric Profiles
We want our employees to be able to restrict access to company apps on private devices to only specific biometric profiles on the devices.

If needed: Are you working together with Apple to make this possible? (e.g. via tiered device control levels / admin password in iOS)

BitLocker EPM rule
Hello everyone,

I tried to create a rule for the management of BitLocker in Intune EPM so that on the client side it is possible to manage it myself with the elevation "automatic". The "manage-bde.exe" was released with path and co., but nothing changes. I still need admin credentials. Is there any more information about this?

Lovely regards
Recent Blogs
- By: Rishita Sarin – Product Manager | Microsoft Intune. Microsoft Intune, together with Microsoft Entra ID, facilitates a secure, streamlined process for registering and enrolling devices to ac... (Jul 18, 2025)
- By: Ravi Ashok - Sr. Product Manager & Zineb Takafi - Product Manager | Microsoft Intune. Microsoft Security Copilot in Intune advances the way IT admins can accelerate their day-to-day endpoint... (Jul 14, 2025)