r/Intune Jan 02 '25

Message from Mods Welcome to 2025! What do you want to see more of in this community throughout the year?

26 Upvotes

2025 is here and we wanted to hear a bit from you in the community if there is anything specific you want to see or see more of in this subreddit this year.

Here are a few questions that you might want to help us answer!

- Is there anything you really enjoy about this community?
- Is there anything you are missing in this community?
- What can be done better?
- Why do you think people keep coming back to this community?

/mods


r/Intune 2h ago

Blog Post Store Custom JSON Data in Microsoft Intune (Remediations or Platform Scripts) and use the data in Power BI to visualize and build reports with it.

12 Upvotes

Hi Everyone,

I made a new blog post on how to store strings of JSON data in Microsoft Intune (Platform Scripts or Remediations) and afterwards create reports with the data in Power BI. In my blog I explain how I store information about OneDrive, as I was curious how many users actually had their OneDrive signed in and their Known Folders moved.

I've had many uses for this solution: aside from OneDrive information, I am also using it to collect cyber security data, Windows Update data, Office information and so on.

Hope the solution can be useful for others as well.

Store Custom Data in Remediations and use the data in Power BI - Thom Weide | Intune | Graph API | Power Platform | Microsoft 365


r/Intune 1h ago

Windows Updates What percentage of your devices are behind on Windows updates?


I've gotten our fleet down to a great percentage, low single digits, but it seems near impossible to get devices completely removed from the "Missing multiple security updates" section of WUfB Reports, mostly because we have a lot of devices that are very infrequently used.

Just out of curiosity, what are your guys' numbers looking like?


r/Intune 41m ago

Windows Updates Windows 10 > 11 (23H2) optional upgrade is getting forced for some users?


Has anyone else experienced this? I've created a feature update policy to make Windows 11 23H2 optional, not required, for our users. However, I've received a few reports that some users had the 10 > 11 upgrade happen without going and kicking it off themselves.

The behavior should be that it's just available for them to choose if they go to the Windows Update page in Settings, but they are reporting they did not do that. On my test devices, I haven't seen the same behavior that is getting reported.

I've also verified these users are not in another feature update ring that forces them to upgrade. Has anyone else experienced this, or do you know where I can look into some logs to see why it happened?


r/Intune 3h ago

Windows Management Edge first start wizard broken in version 135

3 Upvotes

r/Intune 32m ago

General Question Vmware/Omnissa Horizon Client Multi-app Kiosk Mode


Been trying to set this up for a while. Seems like the issue I am having is that, when in multi-app kiosk mode, the Horizon client does not have enough permissions in the file system, according to the event logs. I can run the client, but when I go to connect it fails. Using a non-Intune build I can use a PowerShell script to create the kiosk, which works perfectly, but it would be nice to have an Intune-managed kiosk.


r/Intune 39m ago

Intune Features and Updates QuickAssist Nightmares


We are heavily reliant on QuickAssist to support our staff.

We seem to have a permanent Quick Assist 1002 error on our Windows 11 Intune-managed devices.

https://ibb.co/63XTSg7

https://ibb.co/Fq5n0ffM

https://ibb.co/LDN6NTC2

Some time ago Quick Assist moved from C:\windows\system32 to C:\Program Files\WindowsApps\, which is a folder restricted to TrustedInstaller. So the app was heavily changed, probably due to it moving to the Store. I think it's this fundamental change that is causing the pain for us.

Regular non-local-admin users cannot run it. It just fails out with error 1002. At first this was affecting just a few machines; it seems, however, that it now affects all of them.

As a test I removed a load of policies from a test device, just in case the Edge policy or something was affecting it. It still shows the same error.

I decided to try going down the LAPS route and set up a local admin on the device, 'lapsadmin'.

When running it with that account it fails out saying Edge cannot create the files.

After a lot of testing and reading up online on other users' fixes, it seems that this program will not really work correctly anymore unless it's run as an admin from a logged-in local admin account.

Anyone have any smart ways to get around this?

Just to clarify -

we cannot run as .\lapsadmin (a local admin account on the device)

we cannot run it as a regular user

we cannot run it unless the user logged in is a local admin

(which is no good from a security perspective)

Thanks!


r/Intune 44m ago

App Deployment/Packaging Create Microsoft Store app (new) failed


I'm trying to make PDFEncrypt available in the Company Portal, but creating the app in Intune fails with "Create application failed. An error occurred creating application PDFEncrypt. StatusBarAlreadySet" in the sidebar. Regardless of this, it appears in the apps list. When viewing it, it says "Your app is not ready yet. If app content is uploading, wait for it to finish. If app content is not uploading, try creating the app again."

I did that a couple of times with varying assignments and details. In the meantime I have PDFEncrypt three times in Intune, alas, with no success! Does anyone know what's going on here? My only guess is that it's related to it being a Win32 app, and Win32 apps in the Microsoft Store app (new) are currently in preview, as it also says. I'm gonna wait until tomorrow and see if it changes. Can someone else add it to their Intune?


r/Intune 1h ago

iOS/iPadOS Management Shared iPad and Microsoft Authenticator - Automatically sign in


I have configured our school iPads to use Shared iPad mode for a classroom environment and it is working (we specifically do not use Shared Device Mode). However, there are some things that will become annoying or cause delays to the class, and I'm stuck trying to figure them out.

Student logs into the iPad using their federated Microsoft Entra email and passcode. Once logged in, the student can either open the browser (a managed browser by our web filtering company, which is configured to use SSO) or open a Microsoft app, such as Word. When either of these apps are opened, the user is prompted to open the Authenticator app and then sign in again with their Entra credentials. Then SSO works for the apps.

Can it be configured such that the Authenticator app knows who the user is from their federated log in to the iPad, removing the requirement to authenticate again? Or is this not possible?

Edit: My Single sign-on app extension configuration has the following defined:
Key: device_registration. Type: String. Value: {{DEVICEREGISTRATION}}

Key: browser_sso_interaction_enabled. Type: Integer. Value: 1


r/Intune 1h ago

App Deployment/Packaging Adding MS Project to existing Office 365 installs


We've been pushing out Office/Microsoft 365 successfully as part of the Autopilot onboarding using the Microsoft 365 Apps (Windows 10 and later) method configured through Intune (rather than the XML). We switch off Access, Publisher and Skype for Business. It works fine.

Some users need Project. I've been testing out using an XML config to push it out using config.office.com to generate the XML.

Here is what I am using for Project:

<Configuration ID="redacted">
  <Info Description="Add Microsoft Project to existing installations of Office." />
  <Add OfficeClientEdition="64" Channel="Current" MigrateArch="TRUE">
    <Product ID="ProjectProRetail">
      <Language ID="MatchOS" />
    </Product>
  </Add>
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  <Property Name="PinIconsToTaskbar" Value="FALSE" />
  <Property Name="TenantId" Value="redacted" />
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <AppSettings>
    <Setup Name="Company" Value="redacted" />
  </AppSettings>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

When I make this app available to enrolled devices in my test group, I am able to see it and start the install, but it is stuck on the Downloading stage for several hours. I'm not really sure of the best way to troubleshoot this: all the documentation I find is either suggesting XML like the above, or focused on installing the core apps. Or it is from a long time ago, and I'm not sure if things have changed.

Any thoughts?


r/Intune 1h ago

Windows Management BitLocker encrypted USB drives


Has anyone successfully locked a USB drive to their organization without 3rd-party software, by means of a policy? I thought the org ID would have done it, but sadly if you have the password you encrypted with, you can decrypt it on any device.

I'm ready to simply block all USB drives for all users unless they have a legitimate reason to need one.


r/Intune 1h ago

General Question Custom Detection Script visible for read-only users?


Hi,

As per the title, we would like to enable the option to see our custom detection scripts for users with read-only access, so L1/L2 support could check what they need to remove to make Intune reinstall an app.

Is it even possible? In order to see it, it's currently necessary to click on Edit. Any ideas how to get around this without granting edit access?

Thanks


r/Intune 1h ago

General Question Can you control a FIDO2 key's PIN strength?


Good afternoon,

We are rolling out FIDO2 keys to our users who access Intune shared machines, and they are working well. One thing I am curious about, though: is it possible somehow to manage the strength of the PIN code users are putting in? I enrol my users in person and explain to them that they need to enter a 5-digit PIN that's not 12345, but what's stopping them from resetting it and changing it to something as simple as this?

Not sure if I am missing something?

Appreciate any advice

Thank you


r/Intune 2h ago

Device Configuration 'Set BitLocker startup PIN' keeps prompting on a Windows 11 24H2 device multiple times a day

1 Upvotes

Hi,

Anyone else had this? We have configured a policy using the Administrative Template to push out the BitLocker PIN to all our Autopilot Windows PCs. However, we have one device that keeps prompting 'Set BitLocker startup PIN' multiple times a day; after I type the PIN it goes away, but then it will prompt again maybe 1 hour later.

This device previously had the BitLocker PIN set successfully and was not getting the prompt; this only occurred after an Intune wipe.

I tried to clear the TPM. This broke the laptop and I had to wipe again and rebuild, but the problem came back.

All other 250 devices are not having this issue.

The only potential issue could be that it is on the latest build of 24H2, so that could be the cause.

Anyone have any suggestions?


r/Intune 2h ago

Conditional Access iOS device ID not sent during Entra sign in

1 Upvotes

I'm currently putting conditional access policies in place that will prevent Android and iOS users from signing in unless they have a compliant device. We are using a third party MDM, but it's one that MS supports for partner device compliance and that's all working - all devices are showing in Entra/Intune as compliant.

The issue is that when the policy is in place, despite all devices being compliant, they get blocked because they're not compliant. Reviewing the sign in logs, under device info, the device ID is blank, join type is blank, and compliant shows "No". The issue is the web browser, Edge works but Chrome, Safari etc don't.

I've managed to get this working in Android, as there were a few additional steps I didn't see in any documentation. Although the device is registered for this in the Authenticator app, you also have to follow the options to "Enable browser access" which creates a certificate and browsers other than Edge will grab the device ID stored in Authenticator and pass that to Entra during sign in. Entra can then look up the device to see it's compliant and then allow the sign in. This is annoying as hell with having 300+ devices and getting my users to do this, but whatever, I can get it to work.

The main issue is with iOS. As with Android, it works fine with Edge but not with any others. The problem is, there's no "Enable browser access" option in Authenticator for iOS. I could get Edge pushed to all iOS devices, but all MS apps with SSO use Safari for the sign-in, so none of my users can sign into their apps.

There are a few other posts online relating to this issue but no fix. I don't suspect my third-party MDM partner compliance is to blame because that's working fine, so I can only assume this would still be happening if we had Intune as our MDM. How is anyone expected to get this working on iOS?


r/Intune 2h ago

General Question Creation of Update Rings, Compliance and Configuration via PowerShell - is this possible?

1 Upvotes

Hi all, I have a rather insane question. Is it possible to create these three things in Intune via script? I have looked around and can't find much. I am also a newbie when it comes to Graph and don't know if it's possible that way either.

End goal is to have one script that creates all my defaults, so I can then customise. Saving lots of time!

Thanks all <3


r/Intune 17h ago

Apps Protection and Configuration Migrate from Company Portal enrollment to App Protection Policy

16 Upvotes

We're looking to change our BYOD from using user-driven Company Portal enrollment, where they used to go Company Portal > I own this device > Secure work-related apps and data etc...

...to now being targeted by an App Protection Policy instead. It works great for new setups, however I'm struggling to find a seamless way to migrate ~500 users over to this!

I've got Android working well, as it adds the work apps on the old enrollment that users use, so it's essentially a clean setup for them. It's the iOS devices I'm struggling with the most.

I've tried:

  • Retiring the device in Intune, then targeting it with the protection policy, then the user signs in and sets a PIN etc. This worked somewhat OK, however in most scenarios you add the account, then it asks you to add the account again.

  • Retiring the device in Intune, waiting 12+ hours, then targeting it with the policy. This sat with the Office apps saying they were being protected and it never went any further; an uninstall was required.

  • Enrolling in the protection policy, then retiring the device. This sometimes had a similar situation to the one above; however, it did work for about an hour, then it removes the Office data and you have to sign in again.

I'm aware the users are going to have to do something to get this to work, but I want to try to keep it as simple as possible and as bug-free as I can. Asking the users to uninstall the apps isn't an option...

I have also considered the "wipe" option, but unfortunately when Microsoft retired the user driven method, it resulted in some users selecting secure entire device - and when I tested the wipe, it did wipe the entire phone...


r/Intune 3h ago

App Deployment/Packaging OneDrive Automatic Login

1 Upvotes

Hello All,

Could someone help me with how I can automatically force users to log in to OneDrive? I don't want them to manually click on OneDrive and then sign in with a password. I want that when a user logs in to the system, OneDrive logs in automatically and the user can access all OneDrive files from Explorer. It's a plus if desktop items and docs auto-sync.

Just researching, and I did not get any clues how to do this.


r/Intune 15h ago

Device Configuration Intune iOS Enrollment

9 Upvotes

I am just so confused trying to enroll iOS devices into Intune.

I want to use ABM to enroll devices, so I follow these instructions:
https://learn.microsoft.com/en-us/intune/intune-service/enrollment/device-enrollment-program-enroll-ios

But in order to actually assign the devices into Intune I need Apple Configurator, which means this set of instructions:
https://learn.microsoft.com/en-us/intune/intune-service/enrollment/apple-configurator-enroll-ios

Both seem to require setting up an enrollment profile? This is where I get stuck.

If I use Automated Device Enrollment, it tells me to create Enrollment Profile A, but I need Apple Configurator in order to upload the serials into Apple Business Manager, which in the instructions from Microsoft tells me to create Enrollment Profile B.

So we have two sets of different instructions; I'm just so confused.

Also, after setting up ABE, how do you enroll the device? The instructions do not say. How do I configure the apps so they deploy using ABE? I can't find this.

I then see YouTube videos mentioning MS Authenticator to enroll the iOS device?

There are so many instructions; I'm overall so confused with the setup.

All our iPhones are corporate devices.

I just need to set up an MDM profile and configure apps onto it so it skips the Apple ID and goes straight to the home screen.

If someone has MDM iPhones using Intune, can you please share the process?


r/Intune 8h ago

Device Configuration Deleting PKI user certificates and Intune ?

2 Upvotes

There are 2 ways to distribute user certificates to Intune-managed end-user devices:

1) SCEP
2) (Imported) PKCS

In both cases I can revoke an issued certificate, resulting in the certificate no longer being trusted and therefore no longer usable.

However, a revoked certificate will always stay on a device, and as such will still be usable for some specific cases. Primarily, S/MIME would allow previously received encrypted messages to still be decrypted and thus readable.

So my question is: Is there a way for any certificate placed on an endpoint via Intune to also be removed from the endpoint by Intune?


r/Intune 11h ago

Device Configuration Blocking MSIX Bundle Files

4 Upvotes

Hi everyone,

Has anyone successfully blocked users from launching MSIX (bundle) files? We've blocked the Microsoft Store, but users are still downloading files from sites like https://store.rg-adguard.net/ and installing them.

We have the Store blocked and are using WDAC. I can block the file after it's installed, but it doesn't prevent the installation. This makes it extremely difficult to keep up with problematic apps. It also uses the Microsoft publisher, so I can't put a global block on it.

Any advice or solutions would be greatly appreciated!


r/Intune 5h ago

App Deployment/Packaging Remove Network Extension from Defender for MacBook Users in Intune

0 Upvotes

MacBook users are experiencing issues with certain applications due to the Network Extension of Defender. Everything works correctly when it is disabled, but the extension keeps re-enabling or reinstalling after it is manually removed or disabled. Is there a way to configure Intune so that the Network Extension is removed from Defender for specific organization users?


r/Intune 12h ago

General Question Troubleshooting Intune Enrollment for Existing AVD Multi-Session Hosts

1 Upvotes

Hello everyone,

I wanted to share a challenge I've encountered while managing Azure Virtual Desktop (AVD) multi-session hosts and their enrollment into Microsoft Intune, specifically when dealing with existing VMs that were provisioned previously, around 2023.

Background

My environment uses Hybrid Azure AD Join and is configured with a Group Policy Object (GPO) to trigger automatic Intune MDM enrollment. This setup works flawlessly when deploying new AVD hosts: they automatically join Entra ID and enroll into Intune as expected.

The Issue with Existing AVDs

The problem arises when I attempt to enroll existing AVD hosts into Intune. These are machines that are:

  • Domain-joined (on-prem)
  • Synchronized with Entra ID (Azure AD)
  • Already configured and in use, so redeployment is not an option

Out of several existing AVDs, I’ve successfully managed to enroll three without any issues. However, the rest are failing to enroll, despite appearing correctly joined.

Troubleshooting So Far

Here's what I've tried:

  • Verified join status using dsregcmd /status:
    • AzureAdJoined = YES
    • DomainJoined = YES
    • Everything else looks normal
  • Forced Group Policy update using gpupdate /force: no signs of enrollment initiation
  • Attempted re-enrollment using PowerShell
  • Tried leaving and rejoining Hybrid Azure AD: no effect

Despite these steps, many of the existing AVDs still fail to initiate Intune enrollment. All devices are visible in Entra ID and also present in on-prem AD.

I'm aware that cloning or imaging can cause issues with token and certificate duplication. However, these VMs were not deployed from enrolled images, and Intune token roaming is not in use. So that shouldn't be the issue here.

If anyone has run into this situation, especially with legacy AVD multi-session VMs and Intune MDM auto-enrollment via GPO, I'd appreciate your insight. Is there a step I'm missing? Could certificates or registry remnants be causing this? Should I be cleaning something manually?

Thanks in advance!!


r/Intune 1d ago

Autopilot How to let users keep their devices when leaving?

17 Upvotes

We are fully remote and want to let employees who leave have the option to keep their device.

What are the proper steps to remote wipe and remove the device completely from intune?

Is it just send the wipe command and then remove it from the autopilot list?


r/Intune 1d ago

Autopilot Rename Hybrid Joined Device to whatever I want during ESP

12 Upvotes

Is there any way to rename a Hybrid Joined device during the Autopilot ESP using a PowerShell script packaged as a Win32 app?

Unfortunately I have a specific need to rename the device based on what I enter so not a serial number etc. I need it to match the current physical asset tags on the device. Thank you!!


r/Intune 1d ago

ConfigMgr Hybrid and Co-Management Same device shows up twice in Intune, once as Co-managed and once as ConfigMgr

7 Upvotes

I wiped a device and then added it to the pilot Intune collection in SCCM. Other devices also show up twice, as Co-managed and ConfigMgr, in Intune, but after a while that goes away. For this specific one, it stays as two separate devices, one as ConfigMgr and one as Co-managed. How do I delete the ConfigMgr one? I checked in SCCM and there's only one of this device.