Recent Discussions
Intune Reporting
I am new to Intune, having used Group Policy for many years. I understand the basics, but one thing that I can't see is reporting and logging of what Intune is doing on the computer. I can see Event Viewer entries, but there doesn't seem to be logging. Am I missing something, or is there no logging?
Solved
andytheit2, Copper Contributor, Nov 25, 2024
Place: Microsoft Intune | Tags: Intune
42 views, 1 like, 2 comments
Intune iOS Prevent Screen Capturing in managed or specific apps
Hello, is it possible to block screen captures in specific apps on iOS? It would be very useful, especially for the Outlook app. We don't want to block all screenshots on the devices. Kind regards
Solved
RSParkway, Copper Contributor, Nov 24, 2024
Place: Microsoft Intune | Tags: Intune, Mobile Device Management (MDM)
81K views, 2 likes, 14 comments
Microsoft Intune Management - Connect securely to Intune with Microsoft Graph and PowerShell!
Dear Microsoft Intune friends,

In this article I will show you how to create a "secure" connection to Microsoft Intune with Microsoft Graph and PowerShell! In this example, we use an app registration in Microsoft Entra ID and a certificate created on the local machine.

Create and export the certificate. I use Visual Studio Code and PowerShell 7.

    $certName = 'IntuneGraphAppCert'
    # Self-signed RSA-2048 / SHA-256 signing certificate in the current user's store, valid for one year
    $cert = New-SelfSignedCertificate -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)
    # Export the public part only (.cer); this is the file uploaded to the app registration
    Export-Certificate -Cert $cert -FilePath "C:\certs\$certName.cer"

Note: The certificate is created in the local certificate store and exported to the folder C:\certs. The certificate is valid for one year.

Create an app registration in Microsoft Azure AD.

1. Go to the Azure portal and create a new app registration in Azure AD.
2. Give the app a name and notice the following.
4. Go to the API permissions and add the following permissions (these serve only as an example).
5. Do not forget to grant admin consent.
6. Go to Certificates & secrets and upload the certificate.

Back in Visual Studio Code and PowerShell!

1. Install the Microsoft.Graph module.

    Install-Module -Name Microsoft.Graph -Verbose -Force -AllowClobber

2. Import the Microsoft.Graph module.

    Import-Module Microsoft.Graph

3. Create some variables.

    $TenantId = '77e01716-a6a2-4f99-b864-xxxxxxxxxxxx'
    $AppId = '5c14b994-2290-4f84-9069-xxxxxxxxxxxx'
    $certName = 'IntuneGraphAppCert'
    # Pick the certificate (with its private key) back out of the current user's store by subject
    $Cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq "CN=$certName" }

4. Connect to Microsoft Graph.

    Connect-MgGraph -TenantId $TenantId -ClientId $AppId -Certificate $Cert

5. We check the permissions.

    (Get-MgContext).Scopes

HAPPY CONNECTING!!

I am fully aware that this is only as good as the physical machine is secured. However, I would like to share my experiences with you.
Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
TomWechsler, MVP, Nov 23, 2024
Place: Microsoft Intune | Tags: Graph API, Intune
7.3K views, 2 likes, 2 comments
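The post above stops at Connect-MgGraph and a look at (Get-MgContext).Scopes. The script below is an added example of my own, not code from Tom's post, that takes the same certificate-based app-only sign-in and adds the checks a practitioner would want before trusting it in automation: it pins the exact certificate by thumbprint instead of a subject match, refuses an expired certificate and warns ahead of expiry, verifies the token is app-only, and compares the admin-consented permissions against the set the script actually needs. Assumptions: the tenant and app IDs are placeholders, the required-scope list (DeviceManagementManagedDevices.Read.All) and the 30-day warning window are mine, and -CertificateThumbprint and -NoWelcome are the parameters of Connect-MgGraph in the Microsoft Graph PowerShell SDK v2.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement
# Added example, not code from the original post. Connects to Graph as the app registration
# with the local certificate, but only after checking the certificate and the consented scopes.
# Tenant/app IDs, the required-scope list and the warning threshold are placeholders.
param(
    [string]   $TenantId       = '00000000-0000-0000-0000-000000000000',   # placeholder tenant ID
    [string]   $AppId          = '00000000-0000-0000-0000-000000000000',   # placeholder app (client) ID
    [string]   $CertName       = 'IntuneGraphAppCert',
    [string[]] $RequiredScopes = @('DeviceManagementManagedDevices.Read.All'),   # assumed minimum for this script
    [int]      $WarnDays       = 30
)

$ErrorActionPreference = 'Stop'

# 1. Select the certificate. Match on subject AND private key, then prefer the newest;
#    a subject-only match silently picks up any stale duplicate with the same CN.
$candidates = @(Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq "CN=$CertName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending)
if ($candidates.Count -eq 0) { throw "No certificate with a private key found for CN=$CertName" }
if ($candidates.Count -gt 1) {
    Write-Warning "$($candidates.Count) certificates match CN=$CertName; using the newest. Remove the old ones from the store and from the app registration."
}
$cert = $candidates[0]

# 2. Refuse an expired certificate and warn ahead of expiry, so rotation is planned, not forced by an outage.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le 0)         { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
if ($daysLeft -lt $WarnDays) { Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days; rotate it." }

# 3. App-only (client credentials) sign-in, pinned to this exact certificate by thumbprint.
Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $cert.Thumbprint -NoWelcome

try {
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') { throw "Expected an app-only token, got '$($ctx.AuthType)'" }

    # 4. Compare what the app was actually granted with what this script needs.
    $missing = @($RequiredScopes | Where-Object { $_ -notin $ctx.Scopes })
    if ($missing.Count -gt 0) { throw "App registration is missing admin-consented permissions: $($missing -join ', ')" }
    $extra = @($ctx.Scopes | Where-Object { $_ -notin $RequiredScopes })
    if ($extra.Count -gt 0) { Write-Warning "App holds permissions this script never uses: $($extra -join ', ')" }

    # 5. Use the connection for its intended job: a read-only sample of managed devices.
    Get-MgDeviceManagementManagedDevice -Top 5 |
        Select-Object DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime |
        Format-Table -AutoSize
}
finally {
    Disconnect-MgGraph | Out-Null   # do not leave an app-only session behind in an interactive host
}
```

Two things worth stating plainly about this flow. The permissions on the app registration are application permissions, so whoever holds the private key is the app, with no user, no MFA and no Conditional Access in the way; that is the point of Tom's closing remark about the machine's physical security. For the same reason, if the key never needs to leave the machine, create it with -KeyExportPolicy NonExportable instead of Exportable, so an attacker with user-level access to the box cannot simply export a .pfx and take the identity elsewhere.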
Firewall Rules: Transitioning from GPO to Intune
I migrated the firewall rules from a GPO to Intune and successfully applied them to my devices. Now I want to remove the firewall rules from the GPO. My question is: will the firewall rules deployed via Intune be automatically applied to my devices once I remove those from the GPO? For security reasons, I don’t want to leave certain ports open when removing the GPO.
Solved
Number1996, Copper Contributor, Nov 23, 2024
Place: Microsoft Intune | Tags: Intune
48 views, 1 like, 6 comments
Exclude/Allow Particular non-managed devices from Conditional access policy without enrolling
Hello Experts, how can we exclude or allow some particular personal (non-company-managed) devices from a Conditional Access policy without enrolling or joining them to Intune or Entra? For example, I have created some Conditional Access policies, and now we want to allow some personal devices to be able to log in to Office or Outlook from two or three personal Android devices which are unmanaged or not company-managed. Can we achieve this using these devices' unique ID or ICCID? If possible, please give some hint or clue. Thank you.
prakashx86, Copper Contributor, Nov 22, 2024
Place: Microsoft Intune | Tags: Conditional Access, Intune, Mobile Device Management (MDM), Software Management
73 views, 0 likes, 2 comments
intune device disable
Hello Everyone – help needed. I'm supporting SD teams in our company, providing an automated way to quickly offboard some employees. One of the tasks is to disable Entra device objects. While I can disable the Entra objects using the Intune console, I cannot do that via the Graph API nor via the PowerShell Graph API. Is it possible?
spying1001, Copper Contributor, Nov 21, 2024
Place: Microsoft Intune | Tags: Intune, Mobile Device Management (MDM)
17 views, 0 likes, 0 comments
Unable to change MDM Authority to Intune?!
Alright folks, I've been beating my head against a wall for two weeks and I can't do it any longer. I'll preface this with, "I'm new to this." That said, I'm great at figuring stuff out but the documentation on this process is lacking in so many ways. I've come on with a company that was, as far as I can tell, not managing their devices (in this case, Windows devices). I set about learning everything I could about Entra/Azure (whatever we're calling it these days) and Intune, registering devices, enrolling devices, etc. We currently pay for 25 Intune licenses. I have one. My Test User account has one. My DEM user has one (which I've set up as a DEM in Intune). And one of our actual employees has one. I'm trying to enroll two devices as a test. Both were set up as an OOBE (one brand new and one wiped and reset). For one I used 'Work/School' login on startup and signed in with my DEM account. For the other I used 'Work/School' and signed in with my Test User account. I knew to make sure our MDM Authority was set to Intune prior to starting the process. I checked and it's currently reading as "Microsoft Office 365" (see image). I've read about an 'orange bar.' I don't have an orange bar. I read about, "Depending on whether your tenant was pre or post 1911 Service Release, Intune is automatically set as your MDM." and "If Mobile Device Management Authority was set, you cannot change this." If I don't have an orange bar and the MDM Authority reads "Microsoft Office 365", does this mean, at some point, our MDM was set to "Microsoft Office 365?" And, if so, according to the "...if [it] was set, you cannot change this", am I forever stuck with that as our MDM Authority?? This would seem silly. Second. In Entra/Azure the two devices I've been using to try and understand this convoluted process say they are being managed (MDM) by "Office 365 Mobile." What the actual... is Office 365 Mobile really Microsoft Office 365 which is really Intune???? I'm lost.
(see image) To make matters worse/more confusing, in Intune when I look at the devices, it says the devices MDM is INTUNE!?!! (see image) *mind blown I don't really know what I'm missing. I keep reading something about adding Intune as an MDM Authority and being able to choose which Authority I am using to manage devices but, as with everything Microsoft, who knows what's changed since all of this documentation, blog posts, etc. were written. I can't, for the life of me, find anywhere to 'add' Intune or change the MDM Authority. Can someone PLEASE help me understand this. I've been at this for weeks, I have a timeline as we're rolling out a bunch of new devices and I don't want to miss this opportunity to do it the right way. I feel like I'm getting close but, on top of being unsure of whether they are even actually being managed by Intune, none of the basic policies I've created are being pushed to the devices regardless of how many times I've checked to make sure the users are in the right group, etc. I feel like I've tried everything. I'm pulling my hair out. UPDATE: I put in a Support ticket with Microsoft as well and received a very quick response/phone call from Microsoft with some explanation and a solution to the first part of this journey. According to the Microsoft technician, at one point there was a Microsoft 365 E5 license in our tenant which comes with Intune (our current licensing only included Office 365 licenses when I started but I have convinced them to add a few Intune licenses) and the MDM Authority was set at that time. He very quickly provided me a link (by email) to the "Change MDM Authority" blade which I have been trying to find for a week! It, apparently, is hidden/gone once your MDM Authority is set. I've now, very easily, been able to change the MDM Authority to Intune! Argh. So, now off to unenroll and re-enroll these test devices and see if it solves the follow-up issues. 
For anyone having similar issues, here is the link> https://intune.microsoft.com/#view/Microsoft_Intune_Enrollment/ChooseMDMAuthorityBlade
nathanegriffin, Copper Contributor, Nov 21, 2024
Place: Microsoft Intune | Tags: Intune, Mobile Device Management (MDM)
599 views, 1 like, 4 comments
Assistance needed to deploy a file on desktop
I need to deploy an executable file (.exe) that does not require installation. Is there a way to deploy this file to each user's desktop via Intune? Any guidance would be appreciated. Thank you
Solved
kabamaru, Copper Contributor, Nov 21, 2024
Place: Microsoft Intune | Tags: Intune, single file deployment, Software Management
35 views, 0 likes, 2 comments
Intune Licensing - Device Enrolment
I am looking for some information on Intune and device enrolment licensing. Currently, we have Microsoft Entra ID P1. Our setup is in a hybrid environment. My account (Device Enrolment Manager) has a Microsoft E3 license, which includes Intune. I have configured enrollment profiles, app deployment, the Intune connector for AD, etc. I can enroll devices in Intune using Automatic Enrolment or Autopilot using a single DEM account; then, this device will be given to a different user. For now, I just want to confirm: if I was able to enrol a few devices using my account, and I believe there is a limit of 1000 per DEM, does that mean that if we do not require an Intune device-only license and we don't need additional Intune capabilities, I am OK to keep enrolling devices using a single Device Enrolment Manager account? I just want to make sure we are not breaking any MS license agreements. Or do you require an Intune license as soon as the device is enrolled in Intune, regardless of whether you require additional Intune features? Thanks!
Dan_101, Copper Contributor, Nov 21, 2024
Place: Microsoft Intune | Tags: Intune, Mobile Device Management (MDM)
19 views, 0 likes, 0 comments
MECM - Approach to Logging in Detection Scripts
I'm starting to work with SCCM/MECM and creating a lot of PowerShell detection scripts for application deployments. Most I write are simple and need no logging, but some are complex. I of course test them before deploying to MECM, but sometimes I need to debug them running in the actual MECM client. As such, I need some method of logging from the scripts. My understanding is that if I write to STDOUT/STDERR in a detection script, this directly impacts the outcome of detection, as per this article: https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-applications#bkmk_dt-detect. If I write to verbose/debug streams in PowerShell they also end up in stdout unless I redirect to a file (which is an option). Is anyone doing something in this respect? My thoughts:
- transcript logging in PowerShell
- redirect another stream to a file and write to that
- write to Windows event logs
shocko, Steel Contributor, Nov 21, 2024
Place: Configuration Manager | Tags: App Management, CM current branch, General
40 views, 0 likes, 2 comments
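The constraint in the post above is the whole design problem: in a ConfigMgr detection script, anything on STDOUT is the result, so the logging channel has to be something else. The script below is an added example of mine, not code from the post or from Microsoft, showing the file-append option from the poster's list carried through: every diagnostic goes to a log file, the only STDOUT write is the single deliberate line that means "installed", and a thrown error becomes a non-zero exit so ConfigMgr reports a detection failure rather than guessing. It assumes the detection semantics from the Microsoft Learn page linked in the post (exit 0 with output on STDOUT = installed, exit 0 with nothing on STDOUT = not installed, non-zero exit = failure); the app name, required version and log path are placeholders.

```powershell
# Added example, not code from the original post: a MECM/ConfigMgr application detection
# script whose diagnostics go to a file only, never to STDOUT. Detection outcome (per the
# Microsoft Learn page linked in the post): exit 0 + something on STDOUT = installed,
# exit 0 + nothing on STDOUT = not installed, non-zero exit = detection failed.
# App name, version and log location are placeholders.
$AppDisplayName  = 'Example App'                                                      # placeholder
$RequiredVersion = [version]'2.3.0'                                                   # placeholder
$LogFile         = Join-Path $env:ProgramData 'DetectionLogs\ExampleApp-Detect.log'   # assumed path, writable as SYSTEM

function Write-DetectLog {
    param([string]$Message, [string]$Level = 'INFO')
    # File append only. Write-Host / Write-Output / Write-Information here would land on STDOUT
    # and flip the result to "installed". A logging failure must not break detection either.
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Level, $Message
    try { Add-Content -Path $LogFile -Value $line -ErrorAction Stop } catch { }
}

function Test-AppInstalled {
    # Look the app up in both uninstall hives (64-bit and 32-bit installers register in different keys).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = @(Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $AppDisplayName })
    Write-DetectLog "Found $($entries.Count) uninstall entries for '$AppDisplayName'"
    foreach ($entry in $entries) {
        $parsed = $null
        if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
            Write-DetectLog "Entry '$($entry.PSChildName)' version $parsed (required >= $RequiredVersion)"
            if ($parsed -ge $RequiredVersion) { return $true }
        } else {
            Write-DetectLog "Entry '$($entry.PSChildName)' has an unparsable DisplayVersion '$($entry.DisplayVersion)'" 'WARN'
        }
    }
    return $false
}

try {
    New-Item -ItemType Directory -Path (Split-Path -Parent $LogFile) -Force -ErrorAction SilentlyContinue | Out-Null
    Write-DetectLog "Detection started as $env:USERNAME, PowerShell $($PSVersionTable.PSVersion)"
    if (Test-AppInstalled) {
        Write-DetectLog 'Result: installed'
        Write-Output 'Installed'   # the single, deliberate STDOUT write: signals "installed"
        exit 0
    }
    Write-DetectLog 'Result: not installed'
    exit 0                         # exit 0 with empty STDOUT: "not installed"
}
catch {
    Write-DetectLog "Detection error: $($_.Exception.Message)" 'ERROR'
    exit 1                         # non-zero: ConfigMgr reports a detection failure instead of guessing
}
```

Two caveats on the poster's other two options. Start-Transcript itself emits a "Transcript started, output file is ..." line on the success stream, so if you go that route it must be piped to Out-Null or it will mark every run as "installed". The per-stream redirect works too, but has to be done on every call (for example Write-Verbose 'text' 4>> $LogFile with $VerbosePreference set to 'Continue'), which is easy to forget on one line; routing everything through one file-append helper removes that per-call risk.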
WIFI Profile with PKCS certificates in Pending since last service upgrade
Since the last service update, the Intune WIFI profile with PKCS is in Pending state. The profile was applied to a user group and was working successfully on Windows 10 and Windows 11 devices during the last months. I tested that if the group applied is a device group, the profile starts working and appears as "Success". Has the behavior of this type of profile changed since the last service update?
FernandoConde, Copper Contributor, Nov 21, 2024
Place: Microsoft Intune | Tags: Intune
300 views, 1 like, 2 comments
The Android app is being deleted by the administrator; how can I prevent this?
Hello, I am facing the following issue: In Intune, I added an app under "Line-of-Business apps" for Android, assigned it to a group, and then targeted this group to specific devices. However, the automatic deployment of the app via Intune is not working as expected. Therefore, I installed the app manually on each device. After a certain period, however, the devices display a message indicating that the app was removed by the administrator. How can I prevent the app from being automatically uninstalled? Thank you for your assistance.
Mucro, Copper Contributor, Nov 21, 2024
Place: Microsoft Intune | Tags: Intune
35 views, 0 likes, 3 comments
Windows 11 23H2 Cumulative Updates not shown in WSUS/SCCM
Hi everyone, I want to start rolling out devices in my company with Windows 11 23H2 via SCCM. However, I first need to update the existing 23H2 image with the November 24 cumulative update (KB5046633). In SCCM and WSUS, I can't find the 23H2 product categories for synchronization, but 24H2 is showing up. What could be the reason for this?
mithiy, Copper Contributor, Nov 20, 2024
Place: Configuration Manager | Tags: CM current branch, Site Setup and client deployment
47 views, 0 likes, 1 comment
Device Notification
How can we send notifications to specific devices or all devices using Intune?
Salamat_Shah, Brass Contributor, Nov 20, 2024
Place: Microsoft Intune | Tags: Intune
55 views, 0 likes, 3 comments
Config protection policy to share with a third-party app only
Hi all, I want to share a document from Teams via a third-party app only (e.g. Telegram). I configure Teams using Intune app protection policies. I tried setting the config "Send org data to other apps" to "Policy managed apps with Open-In/Share filtering", and the config "Select apps to exempt" with the Telegram app ID and app name, but it does not work. I want to ask if this approach is correct and if Microsoft allows us to do that? Thanks.
pter01, Copper Contributor, Nov 19, 2024
Place: Microsoft Intune | Tags: Intune, Mobile Application Management (MAM), Mobile Device Management (MDM)
24 views, 0 likes, 1 comment
Monitoring Client app install failure
I noticed that we constantly have a couple of apparently random errors in the "Client app install failure" (under Status on the home page). These are Microsoft Store apps installed with the new store (not the legacy Business store). The error message is typically: Client error occurred. (0x87D300CA). These errors appear randomly for any app and any user for a couple of days and then disappear. I suspect that this happens during app updates or during some sync process and they get corrected on the following sync, but I am not sure. We have a total of about 35 users and 7 apps that we push on our computers (Microsoft Whiteboard, Windows File Recovery, etc.). There is always a couple of those errors lingering around. Is this "normal behavior" or is there something that we haven't set up correctly on our side? These errors are not problematic per se, but they add noise to the system, and they make it less obvious to filter actual problems.
giovanni79, Brass Contributor, Nov 19, 2024
Place: Microsoft Intune | Tags: Intune
4.3K views, 0 likes, 3 comments
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate-owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the CredentialProviderPolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: Re: Android 15 - Cannot set default password app - Android Enterprise Customer Community - 8708. Thanks, Tom
tngvmd, Copper Contributor, Nov 18, 2024
Place: Microsoft Intune | Tags: Intune
401 views, 2 likes, 1 comment
Windows Autopilot and Configuration Management Client Installation Methods
I'm using Windows Autopilot to build my machines with Azure AD hybrid join. Currently, as part of the ESP, we deploy the Configuration Manager client and our VPN software (both Win32 apps) to them so we can get them co-managed ASAP. We also do this in ESP as blocking apps to control the device availability to users until they are completed. Our implementation partner advised us to install the Configuration Manager client in this manner to speed up co-management. Autopilot works (albeit slow at ~60 mins). I am confused, though, on whether or not adding the Configuration Manager client into the Autopilot build in this manner is supported. Reading this (Co-manage internet-based devices - Configuration Manager | Microsoft Learn), it states:

"You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the hybrid Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process. For alternative options to install the client, see Client installation methods in Configuration Manager."

So reading this, it seems what we are doing is invalid. So question 1: Is it incorrect/unsupported to install the Configuration Manager client as a Win32 app during Autopilot (ESP or otherwise)?

Furthermore, I read here (Co-manage internet-based devices - Configuration Manager | Microsoft Learn) that it appears there is no longer a need to deploy the Configuration Manager client as an app at all, but it can simply be configured via Home -> Device -> Enroll Devices -> Windows Enrollment > Co-management Authority:

"You no longer need to create and assign an Intune app to install the Configuration Manager client. The Intune enrollment policy automatically installs the Configuration Manager client as a first-party app. The device gets the client content from the Configuration Manager cloud management gateway (CMG), so you don't need to provide and manage the client content in Intune."

Is this method only valid post-Autopilot?
Solved
shockotechcom, Iron Contributor, Nov 18, 2024
Place: Microsoft Intune | Tags: Autopilot, Mobile Device Management (MDM), Software Management
4.5K views, 3 likes, 7 comments
Firewall Off despite policy being enabled
In Firewall and network protection, it says Firewall is off for all network types. However, it should be on. Is this normal/expected?

However, in Security providers, Firewall is enabled.

==========

In PS, Firewall appears to be enabled too.

    C:\Windows\System32>netsh advfirewall Show allprofiles

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.

===========

In the Intune Firewall Policy the three options are enabled:
Solved
AhmedSHMK, Brass Contributor, Nov 18, 2024
Place: Microsoft Intune | Tags: Defender 365, Defender AV, firewall, Intune, Mobile Application Management (MAM)
70 views, 0 likes, 6 comments
Monitor low disk space for computers
Hi All, We have a requirement to monitor low disk space, particularly on devices with less than 1GB of available space. We were considering creating a custom compliance policy, but this would lead to blocking access to company resources as soon as the device becomes non-compliant. Therefore, we were wondering if there are any other automated methods we could use to monitor the logical disk space (primarily the C drive) using Intune or Microsoft Graph. Thanks in advance, Dilan
dilanmic, Iron Contributor, Nov 18, 2024
Place: Microsoft Intune | Tags: Graph API, Intune, Mobile Application Management (MAM), Mobile Device Management (MDM)
64 views, 0 likes, 2 comments
Recent Blogs
Understanding readiness for Windows 11 with Microsoft Endpoint Manager (4 min read)
Learn how to assess which devices in your organization meet the minimum system requirements for Windows 11.
Nov 25, 2024, Zach Dvorak, Microsoft Intune Blog | Tags: Microsoft Endpoint Manager
178K views, 15 likes, 25 comments

Enhanced hardware inventory in Intune now generally available (3 min read)
Seamlessly find the inventory information you need about your Windows devices.
Nov 25, 2024, Lior_Bela, Microsoft Intune Blog | Tags: microsoft intune
8.2K views, 6 likes, 10 comments
Tags
Intune (3879)
Mobile Device Management (MDM) (2122)
Mobile Application Management (MAM) (766)
Conditional Access (447)
Software Management (393)
CM current branch (339)
Graph API (226)
microsoft intune (194)
Software update management (153)
Azure Friday (152)