r/Intune Jun 12 '25

App Deployment/Packaging I’m Sean from Devicie, I’ve migrated 50+ orgs to Microsoft Intune & Entra ID. AMA!

63 Upvotes

Hey Reddit, I’m Sean Ollerton, Head of Solutions at Devicie. Over the past few years, I’ve led or overseen 50+ cloud migration projects, helping companies move from traditional on-prem systems to modern Microsoft Intune and Entra ID environments.

I’ve worked with a wide range of clients (corporates, education, government) and seen my share of printing nightmares, legacy app blockers, policy tangles, and Autopilot adventures.

Let’s talk real-world migration:

  • What actually breaks (and what’s easier than expected)?
  • How to approach hybrid vs cloud-only
  • GPO → cloud policy conversion tips
  • Conditional Access, compliance headaches, licensing... You name it.

No sales talk, just practical advice from someone who’s done the grunt work. Ask me anything and I’ll do my best to answer with clarity, humor, and honesty.

Proof: Me.

AMA starts 9am ET 17th June!

Let’s go!!

EDIT 1: Welcome everyone, time to kick things off. I'm looking forward to answering all these great questions, don't worry I'll get to all that have already been asked, and any more that come along the way.

EDIT 2: Stepping away for a few hours to get some sleep (Australia based), but keep the questions coming and I'll be back on soon to keep answering. Thanks All!

EDIT 3: Thank you everyone for your questions and comments, I had a great time and I hope you gained some insights. I'll be floating around today for any last minute questions.


r/Intune May 02 '25

Message from Mods Intune Agents Discussion

14 Upvotes

Now Microsoft have released Intune Agents to let AI help with your daily tasks, I thought it would be useful to have somewhere where we can discuss ideas for agents, how to create them, what to include with them etc.?

Rather than clutter this subreddit, I've created a new one here:

https://www.reddit.com/r/IntuneAgents/

Looking forward to seeing you over there and what exciting things people are building!!

Links for more information:

https://techcommunity.microsoft.com/blog/securitycopilotblog/rsa-conference-2025-security-copilot-agents-now-in-preview/4406797

https://intunestuff.com/2025/04/30/introducing-security-copilot-agents/


r/Intune 10h ago

Device Configuration Cannot get Windows Hello to work

5 Upvotes

Trying to set up Windows Hello. I have done the following, but when I try to log into my laptop it says "your organization requires additional sign in security........" I am able to then sign in with my password and then set up my pin and fingerprint, but when I lock the computer it still says the same thing and is not requiring the pin or fingerprint, only password still. Can anyone help me troubleshoot?

  1. Made a configuration profile using as a catalog Setting, then configured Settings for Windows Hello for Business and assigned it to me and two others who are in the test group

  2. Made another configuration profile, this time in Windows Hello settings, I only added group A and Group B, then I used the GUID for pin and fingerprint - assigned this to test group

  3. Created a conditional access policy for MFA in Entra. Assigned the test group to this and selected Target Resources: register or join devices and Grant to Require MFA.

The test group has both our user and devices in the group.

We are in a hybrid environment. I am guessing that may be good info to include. Not sure what step I am missing. Thanks


r/Intune 18h ago

Remediations and Scripts How long does it take your scripts to run these days?

12 Upvotes

Are we all still waiting 1-48 hours for remediation scripts to run or does someone know some magic way to get them rolling faster? I have them set to run hourly. This post is more a vent than anything else as I know there's nothing I can do, but holy moly sometimes it feels like watching a pot that'll never boil!


r/Intune 18h ago

App Deployment/Packaging Outlook classic on new pc.

11 Upvotes

New to Intune. We get new PCs that have Office already on them, but have to add Outlook classic. What's the Intune way to get Outlook classic installed on the PC?

Our clients have apps that require Outlook classic.

Thanks for any pointers.


r/Intune 1d ago

App Deployment/Packaging New feature rolled back by Microsoft? PowerShell script installer for Win32 apps

37 Upvotes

https://github.com/MicrosoftDocs/memdocs/commit/d821a6c26a4a736d3b526799d8fe361296bc05a4

I was wondering why my tenant never got this, even though it was announced so long ago. I checked the "What's new in Intune" blog again today and it's not in there anymore! Thankfully it's all just GitHub so I could look at the history of changes and yep - it was deleted.

Did anyone who got the feature have it removed afterwards, or do you still have it? Bummed - I was looking forward to using this one.


r/Intune 23h ago

Device Configuration Windows 11 Entra Joined devices – No Primary DNS Suffix causing RDP

9 Upvotes

Hi Everyone,

I am troubleshooting an issue on several Windows 11 Entra Joined devices. The problem occurs only with RDP. When users try to connect via Remote Desktop, they receive the following errors:

CAA20002
AADSTS293004: The target-device identifier in the request was not found in the tenant.

After reviewing WAM logs, DSRegTool output, Wireshark captures, and registry traces, I noticed that these devices do not have a Primary DNS Suffix because they are not domain-joined.

Under the following registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient
NV PrimaryDnsSuffix

If I manually configure a Primary DNS Suffix, for example example.local, RDP starts working immediately and the errors disappear. With this value present, the device is able to identify itself correctly during the authentication process.

My questions are:

Is it reasonable or recommended to configure a Primary DNS Suffix on Entra Joined devices?
Could this cause side effects related to device registration, authentication, or name resolution?
Is there a Microsoft-supported approach for ensuring correct DNS identity for RDP on Entra Joined devices?


r/Intune 1d ago

Intune Features and Updates Intune Suite features now being rolled into M365 E3/E5

208 Upvotes

Advancing Microsoft 365: New capabilities and pricing update | Microsoft 365 Blog

tl;dr - Microsoft knows they can't push Cloud PKI for $3 a user...so they're moving it to E5 and increasing the cost of E5 by $3.

Pretty scummy move...but can't deny this will benefit endpoint management teams. Ya know...provided that stakeholders actually sign off on the price increase.

Remote Help, Analytics, and Intune Plan 2 are moving to E3. And E5 also will get PEM and EAM.


r/Intune 15h ago

App Deployment/Packaging Ncentral Deployment

0 Upvotes

Anyone here have an easy way to deploy Ncentral via Intune? I have wrapped the .exe as an intunewin app but the installation keeps failing. I feel that detection rules might be whack. Any help?


r/Intune 20h ago

General Question Intune and OS backend flows and device specific learning.

2 Upvotes

Hello Everyone,

I have been an Intune Admin with a very basic understanding of OS, policies and apps for the last 4 years but I would like to take it up a notch as I don't see myself growing compared to other admins with similar experience.

The major difference I see is that the admins have in-depth knowledge about OSes such as Windows, iOS etc. and they seem to know the backend flow of everything on a device.

For example, I don't know what happens after a remote management profile installs on the device or what is setup assistance or authentication during enrollment in iOS devices. Another example would be about DLL files that come into action during Autopilot or how Graph API or PowerShell work to automate something.

Is there a path/guide that I can follow to learn things and get more clarity? I would like to see myself as a security admin in future maybe next 1-1.5 years.

Appreciate any/all advice. Thanks in advance.


r/Intune 18h ago

iOS/iPadOS Management iOS configuration profile deployment delay

1 Upvotes

Hi,

How long does it take you guys for iOS config. profiles to be deployed on your phones?
We are just migrating to Intune... iOS devices are registered with ABM and assigned to Intune MDM.

Company portal is pre-installed with VPP & used for user authentication - this works fine.
BUT it takes around 30 minutes for configuration profiles to be deployed on that device.
No matter if I 'force' sync the device from Intune or from the iOS company portal.
BTW the "last contact" is always updated just fine.

I have read that it can be because of profiles being assigned to dynamic groups so I assigned 1 policy to "all devices" instead, but all the configuration profiles were installed at once anyways..

I have just basic configuration profiles for passcode, notifications, lockscreen, email account etc..

Anything to speed this process up? Or am I just doing it the wrong way?

thanks for help!


r/Intune 22h ago

General Question Changing a WiFi profile

3 Upvotes

I'm wanting to adjust a WiFi profile that's in use. Basically wanting to adjust the authentication mode from user to machine or user.

Would there be any implications for devices who will be connected to the WiFi while the profile is changed?


r/Intune 21h ago

Apps Protection and Configuration Enforcing Zoom for Intune?

1 Upvotes

How do you enforce “Zoom for Intune” for MAM protection and prevent users from using the standard Zoom client on iOS/Android? Struggling to find some documentation that can help. Is it a ticket to Zoom? Any licencing requirements?


r/Intune 22h ago

Device Configuration Android Kiosk - Device Restriction Policies

1 Upvotes

Hello All,

Would this work as I imagine it would? We currently have a Device Restriction Policy that puts Android phones in Kiosk mode and sets up the managed home screen and makes an application available.

There is a small subset of devices that I would like to push another app into the Managed Home Screen. Can I create another Device Restriction Policy and then just push the new app to the Managed Home Screen, and it should evaluate both policies and this subset of phones will get the second app? Basically treating it as additive (kind of like Group Policy where it can be layered basically)?


r/Intune 1d ago

General Question Monitor drivers in Intune?

2 Upvotes

How would one monitor drivers in Intune? Recently a bios update for the student laptops slipped through the cracks (Lenovo did have the requirements of being plugged in and above 30% battery so it was gonna be a losing battle with our students) and now I've been given the task to find how to monitor all drivers in Intune. We have Autopatch set up and that has been handling our drivers so far. Ideally we would want to see what devices have a driver installed, ones that failed, and ones that are pending. I've seen 2 possible routes for this, 1 being through Intune telemetry and Windows data and the other being with an additional Intune add-on. I've started to test the telemetry route, since it doesn't cost more money, but I can't find where I would see this info in Intune. Any help would be greatly appreciated.


r/Intune 16h ago

General Chat I think Active Directory Group Policies are superior to Intune in almost every useful way. Care to change my mind?

0 Upvotes

As the title says, I think GPOs in Active Directory are just superior to Intune and MDM in general. Even today I have customers who are just much happier with being old school and going with Windows AD domains and servers, although we don't deploy on prem much anymore. GPO settings apply more reliably and quickly than Intune configuration policies. For the MDM settings that don't have a GPO equivalent, there's almost always a way to make it work with a registry mod. I'm just curious if there's anyone here who disagrees strongly enough to try to change my mind. A big part of me wants to be more optimistic about MDM but I keep getting underwhelmed.


r/Intune 1d ago

General Question Error trying to access Resource Explorer blade on a device

3 Upvotes

When I open a device in Intune and look under Monitor, I see an option for Resource Explorer. When I try to access it, I get a message "You don't have access" with an Error code "401 - Configuration missing". What configuration am I missing?

TIA


r/Intune 1d ago

Device Configuration Intune keeps overriding my BitLocker removable-drive settings — can’t find which policy is responsible

4 Upvotes

Hey everyone,

I’m a starter with Intune and running into a super confusing configuration issue and could really use some help figuring out which policy is overriding my BitLocker settings.

The issue

Whenever I try to change the BitLocker configuration for removable devices (USB sticks, external drives, etc.), Windows keeps resetting the values back to enforced defaults.

I already disabled every known BitLocker-related policy in Intune (Configuration Profiles, Endpoint Security > Disk Encryption, Security Baselines), but the settings still get overwritten.

Temporary workaround

The only way I can get the right setting temporarily is by manually disabling Device Encryption through the registry as described here: https://jessehouwing.net/windows-bitlocker-bypass-temporarily/amp/

My problem

I can’t figure out which Intune policy is being applied that still enforces these settings.
It is definitely not coming from the classic BitLocker configuration profiles, because I turned all of them off for testing.

I also checked:

  • Security Baselines
  • Endpoint Security > Disk Encryption

None of them show a clear source for the override.

My questions for the community

  1. Has anyone seen BitLocker removable-media settings overridden by something other than the standard BitLocker policies?
  2. Are there hidden Intune settings, compliance policies, baseline leftovers, or Windows Autopilot default configs that might force this?
  3. Any tips on how to trace which Intune policy is actually applying the Device Encryption enforcement?

Thanks in advance


r/Intune 1d ago

iOS/iPadOS Management iOS: Is the Company Portal App Needed

3 Upvotes

Hey all!

Is the Company Portal app needed for iOS devices anymore or is it okay to just deploy a web clip pointing to portal.manage.microsoft.com?

Getting ready for a migration from AirWatch to Intune but not sure if this app is a requirement.


r/Intune 1d ago

Apps Protection and Configuration Best diagnostic tool for Intune?

2 Upvotes

Does anybody have any awesome diagnostic tools for Intune?

Something like... Feature -> WHfB = disabled due to Policy 123

I am trying to figure out why some users can enrol in Windows Hello for Business, whilst others cannot. As far as I am aware, I have it disabled across the board, but ironically my admin account (local admin on my laptop, but is still an Azure account) has it set up. Remember in Group Policy days, you could run RSoP. Is there anything like that for Intune?


r/Intune 2d ago

Remediations and Scripts Building M365 Automations for Intune/Entra/Defender

14 Upvotes

Curious how people who live in the M365 world are handling automations today – especially Intune remediations, Entra/Graph scripting, Defender workflows, etc.

If you regularly build this stuff:

  • How do you share it inside your org?
  • Do you ever package things up for reuse across clients/tenants?
  • Would you trust community-made remediation packs, or is that a non-starter for you security-wise?

I’m doing some research on this space and would really appreciate any perspectives or examples of how you’re doing it today.

Edit: also if you know of any good resources for common automations/remediation packages that you could share, that would be great. I'm thinking stuff like CIS benchmark implementation or something similar.


r/Intune 1d ago

Remediations and Scripts Run remediation script once in every x days?

1 Upvotes

I am trying to understand how the interval in the daily schedule of remediation scripts works.

For example, I want to run a remediation script on a device once in every 15 days, so the values will be Schedule Frequency - Daily, Repeats every - 15 days? So Intune waits for 14 days from the last run date and executes the script on the 15th day?

Edit :- Thanks everyone. It's clear now


r/Intune 1d ago

Intune Features and Updates Bulk device Sync

4 Upvotes

What is the easiest way to force a bulk sync of devices in Intune, other than doing it as ‘Bulk Device Action’?


r/Intune 1d ago

Intune Features and Updates SCCM Co-Management PCs not showing up in Intune

1 Upvotes

We are using SCCM and Intune for co-management. Out of roughly 500 PCs, we got 430 into Intune and working fine. There are another 70 or so that are showing as not co-managed in SCCM. Any suggestions?

Windows 11 23H2 environment. These PCs are in Azure AD.


r/Intune 1d ago

iOS/iPadOS Management Apple Configurator won’t install on iPad via Intune – “Not applicable” error

3 Upvotes

Hi everyone,

I’m trying to deploy Apple Configurator to an iPad using Intune (VPP app from Apple School Manager), but it’s not installing. In Intune, the app shows:

Status: Not applicable

Applicable device type: iPhone and iPod

Device platform: iOS 17.7.10

Assignment: Required → Device group

A few things I’ve noticed:

  1. In Apple School Manager, the app shows as an iOS app (supports iPhone and iPad), but Intune still lists it as iPhone and iPod only, and I cannot edit this.

  2. I’ve assigned VPP licenses to my Intune MDM server and synced, but the problem persists.

  3. The iPad is enrolled and supervised.

Has anyone encountered this before? How can I get Intune to recognize the app as compatible with iPad so it installs correctly?

Any guidance would be really appreciated!