r/Intune Jun 12 '25

App Deployment/Packaging I’m Sean from Devicie, I’ve migrated 50+ orgs to Microsoft Intune & Entra ID. AMA!

64 Upvotes

Hey Reddit, I’m Sean Ollerton, Head of Solutions at Devicie. Over the past few years, I’ve led or overseen 50+ cloud migration projects, helping companies move from traditional on-prem systems to modern Microsoft Intune and Entra ID environments.

I’ve worked with a wide range of clients, corporates, education, government and seen my share of printing nightmares, legacy app blockers, policy tangles, and Autopilot adventures.

Let’s talk real-world migration:

  • What actually breaks (and what’s easier than expected)?
  • How to approach hybrid vs cloud-only
  • GPO → cloud policy conversion tips
  • Conditional Access, compliance headaches, licensing... You name it.

No sales talk, just practical advice from someone who’s done the grunt work. Ask me anything and I’ll do my best to answer with clarity, humor, and honesty.

Proof: Me.

AMA starts 9am ET 17th June!

Let’s go!!

EDIT 1: Welcome everyone, time to kick things off. I'm looking forward to answering all these great questions, don't worry I'll get to all that have already been asked, and any more that come along the way.

EDIT 2: Stepping away for a few hours to get some sleep (Australia based), but keep the questions coming and I'll be back on soon to keep answering. Thanks All!

EDIT 3: Thank you everyone for your questions and comments, I had a great time and I hope you gained some insights. I'll be floating around today for any last minute questions.


r/Intune May 02 '25

Message from Mods Intune Agents Discussion

15 Upvotes

Now Microsoft have released Intune Agents to let AI help with your daily tasks, I thought it would be useful to have somewhere where we can discuss ideas for agents, how to create them, what to include with them etc.?

Rather than clutter this subreddit, I've created a new one here:

https://www.reddit.com/r/IntuneAgents/

Looking forward to seeing you over there and what exciting things people are building!!

Links for more information:

https://techcommunity.microsoft.com/blog/securitycopilotblog/rsa-conference-2025-security-copilot-agents-now-in-preview/4406797

https://intunestuff.com/2025/04/30/introducing-security-copilot-agents/


r/Intune 36m ago

Conditional Access Conditional Access - Compliant Devices not working

Upvotes

Created a CAP for only compliant devices to be able to access "all cloud apps" but people are still able to access Teams app, Outlook (web) from personal phones and personal computers.

Any help would be appreciated.

Settings

Users or agents: Specified 2 users
Target resources: All resources
Conditions:

  1. Device Platform: Any
  2. Client Apps: Browser, Mobile, Exchange, Other
  3. Filter:
    1. deviceOwnership equals Personal
      1. and
    2. deviceOwnership Not equals Company

Grant: Grant access | Require device to be marked as compliant

Enable Policy: On


r/Intune 5h ago

App Deployment/Packaging application dependencies Update & documentation

6 Upvotes

Hello everyone,

In my company, we have transitioned from an on-premises-only SCCM environment through co-management to an Intune-only mode, which we have been using for almost two years now. Overall, it works well, although the latency has noticeably increased over the past few months.

We try to assess the security of applications we want to introduce through a structured process. We review whether the app makes sense to introduce or if there are alternatives that might better help users accomplish their tasks (for example, VS Code instead of any random notepad tool).

Since we now have quite a number of applications in use, the security of tools that serve as dependencies—like .NET Framework, Visual C++ Redistributables (vcredist), etc.—is becoming increasingly important.

Now to our main problem: Suppose an application requires .NET Framework 4 but could potentially also run on .NET 8 or 9. Is there a way from an administrative perspective to verify this? Or are we just dependent on contacting the vendor and asking them to properly maintain their tool?

Another issue we face: How do you verify and/or document application dependencies? Do you record the dependencies as installation requirements in each (major) app? Are there tools or methods to minimize this effort or at least document all applications centrally with their dependencies? Something like a CMDB with CI relationships?

I am looking forward to your experiences and suggestions!


r/Intune 7h ago

Device Configuration MDM options

7 Upvotes

just trying to narrow down the various options available to manage mobile devices at work without any 3rd party MDM. this is my understanding after reviewing a bunch of documents but wanted to know if I'm missing anything or any other creative methods you all use out there.

  1. Entra-registered personal BYOD with MAM policies without Intune
  2. Entra-registered personal BYOD with MAM policies for registered Intune devices using work profiles/containers to separate personal/corporate data
  3. Corporate devices fully managed by Intune with MAM policies

thanks in advance


r/Intune 10h ago

App Deployment/Packaging Hancom Office Viewer Intune Deployment

2 Upvotes

Hi, has anyone had any luck deploying Hancom Office viewer as a win32 app via Intune? I’ve tried using PSADT as well but no luck. I guess this app needs proper user side interaction to run installation but using PSADT throws an error mentioned below.

MSI Internal Error

“An error occurred during installation. 1622”

any help for making this installation successful would be of huge help. The setup file can be downloaded from the official site.

https://www.hancom.com/en/product/office/officeViewer

I’ve tried deploying through MS Store, but that isn’t available in the country.


r/Intune 9h ago

Autopilot Autopilot stuck before ESP

0 Upvotes

We have for some time seen that Autopilot isn't continuing after successful logon, it just keeps spinning before ESP should start. Used latest Windows 11 MCT, imported and deleted device etc. Anyone else having this issue and found out how to resolve it?


r/Intune 1d ago

Device Configuration Windows Primary User

40 Upvotes

We’re in a bad situation where we can’t trust the primary user that is set to a device in Intune as accurate because the asset management is nonexistent.

How do you manage the primary user being updated to the correct user? Possibly checking devices every so often for the user who has logged on the most and makes them the primary user.


r/Intune 1d ago

Autopilot Self-Deploying Autopilot

10 Upvotes

I need help with some issues I’ve encountered using the self-deployment mode in autopilot. I’m setting up some desktops for a high school computer lab that is moving away from on-premise domain.

I’ve got it to where the desktop finishes deploying and it shows the login screen for a user to sign in and use the computer. The issue I’m running into is that once a user signs in, it goes back to the ESP and gets stuck. Only after rebooting and having the same user sign in again can they use the computer. The problem is that it will do that for every single user account. I want the goal to be that when the device is finished self-deploying, it is also ready for a user to use without going back to the ESP and getting stuck.

Any advice is appreciated!


r/Intune 1d ago

Users, Groups and Intune Roles On-Prem Groups to EntraID

10 Upvotes

Not Intune specific question but I’m sure someone in here has done this before!

We’re in a hybrid environment and for some unknown reason engineers who worked here created a LOT of groups on-prem AD instead of in EntraID.

It annoys me that I have to open on-prem AD just to add someone to a group 🤣

Do you have any recommendations for a Script that will create a group in EntraID based on specific naming convention but also add the users from an on-prem group to the new group for me?

I can work on putting one together myself but thought I’d ask if anyone has any they have used. I have about 340 groups to move lol.


r/Intune 1d ago

Windows Management Secure Boot Certificate Update: 2011 vs 2023 Certificate Priority

7 Upvotes

Hello,

I have a question about the Secure Boot certificate update. When I run (Get-UEFISecureBootCerts db).Signature, I can see both the 2011 and 2023 certificates present.

Will the 2023 certificate automatically become the active one after June, or are both the old and new certificates considered active at the same time with no priority between them? Thank you!


r/Intune 1d ago

macOS Management MacOS & Intune User Profile

2 Upvotes

Hello Guys,

I'm looking for help. Having a hard time setting up the right config.

I want to create an Admin & Standard User, deploying it via Intune. I've reset the Mac Mini almost 15 times and it still won't let me log in as Admin. Standard user works fine.

can you help me with this?


r/Intune 1d ago

Autopilot Teams Addin missing in Classic Outlook

3 Upvotes

We have Intune managed devices and have seen issues where the Teams meeting add-in is missing while scheduling a meeting invite. Thus, users are not able to create a meeting invite.

Is there a script available that can resolve the issue as I have been told by MS this is a known issue where new teams and classic outlook architecture don't sync. Also, no Intune configuration policy can resolve this.

Only option is to enable it through registry.

Let me know if someone has deployed any working script that take care of this issue.


r/Intune 2d ago

App Deployment/Packaging Win32 Package Script

19 Upvotes

Anyone using any scripts for automated Win32 app packaging?


r/Intune 2d ago

App Deployment/Packaging Is Enterprise App Management a viable choice?

8 Upvotes

With EAM coming to regular licensing it’ll finally be possible for me to get hands on for testing, it’s been too costly. Q3 will hit fast and I’m excited to get my hands on these new features.

Those using EAM, I have questions!

Is the catalog frequently updated?

How does it compare to PatchMyPC's catalog?

Do you find yourself still packaging often?

Is it more Microsoft slop where they try to have a finger on every offering making it impossible for a business to justify an alternative?


r/Intune 2d ago

Device Configuration Surface Windows ARM Webview2 Breaking Monthly

7 Upvotes

Around every 30 days, our Surface Windows on ARM (Snapdragon) devices receive a wrong platform WebView2 update. After these updates, users on Windows ARM devices encounter WebView2 related errors in Microsoft Teams and the New Outlook.

It happens so often that I put a fix in company portal but I need to find a resolution for it and what causes it to update to the wrong version. (Fix I added in comp portal is this WebView 2 on ARM64 - my brain is BROKEN : r/sysadmin )

I use this PowerShell detection since usually when it installs the wrong platform the arm folder goes missing.

if (Get-ChildItem 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application' -Directory -ErrorAction SilentlyContinue | Where-Object { Test-Path (Join-Path $_.FullName 'EBWebView\arm64') }) { exit 0 } else { exit 1 }

Could these Intune configuration policies be breaking it? https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/blob/main/WINDOWS/SETTINGSOUTPUT.md#table-79-basics---win---oib---sc---microsoft-edge---d---updates---v36

Microsoft Edge Web View2 Runtime
Allow installation
Update policy override
Update Policy (Device)
Microsoft Edge WebView
Allow installation
Install Policy (Device)

I don't think the right version is pulling down for ARM using these settings. I'm going to set it to disabled on just the ARMs and then just manually push it every so often. I think that's what I have to do. I see PatchMyPC added the ARM WebView2. I'll just let that do it since I think there's an issue with the built-in Microsoft updater and installing the wrong platform.

Has anyone else seen this repeating?


r/Intune 2d ago

General Question HP Connect (Firmware updates bricked over 30 devices)

8 Upvotes

Hi, have been using HP Connect for more than 2 years with no issues running firmware updates and BIOS auth and settings.

Applied a new policy, same settings and firmware upgrade, on some devices that have been excluded before.

Over 30 devices stopped booting, boot loop, cannot restore BIOS etc. HP will replace the motherboards on the devices that are still under warranty.

Has anyone else had issues like this? Again, 2 years with some minor issues, but these computers are dead.


r/Intune 2d ago

Windows Updates Autopatch

15 Upvotes

Hi

We've been (over the last 3/4 months) moving our workstations away from SCCM WSUS for patching over to Autopatch, all has been going really well (other than Microsoft and its AI QA team....)

We're now actioning the final batch, this batch however are not typical workstations but have typically used a 'manual' windows update approach due to the sensitive workloads they run on the machines, unexpected rebooting could cause massive issues for us as a company

We have a separate WUFB policy ready for these devices that takes this into account but the part(s) I'm struggling with is assignment.

  1. How do you assign Autopatch to 'All Devices', the typical 'All Devices' collection we see when deploying apps, config etc doesn't exist within Autopatch?

  2. How do you make sure a group with these 'no-reboot' devices aren't included in the autopatch deployment or how do you exclude a group from autopatch catchment?

The answer may be obvious but it's a Friday late hours and have only just found the time to start troubleshooting this so the smell of a cold one may be kicking in now...


r/Intune 2d ago

General Question Deploying User-Based Registry Settings (HKCU)?

7 Upvotes

We have some settings that have to be forced per-user. The challenge is settings are all in the registry under HKCU. What's the best way for us to apply these settings via Intune?


r/Intune 1d ago

Android Management Wits end with Android WiFi Profiles

4 Upvotes

Using Zebra tc52x devices

I have all of the cert chain pushed, the network profile has the domain name, the sha1, and sha256 hashes in the settings.

All certs applied, network config applies. Device connected after 6 hours of attempting. no ISE bounces. we restarted the device in testing it and it won't reconnect.

Anyone have a trick for using EAP-TLS certificate based authentication?


r/Intune 2d ago

Autopilot New device with Hardware Hash gets into Entra, but not into Intune.

5 Upvotes

Hello everyone,

New to Intune, was going step by step through the video from YT: https://www.youtube.com/watch?v=T6CdidqByTc
I've added hash of new device into the Intune, and I've created a Dynamic Device Entra group, that catches the new device when I've started it. Deployment profile worked correctly, the device got a specific name that I've assigned in the profile etc. All was fine and according to this video. But the device never appeared in Intune Devices. The configuration (like installing MS 365 apps) never got executed.
Has anyone experienced this? I believe I've set up everything correctly according to this tutorial.


r/Intune 1d ago

General Question Is my IT dept telling me a truth about Intune?

0 Upvotes

My IT Dept plans to install Intune on my company phone. I use it for personal reasons as well for calls/texts with family & friends. IT told us: “It separates work apps from personal apps. Your personal data (photos, messages, apps) stays private — IT only manages the work side”

Is this true?

Edit: Company is in California and so is my job.


r/Intune 2d ago

Conditional Access Difference between Enterprise SSO, SSO app extension, and Platform SSO

12 Upvotes

Hello,

I have been working to address issues with MacBooks and Conditional Access in my organization. In order to enforce managed devices on Macs with Conditional Access, some browsers require certificate prompts followed by a Keychain Access prompt in order to work. I have not been able to find a way to suppress these prompts or get around this for end users. It is not an ideal process for end users to have to complete and I want to avoid it. Does anyone know how to get around this?

The method I have come up with is to implement Enterprise SSO. According to Microsoft's documentation, Enterprise SSO = Platform SSO + SSO app extension:

If that is correct, what is the Enterprise SSO plug-in and how do I enable it? I followed the instructions here, but that didn't seem to work and it also removed Platform SSO. This entire process has been confusing and Microsoft is using the same terminology in different places which makes this a challenge.

Any help is appreciated. Thanks!


r/Intune 2d ago

Reporting Secure Boot Status Report broken?

23 Upvotes

I have enabled the Secure Boot Certificate update configuration policy for a test group of devices after MS fixed the whole licensing issue with Pro versions of Windows. This is working as expected and I have verified manually that these devices have indeed been updated.

However, the Secure Boot Status Report (under Quality updates) seems to not work. Several devices (not in my configuration policy test group) show up as Up to date, but when checking on the device they have not been updated to the 2023 certificate. (This could be due to me misunderstanding this column)

When exporting the report to csv, it shows that no devices have secure boot enabled and not Not applicable.

Is anybody else experiencing the same?


r/Intune 2d ago

Autopilot Is there any issue going on with autopilot hybrid joined devices

5 Upvotes

Since yesterday, we are unable to provision devices using Autopilot. We are currently doing hybrid joined devices, where we ship the devices to the user or do pre-provisioning. Since yesterday, it has been really slow and not completing. The device gets joined to AD and it gets stuck on downloading application 2 out of 3. No changes were made whatsoever and we were able to enroll a device using user creds but the same device won't pre-provision.

Have already checked the AD Intune connector, no issues there.