Recent Discussions
Hybrid to Entra ID WiFi Certificate Authentication NPS via WHfB Cloud Trust & Cloud PKI-Replace ADCS
Hello Team, We are working on moving our devices from Hybrid Entra ID Joined to Intune Autopilot Entra ID Joined.

Current scenario:
- Hybrid Entra ID Joined devices (joined to both on-prem AD and Entra ID)
- Active Directory with Entra ID Connect for object synchronization
- AD Certificate Services (ADCS) issuing user and device certificates via GPO auto-enrollment
- Group Policies to push Wi-Fi configuration (EAP-TLS using device certificate)
- NPS RADIUS server using EAP-TLS ("Smart Card or Other Certificate") for secure 802.1X authentication
- On-prem SSO enabled through standard Kerberos authentication

Now, I am testing Autopilot Win11 Entra ID Joined with WHfB using Cloud Trust to SSO to on-prem resources. The Autopilot is working; however, the Wi-Fi is not working as the Autopilot device doesn't have any certificate from the on-prem ADCS. What is the best practice to be as cloud-based as possible and begin to decommission on-prem services? I have 2 options to push the user and computer certificate to the Autopilot device:

Option 1: Intune Certificate Connector that will bridge on-prem ADCS and Intune; in Intune, a PKCS profile to install the certificate to the Autopilot device.
Option 2: Intune Cloud PKI and a configuration profile (PKCS profile) to install the certificate to the Autopilot device; on-prem, install the root CA from the Intune Cloud PKI. https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-cloud-pki-deployment

For the on-prem SSO I will continue using Cloud Trust.

Component | Target
--- | ---
Device Identity | Autopilot + Entra ID Joined only (no domain join)
User Sign-In | Windows Hello for Business (WHfB) with Cloud Kerberos Trust
Certificate Issuance | Replace ADCS/GPO with Microsoft Cloud PKI and Intune PKCS
Wi-Fi Authentication | Retain existing NPS RADIUS using EAP-TLS, but trust both ADCS and Cloud PKI root CAs
On-prem SSO | Enabled by AzureADKerberos on domain controllers
Hybrid Devices | Continue current operation during the transition — no immediate impact

The 2 network environments need to coexist: the on-prem and the cloud.

Device Type | Certificate Issuer | Wi-Fi Auth | SSO
--- | --- | --- | ---
Hybrid AD-joined | ADCS via GPO | EAP-TLS (device cert) | Native Kerberos
Autopilot Entra ID Joined | Cloud PKI via Intune | EAP-TLS (device cert) | WHfB + Cloud Trust (AzureADKerberos)

How the New Wi-Fi Auth Works:
Autopilot devices receive:
- A device certificate from Cloud PKI via Intune
- A Wi-Fi profile using EAP-TLS authentication
NPS RADIUS server:
- Validates the device cert
- Issues access to Wi-Fi
WHfB Cloud Trust provides a Kerberos ticket from AzureADKerberos, enabling seamless access to file shares, print servers, etc. This allows Autopilot Entra ID Joined devices to:
- Connect to Wi-Fi without GPO
- Access on-prem resources without passwords

High-Level Implementation Steps:
1. Deploy Microsoft Cloud PKI in Intune
2. Configure PKCS profiles for user and device certificates
3. Deploy WHfB Cloud Trust via Intune + Entra ID (no AD join needed)
4. Configure AzureADKerberos on domain controllers
5. Install Cloud PKI Root CA in NPS server trust store
6. Update NPS policy to accept certificates from both ADCS and Cloud PKI
7. Deploy Wi-Fi profiles to Autopilot devices via Intune (EAP-TLS using device cert)

Based on this, what is the best practice to move the devices to the cloud as much as possible?

Web-based device enrollment vs Company Portal
Hi everyone, Microsoft recommended the web-based device registration for iOS, especially for bring your own device. I went through the whole process. The main difference is that the user doesn't need to install the Company Portal and you need to configure JIT (Just-in-Time registration). The enterprise portal should be delivered as a web application. The user experience: The user goes to the URL https://portal.manage.microsoft.com/enrollment/webenrollment/ios. The profile is loaded, then the user has to go to the Settings application and install the profile. The user has access to the Company Portal with the web application. Microsoft recommends JIT (Just-in-Time registration) for web-based device registration. I see the advantage of fewer logins for the user (thanks to JIT) and no Company Portal app on the device. What is the advantage of web-based device enrolment? Why did Microsoft recommend this method of registration?

Yealink AOSP Phones and Intune SCEP certificate configuration Profile
Hi, I'm looking for guidance on whether Yealink Teams phones can have SCEP certificates deployed via Intune to be used for 802.1X authentication. We can push root certificates to the devices, but even though the SCEP certificate configuration shows that a certificate has been created, it never gets onto the phone.

Problems installing AAD Connect on Server 2022
I have set up a Windows Server 2022 (Hyper-V). I have an M365 DEV tenant from Microsoft. When I install AAD Connect, I am first asked for the local user, which works with the login. Then I am supposed to log in to the DEV tenant with a user. To do this, I made a user a global administrator with Microsoft authentication. I log in and am asked to enter the number displayed on my cell phone. Immediately after that, I see this message and cannot continue. I have installed only Microsoft Edge, latest version; all updates are installed. In Server Manager -> Local Server, I disabled IE Enhanced Security Configuration. I logged in to Edge with this global admin and still have this Edge window open. But if I log in again, I get the same error message. What can I do to fix this problem?

Enable Developer Mode at supervised iPad
We've just started introducing Microsoft Intune. We've managed to get our iPads registered and the onboarding seems to work. Now I have the challenge that one of our users needs to have developer mode enabled on his iPad device for testing and developing iOS apps with Apple Xcode. Xcode is not able to connect to the iPad, and I think that's why the switch in the Data Security and Privacy settings doesn't even show up (and cannot be enabled because of this). I worked through all the settings regarding USB connections ("Limitation") in Intune. No success so far. Is there any setting I can check to enable the user / the device to connect via USB to a Mac? Any ideas appreciated. Regards

Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate-owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: Re: Android 15 - Cannot set default password app - Android Enterprise Customer Community - 8708 Thanks, Tom

Autopilot Custom Image Deployment
Hi Guys! Is there a way that we can have a separate Autopilot image for each department? For example, the IT department could have a separate Autopilot image, the Finance department could have a separate Autopilot image, the Sales department could have a separate one and VIPs could have a separate one?

Subsequent device registration in Intune
Hello Tech Community, We use Entra ID and our devices are fully Entra-joined. Windows 11 devices appear in Entra ID as normal. We now want to manage our devices with Intune. However, the devices do not appear in Intune because the MDM user area was initially configured as 'None'. How can we subsequently move the devices to Intune? Ideally, we would like an automated process to avoid having to move each individual device.

Details:
- Windows 11 devices, fully Entra-joined
- Appear in Entra
- No other device management in use

Problem: Register the devices in Intune without manually touching each individual device. Also, I don't want to use things like PSRemote. Thanks for your answers. BR

Intune integration with Ping Federate/Ping One
Hello, Is it possible to integrate Intune-joined Windows machines to allow authentication using external identity providers, for example Ping Federate or PingOne? If yes, I would appreciate it if you could provide reference documentation. Thanks

We’re running into an Intune issue where a Win32 app with a dependency sits at "Download Pending"
Setup:
- Main App: Installs in User Context
- Dependency: Installs in System Context
- Dependency Detection: Hosts file modification detection script
- Direct file detection does NOT work either
- When the hosts file modification is present (detection is met), detection works, and everything installs fine manually

The Problem:
- If detection passes (exit 0) → Everything installs fine.
- If detection fails (exit 1) → Intune never moves forward, just stays at "Download Pending" indefinitely.
- Happens with both file-based detection and script-based detection.
- The dependency app as well as the parent app install fine via Intune on their own, as well as in manual testing.

What We Need to Know:
- Does Intune get stuck in "Download Pending" instead of moving forward when dependency detection fails?
- Could the install context mismatch (dependency in SYSTEM, main app in USER) be causing this?
- Myth or fact? Does Intune break the install process if a dependency app is in system context and the parent app is in user context? Again, both apps work fine independent of each other.

Thanks for any help!

Tunnel EAP-TEAP
Hello Guys, I am somehow at a loss here. We have successfully implemented Tunnel TEAP on a test machine and we want to deploy it into our environment. I have downloaded the .xml Wi-Fi profile for the device and, since EAP-TEAP is not yet integrated in the configuration policy in Intune, I have uploaded the XML file. I am running into a migration error. I am not sure where to go from there. Has anyone implemented a TEAP configuration?

iOS MS Edge URLAllowlist configuration
Hi, I've spent many hours trying a lot of ways to allow only 2 URLs on Intune-managed iPads, without success. Here is the working Managed Device App Policy: https://i.imgur.com/J4JkW3B.png (every key works). I want to add 2 allowed websites and have every other one blocked. I read I could do this with the URLAllowlist configuration key without using the URLBlocklist key. Here is what I tried in the configuration value (tried with * and www and it does not work):

<array> <string>https://*.google.com</string> <string>https://*.yahoo.com</string> <string>edge://*</string> </array> (saw this in a Reddit post)

<array> <string>https://*.google.com</string> <string>https://*.yahoo.com</string> </array> (saw this on official MS docs)

https://*.google.com | https://*.yahoo.com

I also tried a Managed App Configuration policy instead of a Managed Device one. Here is the configuration (which does not work at all): https://i.imgur.com/k3Osjty.png I'm running out of ideas on how to do this, even though it seems basic. I didn't think I would have trouble doing this specific config as the auto-refresh kiosk mode was not too hard to set up. If someone has a clue I would be very grateful. Sorry for my English as it is not my native language.

Only allow certain groups to log into machines - Intune
Hello, First-time poster here. I was looking to see how (using Intune) we could restrict interactive login on certain devices to members of groups in Azure AD. The requirement is because we keep getting staff in schools logging into student laptops/devices in an attempt to work, which breaks a whole host of different lockdown settings. In a perfect world staff would just use their staff devices and not log into students' devices! I know it is possible through Intune to restrict it at a user level (https://www.inthecloud247.com/restrict-which-users-can-logon-into-a-windows-10-device-with-microsoft-intune/), but has anyone had any experience or success with Azure AD groups? If so, how? Maybe I'm looking in the wrong place and instead need to set a Conditional Access policy? Any guidance is appreciated! Thanks,

Conflict status after having 2 Local User Group Membership policies
Hello, I have an issue with applying two "Local User Group Membership" policies on a PC. The Intune policy report shows a conflict between the two "Local User Group Membership" policies despite their having different configurations. For example, one is a global policy, which applies admin privilege to all PCs, and the other one is more specific to a certain group, and is just about giving remote access to the PCs in this group. So, my question is, why does Intune mark these two policies as a conflict of each other? If it is not possible to have two "Local User Group Membership" policies applying to the PC, is there a way to have a global policy for admin users on the PC and one more private policy for remote user access using "Local User Group Membership"?

Intune - Issues with Account-Driven User Enrollment on iOS 18.5
Hello everyone, Since the release of iOS 18, Apple has deprecated profile-based user enrollment via the Company Portal app, requiring the use of Account-Driven User Enrollment. While this change enhances user experience, I'm encountering challenges in implementing it.

Steps Taken:
- Apple Business Manager (ABM) Account: Created and linked the ABM account to Intune using the token. Corporate devices are successfully appearing in Intune.
- MDM Server Configuration: Set Intune as the default MDM server for all devices in ABM.
- Domain Federation: Established Entra ID federation in ABM to synchronize all users.
- Intune Enrollment Profile: Created an 'Enrollment Type Profile' of type 'Account-Driven User Enrollment.'
- MDM Push Certificate: Configured and validated the MDM Push certificate.

Issue Encountered: According to https://support.apple.com/guide/deployment/account-driven-enrollment-methods-dep4d9e9cd26/web, starting with iOS 18.2, hosting a service discovery file on a web server is no longer mandatory. The device should automatically contact the ABM organization associated with the Managed Apple ID if no web server is found. On an iOS 18.5 device, I navigate to: Settings > General > VPN & Device Management > Sign in to Work or School Account. After entering my Microsoft email address (which matches my Managed Apple ID due to federation), I consistently receive the error: "Your Apple ID does not support the expected services on this device." In ABM, under "Access Management" > "Apple Services," all services are activated. Could I be missing a crucial step in the configuration? Any guidance or insights would be greatly appreciated. Thank you in advance for your help. Best regards,

Android COPE - Google Zero Touch Enrollment - Device Resets automatically
Hello, I encountered a strange behavior of an Android mobile phone, enrolled in Intune through Google's Zero Touch method. The device is a Samsung running Android 15. The device is enrolled and reports that all necessary configurations and compliance policies are met, yet the device is prompted with a pop-up notification saying that it belongs to the company and that, in order for the device setup to be complete, it will be reset, with a countdown of ~2 hours. Multiple resets occurred, yet it's stuck in the same loop. Any idea what might trigger this behavior? No other COPE-enrolled phone does this. The user's current Android 14 device is running properly, but it's enrolled as BYOD.

Expedite Install Status in Intune
Hi All, I was curious to know whether there is any way that we can expedite the install status in Intune. I have already tried running "Sync" from Settings > Accounts > Access work or school and restarting the "Microsoft Intune Management Extension" service. However, in my experience it takes at least a couple of hours to sync the status even after running Sync from Settings and restarting the service. Therefore, I was wondering whether there is anything we can do manually to get an install status ASAP. Thanks in advance, Dilan

Issues with Intune
I've worked for my current client for just over 2 years. I use my own desktop PC and have Company Portal installed and access their VDI via Windows App. For the last 2 years everything has been okay and the only real impact I've had to accept is the changing of my Windows 10 PIN to a long "password" type value, i.e. 8 chars minimum + non-alphanumeric. So, my original, easy-to-use 4-digit PIN became a longer password-type PIN, which seems to defeat the point of having a PIN! However, this wasn't an issue as I also had a fingerprint reader installed and used this instead of having to type the long PIN. Due to the enforced policies of having to enter the PIN after 5 minutes of activity, the fingerprint reader was used a lot! Last week I upgraded my PC, essentially rebuilding it and installing Windows 11, so it is now a new PC. My old fingerprint reader wouldn't work under Windows 11 Hello, so I ordered a new one. Company Portal was installed and after a lot of messing about with the client, it eventually started to work! It seems like the previous registration caused a lot of issues with the new PC, but that's another story. So, now that Company Portal is in place on my new Windows 11 machine, I'm unable to install the fingerprint reader as company policies are preventing any "sign in" changes. The result is I'm having to type a long password-type PIN very frequently. I understand the need for policies, but preventing me from using biometrics and also preventing me from changing my PIN seems to be unreasonable. Unfortunately my client is being less than helpful in resolving this issue. Given that I had a working fingerprint reader on my old Windows 10 machine, which was in place prior to Company Portal being installed, I'm wondering if I uninstall Company Portal, I would then be able to install the fingerprint reader, then re-install Company Portal and the reader would work?

As I'm not that familiar with Company Portal, I'm not sure if uninstalling it will remove the policy restrictions that prevent me from installing the fingerprint reader, and if this is the case, if then re-installing Company Portal will prevent it from being used. I would appreciate your advice.

How to determine what a Package ID is associated with
We have hundreds of packages, applications, software update packages, driver packages, OS images, etc. There are times I only have a package ID and I need to determine what it is. It's a royal pain to manually search each one of those categories in the console. Does anyone have a PowerShell script to find what a package ID is associated with?

Compliance issues with some Poly TC8 in Intune
Hi, We have a couple of Poly X30/50 with their companion TC8 consoles. Now with the AOSP update finally available for these Poly devices, I can see that some Poly devices are getting the updates; however, 2 TC8s suddenly stopped working and won't sign in nor pair with the X30 devices anymore. The consoles keep asking to sign in, but after the whole signing-in process it fails and kicks me back to the sign-in screen. On the Intune admin portal, I can see that the device is being added but immediately unregistered and deleted due to being non-compliant. But how is this possible when all the other TC8 devices are compliant? All Rooms accounts have a Rooms Pro license. I called Microsoft Support and they are still investigating. But I have found some differences from the other TC8s that are working. The Authenticator and Microsoft Intune software versions are different. On the TC8s that are working the versions are Authenticator 6.2505.3166 and Intune 25.02.1. On the non-working TC8s, it's Authenticator 6.2410.7269 and Intune 24.09.1. But in the TAC, there are NO updates available! Even if I set the update ring to Validation or switch to General then back, no updates are triggered. Factory-resetting both devices also didn't solve the issue. Is anyone else experiencing this issue?
Recent Blogs
- Zero Trust combined with cloud-native Windows enhances device security, compliance, and manageability. (Jul 28, 2025)
- Making Apple device management easier: automated passwords, real-time updates, and streamlined controls for IT. (Jul 24, 2025)