/r/Intune


Intune is a Mobile Device Management service that is part of Microsoft's Enterprise Mobility + Security offering.

Don't call it InTune.

A sub dedicated to all things Microsoft Intune.

Follow new and upcoming changes happening in Intune.


55,029 Subscribers

1

Intune Remediations Schedule

Hopefully a really quick question.

I've not used Intune Remediations yet, and am planning to make more use of them and just want some clarification on the schedule. I have read through the documentation, but have not received 100% clarification on the below.

I can see that you can set the schedule to run every day or every hour. Is this schedule

  • How frequently it runs the detection script?
  • How frequently it runs the remediation script once it's detected it?
  • Something else?

If you could provide the corresponding source alongside the answer, for further reading, that would be greatly appreciated.

Kind Regards,

Max

0 Comments
2024/12/04
15:04 UTC

1

How to create a shortcut to a network folder in Intune? (No Drive Mapping with ADMX)

I'm using this script but it is not working. Any suggestions?

# Creates a .lnk to a network folder in the user's Network Shortcuts folder
$ShortcutName = "YourShortcutName"
$TargetPath = "YourTargetPath"
$ShortcutLocation = "$env:APPDATA\Microsoft\Windows\Network Shortcuts\$ShortcutName.lnk"

$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($ShortcutLocation)
$Shortcut.TargetPath = $TargetPath

# Icon index 3 in SHELL32.dll (folder icon)
$Shortcut.IconLocation = "%SystemRoot%\system32\SHELL32.dll,3"

$Shortcut.Save()

0 Comments
2024/12/04
14:51 UTC

1

Conditional Access for BYOD Outlook only

I'm trying to use CA alongside app protection policies to allow BYOD Outlook on iOS & Android only. The issue is I can successfully block everything except Outlook for all platforms & OWA. I have 2 CA policies.

  1. For my test group block all resources except Office 365 Exchange Online, device exclusions iOS & Android, all client apps selected.

  2. For my test group grant access to Office 365 Exchange Online, include iOS & Android, exclude all other platforms, client apps: the option "Mobile apps and desktop clients" is selected, Require app protection policy is selected.

My group is part of an Outlook app protection policy.

Does anyone know what I'm missing?

3 Comments
2024/12/04
14:18 UTC

1

Access Issues due to supervised Device

Hello

we have Supervised (ADE) and user affinity iOS devices in our company. The users can log on to their device via Modern Auth and the whole thing is managed with Intune.

As a company, we have access to Azure Virtual clients (Win 11) hosted by our customers. If I now want to access this virtual Azure client via my supervised iPad and the iOS app Windows App, I receive the message: ‘Warning: incorrect configuration. The administrator wants the apps on this device to be managed via the ‘xxx’ account. [...] To access company data via the ‘yyy’ account, you must unregister your device from the company portal’

Is it possible to define exceptions in Intune so that I can log on to the virtual client with credentials other than those stored in the company portal?

0 Comments
2024/12/04
13:57 UTC

2

Reset Computers to Give out for personal use bricking them?

Hi all, I have a stack of old computers that are Intune joined and we are looking to give out to users for personal use (free) since they are retired for business use as they are too old.

Most of these machines were purchased as either Windows 10 or 11 Home Editions and upgraded to Pro and joined to Entra/Azure/Intune.

I pushed out a wipe command to them and checked the second box to reset and remove all of the activation/registration with Intune. They reset great.

However, they log in to the recovery environment and I get an infinite loop. They do not reinstall Windows and bring me back to a fresh login screen as if it were out of the box from Best Buy, so that someone can log in with their personal devices. I stopped after it happened on two devices.

Any idea why this would happen and what would be the proper procedure to reset these to a new condition for personal use and get them off my network control? I assume it has to do with the fact that they were purchased as home editions and upgraded to pro maybe?

12 Comments
2024/12/04
13:54 UTC

2

Line of Business App saying "expired" but it's not

When adding the ipa file I get this message ".ipa has expired. Follow the guidelines provided by Apple to extend the expiration date, then try adding the app again"

In our Apple Developer account it says active and expires 3/29/25, so I'm confused about why Intune is telling me it's expired.

We're in the process of moving from MaaS to Intune, and this app is currently working fine in MaaS. Wondering if there is something I'm missing when it comes to Intune?

1 Comment
2024/12/04
12:16 UTC

1

Syncing server OU via Azure AD Connect

We have a cloud management solution that automatically creates and manages users, groups, M365 licenses, etc. This previously used an on-premise domain admin account to perform these actions and then they were synced to Azure via Azure AD Connect. However, they have informed me that after some changes made by Microsoft, they now need it to be a cloud-only global admin that can authenticate against the on-premise AD server via conditional access and to bypass MFA.

Our supplier has provided me some instructions on how to create the conditional access policy to bypass MFA, but it doesn't state how it can connect back to the on-premise server. I have reached out to Microsoft via our M365/Intune support agreement, but it's outside of their scope and they advised contacting a different department, but we don't have an active support agreement with them. They did provide a list of best practices that suggests syncing the server to Azure, though that seems to go against advice I've read online.

Can anyone help recommend the best way to achieve this? I could move the server to a sub-OU within the server OU and just sync that, or I could just sync the entire servers OU (doesn't include DCs, but does include file servers, SCCM, MIS server and other management servers).

Any help would be greatly appreciated.

6 Comments
2024/12/04
10:16 UTC

1

Need help with running a Mac script

Hi r/Intune!

Context: we recently purchased a piece of software that doesn't have a remote license activation feature. The key needs to be either put in the application or added as a parameter to the executable on the first run. That one's super simple - just call the application with the key from the Terminal.

Problem: I'd like to make an Intune package that does that for the user - they'd just click "Install" in Company Portal and the target application would do the first run activation.

Didn't have any trouble on the Windows side of things (just run in User context, runs a PowerShell script, easy-peasy).

I thought it'd be equally simple on the Mac side, but it seems it isn't.

I have the .sh file that does the job nicely. I used Platypus to pack that into an .app file and then ran productbuild to make a .pkg out of that.

When I try to run it through Company Portal it takes ages to run and then ends up doing nothing...

Question: is there a way to do this on a Mac with Intune?

2 Comments
2024/12/04
08:22 UTC

1

MacOS - Entra and Onprem AD - password notification

Hi all,

We are trying to implement enrollment of Mac devices with Intune in our environment. It works fine so far: the Mac is enrolled, and I have implemented PSSO as well to sync the password from Entra with the local user.

But now my concern is: how will the user know that they need to change the password? We have a policy in on-prem AD which requires users to change passwords every 90 days, and then that password is synced with Entra. How can I make a notification for users that they have to change the password before that expiration time?

1 Comment
2024/12/04
08:16 UTC

1

Autopilot breaks WiFi and NIC card

Hello Reddit community,

I'm encountering an issue after running Autopilot on some Windows machines. It appears to be affecting the Wi-Fi and NIC (Network Interface Card) functionality. The specific version of Windows impacted is Windows 11, version 10.0.26100.2033.

Before running Autopilot, both the Wi-Fi and NIC work perfectly; I can browse the web and connect to Wi-Fi using Shift + F10. However, once Autopilot completes and the computer restarts, I encounter problems during the Out-Of-Box Experience (OOBE). When I reach the Wi-Fi setup, it prompts me to install a driver. After installing the driver and rebooting, the issue persists, and it asks me to install the driver again.

In the network adapter settings, it shows that the Wi-Fi is disabled. Although I can right-click to enable it, it appears to be stuck in a grayed-out state. Interestingly, performing a factory reset restores the Wi-Fi functionality.

I also tested the same computer with Windows 11, version 10.0.22631.3235, and ran Autopilot on that version without any issues; everything worked seamlessly after the computer restarted.

Has anyone else experienced this problem or have any suggestions for a solution? Thank you!

9 Comments
2024/12/04
02:46 UTC

2

Where to troubleshoot multi-app kiosk mode for Windows 10?

There is an XML file with specified paths to allowed apps. We need to find out if we are missing anything.

Is there a log you can look at that will show any executables or file paths that are still being blocked and preventing an application or hardware device driver from working properly?

Is there a way to temporarily remove kiosk app restrictions to see if the device or application starts working normally with the restrictions lifted?

0 Comments
2024/12/04
02:44 UTC

4

Initiating Rotate local admin password failed

Hi

We have set up a custom role to let some users with limited access to Intune view and rotate the local admin password with Windows LAPS.

We've gotten the custom role to work with showing the local admin password and have been able to get just the rotate local admin password button clickable (we don't want these users to have access to the other buttons),

but when they initiate the rotation we get this error:

"Initiating Rotate local admin password failed"

Screenshot of the error if this helps:

https://imgur.com/a/LtAa7qe

Screenshot of the custom role permissions:

https://imgur.com/a/eLH306G

0 Comments
2024/12/03
23:46 UTC

6

Cloud WiFi Solution

Hey guys. My org has a DC spun up in Azure which replaced our on-prem server. My aim is to move us to cloud-only. The only thing we rely on the DC for is the NPS role it holds to allow users to use RADIUS authentication on the office WiFi.

I need to move this away from the server, but what options do I have?

12 Comments
2024/12/03
23:20 UTC

1

Need advice on certifications

I’m looking to get some knowledge and a certification related to Microsoft Intune. I’m currently in a help-desk role and have an A+ and just got Net+ certified. If this is too advanced for me, what would you recommend I do to start my journey to eventually be able to certify for Intune?

My current job recommended I learn about Intune for promotion opportunities.

3 Comments
2024/12/03
23:12 UTC

1

Retiring Android devices

Since Intune doesn’t have the retire option for Android devices, would deleting do the same as with iOS and retire/un-enroll? If so, can the user re-enroll in the Intune app?

Edit: words

3 Comments
2024/12/03
22:57 UTC

1

Line of biz app fails, iOS

We have an in-house app that we use for testing; devs sent me the ipa file to update. But when I deploy I’m just getting a failed to install. Pulled the logs and just seeing this error: (MDMClientLibrary)[143] <Error>: MDMProvisoningProfileTrust could not find record of managed app 'com.ourapp.appname.inhouse'

Really struck out googling this and not sure if something is wrong with the app and the devs forgot something?

UPDATE

Resolved, they had sent me the wrong file

0 Comments
2024/12/03
22:40 UTC

1

Windows 11 Device Enrollment Questions

Hey Everyone,

We are moving to Intune for MDM services. We currently have it configured for mobile (iOS and Android), and will be looking to move Windows devices there as well. We still require an on-premise AD join (for business related purposes). Will this be a "Hybrid-Join" situation? I feel like I'm familiar with the pieces of the setup (compliance polices, etc), I'm just not certain of the order of implementation, etc. Any advice or documentation would be extremely helpful. I've tried to scour reddit and other sites, maybe I'm just making this harder than it needs to be.

Thank you in advance!

5 Comments
2024/12/03
22:39 UTC

1

Normal User cannot change the Time zone

Hi All,

Hybrid environment. Autopilot device in a dynamic group, and a policy error (Settings Catalog error), but under the policy Allow Date Time shows Succeeded.

But when a user tries to access Date & Time, it prompts for admin credentials.

What do I do?

3 Comments
2024/12/03
22:05 UTC

4

Layoff- CEO asking IT to let specific user keep laptop -need best procedure for autopilot

The CEO has let IT know a specific VP will be let go and wishes for the employee to keep the laptop, dock, etc. This is fine by us - we don't make those rules. This computer is in autopilot and is actively managed today. The employee is a remote employee, so everything will need to be done through interaction with the employee, when the employee's mental state & patience may not be optimal.

I thought we wanted to "delete", based on https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-admin-center. One of the crew though accidentally deleted a computer from Intune and the old user profile still existed once we get back into the system.

The concern is we have many third party tools installed which we want removed, and don't want Defender reporting back in the future. We also have a LAPS password with changes regularly. We could give the separated employee the password, as it is different for every computer.

The computer is a Dell, so maybe we just have the user perform a clean install with F12. We could tell the user that selecting saving any previous data as a Dell option won't work and it needs to be a clean install. https://www.dell.com/support/kbdoc/en-us/000147155/booting-to-the-advanced-startup-options-menu-in-windows-10.

Given the drama of the situation, especially around this time of year, what is the best approach? I am thinking a "delete" with no LAPS password provided, delete again from the devices in the portal, then the user does an F12 to proceed on his or her own.

27 Comments
2024/12/03
21:35 UTC

1

Scheduling daily reboot using settings catalog configuration profile

I found various blogs with instructions, but I haven’t found anything that explain how to input the time.

It just says enter the time in ISO 8601 format and I can only find ambiguous, arbitrary sample examples.

One thing I never see addressed clearly is whether the time you enter in the configuration profile is being hard coded as a static UTC time or is it using the local device time including DST etc..

For instance, if we wanted the device to reboot daily at 5am every day based on the local time on the device regardless of time zone, what do you enter as the time value?

4 Comments
2024/12/03
20:18 UTC

1

Company Portal Issue: Rapid7 Installation Notification Keeps Appearing!

Hello,
My company PC is managed by Intune and has the Rapid7 application installed. However, every day I receive an annoying notification from the Company Portal saying that the installation failed, even though the application is already installed. I tried uninstalling it via Add/Remove Programs, but the notification keeps appearing even after uninstalling the application.

What can I do? Does anyone have any ideas? Should I try uninstalling and reinstalling Company Portal?
Thanks!

5 Comments
2024/12/03
19:08 UTC

1

How do you tell when a Remediation is fully deployed?

I've recently started using Intune Remediations. I have 2 remediations that are scoped to All Devices. The remediation is PowerShell based, so this is only for Windows devices.

When I go to the Devices section of the Intune portal and filter by Windows, I have 231 devices.

My first remediation, the Detection Status lists 228 without issue, only 1 with issue, and 0 pending (229 total).

My second remediation, the Detection Status lists 103 without issue, 134 with issue, and 0 pending (237 total).

I know I am missing something simple, but I can't figure out why these numbers don't add up. How do you monitor remediations to know when you hit 100%?

3 Comments
2024/12/03
18:37 UTC

0

Windows 11 PRO to Enterprise

Hey guys.

I have a doubt.

I need to upgrade some computers with Windows 11 pro to enterprise.

But the users have already been using the computers for a few months.

If I assign the Windows Enterprise license to these users and create a profile, will the computer be formatted to upgrade to Enterprise?

I'm searching the documentation, but I can't find a clear answer for that.

12 Comments
2024/12/03
18:24 UTC

1

Autopilot Shipping Delays from Hardware Reseller

When purchasing computers from our distributor (CDW) with the Autopilot SKU, it adds a 1-2 week delay in shipping. When the same laptop is purchased without Autopilot, it ships immediately. When we add the Autopilot SKU, it takes an additional 1-2 weeks for the device to ship.

What gives?

Is this just a problem with CDW or does this delay happen with all hardware distributors?

2 Comments
2024/12/03
18:04 UTC

2

Does anyone know why Intune would be causing an insane amount of data usage for iOS? What the hell does "General" data usage include?

This is destroying our current phone bill. We have about 400 iPhones/iPads in our fleet under Intune MDM. The past few months our data usage has skyrocketed, despite device usage not changing. We are trying to figure out what the heck would be considered "General" data in the iOS cellular settings. We pinpointed that our large "Corporate Accounts" usage mainly came from application updates over data, which is annoying, but does "General" include that as well? What else does "Corporate Accounts" include?

I added a screenshot of the data usage here https://ibb.co/4JM4fpj

5 Comments
2024/12/03
18:00 UTC

2

Deployed trusted sites disappear randomly

Hi, I am deploying trusted sites through Intune with Device Configuration Profiles - Endpoint Security. It works as expected, but on multiple devices the trusted sites disappear. After a sync or a wait, they come back. What is more weird is that I deploy 10 trusted sites, but not all disappear; there are always two or three trusted sites remaining.

I also have a policy clearing the cache when exiting Edge; do you think it can impact trusted sites?

0 Comments
2024/12/03
17:09 UTC

20

Newly purchased AutoPilot enrolled Windows 11 machines are setting the wrong time-zone

This was never an issue in the past. We are an international organization. Our help desk goes through OOBE (obviously not ideal) in one location, then sends computers to end users at their place of work.

As I understand it, all of our new W11 24H2 computers are getting the wrong time zone. This combined with the change in Windows to block standard users from setting their own time zone has become a major issue for new machines.

So far I have tried adding "Users" to the groups allowed to change the time zone using a configuration profile, but it fails on these new machines with a generic error code. However, when I manually add the standard users group (from secpol.msc > Local Policies > User Rights Assignment > Change the Time Zone), then the user can change the time zone.

Here is the issue: https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#1631msgdesc

Attached is a screenshot of the policy.

Currently this is the only fix I have found that's worked and I'll be working on scripting it now.

Open secpol.msc as admin

Navigate to Local Policies > User Rights Assignment > Change the Time Zone

Click "Add user or Group..."

Search for "Users" and click "Check Names"

Click OK > Apply

Open Regedit.exe as admin

Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tzautoupdate

Change Start from value = 4 > value = 3

10 Comments
2024/12/03
16:57 UTC
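The manual secpol.msc and Regedit steps from the post above, as an added example script (not the poster's own script) that can run from an Intune platform script or remediation in the SYSTEM context. It assumes the built-in Users group is addressed by its well-known SID S-1-5-32-545, that secedit.exe is present, and that the work folder under %ProgramData% is writable.

```powershell
# Added example: grant "Change the time zone" to Users and set tzautoupdate Start=3.
# Run as SYSTEM/admin; existing holders of the user right are preserved.
$ErrorActionPreference = 'Stop'

$UsersSid = 'S-1-5-32-545'                      # well-known SID of BUILTIN\Users
$Work     = Join-Path $env:ProgramData 'TimeZoneFix'   # assumed work folder
$Export   = Join-Path $Work 'export.inf'
$Import   = Join-Path $Work 'import.inf'
$Database = Join-Path $Work 'tz.sdb'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 1: export the current user-rights assignment so we only append to it.
secedit /export /cfg $Export /areas USER_RIGHTS /quiet | Out-Null
$Current = Get-Content -Path $Export |
    Where-Object { $_ -match '^SeTimeZonePrivilege\s*=' } |
    Select-Object -First 1

if ($Current -and $Current -match [regex]::Escape("*$UsersSid")) {
    Write-Output 'Users already hold SeTimeZonePrivilege; nothing to change.'
} else {
    if ($Current) {
        $NewLine = "$($Current.TrimEnd()),*$UsersSid"      # keep existing holders
    } else {
        $NewLine = "SeTimeZonePrivilege = *$UsersSid"      # right was unassigned
    }
    # Minimal security template: only the privilege we change is listed,
    # so secedit leaves every other user right untouched.
    $Template = @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Privilege Rights]'
        $NewLine
    )
    Set-Content -Path $Import -Value $Template -Encoding Unicode
    secedit /configure /db $Database /cfg $Import /areas USER_RIGHTS /quiet | Out-Null
    Write-Output "Applied: $NewLine"
}

# Step 2: the Regedit step from the post - tzautoupdate Start from 4 to 3.
$Service = 'HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate'
$Start   = (Get-ItemProperty -Path $Service -Name Start).Start
if ($Start -ne 3) {
    Set-ItemProperty -Path $Service -Name Start -Value 3 -Type DWord
    Write-Output "tzautoupdate Start changed from $Start to 3."
}

# Verify by re-exporting: the assignment must now contain the Users SID.
secedit /export /cfg $Export /areas USER_RIGHTS /quiet | Out-Null
$Verify = Get-Content -Path $Export | Where-Object { $_ -match '^SeTimeZonePrivilege' }
if ($Verify -match [regex]::Escape("*$UsersSid")) {
    Write-Output 'Verification passed.'
    exit 0
}
Write-Output 'Verification failed; check %windir%\security\logs\scesrv.log.'
exit 1
```

The user right takes effect at the user's next logon; the exit code lets the same script double as a remediation that reports success or failure back to Intune.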

3

Location based Conditional Access

I currently have a Conditional Access policy set up so a user (who works for a 3rd party) can access their Windows 365 virtual machine (business, not enterprise) from a set of trusted IPs and those IPs only.

However, when running a 'What If' I can see the user is still allowed to access Windows 365 when not within the set of trusted IPs. All other apps are blocked.

My policy is set up as such:

Users: User A

Target Resources: All resources, excl Windows 365 and Azure Virtual Desktop

Network: All locations, excl trusted IPs

Grant: Block

Does this policy mean Windows 365 and AVD are excluded from anywhere? I always thought this policy would ensure access to both is ONLY allowed from the IP ranges excluded in the network section?

8 Comments
2024/12/03
16:09 UTC

1

Windows Update on notification while Defender update automatic possible?

Hi everyone, since the day I moved the Windows quality update from Automatic installation to Notification for testing purposes, the Security intelligence updates are also on notification. Is there a way to have those updates installed automatically? I tried different configurations like "Check For Signatures Before Running Scan", "Schedule Quick Scan Time", "Initiate security intelligence update on startup" and "Check for the latest virus and spyware security intelligence on startup", but it's still asking me to download and install the update.

What am I missing?

0 Comments
2024/12/03
15:52 UTC

1

PSADT Active-Setup - Script not being run for the user setting up a computer

I'm going insane troubleshooting this problem.
I have a PSADT script utilizing Active Setup that works flawlessly, just not for users getting new computers.
For some reason, the script simply isn't getting applied to the user who is logged in when the Win32 app containing the script is installed. Everything works exactly as it should in my test environment, but when I install a new machine, the user logged in will never get the script applied. If I install the computer with a dummy user, then switch users to the real user, it works fine.

Does anyone of you have an idea of what might be happening? Thanks a bunch in advance!
Script below:

# Import PSADT Functions
Import-Module "$PSScriptRoot\AppDeployToolkit\AppDeployToolkitMain.ps1" -Force

# Define paths and variables
$ScriptName = "scriptname.ps1"
$PermanentScriptPath = "C:\Program Files\Company\Scripts\$ScriptName"
$ActiveSetupKey = "ActiveSetup-Scriptname"

# Main logic
If ($DeploymentType -ieq "Install") {
    # Ensure the permanent directory exists
    if (!(Test-Path -Path (Split-Path -Path $PermanentScriptPath -Parent))) {
        Write-Log -Message "Creating permanent directory for scripts."
        New-Item -ItemType Directory -Path (Split-Path -Path $PermanentScriptPath -Parent) -Force | Out-Null
    }

    # Copy the script to the permanent location
    Write-Log -Message "Copying $ScriptName to $PermanentScriptPath."
    if (Test-Path "$PSScriptRoot\Files\$ScriptName") {
        Copy-Item -Path "$PSScriptRoot\Files\$ScriptName" -Destination $PermanentScriptPath -Force
        Write-Log -Message "Script copied successfully."
    } else {
        Write-Log -Message "Script not found in source directory: $PSScriptRoot\Files\$ScriptName" -Severity 3
        Exit-Script -ExitCode 1
    }

    # Register Active Setup for future users (do not execute for the current user)
    Write-Log -Message "Registering Active Setup for future user logons."
    # Every continued parameter line needs a trailing backtick; without it
    # -ExecuteForCurrentUser is parsed as a separate statement and never applied
    Set-ActiveSetup -StubExePath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -Arguments "-ExecutionPolicy Bypass -File `"$PermanentScriptPath`"" `
        -Key $ActiveSetupKey `
        -Version '1.0' `
        -ExecuteForCurrentUser $False

    Write-Log -Message "Active Setup registered with Key: $ActiveSetupKey and Version: 1.0."
}

If ($DeploymentType -ieq "Uninstall") {
    # Remove the Active Setup registry key
    Write-Log -Message "Removing Active Setup registry entry: $ActiveSetupKey."
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ActiveSetupKey" -Force -ErrorAction SilentlyContinue

    # Remove the script file
    Write-Log -Message "Removing the script file: $PermanentScriptPath."
    Remove-Item -Path $PermanentScriptPath -Force -ErrorAction SilentlyContinue

    # Remove the directory if empty. Each test is parenthesised so that -and is
    # evaluated as an operator rather than passed to Test-Path as an argument
    $PermanentDirectory = Split-Path -Path $PermanentScriptPath -Parent
    if ((Test-Path -Path $PermanentDirectory) -and -not (Get-ChildItem -Path $PermanentDirectory)) {
        Write-Log -Message "Removing the empty script directory: $PermanentDirectory."
        Remove-Item -Path $PermanentDirectory -Force -ErrorAction SilentlyContinue
    }

    Write-Log -Message "Uninstallation completed successfully."
}

Exit-Script -ExitCode 0


4 Comments
2024/12/03
15:43 UTC
