Hi all,

Is there a way to rejoin a device after it has been retired?

We have a fleet of device that we will need to decommission (remove company data). We also want to be able to allow flexibility to some users to rejoin their retired device into Intune and treat it a 'personal' device and not a 'company' managed device. Essentially, these devices will be treated as a BYOD.

I have a test device which I have first deployed a powershell script to create a local account, then retired - but it will not allow me to rejoin to Intune.

Anybody having issues with trying to download user available app from the CP? I know there was an advisory earlier this week but I'm trying to test install an app for the last half an hour or so and it has been stuck on 0% downloading and I have already tried nuking the registry key to get it to try again.

Hi all,

I’m facing an issue with my windows laptop. When I bought it, I registered it as a company device and not personal. However, when I realized my mistake, I wanted to remove the company account, but I couldnt due to not having admin privileges.

I tried fixing that by adding the admin account to laptop and removing it manually. The admin account was added, however, it wouldn't show up at all on the list of accounts on the device. Moreover, I went on entra and “deleted” the device from the list of devices. Yet still, no luck.

Finally, I went to Intune to try and remove my device, however, i’m almost always met with “error” and “something went wrong! Unable to fetch” and I can’t view anything on there.

I submitted a support request, but Microsoft still hasn't responded, and their AI agent/support is useless.

Please help, I’m stuck unable to install anything on my laptop, not even MS365 to use word natively. Please any suggestion or lead would be very much appreciated

Vendor question here. How are you handling app requests in Intune?

We’ve been building something at PowerStacks and I’m trying to figure out if we’re solving a real problem or just something we’ve convinced ourselves is a problem.

The gap (at least from what we see):

There’s not really a clean way to give users an "app store" experience in Intune without it turning into a bit of a free-for-all.

Company Portal gets you part of the way there, but it doesn’t handle approval workflows.

So, we built something that basically sits in front of Intune:

·       Users can browse and request apps

·       Very robust, highly customizable approval workflows

·       Deployments still happen through Intune

·       Everything runs in your own tenant (App Service, Entra, etc — no SaaS, no agent required)

Before we go much further with it, I’d rather get honest feedback from people who deal with type of thing regularly.

Is this even a real problem in your environment?

If it is:

·       How are you handling it today?

·       What’s the most painful part?

Not trying to sell anything here — just don’t want to build something nobody actually needs.

Hello Everyone

Im trying to set up a simple installation script that installs an application (the App is called Converge) and then it should also set up an Environment variable for a License server:

setx RLM_LICENSE "******@SERVERNAME.NETWORK.NET" /M
Start-Process -FilePath "Converge5.11.exe" -ArgumentList "/S" -Waitsetx RLM_LICENSE "******@SERVERNAME.NETWORK.NET" /M
Start-Process -FilePath "Converge5.11.exe" -ArgumentList "/S" -Wait

The issue is that Intune just skips the Environment command (or it doesn't work properly because I have to run it in System Context). The command does work when I add it manually after the fact over the terminal. Is there any way to circumvent this issue? I also tried it with Powershell, but it doesn't even work manually with powershell,I tried this script here:

Start-Transcript -Path "C:\Windows\Temp\converge_install.log" -Append # Set in current process so installer can use it $env:RLM_LICENSE = "2765@SERVERNAME.NETWORK" Write-Host "RLM_LICENSE in process: '$env:RLM_LICENSE'" Start-Sleep -Seconds 2 # Run installer Write-Host "Starting Converge5.11.exe installer..." 
Start-Process -FilePath "Converge5.11.exe" -ArgumentList "/S" -Wait Write-Host "Installer exited" # NOW set variable via CMD using setx (machine-level) Write-Host "Setting RLM_LICENSE via CMD (setx)..." Start-Process -FilePath "cmd.exe" -ArgumentList "/c setx ******@SERVER.NET /M" -Wait -NoNewWindow # Optional: verify from registry again $check = [Environment]::GetEnvironmentVariable("RLM_LICENSE", "Machine") Write-Host "RLM_LICENSE in registry after CMD setx: '$check'" Stop-Transcript

Thank you guys for your help.

Cheers,

Gabe

I cant deal with it anymore. I need to post and ask how are you guys imaging dell laptops/desktop from factory.

What process are you doing to reimage?

Im trying to install windows 24h2 from factory. Whenever I install it I dell support os recovery as im trying not to use media creation tool. It cloud installs 25h2. Does anyone have a better solution to reinstall 24h2 without resetting it twice.

I know this post is kinda stupid since it been posted many times.

I really refuse to use a USB thumb drive. I do have autopatch configure.

Anyone else having issues loading their device list in Intune?

UK Tennant here.

Just getting "Something went wrong, try again later"

We'd like to use Intune to do all this:

As a governmental entity, we do not want our staff to use the "free" version of Copilot because MS can use the information. Some people have the need for Copilot and for them, we will pay the licence and have them use it. so

• How do I remove all "free" version of Copilot
• How do I enable only the "paid" version

Thanking you all in advance

I’m trying to learn intune shiz on a Mac and iOS. How do I do stuff without Apple Business Manager? Says I need a business and stuff. I’m about to commit identity fraud or something to make it happen. I want to put Mac in supervised mode or something somehow. Idk anything about Mac’s really.

Hi all,

I’m trying to get a sense of how organizations are currently handling application deployment strategies in Intune.

In your environment, roughly what proportion of your applications fall into each category?

Win32 apps (custom packaged)

Microsoft Store apps (Store new / legacy)

Microsoft Intune Enterprise App Management (Microsoft-managed apps)

We currently manage a large number of applications (400+) with varying levels of complexity, and we’re evaluating how far we can realistically leverage Store or Microsoft-managed apps versus maintaining Win32 packaging.

How many applications do you manage in your environment?

I’m particularly interested in real-world ratios and lessons learned.

Thanks!

Greetings folks. I am looking for a bit of guidance in troubleshooting an Intune/BitLocker issue we're having.

We've recently rolled out Intune & Entra to do our machine/id management as we move towards ISO27001 and I'm running into a super frustrating issue.

For context we are a small, fully remote, UK based business with around 15 employees; we have a mixture of Mac & Windows laptops all of which have been enrolled into Intune successfully and until recently showed as being fully compliant with the policies.

All users have a Microsoft 365 Business Premium License assigned to them.

Windows laptops are joined to 365, all users login with their 365 email & password using strong passwords & two-factor authentication in line with current cyber security guidance.

Our BitLocker policy is set to be required on all fixed drives, it gives multiple options for recovery key storage but the default is to escrow the key to Entra, we also have the configuration for BitLocker set to the silent deploy option.

All our machines had BitLocker enabled before we started to roll out Intune, this was just managed as default company policy and as part of the machine configuration, all users stored a local recovery key.

3 of our windows PCs (all Lenovo machines but a mixture of models) updated their BIOS recently and since then the BitLocker on those machines has been in the suspended state, any attempt to resume protection fails with an error saying:P

'Group policy settings require the creation of a recovery key' & when I look in the BitLocker API event log I see and error message that reads 'BitLocker encountered a failure to commit metadata changes for volume C:.'.

If I check the BitLocker panel in Windows it tells me BitLocker is suspended and will restart on the next system reboot.

So far I have checked & tried:

That the TPM shows as valid and active in both the BIOS and Windows (all machines are less than 2 yrs old and have TPM 2.0).

Secure boot is enabled in the BIOS.

I've checked the Entra accounts for the users and they all have a recovery key saved to them, I have also asked the users if they have an offline copy of the key and checked those values are the same and Entra key and that those keys are the correct keys for the machines in question (checked via Powershell).

We have attempted to disconnect a machine and then reconnect it, it rejoins but with the same error.

Temporary upgrade of users accounts to Local Admins in case it was a permission issue (although we do have the InTune policy set to allow non-local admins to start BitLocker).

I've been through the MS documentation and suggested settings and I cannot see anything in our configuration that would be casuing this, there are no conflicting policies in the system and non-bios updated laptops continue to work just fine.

Apologies for the long post but I am approaching my wits end with this and any guidance as to what I have missed would be greatly appreciated.

We are using MS surface laptops which out of box (or wiped & imaged with the Ms Surface recovery image USB) have a bunch of m365 apps on the image (in multiple languages).

How do we go about making sure these OEM installs are removed & instead our App install configuration is used instead?

Hi all,

I am fighting for a long time with configuration of Device Control policy and I was close to give up, but then I remember that I have You - last hope of humanity.

Use case:

- I want to block ALL USB data storage devices (Pendrives, External drives, SD/CF cards etc.)

- I don't want to block: USB Cameras, Optical drives DVD/CD, HID devices (keybord, mice) etc.

- I want to have possibility to whitelist USB devices (dongle keys, some specific Pendrives)

What I have configured:

- I have configured Endpoint Security > ASR > Device Control policy and name it "wdasr-tst-comp-corp-DC-global"

- I have assigned to it my test device which is in group named: "sga-tst-comp-freddyautopilotonly-global"

What is already working:

- blockade of ALL USB data storage devices (pendrive, disk drives etc.)

- rest of the devices are unblocked (cameras, HID devices, optical drives etc.)

What is not working:

- whitelisting USB devices (not fully working, only partly). For example I could whitelist CF Card using Serial Number but I cannot whitelist PNY 16GB pendrive... Reusable setting which are used for these devices: "ALLOWED - USB Sticks": CF Card, USB16GB. USB16GB is not working when i use SerialNumber of it or DeviceId.

Device control policy configuration:

Defender:

Device Control: ENABLED

Device Control:

Name: BLOCK USB MASS STORAGE

• Included devices: "USB Mass storage devices", Access: Type: DENY, Options: None, Access Mask: Read, Write, Execute.

Name: ALLOWED USB DEVICES

• Included devices: "ALLOWED - USB Sticks", Access: Type: ALLOW, Options: None, Access Mask: Read, Write, Execute.

Reusable settings:

1. Setting group name: "USB Mass storage devices": Name: RemovableMediaDevices, PrimaryId: RemovableMediaDevices.
2. Setting group name: "ALLOWED - USB Sticks":
   1. Name: CF Card, Type: removable storage, SerialnumberId: 058F63666479.
   2. Name: USB16GB, Type: removable storage, SerialnumberId: FC8E9096.

Quick summary:

When i try to whitelist USB16GB with Serial number FC8E9096 or deviceId it doesn't work. Always it is blocked.

CF Card has no problem - I can easly whitelist it.

Below I will paste information from Device Manager about my USB Stick/Pendrive that i want to whitelist.

>
Device USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\FC8E9096&0 was configured.
Driver Name: disk.inf
Driver Package ID: disk.inf_amd64_3e3ac488fc4fdb54
Class GUID: {4d36e967-e325-11ce-bfc1-08002be10318}
Driver Date: 06/21/2006
Driver Version: 10.0.26100.5074
Driver Provider: Microsoft
Driver Section: disk_install.NT
Driver Rank: 0xFF0006
Matching Device ID: GenDisk
Outranked Drivers: disk.inf:GenDisk:00FF2002
Device Updated: false
Parent Device: USB\VID_058F&PID_6387\FC8E9096

I would be really glad if someone would help me adjusting existing configuration or providing new working solution.

Thank you in advance for help.

Hi,

Rolling out a new 365 tenant for our new entity. Using LAPS, identity governance, autopilot, app packages and self Service.

We have to come to the stage to design our patching process. Is it realistic to patch enterprise laptops with only Intune? My team suggesting we augment with Patch my PC but I’d like to do as much as possible natively without third parties.

What stack is everyone using for this?

One of our major partners is making a push to deploy Entra within their organization to replace their aged ADFS infrastructure. Being we are also an Entra org (duh), now whenever they try to log on to the partner website - they log in with their corp credentials rather than the partner one, and get the error of being unable to log in as there is no cross-tenant relationship to their Entra app.

There is a 0% chance of us working with them to implement SCIM for their Entra app - so I need a way to suppress our passkey when on a login.microsoftonline.com page within Microsoft Edge. Realistically, all the existing Microsoft 365 services and other SSO apps we utilize will use the PRT from the browser session - so I don't expect any damage from doing this.

Since the passkey in Windows cannot be removed as it's tied to the Entra Join state - suppression is the best thing I can think of. Anyone else know if this is possible, or maybe a better way?

I can't find anything from their SAML request that allows me to use a domain hint - which would potentially stop the key from appearing.

I also do have passkeys disabled as an authentication strength within my Entra tenant.

Hi everyone,

I'm running into a confusing issue on an Intune-managed device and hoping someone has seen this before.

Situation:

The device is enrolled in Intune and was previously connected/syncing fine as BYOD device, not as an Autopilot registered..

The sync is still functional when accessed through the Company Portal.

However, under Settings → Accounts → Work or School account, the "Info" button is completely missing..

Without the Info button, there's no way to manually trigger a sync or check the sync status from that menu — only the option to disconnect the account is shown

What I've checked so far:

The device is still enrolled and shows up correctly in Intune!!

No obvious error messages or compliance issues

My questions:

Is this a known behavior after a specific Windows update or Intune policy change?

Is there a way to restore the Info button without re-enrolling the device?

Any insights would be greatly appreciated!

I’m trying to migrate end-user devices from on-prem AD joined to Entra ID joined. I tried Autopilot, but Microsoft’s suggestion is basically wipe and reload, which is a painfull process and very challenging.

The biggest issue is that end users are not happy because they lose their profile settings and personal setup. Doing a wipe and reload for around 3,800 devices is a really painful process.

Has anyone dealt with this before? Any suggestions or better options?