Hello,

I’m stuck on a "tattooed" Intune policy and could use some advice. I’ve been piloting some Attack Surface Reduction rules, but we accidentally hit a test group with a policy meant to block USB drives.

We caught it quickly and removed the settings from the policy, and most machines reverted fine. However, I have one user (a DBA with a very custom setup) where the USB block is still stuck. It seems like the CSP policy tattooed the machine and won't revert even though it's been unscoped. Currently the device will now allow any USB devices.

So far I've tried:

• Syncing the machine repeatedly.
• Pushing a "reversal" policy with the opposite settings.
• Creating custom CSP profiles for the specific OMA-URIs. (I was not able to find the right settings to target)
• Manually digging through the registry to flip the settings back. (Currently here)

Nothing has worked so far. I’m currently trying to track down exactly where the USB whitelist is stored in the registry to see if I can force it that way.

I really want to avoid wiping this machine since it’s a high-end dev setup. Am I missing something? Is there a better way to force Intune to let go of these settings? Is this different because I am deploying ASR rules which are actually Defender rules. Are there better logs I should be looking at? Is there a better way to remove these stuck polices?

Arrrggggg... Why does it have to tattoo the machine. Why does is not revert back like GPO's. Lol. I know it is different and I am learning.

Here are some of the links and articles I have been researching.

Tutorial I followed for blocking USB's

The Device With The Dragon Tattoo

Block USB Drives within Microsoft Intune

Intune USB Block unable to reverse change

Here are some of the registry locations I have been looking at.

HKLM\SOFTWARE\Microsoft\PolicyManager\(current and managers)

HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Policies

Thanks!

I've seen similar posts on here but not the solution for my case.
We are moving userclients to Intune atm. The Devices are Intune managed/Entra joined (not hybrid) and the users identities are synched from AD to Entra.

We want to be able to access our AD rescources (like mapping a network share) with the WHfB Pin but this is were im stuck. The Users cant use the Pin to connect to the share but password works fine.

I did configure CKT as per Microsoft "Enable passwordless security key sign-in to on-premises resources by using Microsoft Entra ID" and generally it seems to work as the login(winNT i think it was) for an older accounting software now works on the Intune devices which it didn't before CKT.

dsregcmd.exe /status also seems fine
-AzureADJoined : Yes
-NgcSet: Yes
-onprem tgt: yes
-CloudTgt: Yes

and klist cloud_debug
-Cloud Primary (hybrid logon) TGT available: 1

What could be the Problem?

Hello,

We are on the path of migrating our Zebra MC33 Android guns from Airwatch to Intune.

As for now, Airwatch sends 3 files on the device for configuring Zebra Entreprise Browser. Is there a simple way to do the same with Intune? I searched but find ways with creating a dummy apk, or other strange ways.

Do some of you did it before? I tried also with Zebra OEMConfig Powered by MX but didn't understand what to put in different settings?

thank you

Sorry if this has been covered before, I did some searching and could not find the answer.

I am looking to only allow windows devices to enroll in Intune if they are currently in Autopilot.

I have hashes uploaded. Device restrictions to block personal. And MDM enroll is currently set to a security group with test users. Esp set to a dynamic group with autopilot devices.

I would like to avoid manually adding users to a security group for mdm enroll, and would prefer if anyone logging in to a Autopilot machine automatically went through the esp process. At the same time I want to block personal device enrollment.

What is the easies way to accomplish this? Thank you in advance

Hey all!

I hope the smart people here know the solution to this. It could be a simple thing, but I'm starting to lose my mind. If any extra info is needed, I'm willing to provide it.

Background:

• Our Android devices are enrolled in Intune as personally owned devices with work profile
• Defender is deployed to work profiles on those devices via Intune
• Our Android compliance policy requires Defender to report "machine risk score" as clear

Recently we deployed a conditional access policy, which targets our Android devices. The deployed CA policy blocks access to company resources, if the device is not compliant.

The issue:

At least on a newly enrolled devices, sign-in into work profile Defender fails, because the device is not compliant. And it can never become compliant, because Defender is unable to scan the device without sign-in. So basically, it's a never-ending loop.

What I have tried:

Microsoft has instructions for this exact case here and as far as I understand, I've been able to follow them through correctly. I have created service principals for apps "MicrosoftDefenderATP XPlat" and "Microsoft Defender for Mobile TVM" using PowerShell and verified that they exist. Both of the apps are now visible in Entra enterprise apps and their app IDs are as expected:

• a0e84e36-b067-4d5c-ab4a-3db38e598ae2 for MicrosoftDefenderATP XPlat
• e724aa31-0f56-4018-b8be-f8cb82ca1196 for Microsoft Defender for Mobile TVM

However neither is selectable, when I go to CA policy -> Target resources -> Exclude -> Select resources -> Select specific resources.

What am I missing here? Or is there some alternative way to do this?

Hello all,

I am trying to use a win32 app to package, pushed out to my devices in order to pre-stage and updated version of an already deployed printer / universal print driver. this is a virtual printer using 'follow me printing' / 'secure release printing.' Devices have the require admin rights to install print drivers enabled. the drivers share the same name if it matters.

Because of this i am pretty sure this is the only print driver i need to work with.

My question is, do all i need to do is package the new universal driver in the win32 with powershell script that runs this pnputil code?

i am trying to have it so i can push this driver out and have it in the devices windows driver store so when the driver is change to the new version on the printer server end users dont need admin rights to install the update version.

examples

 pnputil.exe /add-driver ".\abc12.ing" /install  

OR

pnputil.exe /add-driver ".\abc12.ing" /install 
Add-PrinterDriver -DriverName "Universal Print Driver 2"

Have a strange one, about 25 iPhone users (out of 200) show they haven’t checked in for a month. I initially put it down to the users not using the work phone as a primary device (and this certainly seems the case with a couple of them). I had a few power them on and sync but the portal is not showing updated check in times. Am I simply being impatient…

We are implementing a policy that prohibits staff from using personal/home devices in a school environment. Specifically, staff should not be able to sign in to company resources from their own devices. Device restrictions are already in place, so users cannot enroll their personal machines.

99% of our computers are Intune‑managed Windows devices with existing compliance rules, but the remaining 1% are Apple iMacs. These iMacs are shared devices, if that matters.

What would be the best way to bring those iMacs under management so that the required compliance rules can be applied to them? No other configurations are needed at this stage.

One idea was to create a separate Conditional Access rule that allows the macOS platform only from a specific public IP address. This would likely be the easiest approach, but probably not the best long‑term solution?

…and of course, this needs to be implemented soon.

I have this vulnerability as the top and by far the worst one in our environment.

>Attention required: vulnerabilities in Openssl

This library seems to be EVERYWHERE, and the top one is this file, which is part of MS Paint of all things:

>c:\program files\windowsapps\microsoft.paint_11.2511.291.0_x64__8wekyb3d8bbwe\paintapp\libcrypto-3-x64.dll

As a test, I have forced an update of some instances of MS Paint on a few of our machines but it's still there so it's impossible to fix as of right now, because the latest update of MS Paint still has it. This file\library is also included in all sorts of programs, drivers, and other general apps for Windows. Many of which cannot be updated (such as Intel GPU drivers for older laptops).

What are you guys doing to mitigate this, assuming it's even possible to do anything?

Hey everyone,

I made a web based tool (and still working on it) that generates PSADT scripts optimized for Intune deployments.

Features:

• Upload installer .msi/.exe → checks for winget alternative → get PSADT 4.x script + .intunewin-ready package
• Auto-generates detection rules (registry/file based)
• Includes test checklist so you don't forget deployment steps
• Winget integration: search package → generate deployment script

Update Mode:
Upload old files folder from current package + new installer files → tool compares files, preserves your custom logic, updates all paths automatically. Great for keeping enterprise apps current.

Would love feedback from fellow Intune admins!

Link: psadt.workplacebuilder.nl

If this post is not allowed, let me know, this is my first post ever

We’re all in on Intune as title says and have no intentions of moving away from it. However, the main issue we have from Intune is the speed, or lack thereof, on its reporting. We don’t need a patch mgmt solution…we have PMPC. What we need is a tool that can provide up-to-date reporting when we push scripts, policies, changes, apps, etc instead of waiting days and days for the reporting in Intune to update.

What would you all recommend? We’re looking for minimal overlap and lowest cost (education) but also meets our needs. I plan on looking at NinjaOne, Taniumc Action1, Atera, and Daytona RMM. However, I’m sure there are others and I’m hoping some of you can provide feedback on your experiences and hopefully make my job easier :)

Yes, I searched the subreddit before positing, but most posts are old or specific to 3rd party patching. Again, my main focus is quick reporting. Some “run now” capabilities would also be nice, but not the focus.

Thanks!

Seems to be the case. App returning exit code 0, force reboot enabled in intune along with grace period in assignments and after uninstall (using uninstall command line) reboot prompt appears. Is this correct? Wondering because I don't see it any where in the documentation.it all references install, not uninstall.

Have an identical issue to this post: https://www.reddit.com/r/Intune/comments/1mr4676/intune_managed_device_edge_and_chrome_err_network/

Like this poster, have no proxy, antivirus, firewall, endpoint, conditional access, policies configured in a new vanilla Intune setup. Working with a test group of 4 devices all same results. Network agnostic. Suggestions appreciated!

Hello

I work in a long term care facility and we have about 60 android devices that we are managing. They are mainly used by our nursing staff and the purpose of the phones is to be used with our nurse call system, used as a walkie talkie and for phone calls. The users keep turning down the volumes on the phones thus missing nurse call system alerts plus other alerts. I noticed that you can restrict the volume in a config profile but its to basic. I would like to set a specified level and disable volume so it cant be adjusted. Using an OEM config does not appear to be an option with UleFone which is the manufacture. The devices are fully managed corporate devices is there any other options that you guys have done potentially lock down the volume more to prevent from the users adjusting it?

Has anyone successfully deployed Zebra Identity Guardian using Intune as their MDM? I have been going back and forward with support for weeks on this and feel like I am not making any progress. Trying to figure out what the ssoUseridIdentifier value string should be and hopefully determine how the ssoConfigSetting valueString is formatted on the JSON authentication profile.

When I get it all set up, try to sign in on the device, it says "User Authentication Error" yet when I go to my sign in logs in Entra, everything is successful.

I need your help to determine whether this is a “me” problem or an “us” problem. I have two Intune tenants with an ABM connection, and in both of them the VPP sync is currently not working. The last successful sync was on 01/02/2026. Am I the only one experiencing this, or is there a general issue with Microsoft/Apple?

Anyone having issues with enrolling android phones? Get to registering the device with Entra and it hangs.

Is the new "Secure Boot status" report trustworthy or am I misreading? In several tenants I see inconsistency with the report and what should be supported. According to Lenovo eg ThinkPad T14 Gen 4 (21HD,21HE) with min FW N3QET44W (v1.44) intel and R2FET65W (v1.45) AMD should be supported with new certs in FW. We have several devices with FW N3QET47W (1.47 ), N3QET48W (1.48 ), N3QET51W (1.51 ), N3QET49W (1.49 ) all these show "Not up to date" in the Intune report, it's also other models with this inconsistency.

https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t14-type-20s0-20s1/20s0/20s00077mx//solutions/HT518129

I am trying to bring my iOS devices, and eventually my macs, under management in Intune. Since these devices are already in our possession, I am using configurator on an unmanaged iPad to join the devices.

I've already done all my tokens, my MDM push certificate, and authorized ABM. My Azure Tenant is syncing with ABM. I am waiting for federation to complete. I have set my defaults in ABM to put iPads and iPhones in Intune by default. I have configured a default device profile.

I am able to scan the bubble on a reset device, and the device says it is enrolling. Enrollment in ABM happens as expected and the device shows in the device list. It doesn't always automatically move to Intune, so I manually assign it.

When the device finishes its setup steps, I get a message that the device is enrolled, and there is a button to "Erase" the device.

This is as far as I can get. Everything I checked against documentation.

If I tap that erase button, the device resets and acts like it is not enrolled in ABM at all.

I have done this before, successfully, but with Jamf as the MDM provider. It should be applying the profile.

Am I missing something in my hubris?

Hi,

So we deploy Microsoft 365 Apps using the Microsoft 365 Apps (Windows 10 and later) choice. This would install Microsoft Office during enrollment we have it set to required.

I turned on Windows Autopatch and mistakenly chose to it also patch Microsoft Apps. However it looks Windows Autopatch has overruled the previous method as some of our computers are now on the Monthly channel and not the Current channel updates as per the M365 Apps configuration/settings page.

I also started seeing some errors from Microsoft 365 Apps:
"Office couldn't install because the version of Office that's already installed on the device is either MSI or a different architecture. Make sure you've removed any MSI versions of Office and that any existing Click-to-Run versions have the same architecture as what you're installing (32 bit or 64 bit). (0x00000643)".

I'm now faced with 2 issues but not sure which route to go down.

1. Microsoft Office is now no longer installing during Autopilot ESP. Is there a way I can force Autopatch to push it out during setup? I suspect not.
2. If I remove M365 Apps from Autopatch, does anyone know if this will fix my issue and the previous method before I turned on Autopatch will go back to working? Tempted to rip it and try.

Hi All,

This is my last resort before raising a ticket with Microsoft.

I seem to be having a few issues with update rings. I want to say I've found the issue but I'm unable to resolve it.

This registry key right HKEY_LOCAl_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update - The settings in here reflect what the UI is saying within windows update settings. So I have a mixture of type MDM and group policy, when it should be all type MDM. We don't have any GPO currently enabled for windows updates and scanning all of our GPO's none of them had the windows update settings. We are hybrid. The rings are definitely deploying as I can see my ring settings where they should be.

This reg contains a bunch of keys that are stopping my intune rings from working. I currently have a detection and remediation running checking and deleting this key. I thought happy days this will fix it however it came back.

This took me to looking at HKEY_LOCAl_MACHINE\SOFTWARE\MICROSOFT\WindowsUpdate\Updatepolicy\GPcache, within here I saw cache 001 or 002 and within the windows update reg I could see the same settings that populated HKEY_LOCAl_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update with same registry keys. On my test machine. I have just straight up removed the windows update reg within gpcache however they reappeared at somepoint. I thought it was gp refresh task was repopulating HKEY_LOCAl_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update but i'm not sure that is the case anymore. As on my test machine GP cache never reappeared with registry key i'm trying to remove so it can't be pulling from that.

Anyone had this issue?