r/Intune

▲ 6 r/Intune

Bought a used laptop that still has Windows Autopilot. Can the previous company still monitor it?

Hi everyone,

I recently bought a used ThinkPad T14s Gen 4 and i wanted to perform a completely clean installation of Windows 11.

The installation itself went fine, but as soon as I reached the OOBE setup and connected to Wi-Fi, Windows recognized the hardware hash, and immediately displayed the previous company's corporate sign-in page and locks me out...

I know I can bypass this using:

"OOBE\BYPASSNRO"

... Which is exactly what I did. AFTER I formatted it AGAIN and never connected to WiFi. After that, I completed the installation normally and installed all Windows updates.

I've contacted the seller, but I'm still waiting for a reply.

My question is: Can the previous company still monitor or manage the laptop after using the OOBE\BYPASSNRO trick, or does that simply bypass the Autopilot setup?

I'm honestly a bit worried that they might still have some kind of access to the laptop. Any insight would be appreciated!🙏🙏🙏

reddit.com
u/Airballons — 6 hours ago
▲ 24 r/Intune

Intune EAM Auto-Updates are now GA!

Enterprise Application Management isn't new, but automatic updates for Enterprise App Catalog apps now are. And the timing couldn't be better—just before the summer break. ☀️

If you're using Microsoft 365 E5, EAM is now included, allowing you to automatically keep supported applications up to date with minimal effort.

In this short blog, I cover:
✅ How to enable Auto-Updates
✅ Important caveats to know
✅ What the end-user experience looks like

Read more here.

https://www.xplorethecloud.nl/l/auto-update-eam-applications/

u/jithinB_Dev — 7 hours ago
▲ 4 r/Intune

Device Compliance, BitLocker, and BIOS Updates

Greetings,

Background: Financial services org with 900-1000 Windows devices under management in Intune. Userbase is made up of advisor teams, each determining their own schedule and travel plans. Management wants to restrict access exclusively to company issued devices which I'm planning on doing through Conditional Access and the "Require device to be marked as compliant" control.

The self-test and IT team test has gone well, but the most common non-compliant scenario appears to be BitLocker suspending when a BIOS update is pending. Before I roll this out to the triple digits I'm trying to see if I'm misunderstanding something.

Question: When requiring device compliance how are you managing BIOS updates and mitigating users being locked out when those updates require suspension of BitLocker?

  • Are you using the "Require encryption of data storage on device" or the "Require BitLocker" control in your compliance policies? Both?
  • Are you making use of grace periods and email notifications?
  • Are you using WUfB/Autopatch, vendor tools, and/or remediation scripts to schedule/distribute BIOS updates?
  • If using WUfB/Autopatch, which update behavior are you using? (notify, install, install and restart, etc.)

Additional details: We're mostly Dell, and our non-Dell devices are getting phased out. I know I can use DCU with ADMX or scripting to manage the application of BIOS updates independently of WUfB, but again I'm not sure I've figured out a way to have it nudge the user to update without locking out the user hours or even days before the reboot deadline.

Any help or insight is appreciated.

reddit.com
u/SwanTron86 — 5 hours ago
▲ 15 r/Intune

are browser extensions a real security risk for enterprises or are we overreacting

so been going back and forth on this with our security lead. the extensions get installed with almost no friction, and most users never read the permission scopes at install time,... and the assumption a lot of people have (that once you approve an extension you're done thinking about it) isn't right.

what worth being precise about the actual mechanism here since it changes where the real risk sits. chromium based browsers disable an extension and force a re-approval prompt when it requests a permission scope increase, so it's not a silent bypass the way people assume. now the risk is that users click through that prompt without reading what changed, which means the control exists but gets defeated by habit,..like not by a gap in the browser itself.

so separately, an extension with broad host permissions can read and modify anything rendered in the browser, which by now covers most of the sensitive work happening on a given laptop..: SSO sessions, internal tools, and whatever genAI tab someone has open next to it.

we did an inventory pull last quarter and found extensions installed months ago for a one off task that nobody ever removed, several with permissions nobody remembered granting. like store review processes catch some malicious ones after the fact but that's reactive, not preventive.

what are other teams doing here beyond just a hard block list. does anyone have a workable middle ground between "no extensions ever" and "anything goes"?

reddit.com
u/Alone_Bread5045 — 14 hours ago
▲ 9 r/Intune+1 crossposts

Additional Speakers Announced for Workplace Ninjas US 2027 and Day 1 Keynote!!

Hi Everyone,

It's our pleasure to introduce the second set of speakers for Workplace Ninjas US, who already join last week's first set of announced speakers: Jonah Andersson, Edine Olijve-Watkinson, Ru Campbell, Nathan McNulty, Simon Binder, and Michael Niehaus

Firstly, we announced our Day 1 Keynote will feature two amazing Microsoft people for our Day 1 Keynote: Sangee Visweswaran and Lavanya Lakshman, both great leaders on the Intune Product Team!!

Now, today we're happy to officially announce these 6 speakers who will be part of the very strong group joining us in Scottsdale, AZ:

Rudy Ooms was unofficially announced on a podcast but let us officially introduce you to the master of #reverseengineering #MSIntune who knows his way around #DLLs and pretty much everything else in Intune. He's going to be doing a few sessions that have never been done before. He is alone worth the price of admission. Get ready for a Rudy you've never seen before!

Johan Arwidmark is one of the smarter people in the #MSIntune world, specializing in things like #OSD, #SCCM, and so much more.

Mona Ghadiri is another special person who made an amazing name for herself with her amazing work in Dallas with our #scholarship recipients showing the power of true mentorship. She was one of the first #securityCopilot MVPs and is a great person to know.

Donnie Taylor is one of our favorite people, who does some amazing #AI work, as shown in his session about n8n at #WPNinjaSUS Dallas in April. He's got a few more captivating sessions that you don't want to miss.

Lindsay Shelton is one of our favorite #Copilot people today. Her Intro to #PowerAutomate in Dallas last December was one of the top sessions of the week.

Oktay Sari rounds out our group this week. Oktay is one of the experts on #iOS and #MacOS for #MSIntune. We'll be extending our #MSIntune sessions in Scottsdale covering more platforms and he will be a major part of that strategy!

Let's be honest, 70 degrees in January is a great idea, and we have a ton of really dynamic and interesting things planned to make this a can't miss event unlike anything people have seen in recent memory.

Read our "Why Attend" to see why you should join us in Scottsdale: https://workplaceninjas.us/why-attend/

reddit.com
u/Electronic-Bite-8884 — 11 hours ago
▲ 4 r/Intune+1 crossposts

Microsoft Remote Help "You don't have the right permissions to help the other person"

Has anyone run into this issue with Microsoft Remote Help?

Remote Help has been working fine in our tenant for about two years. Recently, when I click Get a security code, I receive:

"It looks like you don't have the right permissions to help the other person."

Nothing changed on my side except I decreased the licensing count for the Microsoft Remote Help, and it set to 'Schedule this change for', although I'm not certain that's related but I have a strong suspicion it is.

Has anyone seen this before or found a solution?

reddit.com
u/vane1978 — 13 hours ago
▲ 3 r/Intune+1 crossposts

Global Secure Access not working on Self-Deploying-Autopilot Device

Hi,

we have been Global Secure Access for quite a while now and so far, so good. I'm now confronted with one device, that does not want to login to the app: no error message, you get a sign-in windows, that works with SSO and all the usual, and then it just doesn't login.
The only thing that is different with this device, is that it has a self-deploying Autopilot profile. All other devices have a user-driven Autopilot profile.
Any ideas on why this won't work? Are there specific prerequisits that are not met on a self-deploying device?

reddit.com
u/doofesohr — 16 hours ago
▲ 25 r/Intune

How are you all handling Intune device certificates in 2026 — still NDES, SCEPman, or something else?

I've been going back and forth on how to issue certificates to Intune-managed devices and I'm curious what everyone else has actually settled on.

The two paths I keep landing on both have real downsides:

  • NDES is "free" and Microsoft-native, but in practice it means standing up AD CS + IIS + the Intune Certificate Connector and keeping all of that patched, monitored and alive. It works, but it's a lot of surface area for what is conceptually a simple job.
  • SCEPman is genuinely well-built and takes most of that pain away — but it's Azure-native/cloud and priced per user, which doesn't fit every environment (air-gapped, cost-sensitive, "keys must stay on our own tin", etc.).

What I'm trying to figure out: for those of you who want this self-hosted and on your own infrastructure — not in Azure, not per-seat — what are you actually running? Are people still grinding through NDES? Rolling their own with a plain SCEP server + FreeRADIUS? Something else entirely?

Full disclosure so I'm not being sneaky: this exact frustration is why I ended up building my own thing — a single-container SCEP appliance with its own issuing CA and bundled RADIUS for Wi-Fi/wired EAP-TLS, configured through a web console (it's in a free beta). I'll keep it to that and drop a link in the comments only if people are curious — I'm genuinely more interested in how others are solving this and whether the fully self-hosted angle even resonates, or if everyone's happily cloud-first now.

A few specific things I'd love takes on:

  1. Is NDES/connector maintenance still a real pain point for you in 2026, or have you moved past it?
  2. If you're on-prem/self-hosted for certs, what does your stack look like today?
  3. What would it take for you to trust any third-party tool to issue certs on your network?
reddit.com
u/SeasonOld6926 — 1 day ago
▲ 4 r/Intune

Registration token update

Hello,

How do you handle a situation where the registration token of a Win32 app (in the install command) needs to change? Do you need to assign the current devices to uninstall the app?

Thanks in advance.

reddit.com
u/ibteea — 17 hours ago
▲ 1 r/Intune

Surface Pro Mic

Anyone notice Surface Pro mic input being broken after the last QU? Even though the driver for the device is still a 2024 release?

reddit.com
u/0xCG — 18 hours ago
▲ 8 r/Intune+1 crossposts

MFA during Intune device Web Sign-in

Scenario:

I have a shared Entra-joined and Intune managed device where I would like for it to prompt for MFA (Microsoft Authenticator) during the Web sign-in authentication method.

Is this possible?

I have a CA policy that requires authentication strength for all cloud apps, but for the life of me I can’t get it to work with Web sign-in. WHfB is not an option since this device could be used by more than 10 people.

Any help is appreciated!

reddit.com
u/MrBigTicket — 1 day ago
▲ 5 r/Intune

Properties Catalog

Anyone using this noticed ghost conflicts? I enabled the Application Properties and several devices report a conflict for the Uninstall Command Property. The devices in question have no other policy assigned reporting a conflict with it.

reddit.com
u/0xCG — 1 day ago
▲ 3 r/Intune

Packaging Help (Microsoft Visual Studio) Windows 11

I am trying to package the newest version of Microsoft visual (18.7.2) studio for my company and I’m running into a ton of trouble.

I am using a vm to package and I have a .ps1 my install.cmd calls to for the application options. When the install finishes I am told a new version of the app is available and it forces closes. When I check the versions it says I have the newest version.

Has anyone had this issue with any other apps? If so what was the fix?

UPDATE: The issue was the VM I was using, when doing it the exact same on a regular test machine in the office, the app works fine.

reddit.com
▲ 30 r/Intune

Auto Update Chrome via Intune

Having a mare getting Chrome to auto update on windows. The package is deploying but is not installing unless the browser is opened, which means it’s reliant on the end user using the browser- so at anytime we probably have 4 iterations across the estate. ADMX is set to update (value 1 in the policy) and the check time is 240 mins. Any ideas?

reddit.com
u/Cheese-Burrito-66 — 2 days ago
▲ 14 r/Intune

Is modifying the Windows hosts file via Intune Remediation Powershell script still supported? Cause I get an Access Denied Error.

Hi everyone,

I'm trying to deploy a simple modification to the Windows hosts file using Microsoft Intune with a Remediations Powershell script but the modification is always denied on my devices.

I've seen this method on various websites and here one reddit, and I've tried it with Add-Content and Set-Content, but it doesn't work.

Source :
https://www.nielskok.tech/intune/set-hosts-file-via-intune/
https://cloudinfra.net/update-add-append-entries-in-hosts-file-using-intune/

Before I spend more time troubleshooting my environment, I'd like to know:

Has anyone successfully modified the Windows hosts file through Intune recently?
If yes, did you use a Remediation script as described in the sources?

I'm mainly trying to determine whether this is still a supported/reliable approach or if the issue is specific to my environment.

Thanks!

u/Massive_Age8849 — 3 days ago
▲ 8 r/Intune

Intune - Roll back June KB5060829 (P4W issue) for affected users only?

We’re using Microsoft Intune and have paused Windows quality updates across the firm due to issues with the June cumulative update (KB5060829) affecting P4W.

Our engineering team advised that Intune can’t uninstall a specific KB. The Uninstall latest quality update action only removes the latest cumulative update, so without changing the overall update/build configuration it isn’t practical for us to roll back only the affected devices.

If we resume updates and more users are affected, is there another approach?For example, could we package a script/app in Company Portal that allows affected users to uninstall KB5060829 themselves and roll back to the previous cumulative update, or is that not supported for modern Windows cumulative updates?

reddit.com
u/MEDITATIONUNITY — 4 days ago
▲ 5 r/Intune

Intune mass iPhone deployment

Hello guys,

This is my 3rd Intune migration within different companies I worked for but I am still new to the management environment. I was always was part of the L3, meaning I was doing the repetitive manual work with users.

I have googled, searched this and other subreddits but can't get much help.

Scenario: I already have 500+ iPhone 17 assigned to Intune and now I have to start each device go through the Hello setup and enroll the devices to Intune so they are all centrally managed. Apps are downloaded automatically but I still need to login to each app with each of the 500+ user accounts. The MDM environment itself is ready.

My main concern is that it is very labor intensive and time consuming to do all of this devices. Deadlines are tight.

Is there any way to streamline the preparation before handing to users?

I saw a video where this dude is using a wired Logitech gamepad controlling multiple iPhones at the same time and doing all the common setup at the same time. I suppose it was some sort of USB switcher KVM that he connected the gamepad and iPhones to. I honestly don't know what solution he was using but that alone would be very helpful.

Have anyone used that before? What is the setup to get that working? Do I need extra software?

What is better than preparing each device by hand?

Your expertise is very much appreciated.

reddit.com
u/AccomplishedSwim2998 — 4 days ago
▲ 5 r/Intune

Yardi Maintenance Mobile MDM app configuration

Does anyone know if it's possible to use an iOS MDM app configuration profile (I'm using Intune) to configure the connection settings without having to use a QR code/URL? Does Yardi's app expose configuration key/value pairs and does anyone know the schema?

The QR code is not that annoying but it would be nice if our users could simply start using a pre-configured app.

reddit.com
u/DeanTheMeanMachine — 3 days ago
▲ 6 r/Intune

OOBE Update KB5095189 leads to Enrollment Error 0x87d1041c

Hey everybody,
recently, we've seen many Autopilot deployments (Win11 24H2) failing with error code 0x87d1041c in the device setup phase after the first user login.

After reviewing the logs, we found out that the OOBE update KB5095189 enforced a restart. Unfortunately, this restart happens in parallel to an ongoing Win32app installation. After the restart, the "interrupted" app is not detected => Error, because the app is one of the blocking apps in our ESP profile.

The devices were all pre-provisioned. Our colleagues turned them on and we could see the automatic app detection and update installation before any user interaction. After the user login, we could see the error in the device setup phase.

Does this issue sound familiar to someone else? Is there anything we could do?

reddit.com
u/unoquattro — 4 days ago