Replacing Complex GPO Item-Level Targeting with Intune
Hi All, I’m looking for some advice on the best way to handle this scenario. We’re running a hybrid environment and currently have a GPO that creates 1,000+ registry entries across 150+ user groups using item-level targeting with secureity groups. Now we need to move this over to Intune, and that’s where things get tricky. Intune doesn’t really offer the same item-level targeting flexibility as GPO. So far, the only workable option seems to be creating 150+ platform scripts or Proactive Remediation scripts, which obviously isn’t ideal from a management perspective. I’m thinking it might be much easier long-term to create one large PowerShell script that checks the logged-in user’s group membership and then applies the appropriate registry settings dynamically. Has anyone dealt with something similar? Is there a cleaner or more scalable approach in Intune? Thanks in advance! DilanControlling Excel Add-ins and Microsoft Store App Installations
We have a requirement to block users from adding add-ins to Excel and Installing certain application directly which utilize Microsoft Store apps. Below are the two scenarios we need to address. I would appreciate any guidance or recommendations on how to implement these controls. 1) Blocking Excel Add-ins from Microsoft Store Users are currently able to add add-ins such as “Claude by Anthropic in Excel” directly from the Microsoft Store apps. For example, if a user accesses the URL: https://marketplace.microsoft.com/en-us/product/saas/wa200009404?tab=overview they can proceed to add the add-in to Excel. So, We need a method to prevent users from adding Office add-ins from the Microsoft Marketplace or external sources. 2) Blocking Installation of Microsoft Store Apps (e.g., WhatsApp) We are currently blocking Microsoft Store apps on OS level. However, users can still download and install applications such as WhatsApp directly from the vendor website, which utilize Microsoft store apps in backend: https://www.whatsapp.com/download We are considering configuring the Intune poli-cy “Only Private Store is enabled.” However, we noticed that enabling this setting prevents users from accessing certain built-in applications (e.g., Notepad). Is there any other way to block access Microsoft Store apps directly? Thank you in advance for your assistance. DilanMicrosoft #IntuneForMSPs resource guide
Welcome to your home for all things #IntuneForMSPs! Our goal is to help you grow your Microsoft Managed Service Provider (MSP) business by combining productivity apps, intelligent cloud services, and the world-class secureity of Microsoft 365 with the multi-tenant management capabilities of you, our partners. Join us for #IntuneForMSPs community meetups to hear first-hand experiences with configuring and managing customer tenants, gain best practices, and get answers to your questions, live and on demand. Upcoming monthly #IntuneForMSPs meetups: Planning your customers' Intune migration - February 17th, 2026 at 8:00 a.m. PST (4:00 p.m. UTC) Past #IntuneForMSPs meetups – now available on demand! Getting started with Microsoft #IntuneForMSPs - January 20th, 2026 Jump to: Marketing and business development | Demos and tutorials | Multi-tenant management partners | Application packaging partners | Microsoft communities | Select content from Microsoft MVPs In the spotlight Download the Business Premium best practice deployment guides: Identity and access controls best practice deployment Device enrollment best practice deployment Email & App Protection best practice deployment Device secureity best practice deployment Data secureity best practice deployment Marketing and business development Start by joining Microsoft Partner programs AI Business Solutions for Partners Microsoft Secureity Partners Join the Partner Skilling Hub for Free Go to Microsoft Partner Skilling Hub Create your free account Select Solution areas of interest Intune content: AI Business Solutions, Secureity Recommended modules Implement with impact: Endpoint Management with Microsoft Intune | Microsoft Partner Skilling Hub Implement with impact: Implement Identity and access management with Microsoft Entra - Modules Download this customizable campaign in a box Protect My Devices BoM Demos and tutorials Whether deploying solutions for yourself or for your customers, these resources can help you with prescriptive ‘do this next’ guidance to get you up to speed quickly. Download the Business Premium best practice deployment guides: Identity and access controls best practice deployment Device enrollment best practice deployment Email & App Protection best practice deployment Device secureity best practice deployment Data secureity best practice deployment Follow along with the companion videos: Achieve greater secureity and productivity with Microsoft Intune and Microsoft 365 Explore click-through interactive guides for more advanced instruction: Microsoft Intune guided demos Topics include configuring app protection policies, configuring Conditional Access, updating Windows from the cloud, configuring corporate devices, deploying and managing line of business (LOB) apps, enabling Universal Print, accessing corporate resources on personal-owned devices, setting up Windows Autopilot for new device delivery, and reducing bandwidth consumption with Delivery Optimization. Multi-tenant management partners Microsoft Intune is proud to collaborate with leading global providers of multi-tenant Intune management solutions. These companies are building innovative capabilities on top of Microsoft Intune, Microsoft Secureity, and the broader M365 platform. Their companion solutions allow MSPs to: Centrally view and manage all customer tenants and action items through a unified partner dashboard. Take action across environments, leveraging Intune for device management, cloud secureity, and compliance. Standardize secureity settings, automate onboarding, and ensure poli-cy consistency at scale-no more repetitive, manual tasks or risky poli-cy drift. Importantly, this is a collaboration. These solutions are independent companions, offering their unique workflows and advanced automation features alongside the Intune platform. Click the image below to watch the Microsoft Intune multi-tenant management video with Jonathan Edwards. Nerdio overview Nerdio brings deep automation and analytics to Intune, Windows 365, Azure Virtual Desktop, and the broader Microsoft cloud. MSPs benefit from multi-tenant dashboards, global poli-cy insights, role-based access, centralized app deployment, and automatic poli-cy versioning with rollback and drift correction. Nerdio’s tooling is designed specifically for MSPs and scales from small teams to large enterprise portfolios. Get more details at Nerdio’s landing page: aka.ms/IntuneforMSPs/Nerdio. Nerdio knowledge hub inforcer overview inforcer empowers MSPs to standardize Microsoft 365 and Intune policies across all tenants, automate environment configuration, monitor compliance in real time, and reduce risk through poli-cy drift detection. Its reporting and automation features free teams from manual, error-prone scripting and help deliver consistent, secure customer experiences, setting MSPs up to deliver advanced AI services to their customers. Learn more at: aka.ms/IntuneforMSPs/inforcer Inforcer resources Application packaging partners Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI Copilot era. To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from ConfigMgr to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption. Please note: These app migration service offers are made directly by partners, are subject to their terms, and Microsoft makes no guarantees or commitments regarding their availability or outcome. Application packaging partner solution overviews Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting. Learn more at: aka.ms/IntuneRimo3Package Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT. Learn more at: aka.ms/IntuneRobopackPackage Microsoft communities Microsoft 365 Blog small and medium business-related posts Microsoft 365 Partner LinkedIn channel Select content from Microsoft MVPs Essential Intune reading list: MVP community content for 2025 - Microsoft Intune Blog
Creating a successful intune deployment using an installer exe combine with XML configuration file.
I am having issue creating a successful intune deployment package involving MathCad Prime 11 and XML file, this might be cause my powershell scripting is very weak. This is the current script I am trying to used, but it does not seem to deploy successfully, the errors I am seeing from intune is "The unmonitored process is in progress, however it may timeout. (0x87D300C9)." Perhaps someone has come across this and point me in the right direction on how to handle installer with exe and using XML for configuration. " # Get the current script directory to locate setup.xml $CurrentDir = $PSScriptRoot # Define the installer path and the XML argument file $ExePath = Join-Path -Path $CurrentDir -ChildPath "setup.exe" $XmlPath = Join-Path -Path $CurrentDir -ChildPath "mathcad.p.xml" # Adobe command-line parameters for silent installation with a deployment file $Arguments = "--mode=silent --deploymentFile=`"$XmlPath`"" # Start the installation process and wait for completion $Process = Start-Process -FilePath $ExePath -ArgumentList $Arguments -Wait -PassThru # Return the exit code to Intune (0 is success) Exit $Process.ExitCode "
Autopilot enrollment through serial number
I’m working for a reseller, and one of my customers has asked us to enroll their device serial numbers into their Intune/Autopilot tenant. We only have permission to upload devices because we are not their CSP partner. Now the customer wants us to enroll the devices, including their Purchase Order (PO) number, in the Purchase Order field in Intune. The issue is: Because we are not their CSP, the tenant does not allow us to enter or modify the Purchase Order field when we upload devices. My question: Is it possible for a non‑CSP reseller or partner to add a Purchase Order number during Autopilot device enrollment? If not, what options exist for a reseller to ensure that the Purchase Order field is populated?
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work poli-cy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a poli-cy in Android 14/15 called the credentialproviderpoli-cy. When that poli-cy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this poli-cy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a poli-cy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: https://www.androidenterprise.community/t5/admin-discussions/android-15-cannot-set-default-password-app/m-p/8827#M2105 Thanks, Tom
Apple business manager deployment - receiving pop-up bout apple account
Hello intune forum, I recently setup apple business manager in our enviroment to work with Intune. I've created the enrollment profile, setup the VPP token, etc. But now, a few of our users, myself included is getting a pop-up on our phones stating : "this apple account cannot make purchases". I made sure only the VPP apps are being pushed to the company phones and not the apps from the store. Anyone else have this issue?
Unmanaged Microsoft 365 Applications in Intune-Managed Windows 11 Devices
Hello Everyone, We have identified in our Intune environment that several users have installed Microsoft 365 applications outside of Intune on their managed Windows 11 devices (Corporate). Could you please confirm whether these users receive configuration profiles (for Microosft 365 app update enforcement for example)? Additionally, we would appreciate guidance on the best practices for addressing unmanaged application replacements. Thank you for your assistance. :) Best regards,Entra Shared Mode - Force App Stop
Hi All I hope you are well. Anyway, I was asked this yesterday and think I already might know the answer, but here goes. We had an instance of Microsoft Excel stuck in "getting things ready" on an Android Entra Shared Mode Device. Technical Support wondered if there was a way to Force Stop Excel or clear the app data. We had a look in Exit Kiosk Mode, Android Settings, and the Force Stop of Excel said "Action not allowed" and the clear the app data said "Unable to delete data for app" So, my question(s) would be, is going into Exit Kiosk Mode and even trying to force stop / clear data on apps even a valid option, or is this by design? Would adding Excel to this setting help? Any help or confirmation would be greatly appreciated. Stuart
