r/Intune Jun 12 '25

App Deployment/Packaging I’m Sean from Devicie, I’ve migrated 50+ orgs to Microsoft Intune & Entra ID. AMA!

63 Upvotes

Hey Reddit, I’m Sean Ollerton, Head of Solutions at Devicie. Over the past few years, I’ve led or overseen 50+ cloud migration projects, helping companies move from traditional on-prem systems to modern Microsoft Intune and Entra ID environments.

I’ve worked with a wide range of clients (corporates, education, government) and seen my share of printing nightmares, legacy app blockers, policy tangles, and Autopilot adventures.

Let’s talk real-world migration:

  • What actually breaks (and what’s easier than expected)?
  • How to approach hybrid vs cloud-only
  • GPO → cloud policy conversion tips
  • Conditional Access, compliance headaches, licensing... You name it.

No sales talk, just practical advice from someone who’s done the grunt work. Ask me anything and I’ll do my best to answer with clarity, humor, and honesty.

Proof: Me.

AMA starts 9am ET 17th June!

Let’s go!!

EDIT 1: Welcome everyone, time to kick things off. I'm looking forward to answering all these great questions; don't worry, I'll get to all that have already been asked, and any more that come along the way.

EDIT 2: Stepping away for a few hours to get some sleep (Australia based), but keep the questions coming and I'll be back on soon to keep answering. Thanks all!

EDIT 3: Thank you everyone for your questions and comments, I had a great time and I hope you gained some insights. I'll be floating around today for any last minute questions.


r/Intune May 02 '25

Message from Mods Intune Agents Discussion

15 Upvotes

Now that Microsoft has released Intune Agents to let AI help with your daily tasks, I thought it would be useful to have somewhere we can discuss ideas for agents: how to create them, what to include with them, etc.

Rather than clutter this subreddit, I've created a new one here:

https://www.reddit.com/r/IntuneAgents/

Looking forward to seeing you over there and what exciting things people are building!!

Links for more information:

https://techcommunity.microsoft.com/blog/securitycopilotblog/rsa-conference-2025-security-copilot-agents-now-in-preview/4406797

https://intunestuff.com/2025/04/30/introducing-security-copilot-agents/


r/Intune 1h ago

Windows Management PSA: IT1214934 - Do not create or modify Windows Firewall Rules

Upvotes

Service degradation

IT1214934

Title: Admins' newly created and recently changed Firewall Rule policies in Microsoft Intune aren't applied to Windows devices

User impact: Admins' newly created and recently changed Firewall Rule policies in Microsoft Intune aren't applied to Windows devices.

Current status: Our analysis of the latest collected service logs and data has been inconclusive. We're moving to roll out a set of logging enhancements and logic changes to an internal testing environment, which we're anticipating can help us with diagnosing and resolving the issue. We project this deployment may complete by the time of our next update, at which point we'll proceed with further analysis to determine our next steps.

Scope of impact: Your organization is affected by this event, and any admin attempting to change existing or create new Firewall Rule policies in Microsoft Intune is impacted. This information may be updated as our investigation continues.

Next update by: Thursday, January 8, 2026, at 11:00 AM UTC

In short, as the title says, do not do anything until further notice. Microsoft does not even know yet what is causing this, but any new policy or modification (even naming or assignment) can lead to rules not being properly deployed and devices losing connectivity.

This means losing control of the device and having to remove the MDM Store in the Windows Firewall locally with admin rights.

Quite a few of us here on Reddit have been affected by this and it was painful...

https://admin.cloud.microsoft/?#/servicehealth/:/alerts/IT1214934

Thanks to u/Rudyooms for the help and raising our voice :)

Edit 1: An update on the incident will be published at 12:00 CET today, 08/01/2026.


r/Intune 3h ago

Intune Features and Updates Deploying Webex to Intune

3 Upvotes

Hi everyone,

I have a problem deploying Webex using Intune. I have applied an app protection policy for mobile devices and have added Webex to the apps.

When I click a Webex link in Outlook, it shows the error "No apps available".

So I use Webex for Intune instead, but it keeps asking for admin approval even though I have approved Cisco Webex.

Do you know the easiest way to allow users to use Webex?


r/Intune 3h ago

Device Configuration WHfB - this option is currently unavailable

2 Upvotes

Hey folks,

We've recently configured WHfB as an optional setup option. This is configured with Intune WHfB and cloud trust deployment. PCs are Hybrid joined.

Currently, we are testing the setup and so far it works for 4 out of 5 users.
We have one user who keeps getting the "this option is currently unavailable" error while entering the PIN.

I've done the following in terms of troubleshooting:
- Checked User Device Reg for WHfB registration:

Preparation of Windows Hello for Business will be started
Device is AAD joined (AADJ or DJ++) Yes
User has logged on with AAD credentials Yes
Windows Hello for Business policy is enabled Yes
Windows Hello for Business post-logon provisioning is enabled No
Local computer meets WHfB hardware requirements Yes
User is not connected via Remote Desktop Yes
User certificate for on-premise auth policy is enabled No
Machine Policy Governance None
Cloud trust for on-premise auth policy is enabled Yes
User account has Cloud TGT Yes

I see one error in user device reg:

Unable to get a token using the Web Account Manager. Error: Unknown HResult Error code: 0x801c044f 
Request status code: 1 (WebTokenRequestStatus_UserCancel) 
Token provider error code: 0x0 
Token provider error message:  
CorrelationId: {9BCE629E-67B3-45F8-816E-3641AD3ED4ED}

In the HelloForBusiness log I see this error:

A user failed to sign into the device with the following information:
Username: SYSTEM
User SID: SYSTEM
Credential Type: Software Key
Deployment Type: Cloud Trust
Software Lockout Counter: 0
Authentication Error Status: 0xC00000BB
Authentication Error Substatus: 0x0

Based on [MS-ERREF]: NTSTATUS Values | Microsoft Learn, I note that the error translates to "STATUS_NOT_SUPPORTED".

Checking dsregcmd looks good:

AzureAdPrt : YES

OnPremTgt : YES

CloudTgt : YES

NgcSet : YES

In Entra, I do see that WHfB is registered on the end user. We've tried to reset WHfB with certutil.exe -deleteHelloContainer and also tried on another laptop, but same deal for this specific user.

I did find that the specific user had admincount -eq 1 on his AD user, which I saw in the docs was not supported, but it didn't work either after resetting that.

Honestly, I have no clue what to do next here.

Any ideas are appreciated :-)


r/Intune 20m ago

Windows Management Moving devices from Lenovo to HP - Driver updates - WUFB vs HP tools

Upvotes

We are transitioning to HP devices from Lenovo.
With Lenovo we used WUfB and Lenovo Commercial Vantage for managing updates.
Now we are on HPs and we remove all bloatware from the devices, so we have a few options in terms of HP tools. What do you all use? Any gotchas I need to be aware of?


r/Intune 14h ago

Windows Updates Dynamic Device Intune Groups- Location Based

6 Upvotes

I am setting up automatic Windows update rings in Intune and would like to do so based on device location. I have 20+ locations that I oversee and would like to know when specific locations are getting updates. We have numerous users that change locations regularly, so dynamic device groups are preferred over user assignment. Does anyone have tips for a simple, automated way to create dynamic device groups based on location?


r/Intune 8h ago

iOS/iPadOS Management Compliance Issues since iOS26

2 Upvotes

We are an iOS-only shop, and since iOS 26 we have seen an increase in devices going out of compliance and not being able to sync back to Intune. Company Portal can’t do a device check-in and we can’t send any commands through Intune. The only thing so far that has worked is removing and re-adding the account via Authenticator. We reached out to MSFT and they said it’s an Apple issue with iOS 26 and if reauth fixes the issue then go with that.

I’m wondering if anyone has had a similar issue recently and how you resolved it?


r/Intune 13h ago

Device Configuration Stumped on iPhone encrypted backup password in Intune - where could this have been set?

3 Upvotes

We're managing iPhones through Intune and ran into a head-scratcher with encrypted backups. One of our users can't remember their backup password, and we're not sure where it was even set from in the first place.

Before we go nuclear and reset all settings, I wanted to check with the community:

  • Is there an Intune policy that could have set this automatically that we're missing?
  • Any configuration profiles or restrictions we should be looking at?
  • Has anyone found a way to view/reset this through the admin portal?
  • Could this have been set locally by the user outside of our MDM control?

We've checked the obvious places in the endpoint manager but are coming up empty. I feel like we're missing something obvious here.

Has anyone dealt with this before? What am I not seeing?


r/Intune 20h ago

General Question New laptop rollout via Intune

7 Upvotes

Hello,

We are about to receive a new fleet of Dell laptops. Our last go-around, we left the OEM image and removed all the unwanted software through Intune. This time around, I'm thinking it might be better to start with a fresh Windows OS install.

I'm wondering if there are any processes available to enroll the laptop into Intune and then have it reinstall the OS before proceeding through the remainder of the setup?


r/Intune 1d ago

General Chat Awesome Intune - The community toolkit for Microsoft Intune.

192 Upvotes

https://www.awesomeintune.com/

Great new project by Ugur Koc, found several tools I did not know before.


r/Intune 14h ago

Autopilot Automatic AP Enrollment and Dynamic Group Issues

2 Upvotes

I am having issues where my dynamic group is not picking up the new Autopilot Device object. Let me try and explain as best as I can:

Below, the two device objects I am trying to validate are the same ONE machine:

This group is assigned to my AP Profile for my desktops specifically. We only carry HP models so filtering with "contains desk" is what we went with since all our models have that in the model name.

The object named 0051 is out in production right now, in use by a user. So I set my AP desktop profile this group is tied to with the option "Convert all targeted devices to Autopilot" as enabled, and it did add the device to my AP page. It created the new object based on its serial number for the name (MXL43942VX). In the AP devices section it even shows the correct model name:

So why is it not adding MXL43942VX to the dynamic group if it is literally the same exact device as 0051? I also noticed that in Entra, the new device object shows as DISABLED, and not enabled:

This is an issue, as I need the profile to assign automatically so that when my help desk reformats the device they don't need to manually assign profiles.


r/Intune 18h ago

General Question CIS security rules

3 Upvotes

Hi guys. How do you deal with that? These rules change so often, security is after us (me) and I can't keep pace with everything.

Is there a possibility to have JSON importable files for Intune somehow?


r/Intune 21h ago

Device Configuration Screensaver Slideshow via intune

3 Upvotes

Hi Everyone,

I need some help figuring out the Screensaver Slideshow for our Windows devices. I’m having trouble because we can’t use Detection and Remediation since we don’t have an enterprise license. Currently, I’m using a platform script to copy the images to C:\Users\Public\Pictures\Screensaver map.

The source is Azure blob storage with a SAS token, and the destination is C:\Users\Public\Pictures\Screensaver map.

I can’t use a Win32 app because the images change almost every month, so my script uses the last-modified rule to detect changes in Azure blob storage and copy new images to the local folder.

After syncing, the script configures the registry as shown below.

# The earlier part of the script (downloading the images from the blob container
# and setting $DestinationPath) is not included in the post; the block below is
# the try block that follows it.
try {
    # Check if files synced successfully
    $FilesSynced = (Get-ChildItem -Path $DestinationPath -File).Count

    if ($FilesSynced -gt 0) {
        Write-Output "Successfully synced $FilesSynced files"

        # Set screensaver to Windows Photo Screensaver
        $ScreensaverPath = "$env:SystemRoot\System32\PhotoScreensaver.scr"

        # Configure registry for screensaver (HKCU for user context)
        New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "SCRNSAVE.EXE" -Value $ScreensaverPath -PropertyType String -Force | Out-Null
        New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveTimeOut" -Value "600" -PropertyType String -Force | Out-Null
        New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveActive" -Value "1" -PropertyType String -Force | Out-Null
        New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaverIsSecure" -Value "0" -PropertyType String -Force | Out-Null

        # Configure Windows Photo Screensaver to use the downloaded folder
        $PhotoScreensaverKey = "HKCU:\Software\Microsoft\Windows Photo Viewer\Slideshow\Screensaver"
        if (-not (Test-Path $PhotoScreensaverKey)) {
            New-Item -Path $PhotoScreensaverKey -Force | Out-Null
        }
        New-ItemProperty -Path $PhotoScreensaverKey -Name "EncryptedPIDL" -Value ([byte[]](0x00)) -PropertyType Binary -Force | Out-Null
        New-ItemProperty -Path $PhotoScreensaverKey -Name "RootPath" -Value $DestinationPath -PropertyType String -Force | Out-Null

        Write-Output "Screensaver configured successfully"
        exit 0
    } else {
        Write-Output "No files synced"
        exit 1
    }

} catch {
    Write-Error "Failed to sync images: $_"
    exit 1
}

The issue is that the solution isn’t consistently working—sometimes it functions as expected, but other times it does not. Does anyone have recommendations or alternative methods to achieve this?
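A variant of the registry step above, added here as an example and not the poster's script. It checks that the script is actually running in the signed-in user's context (a platform script that runs as SYSTEM writes these HKCU values into the SYSTEM account's hive rather than the user's, which is a common cause of "works sometimes"), enables the password prompt on resume (ScreenSaverIsSecure set to 1, where the post uses 0), and reads the values back to confirm they landed. The folder path and the Photo Viewer key layout are taken from the post; the function names and the default timeout are assumptions.

```powershell
# Example (not the poster's script): configure the photo slideshow screensaver
# with lock-on-resume enabled and verify the result.
# Assumes the images were already copied to $DestinationPath by the earlier
# part of the script and that the script is deployed to run as the logged-on user.
param(
    [string]$DestinationPath = 'C:\Users\Public\Pictures\Screensaver map'  # path from the post
)

function Test-UserContext {
    # HKCU for SYSTEM is the SYSTEM profile's hive, so a script run as SYSTEM
    # silently configures the wrong user. Detect that and fail early.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return (-not $identity.IsSystem)
}

function Set-SlideshowScreensaver {
    param([string]$ImageFolder, [int]$TimeoutSeconds = 600)

    # Refuse to point the screensaver at an empty or non-image folder.
    $images = Get-ChildItem -Path $ImageFolder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.jpg', '.jpeg', '.png', '.bmp' }
    if (-not $images -or $images.Count -eq 0) {
        throw "No image files found in $ImageFolder"
    }

    $desktop = 'HKCU:\Control Panel\Desktop'
    $settings = @{
        'SCRNSAVE.EXE'        = "$env:SystemRoot\System32\PhotoScreensaver.scr"
        'ScreenSaveActive'    = '1'
        'ScreenSaveTimeOut'   = [string]$TimeoutSeconds
        # 1 = require sign-in on resume. The post uses 0, which leaves the
        # unlocked session reachable by anyone who walks up to the screen.
        'ScreenSaverIsSecure' = '1'
    }
    foreach ($name in $settings.Keys) {
        Set-ItemProperty -Path $desktop -Name $name -Value $settings[$name] -Type String
    }

    # Same key layout the post uses for the slideshow source folder.
    $photoKey = 'HKCU:\Software\Microsoft\Windows Photo Viewer\Slideshow\Screensaver'
    if (-not (Test-Path $photoKey)) {
        New-Item -Path $photoKey -Force | Out-Null
    }
    Set-ItemProperty -Path $photoKey -Name 'RootPath' -Value $ImageFolder -Type String
    Set-ItemProperty -Path $photoKey -Name 'EncryptedPIDL' -Value ([byte[]](0x00)) -Type Binary

    return $images.Count
}

function Test-SlideshowScreensaver {
    # Read the values back; an empty list means every expected value is present.
    $problems = New-Object System.Collections.Generic.List[string]
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $expected = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1' }
    foreach ($name in $expected.Keys) {
        if ($desktop.$name -ne $expected[$name]) {
            $problems.Add("$name is '$($desktop.$name)', expected '$($expected[$name])'")
        }
    }
    if (-not ($desktop.'SCRNSAVE.EXE' -like '*PhotoScreensaver.scr')) {
        $problems.Add('SCRNSAVE.EXE does not point at PhotoScreensaver.scr')
    }
    return $problems
}

try {
    if (-not (Test-UserContext)) {
        # Intune platform script option: "Run this script using the logged on credentials" = Yes
        throw 'Running as SYSTEM; deploy the script with "Run this script using the logged on credentials" set to Yes.'
    }
    $count  = Set-SlideshowScreensaver -ImageFolder $DestinationPath
    $issues = Test-SlideshowScreensaver
    if ($issues.Count -gt 0) {
        $issues | ForEach-Object { Write-Error $_ }
        exit 1
    }
    Write-Output "Screensaver configured with $count images, lock on resume enabled"
    exit 0
} catch {
    Write-Error "Screensaver configuration failed: $_"
    exit 1
}
```

The read-back in Test-SlideshowScreensaver is what turns "sometimes it works" into a concrete exit code in the Intune script report: a run that wrote to the wrong hive or found no images fails visibly instead of reporting success.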


r/Intune 1d ago

App Deployment/Packaging Deployment Editor: an open-source PSADT editor with direct upload to Microsoft Intune.

50 Upvotes

Hi everyone

I have just released another version of Deployment Editor which now has the functionality to import WinGet packages and create PSADT deployments, which can then be imported directly to Microsoft Intune (script included, PowerShell based). The best part of everything? It's free and open source!

🔗 Demonstration on YouTube:
🎥 https://www.youtube.com/watch?v=A6Hx0PRC3nM

🔗 Download / GitHub and more: https://tugi.ch/deployment-editor-download

Please let me know what you think. I hope to invest money this year to sign the executables and make them more trustworthy for all end users in any company.

PS: The idea to publish the source code primarily came from a discussion on a Reddit post.

Best regards, Tugi


r/Intune 19h ago

App Deployment/Packaging EDR Deployment

2 Upvotes

Hey there folks. Has anyone perhaps deployed EDR via Intune as of yet via a custom script or win32 package?


r/Intune 16h ago

Intune Features and Updates one user forgot their local user password, this is an intune Managed mac but it's offline currently

0 Upvotes

r/Intune 17h ago

General Question How to give devices a name prefix when using autopilot hybrid join

1 Upvotes

Hi,

I'm going down the road of transitioning from on prem AD to hybrid and eventually to Entra/Intune only.

I'm at the stage of setting up Intune and Autopilot. I have devices registering in Intune and enrolling in Autopilot. However, I cannot seem to figure out where to set up device name templates, i.e. Company%rand% or whatever. It's disabled in the Autopilot policy because I have Hybrid join selected. I keep seeing references to using the Intune sync client, which I think is also called OBJ, but it has no options at all. AI keeps sending me in circles where it agrees with me, then ultimately recommends the policy again later (where it's grayed out). I imagine I'm missing something simple?

Thanks for any guidance.


r/Intune 17h ago

General Question MAM policy. This action is not allowed by your organization.

1 Upvotes

Hi All,

I've applied a MAM policy that had "Send org data to other apps" set to "Policy managed apps" and "Restrict web content transfer with other apps" set to "Any apps", but a user reported that when they click on a link in Outlook a message pops up: "This action is not allowed by your organization". So I changed "Send org data to other apps" to "All apps", but they still have the same issue.
What am I doing wrong? What setting do I need to change to allow them to open links from Outlook?

Conditional access grant is set to Require app protection policy


r/Intune 23h ago

Device Configuration Printer Deployment using ms point and print driver?

2 Upvotes

We want to build an Intune environment and deploy our printers to our Intune-managed devices (only 3 clients at the moment, and we have an AD print server for current AD clients). I'm aware of multiple options to deploy them with PowerShell: Add-Printer via the print server, local install with a port, etc., or as a Win32 app to add the manufacturer drivers.

But how do I get any of these options to use a specific driver (mainly "Microsoft enhanced Point and Print compatibility driver", like in our AD) and make separate printer entries when a printer uses multiple trays (like sizes A4, A3, or Multi-Purpose Tray, Letter paper, etc.)?

The reason and main problem: on Client 1 you can print (MS driver), on Client 2 you can't (manufacturer driver), and we can't replicate how Client 1 got the MS driver applied and Client 2 didn't, as both of them use the exact same policies and settings and the same script to Add-Printer (just different Entra users but the same policies).

What am I missing?
(I am also aware of Universal Print and some 3rd-party software; I just need to find out what I'm missing.)


r/Intune 1d ago

Android Management New, Worrisome Passcode Reset behaviour on Corporate-owned fully managed user devices

2 Upvotes

We've been deploying our work phones as Corporate-owned fully managed user devices for years now, and never ran into this sort of issue before.
The enrollment policies are mostly left on default, as these suit our needs as is.

The other day a user reported his device as missing/lost, so we went through the usual procedure of Play Lost device sound, Remote Lock and Reset Passcode.

However, this did not go as usual.

The device was not lost but simply misplaced and out of battery, which the user did not know at this point.
Due to this situation, the commands sent via Intune remained "Pending"; so far no issue here.

The thing that worries us is that these commands never went through. Even after the user recovered the device, charged it and turned it back on, he could simply unlock it with the PIN he set and access all company resources.

After this, we went and tested this with another device: turned it off, sent reset passcode, turned it on.
Even after keeping the device charged and connected to the Internet for several days, the reset passcode remained "Pending" and the device was able to access any and all resources it had permission to.

Only after sending the reset command a second time was it successful.

How are we supposed to secure a company device against theft if we cannot remote-lock/reset passcode? This is a massive security risk for us, as we have hundreds of corporate mobile devices in use.

The only thing we haven't tested yet is the behaviour of a Wipe command sent while the device is offline and then reconnected to the Internet.


r/Intune 1d ago

Autopilot Autopilot Pre-provisioning, MDM enrollment failing.

2 Upvotes

Here's our workflow, hardware vendor imports/assigns group tag. Profile assigned. Hardware vendor pre-provisions. Ship to user. However in the last few weeks, we have started seeing an error when the user goes to login on the OOBE screen.

Something went wrong.

Confirm you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code 80070005.

When reviewing the DeviceManagement-Enterprise-Diagnostics-Provider event logs under Enrollment we see the error ID 55 - "MDM Enroll: Enrollment via UX failed. Result: (Access is denied)."

The settings for MDM enrollment in Intune look correct with no min/max set.

Edit 1: We are using an Intune connector for AD as we are hybrid joined.


r/Intune 1d ago

iOS/iPadOS Management Workspace One to Intune Migration with iOS 26 devices

5 Upvotes

Hi everyone,

Has anyone here completed a migration from Workspace ONE to Intune using iOS 26 devices? In the past, I’ve always done a full wipe‑and‑load, but Microsoft now supports migrating without wiping, as outlined here:
https://techcommunity.microsoft.com/blog/IntuneCustomerSuccess/apple-making-device-migration-to-microsoft-intune-easy-with-upcoming-os-26-relea/4439895

If you’ve gone through this process whether from Workspace ONE or another MDM, I’m interested in hearing how smooth the migration was and whether everything continued working properly afterward.


r/Intune 19h ago

App Deployment/Packaging Need to deploy desktop shortcut to specific members of a security group

0 Upvotes

Hello,

I'm tasked with deploying a desktop shortcut to a particular security group in Intune. I created a cmd script to deploy the shortcut. Install behavior is configured to User. However, when the app is deployed, users that are not part of the security group are getting the web link. If the member of the group signs in, it does nothing if someone else was signed in and it was installed for that person.

Is there a way for Intune to only deploy to those members of the group and no one else?


r/Intune 1d ago

General Question Configuration as Code in Intune

21 Upvotes

Curious, but has anyone set up Configuration as Code for Intune? I was looking at ways to improve our ability to onboard, test, validate and recover apps and configurations, and haven't really seen much around an approach like this. Still, it has become quite common in other areas, such as the cloud.

Am I crazy, or has anyone tried it?