Intune

Cloud

16 sections
262 source tickets

Last synthesized: 2026-02-13 01:30 | Model: gpt-5-mini
Table of Contents

1. Company Portal absent or not auto-installing; Intune management agent restart restored app delivery

85 tickets

2. New-device OOBE or enrollment failures; OS recovery/reinstall restored corporate image and Intune enrollment

49 tickets

3. Application access/install or stalled downloads on managed devices resolved via portal publishing, Creative Cloud flow, sync, or power-cycle

101 tickets

4. Tenant-level enforced wallpaper/lock-screen prevents per-user personalization

2 tickets

5. Windows clients dropping Wi‑Fi connections correlated with NCSI active probe against AVM FritzBox

2 tickets

6. Microsoft Store blocked on new Windows 11 device; apps provided through Company Portal

8 tickets

7. Scheduled lock-screen rollout applied immediately across endpoints; assignment timing corrected and rollback performed

1 tickets

8. MacBooks managed in Apple Business Manager could not be removed by support; Jamf unenrollment used as workaround

2 tickets

9. macOS 'Device Management/MDM wants to make changes' admin prompt perceived as potential phishing

1 tickets

10. USB storage blocked on Cloud‑Only managed Windows device; OneDrive used as alternative

1 tickets

11. Lost or in‑transit device locked via Intune using serial-number lookup

1 tickets

12. Distribution constraints for custom Chrome extension (private store vs. Intune deployment)

1 tickets

13. No local admin rights prevented Office install on Intune-managed PC; Company Portal deployment resolved it

4 tickets

14. Intune power/energy settings not applying until targeted policy assignment and propagation completed

1 tickets

15. Company Portal access requests submitted to IT Service Portal cannot be processed

2 tickets

16. Inventory360 syncing used last‑logged‑in user causing device assignment mismatches

1 tickets

1. Company Portal absent or not auto-installing; Intune management agent restart restored app delivery
95% confidence
Problem Pattern

Company Portal was absent or failed to auto‑install on new or replacement Windows 10/11 devices (occasionally macOS), or appeared as a generic/ghost entry and remained non‑installable. Users reported the portal app installed but repeatedly unresponsive or failing to open, deployments stuck at “still installing”, the Microsoft Intune Management Extension service not running, gpupdate/provisioning hangs, repeated Microsoft 365/Office sign‑in prompts or SSO login loops, and inability to install corporate apps. Microsoft Store installs sometimes returned “This app is required by your organization,” and devices on outdated Windows builds (for example 22H2) sometimes failed to receive Store‑based apps. Issues commonly followed Windows upgrades, offline provisioning, administrative assignment or tenant/service changes, or account duplication/externalized accounts.

Solution

Support restored Company Portal delivery and corporate app installation by addressing enrollment/assignment, account mapping, service availability, and connectivity anomalies. Frequently observed resolutions included: restarting the Microsoft Intune Management Extension service or rebooting devices, after which the portal and managed Office apps typically appeared or auto‑installed within a few hours; manually installing Company Portal from the Microsoft Store when it was already marked distributed; connecting devices to a reliable network (ethernet or corporate Wi‑Fi) and leaving them online until provisioning completed; reactivating or reassigning Company Portal when administratively disabled (one reassignment completed deployment in ~4–8 hours); clearing hung gpupdate/provisioning states with reboots; and applying pending post‑upgrade Windows updates which restored portal delivery on some devices. Persistent delivery failures were often resolved by remote automated re‑enrollment or reprovisioning; a minority required OS recovery, reimage, or device replacement when the Microsoft Store or Windows Update/service was faulty or the device had hung during initial OEM/refurbisher provisioning. Office/Outlook sign‑in failures caused by web‑installed Office were resolved after deploying Company Portal and installing Office through it. One investigation found a duplicate/externalized account that left Company Portal reported as installed but unresponsive and caused an Atlassian SSO loop; deactivating/removing the duplicate and restoring the correct account link restored portal functionality. On macOS endpoints an enrollment redirect to a different management provider was resolved by enrolling through the platform‑specific Self Service app rather than the Windows Company Portal. When portal access was temporarily degraded, browser‑based access to Microsoft 365 served as a workaround. Remote support tools were used during investigations when required.

2. New-device OOBE or enrollment failures; OS recovery/reinstall restored corporate image and Intune enrollment
89% confidence
Problem Pattern

New corporate Windows (Windows 10/11) and iOS devices failed initial Intune/MDM enrollment or provisioning during OOBE/first‑time setup. Symptoms included OOBE stalls at “Device setup”, enrollment errors (for example 801c03ed and 0x80180014), Company Portal absence, devices missing from Autopilot or appearing only under users, iOS Remote Management/configuration‑download timeouts, MFA/Authenticator/Okta sign‑in flow conflicts, device anomalies (BSOD, display flicker, tamper‑protection/blob error 65000), and cases where multiple factory resets did not resolve provisioning. Failures frequently correlated with network/OOBE connectivity issues, identity/conditional‑access or Azure AD/device‑join problems, and occasionally with server‑side provisioning/enrollment service faults.

Solution

Technicians resolved device OOBE/enrollment failures with coordinated fixes across imaging, inventory/Autopilot, identity, vendor/firmware, and network causes. Imaging and recovery: restoring a known-good OEM/corporate image or performing a controlled full reimage consistently recovered Windows laptops; Dell SupportAssist OS Recovery (F12 one-time boot) repeatedly restored corporate images and allowed successful Intune enrollment, Company Portal visibility, corporate naming, and managed-app deployment. Fresh Start behavior: local user-initiated Fresh Start runs were observed to remove devices from Intune and produce tamper‑protection/blob errors (65000); an Intune-initiated Fresh Start sometimes completed provisioning only when the device remained powered and reachable during OOBE. Inventory and Autopilot fixes: registering previously unregistered hardware, correcting suppressed Autopilot V1→V2 screens (suppression scripts), and reassigning correct Azure AD/Intune group memberships restored Autopilot/Intune registration. Identity and conditional‑access fixes: several incidents traced to Azure AD/conditional‑access/entitlement issues where resolving group membership or unblocking the account/device cleared 801c03ed and 0x80180014 errors, though partially provisioned devices frequently still required image recovery and re-enrollment. Server-side provisioning: one case documented an internal provisioning/enrollment service error that IT corrected; a subsequent retry completed OOBE and enrollment. MFA/authenticator behavior: technicians observed Microsoft Authenticator QR-scan or manual-code failures and situations where activating an alternate authenticator (Okta) changed the sign-in flow and prevented returning to the required Authenticator step, stalling enrollment; in at least one case enrollment proceeded after completing MFA on the user’s personal phone and then reconfiguring Authenticator on the corporate device. Vendor/firmware/driver actions: BIOS resets/updates, sfc/dism scans, targeted driver updates, and removal of problematic vendor tools resolved device-side conflicts — SupportAssist 3.6 was correlated with BSODs in multiple incidents. Network and OOBE connectivity: Wi‑Fi or OOBE network failures were a common cause of stalls; devices that remained powered and reachable sometimes completed Intune-initiated remediation and finished provisioning. Service-side incidents and mobile devices: Company Portal visibility problems were linked to upstream Microsoft service incidents and were resolved by a Microsoft-side patch in at least one case. Mobile/iOS enrollment repeatedly showed Remote Management/configuration‑download timeouts; affected iPhones were often diagnosed as defective and replaced under warranty or service‑provider processes when unenrollment/removal failed. When other remediation failed, technicians used full wipe/reimage or hardware replacement to restore a working corporate image and complete Intune enrollment.

3. Application access/install or stalled downloads on managed devices resolved via portal publishing, Creative Cloud flow, sync, or power-cycle
91% confidence
Problem Pattern

Intune-managed Windows and mobile devices intermittently showed Company Portal or Software Center app availability and installation failures: assigned apps were missing from the catalog, Install/Retry was disabled, downloads or installs stalled or failed with generic errors or a red exclamation, or installs unexpectedly prompted for local administrator credentials. Detection scripts sometimes returned 0x87d30065 and users reported transient Company Portal banners such as "No access to company resources"; failures commonly occurred after enrollment/reprovisioning, group or license changes, package republishing, or when a manual install of the same application existed. Some devices also failed to launch the Company Portal (the Microsoft Store opened instead) or displayed immediate launch/blocked errors on open.

Solution

Application availability and stalled installs were resolved by addressing publishing/packaging, entitlement/licensing, client sync/visibility, account provisioning, enrollment state, and device configuration. Support republished and repaired Win32 packages, consolidated or repackaged combined installers, adjusted supersedence/default deployments to replace legacy packages, and removed or blocked unstable installers that caused repeated hangs. Installers that prompted for local-admin credentials were added to the Company Portal or repackaged so the in‑portal Install ran without local-admin prompts. Missing catalog visibility or provisioning was fixed by correcting Azure AD group and entitlement membership, Intune primary‑user or Windows group assignments, Microsoft 365 license assignments, and by creating/provisioning required external vendor accounts before reassigning apps. Client-side visibility and stalled installs cleared after Company Portal synchronization/Work or School account re‑sync, signing users out/in, remote remediation of endpoint-protection blocks, or a full shutdown/restart/power‑cycle; multiple incidents required both a sync and a full reboot. Detection-script failures that returned 0x87d30065 were traced to scripts signed with certificates not present in clients’ Trusted Root/Trusted Publishers stores and were resolved by deploying the signing certificate to affected clients. Several cases were blocked by a manually installed copy of the same application; those required removal of the legacy/manual install (or administrative remediation) before Intune installations could proceed, and a few remote remediation attempts failed when Endpoint Privilege Management (EPM) activation hung. A small number of issues resolved only after backend Company Portal service fixes or overnight propagation following republishing. Separately, one case presented as a Company Portal launch failure where the Microsoft Store opened or the Company Portal showed an immediate error; that incident cleared after support troubleshooting and later user confirmation (steps were not documented). Operational examples included adding add‑ins to the Company Portal to avoid admin prompts, restoring Adobe Creative Cloud after entitlement/group fixes and reinstall via Company Portal, completing ChatGPT Team and Office installs after Company Portal sync plus reboot or remote endpoint remediation, resolving a Cloudya download after a backend portal fix, and publishing utilities and iOS apps through the Self Service Portal once device provisioning and app assignments were corrected.

4. Tenant-level enforced wallpaper/lock-screen prevents per-user personalization
95% confidence
Problem Pattern

Managed devices were prevented from applying user-selected settings because tenant- or device-level policies/profiles enforced different values. Symptoms included desktop wallpaper and lock-screen changes reverting at login or becoming a locked/black background on M365-managed Windows desktops, and macOS showing "a 'Profile' has set this setting" when attempting to enable iCloud Drive. Affected systems included M365 tenant-managed Windows desktops and managed macOS laptops. Users reported they could not personalise settings or enable cloud-sync features and typically saw no actionable error codes.

Solution

Investigations confirmed the behaviour was caused by organisation-enforced settings rather than device faults. For Windows desktops a tenant-level "hard setting" in the M365 tenant enforced Walbrook/LIBF branding and caused any per-user desktop wallpaper or lock-screen changes to revert at next login. For macOS laptops a managed configuration profile had blocked iCloud Drive (the system displayed "a 'Profile' has set this setting"); support advised the user that the organisation used OneDrive for data synchronization instead of iCloud Drive. In both cases users were informed that personalisation or enabling the blocked feature was not possible under the current tenant/profile policy and no configuration changes were made.

Source Tickets (2)
5. Windows clients dropping Wi‑Fi connections correlated with NCSI active probe against AVM FritzBox
90% confidence
Problem Pattern

Multiple Windows endpoints (Intune-enrolled Company Portal devices) experienced unexplained network interruptions—intermittent Wi‑Fi and wired disconnects with no error codes—after AVM FritzBox firmware changes. Affected users also saw application authentication failures (Microsoft Teams repeatedly showed “We couldn't authenticate you” and a white circle with red border in the taskbar) and, in some cases, Company Portal sign-in failures. Incidents occurred after FritzBox firmware updates and were temporally correlated with Windows Network Connectivity Status Indicator (NCSI) active probe behavior against FritzBox devices.

Solution

Incidents that followed AVM FritzBox firmware changes presented as intermittent Wi‑Fi and wired network drops and, in some cases, Microsoft Teams authentication errors and Company Portal sign-in failures on Intune-managed Windows endpoints. The remediation applied to affected managed devices was deployment of two Intune/Company Portal packages that toggled the Windows NCSI active probe registry policy (HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\NoActiveProbe). The packages set NoActiveProbe to 1 to disable active probing and to 0 to re-enable it; the disable command used was: REG ADD HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator /t REG_DWORD /v NoActiveProbe /d 1 (and the inverse to revert). These packages were tested on affected devices and a limited rollout was recommended after verification. The incidents were observed after a FritzBox firmware update and affected both wireless and wired endpoints; the NCSI toggle was the effective workaround on managed systems in the investigated cases.

Source Tickets (2)
6. Microsoft Store blocked on new Windows 11 device; apps provided through Company Portal
90% confidence
Problem Pattern

Newly provisioned corporate Windows 11 devices showed the Microsoft Store reporting it was admin-blocked ("...is blocked. For more information, contact your IT or system administrator."), preventing installation or operation of consumer and line-of-business apps. The organization intended app distribution through Microsoft Intune Company Portal, but Company Portal was sometimes missing due to Microsoft-side installation/service issues or the Store was blocked on the corporate image. Some applications required Store connectivity for license verification (e.g., aText Premium) or administrative device access (e.g., printer connector apps) and therefore failed to work. Device-level policies (for example USB/mass-storage blocked) and prompts to contact the administrator when signing into personal Google/YouTube accounts were also reported.

Solution

IT confirmed the corporate Windows 11 image had the Microsoft Store intentionally blocked and that consumer and some business applications were to be distributed via Microsoft Intune Company Portal. Resolution actions included adding affected apps to the Company Portal (examples: Google Chrome, Parallels for DATEV, Microsoft 365/Office, PDF reader, aText Premium, Canon Inkjet Smart Connect) and providing a whitelist entry for the Microsoft Store via the My Access service; after the whitelist was applied and the Company Portal became available, users were able to install required software and license-dependent apps resumed full functionality. In several cases the Company Portal did not appear immediately because Microsoft-side installation/service issues prevented its auto-installation; availability of the Company Portal restored the normal app delivery path. Some apps required elevated or device-level privileges (for example certain printer connector apps required admin rights to complete driver/connection steps), so those instances were handled with targeted administrative deployment or alternative packaging as appropriate. The Microsoft Store "is blocked" message matched the admin-managed Store policy, and separate device policies had blocked USB/mass-storage on at least one new Dell laptop. Sign-in failures or prompts when using personal Google/YouTube accounts on managed devices were treated as expected behavior under organization-managed accounts and were investigated on a case-by-case basis when required. An unrelated hardware fault on a Lenovo T14s Gen2 resulted in a device replacement.

7. Scheduled lock-screen rollout applied immediately across endpoints; assignment timing corrected and rollback performed
60% confidence
Problem Pattern

A university-wide lock-screen image intended to be displayed only during a future window (21.10–04.11) was applied immediately to enrolled Windows 10, Windows 11 and macOS devices instead of waiting for the scheduled start date. Users and administrators observed the new image appearing ahead of the planned rollout window. The issue involved device lock-screen/wallpaper deployment timing and target group assignment across corporate-managed endpoints.

Solution

The immediate change was undone and the deployment assignment was corrected. Administrators reverted the unintended image on affected devices, removed or adjusted the immediate assignment, and recreated a scheduled deployment with the intended start and end dates for the target device groups. The corrected scheduled deployment was then validated against the affected Windows 10, Windows 11 and macOS device groups to ensure the image only appeared during the specified window.

Source Tickets (1)
8. MacBooks managed in Apple Business Manager could not be removed by support; Jamf unenrollment used as workaround
90% confidence
Problem Pattern

Apple devices managed in Apple Business Manager (ABM) and Jamf could not be cleanly removed or re-enrolled. Affected devices either remained bound to previous management after Jamf/MDM changes or, on iOS, showed no remote enrollment prompt during Setup and instead displayed only an option to remove the device from the organization. Missing or misassigned remote-management/enrollment profiles were observed (enrollment not tied to device serial), and related symptoms included absence of company/SelfService app enrollment and invalid eSIM QR codes.

Solution

Support was unable to remove some devices from Apple Business Manager, so support-level Jamf removals and MDM unenrollments were performed as a workaround. Affected MacBooks were removed from Jamf and unenrolled from MDM; requesters were instructed to locally reinstall the devices and complete enrollment into the target ASM/Intune tenant for testing, after which the devices could be re-added to Jamf/ABM. For the iPhone case, administrators found the device’s remote-management/enrollment profile was not correctly assigned to the device serial; the profile assignment was corrected and the device was re-provisioned (factory reset/re-enrollment) which restored the expected remote enrollment flow and company/SelfService app behavior. When the eSIM QR previously used no longer worked, a replacement eSIM QR was issued. Overall, when ABM removal was not available from support, Jamf unenrollment plus local re-provisioning or correcting profile-to-serial assignments resolved the enrollment failures.

Source Tickets (2)
9. macOS 'Device Management/MDM wants to make changes' admin prompt perceived as potential phishing
95% confidence
Problem Pattern

A MacBook user saw an unexpected system prompt reading 'Device Management/MDM wants to make changes. Enter an administrator’s name and password to allow this.' The user was concerned the prompt might be a phishing attempt because it had not appeared previously. The prompt occurred on macOS during deployment or modification of MDM-managed settings.

Solution

IT verified that the MDM configuration change prompting the dialog had been legitimately deployed by the organization's management. The user entered an administrator username and password to approve the change; IT confirmed the configuration applied successfully and closed the incident.

Source Tickets (1)
10. USB storage blocked on Cloud‑Only managed Windows device; OneDrive used as alternative
90% confidence
Problem Pattern

A new Dell laptop managed under a Cloud Only device policy was unable to read or write external USB sticks; the user needed USB access for training and coaching tasks. The restriction was enforced by device configuration/policy on the managed endpoint. No error codes were provided.

Solution

Support determined that permanent USB enablement could not be granted because the device was managed as Cloud Only. The user was instructed to upload required files to OneDrive and access them by signing into OneDrive with their Microsoft (work) account as the supported alternative. The ticket was closed after the user adopted the OneDrive workflow.

Source Tickets (1)
11. Lost or in‑transit device locked via Intune using serial-number lookup
90% confidence
Problem Pattern

An employee-reported device went missing during postal transit and needed to be remotely blocked/locked. The device could not be physically located and no error messages were present in user reports. Only the device serial number and Intune management were available for remediation.

Solution

Support verified that the device name had not been reused, located the device record in Intune by searching the serial number, and issued a remote lock/block from the Intune portal. The device was successfully locked and marked in inventory.

Source Tickets (1)
12. Distribution constraints for custom Chrome extension (private store vs. Intune deployment)
65% confidence
Problem Pattern

A custom Chrome extension developed for Twilio Flex could not be distributed via the public Chrome Web Store and needed a plan for enterprise-wide delivery. The security team would not perform an automated upfront clearance for internally developed extensions, target user group membership and distribution scope were unclear, and administrative requirements for IU's private Chrome store were unknown.

Solution

Investigation determined that the extension could not be centrally published through the public Chrome Web Store and that two enterprise options existed: use the IU Chrome Enterprise Private Store (which required an IU Google account, developer console access, and a paid developer subscription) or deploy the extension through Intune by assigning a profile/policy to target devices. The security team required a manual penetration test/assessment before corporate distribution, and the distribution scope remained to be clarified before proceeding.

Source Tickets (1)
13. No local admin rights prevented Office install on Intune-managed PC; Company Portal deployment resolved it
90% confidence
Problem Pattern

Users on Intune-managed Windows PCs attempted to install software (for example, Office or Cloudya) but the installer was blocked by a User Account Control prompt requesting administrator credentials or otherwise failed because the user lacked local administrator privileges; the Microsoft Intune Company Portal was present on the device.

Solution

Applications were installed through the Microsoft Intune Company Portal rather than by elevating the local user account. In one case support/IT assigned the Cloudya application to the user in Intune so it appeared in the Company Portal; the user then opened the Company Portal app (launched from the Start/Windows Search), located the app, and installed it. Installation from the Company Portal completed without requiring local administrator credentials and avoided the UAC administrator credential prompts that occurred when running downloaded installers. Support also explained that IU-managed devices were provisioned without local admin rights by default and that application delivery and device controls were managed centrally via Intune/Company Portal rather than by granting end users administrator access.

14. Intune power/energy settings not applying until targeted policy assignment and propagation completed
90% confidence
Problem Pattern

Windows devices reported power/energy settings (screen timeout) not matching the Intune-deployed configuration: screen was turning off after 15 minutes despite a different timeout configured in Intune. Symptoms included policy changes not taking effect immediately and a restart alone not enforcing the new setting. Affected systems were Windows 10 devices enrolled in Intune and assigned (or expected to be assigned) via an Azure AD device/user group.

Solution

A separate Intune device configuration policy named "U-Bildschirm-Timeout konfigurieren - Test" was created and the screen timeout value was changed from 15 to 17 minutes. The target user/device was explicitly added to the Azure AD/Intune assignment group (IU-DE-AAD-ASS-INTUNE-IT-PolicyGroup-W10-U-EnergySettings_Devices) so the new policy applied to that device. After assigning the device to the test group and allowing Intune policy propagation time, the configured screen timeout took effect; a simple restart prior to assignment had not enforced the change.

Source Tickets (1)
15. Company Portal access requests submitted to IT Service Portal cannot be processed
90% confidence
Problem Pattern

Users reported inability to obtain access to the Company Portal (Unternehmensportal) via the IT Service Portal. Symptoms included missing UI controls (top‑right button to send/login credentials) and general access-provisioning requests with no error codes. The Company Portal was not managed through the IT Service Portal, causing requests to be misrouted and unfulfillable by first‑line IT support.

Solution

Support confirmed the Company Portal was not supported or provisioned via the IT Service Portal and closed the tickets after advising requesters to submit dedicated access requests in the IU Meldeportal (Jira Service Management) so the responsible team could grant Company Portal rights. In one case an approver assignment was adjusted as part of the handover to the owning team.

Source Tickets (2)
16. Inventory360 syncing used last‑logged‑in user causing device assignment mismatches
90% confidence
Problem Pattern

Automated hardware-data synchronization from Intune into Inventory360 showed devices assigned to different users in Inventory360 than the Intune primary-user field. Affected devices had user mismatches (examples: Maria Gillitz, Teresa Killian, Chris Jung) with no explicit error codes. Discrepancies were intermittent and more likely when admin/shared accounts were used on devices. The issue manifested as Inventory360 reporting the last interactive/logged-in account instead of the Intune primary user.

Solution

Investigated the sync behavior and reviewed provided screenshots and examples; determined that Inventory360's import process used the device's "last logged-in user" attribute rather than Intune's "primary user" field, which explained the observed assignment discrepancies (notably for devices where admin/shared accounts were used). The finding was communicated to the requester as the root cause of the mismatched assignments.

Source Tickets (1)
Back to Summaries
An unhandled error has occurred. Reload X