Intune

Microsoft Intune is the SaaS solution provided by Microsoft. Microsoft Intune is a cloud-based desktop and mobile device management tool. This supports Mac OS, iOS, Android, and Windows 10. This cloud solution is used as a modern management tool.

You can check out HTMD Community Intune Training from Free Intune Training 2023 blog post. Let’s learn about Intune Exam MD 102 Study Guide Starter Kit – Microsoft Intune Certification. Also, check out the Top 75 Latest Intune Interview Questions.

Microsoft Intune Architecture Diagram

This MDM solution can be integrated with SCCM, Azure AD, and Active Directory. This place gives you a great opportunity Learn Microsoft Intune and become an expert with Intune.

This solution can be used to deploy UWP applications, Security policies, Configuration policies, WiFi profiles, PKI certificates, and so on.

This solution is future-proof When you take a look at the Desktop (43.29%) Vs. Mobile (52.29%) Vs. Tablet (4.42%) Market Share Worldwide for the last year, you could see that mobile devices are leaders. So, Mobile Device Management is very critical, and this is a new world of opportunities for IT Pros like us. From my perspective, learning this solution is very important for SCCM admins.

Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps to manage mobile devices, network settings, and other mobile services and settings. This solution is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in the Cloud.

Additionally, this solution has a feature called compliance policy, which can be integrated with the Azure AD “Conditional Access” policy to restrict access to company resources.

FIX Intune Company Portal App Login Issues with Windows 10/11

Intune Company Portal App Login Issues with Windows 11 or Windows 10 Devices? Have you tried to Repair or Reset Company Portal App to fix the issue? The Intune company portal application is not allowed to log in when it is installed on Windows 10 or Windows 11.

The issue explained in the post below could be due to either Azure AD authentication issues or proxy issues. It won’t let you log in with your username and password.

The Company Portal app will get redirected to the login page repeatedly. Have you tried to log in to the Intune company portal from a Windows device, and can you reproduce this issue?

Fix Company Portal App Login Error Occurred AAD Auth Proxy Issues. This post also explains the Tenant Restriction Policy and company portal issues.

Intune Company Portal App Repair Options

Whenever you have an issue with the Intune Company Portal app, it’s better to Reset, Repair, or Reinstall it before trying to do further troubleshooting. Otherwise, this could be another issue if you see the same problems with a more significant number of Windows 11 devices.

Intune Company Portal App Repair options are easy to use, unlike other Win32 or MSI applications. Since the Intune Company portal is a Microsoft Store Application, it has all the Reset, Repair, and Reinstall options.

To fix Intune Company Portal App Repair Reset Options, you need to follow the steps explained below.

Navigate to the Apps & Features option by right-clicking on the Start button from Windows 11.
Use the search function to find the Company Portal application.
Click on the three (3) vertical dots menu.

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.1 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.1

To repair the Company Portal Application on a Windows 11 device, select Advanced options, as shown in the screenshot below.

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.2 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.2

The first step I always recommend is to TERMINATE the company portal app by clicking on the TERMINATE button from Apps -> Apps & Features -> Company Portal Advanced Options.

Intune Company Portal App Repair

Let’s check the next option, the Intune Company Portal app repair option. If this app isn’t working correctly, you can try to repair it. The Company Portal app’s data will not be affected.

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.3 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.3

Company Portal App Repair Reset and Uninstall

Let’s check the following options to see if the Terminate and Repair options for the Company portal don’t work well. Company Portal App Repair, Reset, and Uninstall are the other options available on Windows 11 devices.

Company Portal REPAIR helps to fix the issue if the app is still not working as expected. The RESET will remove all the app-related data from the Windows 11 PC and give the Company Portal a fresh start.

The UNINSTALL button is the last resource for fixing the Company Portal Application on Windows 11 PC. After uninstalling the app, you can reinstall it from the Microsoft Store.

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.4 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.4

Well, this is a weird issue, so stay with me! Let’s learn how to Fix the Company Portal App Login Error that Occurred. This issue is only for the Intune Company portal application. There was no issue accessing the company portal Website. This issue is only applicable to Windows 10/11 devices.

I have a couple of other posts that might be interesting for you. Learn how to install a company portal application on Windows 10 devices. Intune Company Portal Setup for Personal Windows 10/11 Device Intune Enrollment Options.

Windows 10 devices started getting error messages when users tried to launch the Company portal app. The error details are given below.

Login error occurred – An error occurred while attempting to log in to Company Portal Login Error.

You get two options:

Share Details
Close

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.5 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.5

Send Company Portal App for Windows 10 Logs

You can try to click on Share details to get the Company portal app log for Windows 10 or 11 devices. The message shows “Sending the Logs to Microsoft.“

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.6 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.6

Now you can share the details with Microsoft using the Onenote file. Requesting help with the company portal app for Windows 10 or Windows 11.

NOTE! – You can send the company portal app logs for Windows 10 using the following method as well:

Open the Company Portal app.
Select Help & support > Get help.

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.7 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.7

Details of Company Portal App Log

Describe the problem you’re experiencing. The Company Portal has collected your logs (Diagnostics ID: 2WWEWN) and sent them to Microsoft to help troubleshoot. Your description will help us understand what happened and how to fix the problem. After you’ve described the situation, send this email to your company support for more help.

Now, let’s enter the real troubleshooting scenario of the Company Portal app for Windows 10 devices.

First, I couldn’t find much information from the Microsoft logs mentioned in the above section.
I started looking at event logs to get more details.
Navigate to Microsoft-Windows-AAD/Operational (Azure AD authentication-related errors).
The following event ID 1098 shows an error that started when I tried to launch the company portal app.

Error: 0xCAA5001C Token broker operation failed. Log: 0xcaa10083 Exception in WinRT wrapper. Log: 0xcaa1007b Acquire token failed. Log: 0xcaa9004b Exception during nonce request.

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.8 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.8

Event Log Details

The following are the company portal login issues with Windows 11/10 devices. As you can see in the paragraphs below, these logs are taken from event logs.

Error: 0xCAA5001C Token broker operation failed.

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -894947614 (0xcaa82ee2), Description: The request has timed out.
Logged at webaccountprocessor.cpp, line: 593, method: AAD::Core::WebAccountProcessor::ReportOperationError.

Error: 0xCAA82EE2 The request has timed out.

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at authorizationclient.cpp, line: 233, method: ADALRT::AuthorizationClient::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113

Log: 0xcaa1007b Acquire token failed.

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa1007b Acquire token failed.
Logged at aggregatedtokenrequest.cpp, line: 70, method: AggregatedTokenRequest::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c

0xcaa9004b Exception during nonce request

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 16/07/2020 10:11:06
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa9004b Exception during nonce request.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c

A proxy server tenant restriction was implemented using the following: Use tenant restrictions to manage access to SaaS cloud applications. For more details, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions.

The company portal app for Windows 10 or Windows 11 requires authentication to Azure AD through https://login.microsoftonline.com. These URLs are available in the above event logs. Tenant restrictions require TLS inspection only on traffic to Azure AD, not to the Office 365 cloud services.

It seems the TLS inspection for the following URL caused the issue. At least one of the following URLs is required:

https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.9 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.9

After 3 login attempts, the company portal application will show you the following error: “Login error occurred – an error occurred while attempting to login“. You may also get the following details in the error log.

Have you ever seen this? The following scenarios show this issue in different Intune/AAD tenants. The table below helps you show more details.

The Issue in Different Intune/AAD Tenants
Windows 10 AAD Joined
Windows 10 MDM enrolled (Work account)
Windows 10 OOBE

FIX Intune Company Portal App Login Issues with Windows 10/11 – Table 1

I don’t have any solution for this issue yet. If you can reproduce this issue then please do comment on this post. When I remove add Work or School account from Settings – Accounts – Access work or school, then I’m able to login to the Intune company portal.

However, it will (obviously) say, “You need to add your device before you can install apps.” If you select “Don’t add this device,” the Intune company portal will proceed to the next page, which will show you the “my devices” list, etc., with a note, “It looks like you need to add this device so that you can install apps.”

FIX Intune Company Portal App Login Issues with Windows 10/11 - Fig.10 — FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.10

Log File Details – Intune Company Portal:-

Intune Company Portal Login Issues with Windows 10 Anniversary Update.

Microsoft.Management.Services.SelfServicePortal.CommonViewModels.ServiceLoginPageViewModel.<AuthenticateWithExceptionHandlingAsync>d__36.MoveNext()
2016-09-03T06:03:13.4876367Z WARN Event       None                   400 f67a7f1d-54e3-41e0-a838-e39ec3385ba3 3-0-0 Displaying error dialog
 Title: Login error occurred
 Message:An error occurred while attempting to login.
 Exception: Microsoft.Management.Services.SelfServicePortal.Common.Portable.Authentication.IntuneAuthenticationException: Failed to authenticate with AAD
    at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AuthenticationResultHelper.ThrowIfAuthenticationStatusIsNotSuccess(AuthenticationStatus authenticationStatus)
    at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AzureADAuthenticationService.<AuthenticateAsync>d__0.MoveNext()

Resolution – Proxy Issue

The client app (in this case, Company Portal) should support tenant restrictions. I overlooked this point while writing this post. Microsoft docs already document that client software must request tokens directly from Azure AD so that the proxy infrastructure can intercept traffic.

NOTE! – The company portal (website) works well with tenant restrictions.

The proxy servers removed the OMT feature for TLS inspection for AAD authentication communication, which fixed the Company Portal.

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

How do I create and Upload an Apple Push Notification Service APN Certificate Using SCCM CB? We need an APN cert to manage iOS and Mac OS devices via Intune and Hybrid SCCM CB.

In this video tutorial, we can see how to get the certs from Apple and How to upload them to SCCM CB for a hybrid solution. How to Create an Apple Push Notification Service (APN) Certificate to Manage iOS and Mac OS X devices via Intune.

You must have an Apple ID/user name and password to upload and download the SCCM CB hybrid certificates. I’m adding more detailed Videos to my YouTube Channel; subscribe here.

The following is the location and file where I saved the downloaded cert from the SCCM CB hybrid environment: C: UsersanoopDocumentsApple CertApple_Cert_4_How_2_Manage.CSR.

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

The screenshot below helps you show the Apple push certificates portal and the certificate for third-party servers. The table below enables you to show more details.

Sep 24, 2016	Vendor	Expiration Date	Status
Mobile Device Management	Microsoft Corporation	Sep 24, 2016	Active
Mobile Device Management	Microsoft Corporation	Sep 24 2016	Active

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB – Table 1

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

Go to the following website !! Apple Website:- https://identity.apple.com/pushcert/.

You can manage iOS and Mac OS devices via Microsoft Intune and SCCM CB hybrid environments at the end of this process!

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments

How do you create and deploy compliance policies using SCCM CB Hybrid and Intune Environments? We will discuss developing and deploying compliance policies using SCCM CB Hybrid and Intune Environments. Ok, at 3 topics in this post.

1. How to Create Compliance policies using Intune and SCCM CB Hybrid environment.
2. How to deploy Compliance policies and
3. Differences between the compliance policy settings !!

I have created a quick and dirty video tutorial to explain all these steps, and the video is embedded in this post as well 🙂 First and foremost, the compliance policies work along with Conditional Access policies.

The device must comply with our policies to have permission to access corporate resources like emails, SharePoint Online, etc. SCCM CB and Intune Compliance policies can be deployed only to users, not device collections or groups.

As you can see in the following picture, we can specify the type of compliance policy that you want to create in SCCM CB. There are two options: 1. Compliance rules for devices managed with SCCM clients; 2. Compliance rules for devices managed without SCCM clients (MDM clients, etc.).

How Do You Create An SCCM CB Hybrid Compliance Policy?

Moreover, it allows you to select different device platforms, such as Windows 8.1, Windows 10 mobile, iOS, Android, and KNOX. This is a handy option in SCCM CB Hybrid compliance settings! The video tutorial above explains the steps to create an SCCM CB compliance policy.

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.1 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.1

How Do You Create a Compliance Policy using Intune?

As you must have noticed, all platforms have one general compliance policy. There is no option to create compliance policies for various device platforms, such as iOS, Android, and Windows.

Yes, we don’t have the option to select a specific OS platform in Intune compliance policies. The three common segregations available are as follows. The video tutorial above explains all the steps to create an Intune compliance policy.

Three Common Segregations
System Security
Device Health
Device Properties

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Table 1

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.2 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.2

How Do You Deploy Compliance Policies Using SCCM CB Hybrid?

Yes, compliance policies can deploy only to User Collections, not device collections, in SCCM. There are no DEVICE Collections in the drop-down menu!! Yes, this makes sense because compliance policies are associated with conditional access policies in BYOD and CYOD scenarios.

Another point is SCCM CB’s granularity regarding Compliance rules/policy evaluation schedules. You can change the Compliance policy evaluation schedule!!! By default, the SCCM CB compliance policy evaluation schedule is 23 hours. You can change and customize it according to your needs. The video tutorial above explains the steps to deploy the SCCM compliance policy.

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.3 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.3

How to Deploy Compliance Policy using Intune?

Yes, compliance policies can be deployed only to user groups in Intune, not device groups. Moreover, compared with SCCM CB, the scheduling of compliance policies is not granular. Instead, Intune provides global settings for all the compliance policies we create for that tenant.

Check out the Intune compliance policy settings. What is that? It’s the compliance status validity period. Nice!! It’s a global setting—we can’t specify 31 days for one compliance setting and 20 days for another!! The video tutorial above explains all the steps to deploy the Intune compliance policy.

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.4 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.4

Difference Between Intune vs SCCM CB Hybrid Compliance Policies

Following are the differences that I have noticed in Intune vs SCCM CB Hybrid Compliance Policies:-
Intune does not allow users to select a specific supported platform. However, with SCCM CB, we can create platform-specific compliance policies.

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.5 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.5

There is no Granularity in Deploy Scheduling options with Intune. However, many more scheduling options are available for SCCM CB compliance policies.

Intune_Vs_SCCMHow to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.6_Compliance_Policies_3 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.6

Outcome/Result of Compliance Policies – Windows 10 Device

The following is an example of a Windows 10 machine that AAD and MDM joined, but it’s not compliant. Device encryption is not enabled on Windows 10 machines.

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.7 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.7

The following is an example of a Windows 10 device compliant with an organization’s policies. Once Windows 10 is compliant, the user can access corporate mail and other resources.

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments - Fig.8 — How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.8

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User

Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User? In this post, I would like to share the video tutorial to explain. Microsoft Intune introduced MAM Reporting options with the Intune 2305 release.

Let’s learn how to create Intune App Protection Policies for iOS iPadOS. In this article – Create Intune App Protection Policies For IOS IPadOS. App Protection Policies can be applied to both enrolled and non-enrolled devices. APP can be used for third-party MDM solutions.

MAM policies created in the MEM portal are different from the MAM policies that we make from the Intune portal for MDM-enrolled devices. Outlook Groups is the newest application included in the Azure portal for Intune MAM-enabled applications.

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. The video below provides more details and an end-user experience.

Intune MAM Policies and App Reporting?

Also, I can see the PREVIEW option to add custom applications for MAM policies without MDM enrollment. This is an excellent feature. Settings –>Preview – Line-of-business apps –> Preview – Add a custom app.

Intune MAM Policies and App Reporting
Settings
Preview – Line of business apps
Preview – Add a custom app

Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User – Table 1

Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User - Fig.1 — Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User – Fig.1

Resources

SCCM Video Tutorials For IT Pros – HTMD Blog #2

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Azure RMS Roadshow Presentation Overview of EMS Intune Azure AD Azure Rights Management Service 1

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups

Key Takeaways

Automatically organize devices during enrollment.
Reduce manual device group assignments.
Improve consistency and scalability in device management.
Deploy applications and policies based on department or device role.

In this post let’s Learn How to Setup Dynamic Device Groups in Intune. Managing devices efficiently is a part of endpoint administration. Microsoft Intune provides several methods to organize and manage devices, and Device Categories remain a simple and effective option for assigning devices to the correct groups during enrollment.

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups

By combining Device Categories with Dynamic Device Groups in Microsoft Entra ID, administrators can reduce manual effort and ensure devices receive the correct policies, applications, and configurations. This approach helps device management and improve deployment consistency across the organization.

How Do You Add Devices Automatically to Intune Groups using Microsoft Entra Dynamic Device Groups?

To automatically add devices to Intune groups, you first need to create a Dynamic Device Group in the Microsoft Entra admin center. Sign in to the Microsoft Entra portal, navigate to Groups > All Groups, and select New Group. Dynamic groups automatically manage membership based on rules, eliminating the need to manually add or remove devices.

In this example, we will create a security group that uses dynamic membership rules. Once the group is created, Microsoft Entra automatically evaluates devices against the configured rule and adds matching devices to the group. This makes device management more efficient and ensures devices are always assigned to the correct group.

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups - Fig.1 — How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups – Fig.1

On the New Group page, select Security as the Group Type and provide a Group Name and Description. Under Membership Type, select Dynamic Device instead of Assigned. This enables Microsoft Entra to automatically manage group membership based on the rules you define.

After selecting Dynamic Device, create a membership rule that identifies the devices you want to include in the group.
Once the rule is validated and saved, select Create.
Microsoft Entra will begin processing the rule and automatically add devices that meet the specified criteria.
Whenever a new user joins the IT department, that user is automatically added to the Intune MDM group. Provisioning and de-provisioning groups is made easy with this.

Microsoft Entra ID provides 2 methods for creating dynamic membership rules: the Rule Builder and the Rule Syntax editor. The Rule Builder offers an easy-to-use graphical interface, while the Rule Syntax editor allows advanced administrators to create more complex queries. To automatically add Hybrid Microsoft Entra joined devices to a dynamic device group, select Add Dynamic Query, choose deviceTrustType as the property, set the operator to Equals, enter ServerAD as the value, and then save the rule.

More Details -> Create AAD Dynamic Groups Based On Domain Join Type Hybrid Azure AD And Azure AD

Learn How to Setup Dynamic Device Groups in Intune
Login to Microsoft Entra portal
Navigate to the Groups > All Groups >select New Group.
Group Type -> Security
Group Name ->HTMD Hybrid Device Group
Group Description -> To add all devices or users from a dept
Membership Type -> Dynamic User

LeHow to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups – Table 1

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups - Fig.2 — How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups – Fig.2

Access the Dynamic Device Group

Navigate to Groups > All Groups in the Microsoft Entra admin center and locate the Dynamic Device Group you want to manage. Select the group to review its settings and configure dynamic membership rules. Once selected, the group can automatically add devices that meet the specified criteria, reducing administrative effort and ensuring devices are organized.

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups - Fig.3 — How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups – Fig.3

Automatically Assign Devices to Intune Groups with Device Categories

Microsoft Intune Device Categories help administrators organize devices and automatically assign them to the appropriate groups during enrollment. To create a device category, sign in to the Intune admin center and navigate to Devices > Manage Devices > Device Categories. Select Create, provide a category name and description, and then save the category.

Device Categories can represent departments, locations, or device purposes such as IT, HR, Finance, or Sales. When users enroll their devices through the Microsoft Intune Company Portal app, they can select the appropriate category. This category can then be used with Microsoft Entra dynamic device groups to automatically group devices and simplify policy and application assignments.

I have created only one category, “ADMIN,” for users. You are free to make an Intune device category for each department!!

More details on AAD Groups Based On Intune Device Categories.

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups - Fig.4 — How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups – Fig.4

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community and WhatsApp Channel to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.

Intune

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

Table of Contents

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

Author

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments

Table of Contents

How Do You Create An SCCM CB Hybrid Compliance Policy?

How Do You Create a Compliance Policy using Intune?

How Do You Deploy Compliance Policies Using SCCM CB Hybrid?

How to Deploy Compliance Policy using Intune?

Difference Between Intune vs SCCM CB Hybrid Compliance Policies

Outcome/Result of Compliance Policies – Windows 10 Device

Author

Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User

Table of Contents

Intune MAM Policies and App Reporting?

Resources

Author

Azure RMS Roadshow Presentation Overview of EMS Intune Azure AD Azure Rights Management Service 1

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups

Key Takeaways

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups

How Do You Add Devices Automatically to Intune Groups using Microsoft Entra Dynamic Device Groups?

Access the Dynamic Device Group

Automatically Assign Devices to Intune Groups with Device Categories

Need Further Assistance or Have Technical Questions?

Author

Microsoft Intune Mobile App Management MAM Policy Issues and Workaround

Windows 10 Conditional Access with Azure AD Join Intune MDM Auto Enrollment Enforce Policies

How to Deploy Applications MAM Policies to Mobile Devices Using Intune Part 3

How to Deploy Applications MAM Policies to Mobile Devices Using Intune Part 2

How to Deploy Applications MAM Policies to Devices Using Intune Part 1

How to Learn SCCM ConfigMgr Intune | Start Learning Microsoft Configuration Manager Endpoint Manager

Extend Intune Trial Subscription Validity Version | Expire

What is Intune for Office365 O365 Microsoft Intune

Microsoft Intune Wiki

Windows Intune Download PDF Guide for New Features Functionality

Table of Contents

Intune Company Portal App Repair Options

Intune Company Portal App Repair

Company Portal App Repair Reset and Uninstall

Fix Company Portal App Login Error Occurred AAD Auth Proxy Issues | Tenant Restriction Policy

Problem Statement – Fix Company Portal App Login Error

Send Company Portal App for Windows 10 Logs

Details of Company Portal App Log

Troubleshooting – Fix Company Portal App Login Error

Event Log Details

Fix Company Portal App Login Error Occurred

Intune Company Portal Login Issues

Log File Details – Intune Company Portal:-

Resolution – Proxy Issue

Author

Table of Contents

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

Author

Table of Contents

How Do You Create An SCCM CB Hybrid Compliance Policy?

How Do You Create a Compliance Policy using Intune?

How Do You Deploy Compliance Policies Using SCCM CB Hybrid?

How to Deploy Compliance Policy using Intune?

Difference Between Intune vs SCCM CB Hybrid Compliance Policies

Outcome/Result of Compliance Policies – Windows 10 Device

Author

Table of Contents

Intune MAM Policies and App Reporting?

Resources

Author

Key Takeaways

How to Automatically Add Devices to Intune Groups using Microsoft Entra Dynamic Device Groups

How Do You Add Devices Automatically to Intune Groups using Microsoft Entra Dynamic Device Groups?

Access the Dynamic Device Group

Automatically Assign Devices to Intune Groups with Device Categories

Need Further Assistance or Have Technical Questions?

Author