Known Issues & Service Alerts
Current known issues across Microsoft 365 portals. Last scraped: 2026-06-09. For live service health, see status.cloud.microsoft.
Intune Known Issues
- Apps deployed with Configuration Manager take a long time to load on the Windows apps page in Company Portal
There's a known issue in Company Portal where Windows apps deployed with Configuration Manager might take multiple seconds (up to a few minutes) to load on the Windows apps page. Microsoft is investigating this issue and will update this article when more information becomes available.
- Azure enterprise applications aren't displayed in the Company Portal for Windows or the Intune Company Portal website
Microsoft is investigating this issue and will update this article when more information becomes available.
- Remediation message doesn't list all valid builds in Company Portal for Windows 10/11
We are aware of an issue with the noncompliance messaging details that appear in Company Portal for Windows 10/11 devices. When a device is identified as noncompliant due to having a Windows build outside the ranges an admin specifies in the Intune compliance policy, a remediation message is display
- A limited number of macOS devices may be unexpectedly unenrolled from the Microsoft Intune service
There's a known issue (originally posted on the Service Health Dashboard as IT393575) where, occasionally, the enrollment of a macOS device fails or the device might become unenrolled because the MDM agent mishandles failed MDM certificate installations. When this issue occurs and the MDM agent does
- Android 12 clipboard data toast notification
Android 12 introduced a toast notification when an application accesses the clipboard, regardless of whether the device is MDM enrolled or if apps are protected by app protection policies. Users running Android Company Portal version 5.0.5450.0 or later may notice an unexpected toast notification wh
- Android devices lose access to Intune-managed resources after upgrading to Android 12
The issue where customers lose access to Microsoft Intune-managed resources or are prevented from completing enrollment after upgrading certain devices from Android 11 to Android 12 has been resolved. The impacted brands included OPPO, OnePlus, and Realme devices enrolled as Android Enterprise perso
- Several Office settings in settings catalog do not automatically enable the parent setting
We recently identified several Office settings in the settings catalog that, when enabled, do not automatically enable the required parent setting. This can lead to the policy not applying as expected if you did not configure the parent setting. To help identify which configuration settings have thi
- Android Enterprise device filtering not supported in some reports
We're aware of an issue where granular OS filtering isn't working as expected for corporate-owned Android Enterprise devices when exporting the All devices report from the Microsoft Intune admin center, when exporting the DevicesWithInventory and Devices reports using the Export API, or when making native
- Missing certificates after updating Samsung work profile devices to Android 12
We're aware of an issue that affects Samsung devices enrolled with a work profile. After updating to Android 12, these devices are missing certificates when a user tries to access Gmail or AnyConnect VPN. For more information and temporary workarounds, see Known Issue: Missing certificates after upda
- Long sync times in Intune for Managed Google Play private apps and web apps
Admins who recently published a new Managed Google Play web or line-of-business (LOB) app will notice delays for those apps to sync to Intune. After selecting Sync from either the Microsoft Intune admin center or the Google Play console, it can take six hours or longer for the new apps to appear in
- Fully managed Samsung devices are noncompliant after managed update
Samsung devices provisioned as Android Enterprise fully managed devices running Android 11 and later show as noncompliant after a managed update is applied. This could potentially affect access to corporate resources, depending on the Conditional Access policies set by the IT administrator. For more
- Common issues with Intune policy reports
We are aware of some common issues with Intune policy reports, including multiple records for a single device, inaccurate "pending" status, and inconsistencies between data in report lists and in summary charts. We are working on reporting improvements for better performance and new capabilities for
- Users are signed out of managed iOS Office apps
We are aware of an issue that can affect organizations using app protection policies (APP, also known as MAM) to manage their mobile Office apps. In this scenario, users are signed out of all Office mobile apps once they sign out of a single Office app (or if they are automatically signed out of an app
- Known issues with filters in Microsoft Intune
There are some known issues with filters in Microsoft Intune. This feature became generally available in February 2021. We are tracking remaining known issues with this feature in Filters Public Preview - Overview and Known Issues, which also includes common questions and documentation links.
- App install lifecycle or app install history status might be inaccurate
We are aware of an issue within the Troubleshooting + support blade where the Devices table > column App install lifecycle might show a status of "Failure" even if there are no issues with the apps on the device. Additionally, if you load the Managed Apps view for the impacted device and select a targ
- Launching protected apps on Samsung A10 with biometric authorization causes the device to crash
There is a known issue with the Android 10 Samsung A10 biometric authorization (face recognition/thumbprint). Launching any apps with app protection policies (APP, also known as MAM) on an Android 10 Samsung A10 with biometric authorization enabled will cause the device to crash. We have disabled bi
- Password reset issues for Intune-enrolled devices with iOS 13+
Intune shared a known issue in MC203629, whereby approximately 1% of devices Intune enrolled with iOS 13+ do not return the token needed to allow a password reset. Apple addressed the bug in 13.3.1 and higher, however, simply updating to 13.3.1 cannot fix already-enrolled devices. Devices without a
- Profile error enrolling iOS devices with Apple Configurator
We are aware of an issue when enrolling iOS devices with Apple Configurator for Setup Assistant enrollment. After accepting Apply configuration on the device, you might see the error: "Invalid Profile: The configuration for your iPad/iPhone could not be downloaded from [Your Organization Name]." Thi
- iOS certificate-based authentication issue with Pulse Secure 7.0.0 and Check Point Capsule Connect versions 1.600
There are issues with certificate-based authentication when using the Pulse Secure VPN client for iOS, version 7.0 and Check Point Capsule Connect version 1.600 for iOS. Specifically, both VPN clients may report that the certificate is missing from the device, even when the certificate has been prop
- "Rename device" setting disabled for Microsoft Entra hybrid joined Windows devices
In the Intune admin center, we've disabled the "Rename device" setting for Windows devices that are Microsoft Entra hybrid joined. This is to prevent device single sign-on errors that might occur after a user changes their password. Device renaming is available for co-managed devices that are Micros
- iOS/iPadOS or macOS device unenrollment through management profile deletion may not be reflected in Microsoft Intune
There is a known issue where the enrollment status of an iOS/iPadOS or macOS device may not update correctly in Microsoft Intune if a user manually deletes the management profile. The device will be unenrolled from Intune, but it may not be reflected in Microsoft Intune admin center for 30 days.
Windows 365 Known Issues
- First-time Cloud PC sign-in triggers an impossible travel location alert
When you use Conditional Access, a user who signs in to a Cloud PC for the first time might trigger an impossible travel location alert.
- Watermarking support in Windows 365
Watermarking support is configured on session hosts and enforced by the Remote Desktop client. You can configure Watermarking support by configuring a Group Policy Object (GPO) or the Intune Settings Catalog. The default for the QR code embedded content setting doesn't allow administrators to look u
- Missing Start menu and taskbar when using iPad and the Remote Desktop app to access a Cloud PC
When non-local admin users sign in to a Cloud PC by using an iPad and the Microsoft Remote Desktop app, the Start menu and taskbar might be missing from the Windows 11 user interface.
- Restore and automatic rolling credentials
Many devices registered with Active Directory might have a machine account password that is automatically updated. By default, these passwords are updated every 30 days. This automation applies to hybrid joined PCs but not Microsoft Entra Native PCs. The machine account password is maintained on the
- Cursor's visible location is offset from the actual position
In a remote desktop session, when you select one position in a text file, the cursor in the Cloud PC has some offset with the actual position.
- Possible cause
In high DPI mode, both the server and Cloud PC browser scale the cursor. This conflict results in an offset between the visible cursor position and the actual cursor focus.
- Outlook only downloads one month of mail
Outlook only downloads one month of previous mail, which can't be changed in Outlook settings.
- In-place Windows upgrade might change the computer name
Upgrading an existing Cloud PC between release versions of Windows 10 to Windows 11 might cause the computer name to change to a name that has a prefix of "pps." The Intune device name remains unchanged.
- Windows 365 provisioning fails
Windows 365 provisioning might fail if both of the following conditions are met:
- Cloud PC reports as not compliant with the compliance policy
The following device compliance settings report as Not applicable when being evaluated for a Cloud PC: The following device compliance settings might report as Not Compliant when being evaluated for a Cloud PC:
- Single sign-on users see a dialog to allow remote desktop connection during the connection attempt
When you enable single sign-on, users see a prompt to authenticate to Microsoft Entra ID and allow the Remote Desktop connection when launching a connection to a new Cloud PC. Microsoft Entra remembers up to 15 devices for 30 days before prompting again. To connect, users select Yes in this dialog. To
- Single sign-on user connections are being denied through Microsoft Entra Conditional Access
- Possible cause
To sign in by using single sign-on, the Remote Desktop client requests an access token to the Microsoft Remote Desktop app from Microsoft Entra. An issue in this request process might cause the failed connection.
- Troubleshooting steps
Follow the steps in troubleshoot sign-in problems.
- When a Cloud PC locks, it immediately disconnects single sign-on users
When single sign-on isn't used, users can see the Cloud PC lock screen and enter credentials to unlock their Windows session. However, when single sign-on is used, the Cloud PC fully disconnects the session to enable the following capabilities:
- When single sign-on users connect from an unmanaged device, they aren't asked to reauthenticate to Microsoft Entra ID
When you use single sign-on, all authentication behavior (including supported credential types and sign-in frequency) is driven through Microsoft Entra ID.
Autopilot Known Issues
- Microsoft Entra hybrid join Autopilot deployments time out with error code 0x80004005
Date added: February 9, 2026. During Microsoft Entra hybrid join Autopilot deployments, devices might experience timeout errors with error code 0x80004005 in the deployment process. The issue is resolved in:
- Local Autopilot Reset can't be triggered by local administrator when you deny access from network
Date added: January 16, 2026. When a device is configured with an Intune policy that sets Deny access to this computer from the network for the local account, the local Windows administrator account can't start a local Windows Autopilot Reset. This issue affects scenarios where administrators rely on th
- Devices don't get quality updates during Microsoft Entra hybrid joined deployments
Date added: January 13, 2026. Scans for quality updates offered during OOBE might time out during provisioning for Windows Autopilot Microsoft Entra hybrid joined deployments when the Allow OOBE Updates policy is configured in the enrollment status page profile. When this occurs, devices don't get the q
- Deployment duration in the Windows Autopilot deployment report might include the time for user to sign in at the Windows lock screen
Date added: August 13, 2025. The deployment duration value in the Windows Autopilot report includes the time between enrollment and completion of the Account setup phase of the Enrollment status page (ESP). As a result, if the ESP is configured to show during the Account setup phase and a reboot occurred
- Enrollment status page Account setup phase isn't shown when signing in via FIDO2 (YubiKey) during self-deploying mode
Date added: August 1, 2025. When Windows Autopilot is used in self-deploying mode with Shared PC mode configured, the Enrollment status page (ESP) Account setup phase isn't shown for users signing in with FIDO2 (YubiKey). Account setup is shown when users sign in via username/password sign-ins. The is
- TPM attestation isn't working for some ST Micro and Nuvoton TPMs
Date added: May 9, 2025. Date updated: August 1, 2025. The OEM has resolved the issue. Lenovo customers should work with Lenovo support if they encounter an issue. Platforms with the latest models of TPMs manufactured by ST Micro and Nuvoton that support RSA 3072-bit might fail TPM attestation and cause f
- Known issues with the Intune Connector for AD version 6.2501.2000.5
Date added: April 8, 2025. Date updated: April 18, 2025. The following issues are under active investigation:
- Setting up keyboard automatically doesn't accurately update keyboard language
Date added: April 4, 2025. Date updated: December 16, 2025. The Windows Autopilot profile setting which enables automatic configuration of the keyboard language based on the Language (Region) setting might fail to apply during provisioning due to a known OS issue. To resolve this issue, use KB5072033 or abov
- Windows Autopilot report incorrectly shows failure even though the deployment was successful
Date added: February 11, 2025. Date updated: March 20, 2025. This issue is resolved. The Windows Autopilot report automatically updates deployment status from In progress to Failed after 4 hours if Intune didn't receive a success or failure status. It's possible that the report didn't receive the latest stat
- Local Administrator Password Solution (LAPS) policy isn't being applied during the Technician Flow
Date added: December 9, 2024. During Windows Autopilot pre-provisioning technical flow, if a LAPS policy is targeted to the device or user, it isn't applied until the user phase begins.
- Windows Autopilot deployment report and AutopilotEvents Graph API only returns 50 records at a time
Date added: December 4, 2024. In Intune's 2411 release, we've updated the backend infrastructure of the Windows Autopilot deployment report for consistency with other Intune reports. With this change, the Windows Autopilot deployment report and the AutopilotEvents Microsoft Graph API now return 50 recor
- DFCI enrollment fails for Professional editions of Windows 11, version 24H2
Date added: October 9, 2024. Date updated: January 15, 2025. DFCI can't currently be configured during the out-of-box experience (OOBE) on devices with Professional editions of Windows 11, version 24H2. For devices that have already been provisioned and have Professional editions of Windows 11, version 24
- Windows Autopilot deployment report doesn't support sorting
Date added: August 29, 2024. The Windows Autopilot deployment report was updated to a new infrastructure that doesn't currently support column sorting. The issue will be addressed in the future.
- Auto logon for Kiosk device profile is fixed
Date added: August 21, 2024. Date updated: December 15, 2025. The known issue of Kiosk device profiles not auto logging in when auto logon was enabled was previously reported as fixed. There were scenarios where the issue could still occur when using autologon with Kiosks and Assigned Access. If multiple re
- BitLocker encryption defaults to 128-bit when 256-bit encryption is configured
Date added: July 8, 2024. In some Windows Autopilot deployments of unregistered devices, BitLocker encryption might default to 128-bit even though the admin configured 256-bit encryption due to a known race condition. The issue is being investigated. Microsoft recommends that customers who need 256-bi
- Required apps aren't shown on the Enrollment Status Page (ESP) after a Windows Autopilot Reset
Date added: May 17, 2024. When a Windows Autopilot Reset happens, the required apps aren't installed on the Enrollment Status Page (ESP) before the user reaches the desktop. The apps aren't tracked on the ESP, but the apps are installed when the user signs in to the desktop.
- Enrolled date for Windows Autopilot device is incorrect
Date added: November 1, 2023. The Enrolled date in the Devices | All devices and Windows | Windows devices panes displays the date the device was registered to Windows Autopilot instead of the date it was enrolled to Windows Autopilot. For a more accurate date for when the device enrolled to the tenant:
- Filtering Windows Autopilot devices not working as expected
Date added: July 14, 2023. Viewing Windows Autopilot devices within Intune might not work as expected if attempting to filter results. While this issue is being worked on, a workaround is to use Microsoft Graph API to properly query and filter necessary devices.
- TPM attestation isn't working on some platforms with Infineon SLB9672 discrete TPMs
Date added: June 2, 2023. Platforms with the Infineon SLB9672 TPM with firmware release 15.22 with EK certificate might fail with error message "Something happened, and TPM attestation timed out." To resolve this issue, contact the OEM for an update.
- Kiosk device profile not auto logging in
Date added: January 30, 2023. Date updated: August 21, 2024, December 15, 2025. There was a known issue in the following Windows Updates released in January 2023: If these updates are installed on a device, Kiosk device profiles that have auto logon enabled won't auto log on. After Windows Autopilot compl
- TPM attestation isn't working on AMD platforms with ASP fTPM
Date added: December 1, 2022. TPM attestation for AMD platforms with ASP firmware TPM might fail with error code 0x80070490 on Windows systems. This issue is resolved on later versions of AMD firmware. Consult with device manufacturers and firmware release notes for which firmware versions contain the
- TPM attestation failure with error code 0x81039001
Date added: October 6, 2022. Some devices might intermittently fail TPM attestation during Windows Autopilot pre-provisioning technician flow or self-deployment mode with the error code 0x81039001 E_AUTOPILOT_CLIENT_TPM_MAX_ATTESTATION_RETRY_EXCEEDED. This failure occurs during the Securing your hardwar
- Windows Autopilot deployment report shows "failure" status on a successful deployment
Date added: September 22, 2022. The Windows Autopilot deployment report (preview) shows a failed status for any device that experiences an initial deployment failure. For subsequent deployment attempts, using the Try again or Continue to desktop options, the deployment state in the report doesn't update.
Defender XDR Known Issues
- I don't see Microsoft Defender XDR content
If you don't see capabilities on the navigation pane such as the Incidents, Action center, or Hunting in your portal, you need to verify that your tenant has the appropriate licenses. For more information, see Prerequisites.
- Microsoft Defender for Identity alerts are not showing up in the Microsoft Defender XDR incidents
If you have Microsoft Defender for Identity deployed in your environment but you're not seeing Defender for Identity alerts as part of Microsoft Defender XDR incidents, you need to ensure that the Microsoft Defender for Cloud Apps and Defender for Identity integration is enabled. For more informatio
- My legitimate file/URL is being detected as malicious
A false positive is a file or URL that is detected as malicious but isn't a threat. You can create indicators and define exclusions to unblock and allow certain files/URLs. See Address false positives/negatives in Defender for Endpoint.
- My ServiceNow tickets are no longer available in the Microsoft Defender portal
The Microsoft Defender XDR-ServiceNow connector is no longer available in the Microsoft Defender portal. However, you can still integrate Microsoft Defender XDR with ServiceNow by using the Microsoft Security Graph API. For more information, see Security solution integrations using the Microsoft Grap
- I can't submit files
In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the Microsoft Security intelligence website for analysis. The following process shows how to resolve this problem.
Purview Known Issues
- Browser issues
To learn about browser issues that might affect use of data governance solutions, see these resources: If you need further assistance, contact Microsoft support.
- Unified Catalog management issues
- Discovery issues
- Health management issues
Entra ID Known Issues
- Cross-tenant synchronization
- Unsupported synchronization scenarios
- Updating Exchange attributes such as proxyAddresses and HiddenFromAddressListEnabled
Cross-tenant synchronization can manage user properties in Entra. It does not directly manage Exchange attributes. For example:
- SMS sign-in enabled users are skipped
An external user from the source (home) tenant can't be provisioned into another tenant. Internal guest users from the source tenant can't be provisioned into another tenant. Only internal member users from the source tenant can be provisioned into the target tenant. For more information, see Propert
- Updating the showInAddressList property fails
For existing B2B collaboration users, the showInAddressList attribute is updated as long as the B2B collaboration user doesn't have a mailbox enabled in the target tenant. If the mailbox is enabled in the target tenant, use the Set-MailUser PowerShell cmdlet to set the HiddenFromAddressListsEnabled pr
- Mail attribute is not updated
If the user in the target tenant is assigned an Exchange license, cross-tenant synchronization will not be able to update the mail attribute. To work around this, remove the Exchange license for the user, update the mail attribute, and assign the license to the user again.
- Configuring synchronization from target tenant
Configuring synchronization from the target tenant isn't supported. All configurations must be done in the source tenant. The target administrator is able to turn off cross-tenant synchronization at any time.
- Two users in the source tenant matched with the same user in the target tenant
When two users in the source tenant have the same mail, and they both need to be created in the target tenant, one user is created in the target and linked to the two users in the source. Ensure that the mail attribute is not shared among users in the source tenant. In addition, please ensure that t
- Usage of Microsoft Entra B2B collaboration for cross-tenant access
- Authorization
On configuring provisioning for the first time, you'll notice that the provisioning mode has switched from manual to automatic. You can't change it back to manual. But you can turn off provisioning through the UI. Turning off provisioning in the UI effectively does the same as setting the dropdown t
- Attribute mappings
The attributes SamAccountName and userType aren't available as source attributes. You can instead use a directory extension attribute as a workaround. To learn more, see Missing source attribute. Extensions to your schema can sometimes be missing from the source attribute dropdown in the UI. Go into the
- Service issues
The time between provisioning cycles is currently not configurable. The app provisioning service isn't aware of changes made in external apps. So, no action is taken to roll back. The app provisioning service relies on changes made in Microsoft Entra ID. After you change scope from Sync All to Sync Assi
- On-premises application provisioning
This is a current list of known limitations with the Microsoft Entra ECMA Connector Host and on-premises application provisioning.
- SQL Connector connectivity
The SQL Connector expects the DSN file to be encoded in UTF-8. Other encodings might not be read correctly and result in the error "Data source name not found and no default driver specified."
- Application and directories
The following applications and directories aren't yet supported. By using on-premises provisioning, you can take a user already in Microsoft Entra ID and provision them into a third-party application. You can't bring a user into the directory from a third-party application. Customers will need to re
- Attributes and objects
The following attributes and objects aren't supported: The Microsoft Entra ECMA Connector Host currently requires either an SSL certificate to be trusted by Azure or the provisioning agent to be used. The certificate subject must match the host name the Microsoft Entra ECMA Connector Host is install
