Time Zone configuration profiles and policies
Hello, I'm trying to find out the way to control "automatic time zone change" option to allow users to turn it off or on. On the Intune side there is a configuration profile using OMA-URI settings ("./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeTimeZone" with string "LOCAL SERVICEAdministratorsUsers"). This one controls whether user can change the Time Zone manually in the Control Panel (the old school way) and it also reflects in the Settings when the "Set time zone automatically" is turned off however we have some users that have this option greyed out and I have not found a way how to change this from the Intune side. Users are normally standard users and they do not have administrative rights by default but they should be able to change some of the settings when they invoke "elevation mode" eg in the 1st picture below if I would switch "Set time zone automatically" on I would be presented with authentication dialog and after authentication the setting would turn on. 1st case - user can change the "set time zone automatically" option on/off but is not in the group that is allowed to manually change the time zone hence it does not even show the time zone choices (this reflects the configuration profile mentioned above) 2nd case - user can change the "set time zone automatically" option on/off and is in the group that is allowed to manually change the time zone => shows additional options Time Zone and DST. 3rd case - user can not change the "set time zone automatically" option at all means can't change the TZ or DST in Settings, but is able to change time zone via Control Panel (see below) And the question for the million $$$ 🙂 is if or where is the option / configuration that makes the "Set time zone automatically" greyed out. Any ideas? Thanks
How is your company managing driver updates via Intune?
Hey folks, I’m currently reviewing our driver update strategy for Windows 11 devices managed via Intune. As you probably know, using Windows Update for Business (WUfB) gives us two main options for driver updates: Automatically allow drivers via WUfB Manually approve drivers via Intune + Windows Update for Business deployment service (WUfB-DS) Each approach has its own pros and cons: Automatic driver updates are great for keeping everything up to date with minimal effort, but they come with risks. We’ve seen networking components randomly break after an update, or newer GPU drivers triggering application compatibility issues. Definitely not zero-risk. Manual approval, on the other hand, gives you control and helps avoid surprises, but it also introduces operational overhead: identifying needed drivers, testing, scheduling approvals, and communicating with users — all of that takes time and effort. We’re debating internally whether the automation risk is worth the convenience, or if the manual path is the only safe option in an enterprise setting. So I’m curious: How is your company handling this? Are you letting Windows install driver updates automatically? Or are you manually controlling which drivers get deployed — and if so, how are you handling the process and workload? Would love to hear your thoughts, especially if you’ve found a good balance or process that works well in production! Thanks in advance!We’re running into an Intune issue where a Win32 app with a dependency sits at "Download Pending"
Setup: Main App: Installs in User Context Dependency: Installs in System Context Dependency Detection: Hosts file modification detection script Direct file detection does NOT work either When the hosts file modification is present (detection is met), detection works, and everything installs fine manually The Problem: If detection passes (exit 0) → Everything installs fine. If detection fails (exit 1) → Intune never moves forward, just stays at "Download Pending" indefinitely. Happens with both file-based detection and script-based detection. Dependency app as well at parent app install fine via Intune on their own as well as manual testing. What We Need to Know: Does Intune get stuck in "Download Pending" instead of moving forward when dependency detection fails? Could the install context mismatch (dependency in SYSTEM, main app in USER) be causing this? Myth or fact? Does Intune break the install process if a dependency app is in system context and the parent app is in user context? Again, both apps work fine independent of each other. Thanks for any help!
Subject: Best Practices for Aligning UPNs in Hybrid Entra ID + Intune Environment
Hello, I’m seeking guidance on best practices for aligning user identities in a hybrid Microsoft 365 environment, particularly regarding UPN consistency and device enrollment into Intune. Environment Overview: Client is using a hybrid Azure AD join setup via Entra ID Connect (formerly Azure AD Connect). Devices are domain-joined and enrolled into Microsoft Intune via Group Policy (GPO). Entra ID Connect sync is active with write-back where appropriate. On-premises UPN format: [email protected] (or .xxx) Entra ID / M365 UPN format: email address removed for privacy reasons (e.g., routable custom domain) Issue: Devices are intermittently failing to enroll into Intune or are not showing up as compliant/joined. Manually updating the on-premises UPN to match the Entra ID UPN (email address removed for privacy reasons) seems to resolve the issue, but this is not yet standardized across the org. It's unclear whether this mismatch is breaking hybrid join and/or interfering with automatic MDM enrollment via GPO. Questions: What is Microsoft’s current best practice regarding UPN alignment between on-prem AD and Entra ID in a hybrid environment? Is it mandatory or strongly recommended to match the on-prem UPN to the Entra UPN (especially when using automatic Intune enrollment)? Could this mismatch be contributing to MDM enrollment issues, and if so, what is the correct process to fix it in bulk? Are there any known caveats or dependencies when changing the UPN on-prem (e.g., impact on Outlook profiles, cached credentials, etc.)? Is there a supported or recommended PowerShell method to audit and align UPNs safely? Goal: We're aiming for consistent, reliable hybrid Entra join with automatic Intune enrollment and minimal end-user disruption. Any insight or guidance is appreciated, especially if there’s documentation or field experience to support it.Set Edge as the default browser on Android
Is it possible to use Intune to set Edge as the default browser app for an Android fully managed device? We have an app that goes through an SSO process and uses the default browser for that. The SSO process will fail if the default browser is set to Chrome, but will work when the default browser is set to Edge. The "Restrict web content transfer with other apps" setting doesn't seem to help in this instance. Any suggestions would be appreciated & thanks in advance.GRAPH - Add/remove user to distribution list
Good evening, for about a week, through a small program that uses graph api, the addition / removal of users from distribution lists no longer works; do you have any idea why? I have many processes that use graph api and they never gave me problems; we thought it was a temporary problem, but after a week it still doesn't work (attached the error)Uninstalling printer queues
Hello, We are going to migrate from shared printers on a server to a new system. We need to delete all the printer queues which are \\server\printer01/02/03.... I tried using remediation script with no luck. Here is the detection part : # Recherche des imprimantes correspondant aux motifs IM?? ou CANON_* $printers = Get-Printer | Where-Object { $_.Name -like '\\server\IM*' -or $_.Name -like '\\server\CANON_*' } if ($printers) { #Write-Output "Imprimantes détectées :" #$printers | ForEach-Object { Write-Output $_.Name } exit 1 # Code de sortie 1 = imprimantes trouvées } else { #Write-Output "Aucune imprimante correspondante trouvée." exit 0 # Code de sortie 0 = aucune imprimante trouvée } and here is the remediation part : # Supprimer les imprimantes contenant "IM" ou commençant par "CANON_" $printersToRemove = Get-Printer | Where-Object { $_.Name -like '\\server\IM*' -or $_.Name -like '\\server\CANON_*' } foreach ($printer in $printersToRemove) { try { Remove-Printer -Name $printer.Name -ErrorAction Stop # Write-Output "Imprimante supprimée : $($printer.Name)" } catch { Write-Output "Erreur lors de la suppression de : $($printer.Name) - $_" } } And the settings : SettingsDetection script YesRemediation script YesRun this script using the logged-on credentials YesEnforce script signature check NoRun script in 64-bit PowerShell No If I test the scripts locally, it works. Any ideas? ThanksFeature Upgrade W11 24H2 not pushing why?
Hi, community i create a feature upgrade to 24H2 who is Rollout immediate start,i have computer who are already either in 21H2/22H2/23H2, and also W10 who are W11 readiness. I dont understand why some are passing a lot of others are still stuck in there build. last thing that i want it's to do a in place upgrade. Is there someone in the community who have the same issue and any solution that i can push for my hundreds of laptop who are stuck. thank you so much for your help it will be a lot :)Deploying Script as Win32 App
Hi all, I created a script that is supposed to check if a certain app was installed from a managed installer, then create a file in the C:\Temp folder if it was installed from a managed installer. I would deploy this as a Win32 app so that I could use the detection rules in the Win32 App deployment to check which device was installed via a managed installer. However, it doesn't seem to work. I created a transcript log as well to check if I would get an output from the variables, but it seems to only run the else block in the If Statement. We use a Business Premium license, so I don't access to Enterprise license capabilities like proactive remediation scripts. It is run using the System credentials, I've tested the script locally which works. Thank you, I've included some images of the script and transcript log. Script: Transcript Log Output:
