Known issues in Microsoft Intune

Use this article to learn about any known issues in Microsoft Intune.

If you want to report a bug that isn't listed here, open a support request.

If you want to request a new feature for Intune, consider filing a Microsoft Intune Feedback report.


Export Azure classic portal compliance policies to recreate these policies in the Intune Azure portal

Compliance policies created in the Azure classic portal will be deprecated. You can review and delete any existing compliance policies, however you can't update them. If you need to migrate any compliance policies to the current Intune Azure portal, you can export the policies as a comma-separated file (.csv file). Then, use the details in the file to recreate these policies in the Intune Azure portal.


When the Azure classic portal retires, you will no longer be able to access or view your compliance policies. Therefore, be sure to export your policies and recreate them in the Azure portal before the Azure classic portal retires.

Intune legacy PC client features are only available in the Silverlight console

The ability to manage Windows 10 in the Intune on Azure portal is available via Windows MDM enrollment. For more information, see Intune on Azure console and legacy Intune PC Client.

Groups created by Intune during migration might affect functionality of other Microsoft products

When you migrate from Intune to the Azure portal, you might see a new group named All Users - b0b08746-4dbe-4a37-9adf-9e7652c0b421. This group contains all users in your Azure Active Directory, not only Intune licensed users. This usage can cause issues with other Microsoft products if you expect some existing or new users to not be a member of any groups.

Status blades for migrated policies don't work

You cannot view status information for policies that were migrated from the Azure classic portal in the Azure portal. However, you can continue to view reports for these policies in the classic portal. To view status information for migrated configuration policies, recreate them in the Azure portal.


Multiple app install prompts for certain VPP apps

You may see multiple app install prompts for certain VPP apps, which are already installed on end user devices. This issue occurs if you have the Automatic app updates option set to On for the VPP token that you have uploaded to the Intune Azure portal.

To work around this issue, you can disable the Automatic app updates option for the VPP token. To do this, in the Azure portal open Microsoft Intune. From Intune, select Client apps > iOS VPP tokens. Next, select the VPP Token which has deployed the affected app and select Edit > Automatic app updates > Off > Save. Alternatively, you can stop the deployment of the affected app as a VPP app, which will stop the prompts.

This is a known issue in the current release. We have an upcoming fix that will resolve this issue. When the fix is implemented, your users will no longer see multiple app install prompts.

iOS volume-purchased apps only available in default Intune tenant language

iOS volume-purchased apps are displayed, and can be assigned only for the same country code as your Intune account. Intune only syncs apps from the same iTunes locale as the Intune tenant account country code. For example, if you purchase an app only available in a U.S. store, but your Intune account is German, Intune does not show that app.

Multiple copies of the same iOS volume-purchase program are uploaded

Do not click the Upload button multiple times for the same VPP token. This will result in duplicate VPP tokens being uploaded, and apps syncing multiple times for the same VPP token.

Some Managed Browser traffic not routed through Azure App Proxy

There is a known issue with the Managed Browser and App Proxy integration where certain tertiary traffic (like javascript or AJAX calls) are not routed through the Azure App Proxy. This is a known issue in the current release.

Device configuration

You cannot save a Windows Information Protection policy for some devices

For devices not enrolled with Intune, you can only specify a primary domain in the Corporate Identify field in the settings for a Windows Information Protection policy. If you add additional domains (using Advanced settings > Network perimeter > Add a protected domain), you cannot save the policy. The error message you see will soon be changed to be more accurate.

Cisco AnyConnect and Cisco Legacy AnyConnect VPN client support - iOS

On iOS devices, network access control (NAC) integration does not work with the new Cisco AnyConnect client. We are working with Cisco to provide NAC integration.

Create VPN profiles in Intune provides more details on the Cisco AnyConnect and Cisco Legacy AnyConnect clients.

Using the numeric password type with macOS Sierra devices

Currently, if you select the Numeric Required password type in a device restriction profile for macOS Sierra devices, it is enforced as Alphanumeric. If you want to use a numeric password with these devices, do not configure this setting. This issue might be corrected in a future version of macOS.

For more information about these settings, see macOS device restriction settings in Microsoft Intune.


Compliance policies from Intune do not show up in new console

Compliance policies you created in the classic portal are migrated, but are not displayed in the Azure portal because of design changes in the Azure portal. Compliance policies you created in the Intune classic portal are still enforced, but you must view and edit them in the classic portal.

Additionally, new compliance policies you create in the Azure portal are not visible in the classic portal.

For more information, see What is device compliance.

Conditional access

Conditional access settings from Intune do not show up in new console

After your tenant has been migrated to the Azure portal, your conditional access settings will continue to be applied; however, they will not appear in the Azure Intune portal.

If you would like to view and manage those settings in the Azure portal, you will need to remove the old settings from the classic portal and recreate them in the Azure portal.

For more information see Best practices for conditional access in Azure Active Directory.

Data protection

iOS app protection policies

You can define app protection policies for iOS that are available for users on devices managed through mobile app management (MAM) without enrollment. Due to a temporary error, you can only define these policies for iOS versions with a single decimal point version rather than multiple decimal points. Instead of setting a minimum version of iOS 10.3.1, you set it for iOS 10.3. This will be resolved with a forthcoming update to the iOS SDK.

Administration and accounts

Global Admins (also referred to as Tenant Admins) can continue day-to-day administration tasks without a separate Intune or Enterprise Mobility Suite (EMS) license. However, to use the service, such as to enroll their own device, a corporate device, or use the Intune Company Portal, they need an Intune or EMS license.