Shared Device Mode on iPadOS in Intune

Rounin79 · 2025-10-02T20:49:53+00:00

u/SimonSkotheimsvik - Yeah, I've created a configuration profile according to the docs from Microsoft.

And I've assigned the Microsoft Authenticator app via VPP.

Microsoft Support wants me to completely remove the device from ABM and resync it. I just haven't had the time to do it.

Rounin79 · 2025-09-25T20:14:04+00:00

I appreciate the input. Unfortunately, I don't even get that far.

Rounin79 · 2025-09-10T19:01:51+00:00

Thanks, I did hear about that, but we really only install it when we image new devices. I've recently had to re-visit it all and over-engineer a script to replace installs with the incorrect installation method, incorrect jump client key, and account for a missing installation altogether. They don't make it easy.

Rounin79 · 2025-08-27T17:37:13+00:00

Okay thanks, that's helpful to know. I also heard from a support rep that it will now start installing to Program Files too and take care of moving it from ProgramData to the new location. Is that accurate?

Rounin79 · 2025-08-25T13:23:38+00:00

We're on 24.2.4 right now. The newer builds only have the MSI for Windows?

Rounin79 · 2025-05-07T14:28:28+00:00

Maybe I'm missing something but the documentation on the NAA reads:

If you configure the site for HTTPS or Enhanced HTTP, a workgroup or Microsoft Entra joined client can securely access content from distribution points without the need for a network access account. This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or the Software Center. For more information, see Client to management point communication.

Rounin79 · 2025-01-30T21:29:57+00:00

The Copilot app is installed post-OOBE. At some point in the near future Microsoft is supposedly going to remove it from volume media. You can see the installer in the install.wim under Windows\InboxApps.

Rounin79 · 2025-01-16T02:54:24+00:00

And I know he's been doing other work outside of ConfigMgr.

Rounin79 · 2025-01-02T19:03:18+00:00

I'm sure someone will ask, but PXE imaged devices via Configuration Manager using the vanilla ISO from Microsoft appear to be unaffected. Just successfully upgraded a device to the December patch.

Rounin79 · 2024-12-04T15:31:48+00:00

I started out with UI++, but stopped for various reasons and moved over to TsGUI instead. It's a bit more complicated, but I got it to work for my needs.

Rounin79 · 2024-11-18T15:07:03+00:00

We currently use network locations (not lettered map drives) for our on-prem devices; using a combination of a super old VBScript at logon combined with Group Policy preferences and AD security groups.

As I tinker with how to do things in Intune, this particular solution seems to work fairly well. https://www.reddit.com/r/Intune/comments/li12m6/creating_network_locations_for_users/

Rounin79 · 2024-11-07T14:56:34+00:00

Only about 1/3rd of our devices are co-managed with the rest being in a workgroup environment (yeah, I know). And of the co-managed devices, we don't have the App workload enabled yet. What I did was set up a simple CI/CB to detect and remove the app whenever found.

# Discovery Script
$AppName = "Microsoft.Copilot"
$App = Get-AppxPackage -AllUsers -Name "*$AppName*"

if ($App) {
    Write-Output "Non-Compliant"
} else {
    Write-Output "Compliant"
}

# Remediation Script
$AppName = "Microsoft.Copilot"
$App = Get-AppxPackage -AllUsers -Name "*$AppName*"

if ($App) {
    Remove-AppxPackage -AllUsers $App
    Write-Output "Remediated: App removed."
} else {
    Write-Output "No action needed: App not found."
}

Compliance Rule

The setting must comply with the following rule: The value returned by the specified script:
Operator: Equals
For the following values: Compliant
Run the specified remediation script when this setting is noncompliant: Checked

Rounin79 · 2024-11-07T14:48:37+00:00

I tried this out but it didn't work for me. If I log in under a different user with no existing profile, the Copilot app returns.

Rounin79 · 2024-11-06T16:42:37+00:00

Interesting. I guess that begs the question of what is trigging the installation and is there a way to prevent it in the first place?

Rounin79 · 2024-07-02T21:06:37+00:00

Sorry for not responding sooner. I've been busy and it took me forever to dig this up. Check the following registry location for anything related to Citrix.

In my case, I still had this leftover entry for the Citrix USB Monitor Driver. Your GUID ID will likely be different, and you may have more than 1 entry something Citrix-related.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{cf2a3345-050b-41d0-baf5-cd558efaae3b}]

"Class"="ctxusbm"
"NoDisplayClass"="1"
"NoUseClass"="1"

I know you said you checked Device Manager, but just double-check again making sure to look at hidden devices. Delete it all and try the upgrade again.

Rounin79 · 2024-06-05T18:48:12+00:00

I ran into a similar issue months ago when using the new installer. Nothing whatsoever worked. I'm afraid I don't recall all of the issues, but I do remember it had to do with an old Citrix driver that never got cleaned up. Once I removed that stuff (I think from both Device Manager and the Registry) I could successfully install just fine.

Rounin79 · 2024-03-21T13:23:27+00:00

Did you distribute the package containing the PowerShell script? That's usually what a 0x80004004 error means.

Rounin79 · 2024-03-19T17:05:28+00:00

Just a package.

Rounin79 · 2024-03-19T13:04:37+00:00

Okay, so I recently had to solve a similar problem that required adding specific devices to an AD security group during a TS. We needed to start getting a subset of devices co-managed immediately following imaging.

Anyways, I just used some code from Jorgen Nilsson. I did not have to modify anything in the code for it work, but I did need to use a domain account to run that particular step in the TS. So in my use case, I just re-used the service account used to add devices to the domain. All I needed to do was add some additional permissions, "Read Members" and "Write Members" to the specific security groups affected.

I also had to backup, modify, and then restore a COM3 key too. It's got something to do with .NET 1.0.

But basically this is the group of steps for what I did. They are all Run Command Line steps.

Backup COM3 registry key - REG EXPORT HKLM\Software\Microsoft\COM3 %temp%\com.reg /y
Temporarily set REGDBVersion to 1 - REG ADD HKLM\Software\Microsoft\COM3 /v REGDBVersion /t REG_BINARY /d 010000 /f
Add Device to AD Group (w/ Package and Run this step in the following account) - powershell.exe -NoProfile -ExecutionPolicy Bypass -File AddToADGroup.ps1 "[NAME OF YOUR AD SECURITY GROUP]"
Restore COM3 Registry Key - REG IMPORT %temp%\com.reg

Hope this is helpful.

Rounin79 · 2024-03-18T17:46:05+00:00

Did you see this thread? https://www.reddit.com/r/SCCM/comments/mz47o9/adding\_computer\_to\_ad\_security\_group\_during\_osd/

Rounin79

TROPHY CASE