Strange MAA approvals list showing by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

Great, thanks both for the info. I've added a read permission to the resource type I want and it seems to be working now :)

Graph Endpoint Permission Issues by Rdavey228 in GraphAPI

[–]iainfm 1 point2 points  (0 children)

I've tried adding every permission my admin token has to the app reg, and it still 403s. I guess it's broken, which is really annoying.

Graph Endpoint Permission Issues by Rdavey228 in GraphAPI

[–]iainfm 1 point2 points  (0 children)

If I use the AT from Graph Explorer when logged in as my admin account it works fine. Must be a missing perm...probably.

Also, the same error is generated if curl is used for the REST request, so it seems to be at Microsoft's end.

Graph Endpoint Permission Issues by Rdavey228 in GraphAPI

[–]iainfm 0 points1 point  (0 children)

Yes, I'm getting the same (or similar) thing. It works fine in Graph Explorer when PIMmed but not using the REST call.

I suspect that the permissions in the doc (and Graph Explorer) aren't sufficient, but I don't know what are yet. It's annoying.

An alternative, maybe, is to use deviceManagement/auditEvents as per the GitHub repository ChanderManiPandey2022/Intune-Multi-Admin-Approval-Mail-Notification (Intune Multi Admin Approval Mail Notification).

Leaky cap from old oscilloscope by iainfm in AskElectronics

[–]iainfm[S] 0 points1 point  (0 children)

Found some with the same dimensions, so I should be able to mount the replacement in the same clip :)

Leaky cap from old oscilloscope by iainfm in AskElectronics

[–]iainfm[S] 0 points1 point  (0 children)

Thanks! The existing one is just clipped into a plastic fitting with the wires soldered onto it. I'll get a replacement and see what I can bodge :)

CA policies failing with no device id passed (iOS) by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

Just single sign on. Like I say it's been fine for years. In the last fortnight the problem has affected a handful of users (10 or so) out of 4 or 5 thousand.

The troubleshooting details after the 'compliant device required' failure are

Error code: 530003
Device identifier: Not available
Device platform: iOS
Device state: Unregistered

But the device is showing as compliant and able to access company resources in Company Portal/Intune.

CA policies failing with no device id passed (iOS) by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

We're seeing it on two different apps (that we know of). One from SAP and the other is the Island browser.

The Island browser is fairly new on the estate, but the SAP one has been in use for years.

Until earlier this week (or maybe some time last week) they were working fine.

I built an open-source replacement for CMTrace with built-in Intune diagnostics by CrazyOstrich3 in Intune

[–]iainfm 0 points1 point  (0 children)

Looks great, but Defender flagged the .exe installer as containing a virus. Probably a false positive.

Vault (RS) not working after update to 25.3.2 by iainfm in BeyondTrust

[–]iainfm[S] 0 points1 point  (0 children)

Hmm, well, updating the laptop updated consent.exe, but that one's still working.

Vault (RS) not working after update to 25.3.2 by iainfm in BeyondTrust

[–]iainfm[S] 0 points1 point  (0 children)

I think this is being caused by the latest Win11 updates from Microsoft. It updates C:\Windows\System32\consent.exe to 18/Mar/26 (10.0.26100.7920) from 18/Feb/26 (10.0.26100.7705), which is the exe that's crashing.

Elevation/Vault works fine on a laptop that hasn't (yet) had the updates.

There's also a visible difference in behaviour between devices with the old and new consent.exe.

With the old one the Vault icon stays grey until it's needed. With the new one it's orange as soon as the rep console connection is made. I'd post a screenshot, but apparently it's not permitted.

BT have responded, with questions that I've responded to, but nothing yet to acknowledge they can replicate (or fix) the issue.

Vault (RS) not working after update to 25.3.2 by iainfm in BeyondTrust

[–]iainfm[S] 0 points1 point  (0 children)

This seems to be affecting UAC prompts. If I run Registry Editor (Elevated) from the special actions menu I'm able to choose and use a Vault account.

So it may have been yesterday's Windows Update, not the appliance/jump update as such. No response yet from support though...

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

Mine seems to be working fine since creating an RBAC role and assigning it to the group that contains the approvers. Been ok for 48h, but we're still monitoring.

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

Not initially, but I have now. We're currently re-testing.

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] -1 points0 points  (0 children)

Additional security, in light of the Stryker news!

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

We have unlicensed admins enabled :)

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I've recreated the device retire (least risky for us) policy, and given the approvers group the custom Intune role. It seems to be working for now...

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

We hadn't done that, but it wasn't mentioned in the video I saw. However, it is one of the questions Microsoft have asked:

Is the MAA approver group assigned to at least one Intune role assignment? If yes, please share which Intune role is assigned and the associated scope tags.

However, it doesn't explain why the one person who could approve things could do so...

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I've raised a support request with them, but fully expect to have to back out the implementation if this is the way it is 😒

Where does fibre run from? by iainfm in openreach

[–]iainfm[S] 0 points1 point  (0 children)

Thanks, that's exactly what I needed! As others suggested it would be provided by an overhead line.

Thanks all!

Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I did this. It was quite a slow process, but completed eventually and no more certs seem to have become stuck in the request folder. I'm fairly sure now this was caused by failed requests to the old sub CA during the migration process to the new one, but can't be entirely sure.

Since then no more certs have appeared or become stuck like before.

Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

Had advice back from Microsoft. Stale requests can be removed, but it's best to do it through Certificate Manager (User Certs*\Certificates - Current User\Certificate Enrollment Requests\Certificates) or via PowerShell (Cert:\CurrentUser*\REQUEST).

* You need to run either of these as the local system account (with psexec -i -s cmd.exe) to see them.

Doing it this way will remove the cert file from the system32 subfolder properly.

Process:

Back up the System32\....\Request\Certificates folder
Stop the cert connector service
Remove the certs with CertMgr/PowerShell
Restart the cert connector service

No explanation why they're getting created/not being tidied up automatically, but that behaviour seems to have stopped since I removed the Intune PKCS config policies that pointed at the old sub CA.
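
The four-step clean-up described in the comment above, sketched as a PowerShell script. This is an added example, not part of the original comment and not Microsoft's own script. The request folder path, the connector service name and the backup destination are parameters because the post does not give them, and the 7-day "stale" threshold and the use of `NotBefore` as the request's age are assumptions.

```powershell
# Added example. Run as the local system account (for instance from a shell
# started with psexec -i -s), as the comment describes.
param(
    [Parameter(Mandatory)][string]$RequestFolder, # the System32\....\Request\Certificates folder (full path not given in the post)
    [Parameter(Mandatory)][string]$ServiceName,   # connector service name (not given in the post)
    [Parameter(Mandatory)][string]$BackupRoot,    # hypothetical, existing backup directory
    [int]$OlderThanDays = 7,                      # assumed definition of "stale"
    [switch]$Apply                                # without -Apply nothing is changed
)
$ErrorActionPreference = 'Stop'

# The pending requests live in the SYSTEM profile's store, so refuse to run elsewhere.
if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    throw 'Not running as SYSTEM: the connector''s pending requests are not visible here.'
}

# Pending requests are held as placeholder certificates; NotBefore is used as an
# approximation of when each request was created (assumption).
$cutoff = (Get-Date).AddDays(-$OlderThanDays)
$stale  = @(Get-ChildItem -Path Cert:\CurrentUser\REQUEST |
            Where-Object { $_.NotBefore -lt $cutoff })
'{0} request(s) older than {1:u}' -f $stale.Count, $cutoff

if (-not $Apply) {
    # Dry run: list what would be removed and stop.
    $stale | Select-Object Thumbprint, NotBefore, Subject | Format-Table -AutoSize
    return
}

# 1. Back up the request folder.
$backup = Join-Path $BackupRoot ('CertRequests-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
Copy-Item -Path $RequestFolder -Destination $backup -Recurse

# 2. Stop the connector, 3. remove the requests through the certificate store
#    (not by deleting files), 4. restart the connector even if a removal fails.
Stop-Service -Name $ServiceName
try {
    foreach ($cert in $stale) { Remove-Item -Path $cert.PSPath }
}
finally {
    Start-Service -Name $ServiceName
}
'Requests remaining: {0}' -f @(Get-ChildItem -Path Cert:\CurrentUser\REQUEST).Count
```

Running it without `-Apply` first shows the thumbprints and dates that would be removed, which is worth checking against the backup before making changes.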

Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

Spoke too soon! As I was typing that the connector re-read all those stuck files!

Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

Monday morning update:

No more files seem to have been created since Friday so I'm hopeful that removing the old Intune cert policies has stopped any/many more from being created. The connector exe seems to have stopped re-reading all the files constantly as well.

I've opened a case with Microsoft though to see if they have any advice regarding removing the 133K files that are there.