This article provides guidance for troubleshooting common problems with email profiles in Microsoft Intune.
Users are repeatedly prompted to enter their password
Users are repeatedly prompted to enter their password for the email profile. If certificates are used to authenticate and authorize the user, check the assignments of all certificate profiles. Typically, these certificate profiles are assigned to user groups, not device groups. If one of the certificate profiles is not targeted at a user, Intune keeps retrying to deploy the email profile.
If the email profile chain is assigned to user groups, make sure your certificate profiles are also assigned to user groups.
Profiles deployed to device groups show errors and latency
Email profiles are typically assigned to groups of users. There may be some cases where they are assigned to device groups.
For example, you want to deploy a certificate-based email profile only to Surface devices, not desktops. In this scenario, device groups might make sense. Be aware that these devices may show as unsupported, may return errors, and may not get your email profiles right away.
In this example, you create the email profile and assign the profile to device groups. The device reboots and there is a delay before a user signs in. During this delay, your PKCS certificate profile, which is assigned to user groups, is deployed. Because there is no user yet, the PKCS certificate profile makes the device noncompliant. The Event Viewer can also show errors on the device.
To become compliant, the user signs in to the device and syncs with Intune to receive the policies. Users can resync manually or wait for the next sync.
For example, you are using dynamic groups. If Azure AD doesn't update dynamic groups immediately, these devices may show as unsupported.
In these scenarios, you decide whether it is more important to use device groups or more important to show all policies as compliant.
The device already has an email profile installed
If users create an email profile before enrolling in Intune or Microsoft 365 MDM, the Intune-deployed email profile may not work as expected:
iOS/iPadOS – Intune detects an existing duplicate email profile based on the hostname and email address. The email profile created by the user blocks the deployment of the profile created by Intune. This scenario is a common problem because iOS/iPadOS users normally create an email profile and then enroll. The Company Portal app indicates that the user is out of compliance and may prompt the user to delete the email profile.
The user must delete their email profile so that the Intune profile can be deployed. To work around this issue, tell your users to enroll and let Intune deploy the email profile. Users can then create their own email profile.
Windows – Intune detects an existing duplicate email profile based on hostname and email address. Intune overwrites the existing email profile created by the user.
Samsung Knox Standard – Intune identifies a duplicate email account based on the email address and overwrites it with the Intune profile. If the user sets up that account, the Intune profile overwrites it again. This behavior may cause some confusion for the user whose account settings are overwritten.
Samsung Knox does not use the hostname to identify the profile. We recommend that you do not create multiple email profiles to deploy to the same email address on different hosts, as they overwrite each other.
Error 0x87d1fde8 for Knox Standard device
After you create and deploy an Exchange ActiveSync email profile for Samsung Knox Standard to different Android devices, the error 0x87d1fde8 or fix error appears in the device properties > policy tab.
Review your EAS profile settings for Samsung Knox and the origin policy. The Samsung note sync option is no longer supported, and that option should not be selected in your profile. Make sure devices have enough time to process the policy, up to 24 hours.
Cannot send images from email account
Users who have automatically configured email accounts cannot send photos or images from their devices. This scenario can occur if Allow emails to be sent from third-party apps is not enabled.
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Devices > Configuration profiles.
- Select your email profile > Properties > Settings.
- Set the Allow emails to be sent from third-party apps setting to Enable.