@undone37
Created May 7, 2026 09:40
Fix Intune Portal for Linux 4kv4v Error

Login to Intune Portal fails on KDE Plasma with a Misconfiguration(0) error and a [4kv4v] code in the Microsoft auth window. The same machine, same user and same tenant work under GNOME; the only difference is XDG_SESSION_DESKTOP.

The root cause: Intune Portal needs the freedesktop Secret portal (org.freedesktop.impl.portal.Secret) to store auth tokens. gnome-keyring implements the Secret portal backend - KWallet does not. So on a pure KDE box the lookup fails before the registration prompt is even shown, which is why you can't proceed past login. That's also why gnome-desktop-minimal "fixes" it: it pulls in gnome-keyring and xdg-desktop-portal-gtk as dependencies.

Minimal fix (no GNOME desktop)

Three things on top of plain KDE:

1. Install the keyring and the GTK portal backend:

sudo apt install gnome-keyring xdg-desktop-portal-gtk libsecret-1-0

2. Tell xdg-desktop-portal on KDE to use gnome-keyring for the Secret interface:

sudo install -d -m 0755 /etc/xdg/xdg-desktop-portal
sudo tee /etc/xdg/xdg-desktop-portal/kde-portals.conf >/dev/null <<'EOF'
[preferred]
default=kde
org.freedesktop.impl.portal.Secret=gnome-keyring
EOF

3. Make sure gnome-keyring-daemon actually starts in your KDE session. SDDM-based distributions usually pick up the PAM bits automatically once gnome-keyring is installed, but you should log out/in (or reboot) after step 1 so PAM re-evaluates. To verify after re-login:

systemctl --user status gnome-keyring-daemon || pgrep -a gnome-keyring
busctl --user list | grep -i secret      # should show org.freedesktop.secrets

If org.freedesktop.secrets is owned, you're good.

4. Wipe Intune's stale cache and try again:

rm -rf ~/.cache/intune-portal ~/.config/intune-portal
intune-portal
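
Added example (not part of the original gist): a POSIX shell check for steps 1 and 2 that reads a portals.conf-style file, resolves which backend [preferred] selects for org.freedesktop.impl.portal.Secret, and confirms that backend's .portal file advertises the interface. The function names are illustrative, and /usr/share/xdg-desktop-portal/portals as the .portal directory is an assumption about the distribution's layout.

```shell
#!/bin/sh
# Added example: which backend serves the Secret portal, and is it installed?
IFACE=org.freedesktop.impl.portal.Secret

# Print the backend list that [preferred] selects for an interface,
# falling back to the "default" key. Prints nothing if neither is set.
preferred_backend() {  # usage: preferred_backend CONF [INTERFACE]
    awk -F= -v key="${2:-$IFACE}" '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        /^[ \t]*\[/    { insec = ($0 ~ /^[ \t]*\[preferred\]/); next }
        insec {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key)       specific = v
            if (k == "default") fallback = v
        }
        END { if (specific != "") { print specific }
              else if (fallback != "") { print fallback } }
    ' "$1"
}

# Succeed if PORTALS_DIR/BACKEND.portal lists the interface under Interfaces=.
backend_provides() {  # usage: backend_provides PORTALS_DIR BACKEND [INTERFACE]
    grep -Eq "^Interfaces=(.*;)?${3:-$IFACE}(;|\$)" "$1/$2.portal" 2>/dev/null
}

# Report whether any configured backend can actually serve the Secret portal.
check_secret_portal() {  # usage: check_secret_portal CONF PORTALS_DIR
    list=$(preferred_backend "$1")
    [ -n "$list" ] || { echo "no backend configured"; return 1; }
    set -f                                   # a backend list may contain "*"
    for b in $(printf '%s' "$list" | tr ';' ' '); do
        if backend_provides "$2" "$b"; then set +f; echo "ok: $b"; return 0; fi
    done
    set +f
    echo "'$list' configured, but no such .portal file provides $IFACE"
    return 1
}

# Typical call on the machine from the gist (second path is an assumption):
# check_secret_portal /etc/xdg/xdg-desktop-portal/kde-portals.conf \
#                     /usr/share/xdg-desktop-portal/portals
```

On a plain KDE install with only default=kde, the check fails because the kde backend's .portal file does not list the Secret interface, which is the condition the gist describes.
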
@erenoglu


But doesn't the KDE Wallet provide the libsecret interface these days? Is this not enough?

@eugene-rebedailo


Same error occurs when changing your keyring password even on GNOME.

If this happens, clear cache (as per step 4) and login/logout of your environment.

Don’t forget to unlock your keyring (if not done automatically) before you use intune portal.

@hiaror

hiaror commented Jun 3, 2026


xrdp / Azure VM variant of this error (Ubuntu 24.04, intune-portal 1.2604.19)

If you hit [4kv4v] or "Couldn't enroll your device - Creating a new item in the default secret collection" specifically in an xrdp or remote desktop session, the cause is the same keyring issue but from a different angle. The xrdp PAM stack does not pass your login password to gnome-keyring-daemon, so the keyring runs but the default collection stays locked. You will see these two lines in the intune-portal terminal output:

WARN Failed to store the private key
WARN Failed to store the public key

Diagnostic check: run this in a terminal inside your xrdp session to confirm:

secret-tool store --label="test" service test account test

If you see secret-tool: Cannot create an item in a locked collection then this is your issue.

Fix: apply Microsoft's xrdp-sesman PAM file, clear the stale cache, and reboot:

sudo wget -O /etc/pam.d/xrdp-sesman "https://github.com/microsoft/shell-intune-samples/raw/master/Linux/Misc/Azure%20VM/xrdp-sesman"
rm -rf ~/.cache/intune-portal ~/.config/microsoft-identity-broker ~/.local/state/microsoft-identity-broker
sudo reboot

After reboot, sign back in over RDP with your Linux account password so PAM unlocks the keyring. If the keyring still does not unlock, you can do it manually:

gnome-keyring-daemon --replace --unlock

Then clear the cache again and launch intune-portal from a terminal to watch the output:

rm -rf ~/.cache/intune-portal ~/.config/microsoft-identity-broker ~/.local/state/microsoft-identity-broker
intune-portal

Before the fix, the terminal shows:

INFO enroll: Starting new device enrollment
INFO enroll: Submitting enrollment request attempt=1
WARN Failed to store the private key
WARN Failed to store the public key

After the fix, enrollment completes cleanly:

INFO enroll: Starting new device enrollment
INFO enroll: Submitting enrollment request attempt=1
INFO checkin: Completed device checkin
INFO Successfully checked in with Intune
INFO Compliant status indicated by IWS (no policies assigned)

A few things not worth debugging:

  • microsoft-identity-broker.service could not be found is expected in broker 3.x. It is D-Bus activated, not a systemd service. Do not waste time looking for the service file.
  • Manually launching /opt/microsoft/identity-broker/bin/microsoft-identity-broker in the background does not help. It does not get the correct D-Bus session context when started this way.
  • This does not affect physical Ubuntu desktops with a normal GDM login. The keyring unlocks automatically there.

Repository URL for Ubuntu 24.04: the older guides point to incorrect paths. Retrieve the correct entry with:

curl -s https://packages.microsoft.com/config/ubuntu/24.04/prod.list

Use whatever that command returns as your /etc/apt/sources.list.d/intune.list entry. For Ubuntu 26.04, substitute 26.04 in the URL.

Confirming @eugene-rebedailo's point above: changing your keyring password on GNOME also reproduces this. Same fix applies, clear the cache and unlock the keyring before launching intune-portal.
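
Added example, not from the comment author or from Microsoft: wget -O written straight onto /etc/pam.d/xrdp-sesman truncates the live PAM file before the download completes, so a failed fetch can leave an empty or partial policy in place. The functions below take an already downloaded candidate, check that it parses as PAM configuration, keep a timestamped backup, show the diff and only then install it. The function names and the backup directory are hypothetical.

```shell
#!/bin/sh
# Added example: stage and validate a PAM service file before replacing it.

# Accept only files made of comments, @include lines (Debian/Ubuntu) and
# "type control module" rules. Backslash line continuations are not handled.
pam_syntax_ok() {  # usage: pam_syntax_ok FILE
    [ -s "$1" ] || return 1                  # empty or missing: failed download
    awk '
        /^[ \t]*(#|$)/ { next }
        /^@include[ \t]+[^ \t]+/ { rules++; next }
        /^-?(auth|account|password|session)[ \t]+[^ \t]+[ \t]+[^ \t]+/ { rules++; next }
        { bad++ }                            # e.g. an HTML error page
        END { exit !(rules > 0 && bad == 0) }
    ' "$1"
}

# Replace TARGET with CANDIDATE only if it validates; back up the old file.
install_pam_file() {  # usage: install_pam_file CANDIDATE TARGET BACKUP_DIR
    pam_syntax_ok "$1" || { echo "refusing: $1 is not PAM config" >&2; return 1; }
    if [ -f "$2" ]; then
        if cmp -s "$1" "$2"; then echo "unchanged"; return 0; fi
        mkdir -p "$3" &&
            cp -p "$2" "$3/$(basename "$2").$(date +%Y%m%d%H%M%S)" || return 1
        diff -u "$2" "$1" >&2 || true        # show what is about to change
    fi
    install -m 0644 "$1" "$2" && echo "installed"
}

# Typical use as root (backup path is a placeholder):
#   tmp=$(mktemp) && wget -O "$tmp" "<URL from the comment above>"
#   install_pam_file "$tmp" /etc/pam.d/xrdp-sesman /root/pam-backups
```

Keep an existing root shell or console session open until a fresh RDP login succeeds, so the backup can be restored if the new PAM stack rejects logins.
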
