In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. In addition to the information in this article:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
  • When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

App management

Company Portal automatically installed on Android Enterprise dedicated devices

Intune Company Portal will now be automatically installed on all Android Enterprise dedicated devices to ensure the appropriate handling of app protection policies. Users will not be able to see or launch the Company Portal, and there are no requirements for users to interact with it. Admins will notice that the Company Portal is automatically installed on their Android Enterprise dedicated devices, without the ability to uninstall.

Uninstall Win32 apps in the Company Portal

Users will be able to uninstall Win32 apps in the Company Portal. If a Win32 app can be uninstalled by the user, the user will be able to select Uninstall for the Win32 app in the Company Portal. For more information about Win32 apps, go to Win32 app management in Microsoft Intune.

Configure whether to show apps from Configuration Manager in Windows Company Portal

In the Intune console, you'll be able to choose whether Configuration Manager apps are shown or hidden in the Windows Company Portal. This option will be available in Intune by selecting Tenant administration > Customization. Next to Settings, select Edit. The option to Show or Hide the Configuration Manager applications will be located in the App Sources section of the pane. For related information about configuring the Company Portal app, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Global quiet time app policy settings

The global quiet time settings will allow you to create policies to schedule quiet time for your end users, which will automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms. These policies can be used to limit end user notifications received after work hours. When this feature is available, you will be able to find it in Microsoft Endpoint Manager admin center by selecting Apps > Quiet Time > Policies.

Device configuration

New settings available in the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Endpoint Manager admin center, you can see these settings at Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type.

New settings include:

File Vault > File Vault Options:

  • Destroy FV Key On Standby
  • Block FV From Being Disabled
  • Block FV From Being Enabled

Restrictions:

  • Allow Bluetooth Modification

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

The Company Portal app will enforce Password Complexity setting on Android Enterprise 12+ personally owned devices with a work profile

On Android Enterprise 12+ personally owned devices with a work profile, you can create a compliance policy and/or device configuration profile that sets the password complexity. Starting with the 2211 release, this setting is available in the Endpoint Manager admin center:

  • Devices > Configuration profiles > Create profile > Android Enterprise for platform > Personally owned with a work profile
  • Devices > Compliance policies > Create policy > Android Enterprise for platform > Personally owned with a work profile

The Company Portal app will enforce the Password complexity setting in its December release.

For more information on this setting and the other settings you can configure on personally owned devices with a work profile, go to:

Applies to:

  • Android Enterprise 12+ personally owned devices with a work profile

There are default settings for SSO extension requests on macOS devices

When you create a single sign-on app extension configuration profile, the following settings have default values that apply to all SSO extension requests unless you configure them:

  • AppPrefixAllowList key Default value: com.microsoft.,com.apple.

  • browser_sso_interaction_enabled key Default value: 1

  • disable_explicit_app_prompt key Default value: 1

If you configure a value other than the default value, the configured value replaces the default value; it doesn't extend it.

For example, if you don't configure the AppPrefixAllowList key, then by default all Microsoft apps (com.microsoft.) and all Apple apps (com.apple.) are enabled for SSO. If you configure the key with a different prefix, such as com.contoso. (the trailing period is part of the prefix), that value replaces the default list. Include com.microsoft. and com.apple. in your value if those apps should still be covered.

For more information on the Enterprise SSO plug-in, go to Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune

Applies to:

  • macOS

There are default settings for SSO extension requests on iOS/iPadOS devices

When you create a single sign-on app extension configuration profile, the following settings have default values that apply to all SSO extension requests unless you configure them:

  • AppPrefixAllowList key Default value: com.apple.

  • browser_sso_interaction_enabled key Default value: 1

  • disable_explicit_app_prompt key Default value: 1

If you configure a value other than the default value, the configured value replaces the default value; it doesn't extend it.

For example, if you don't configure the AppPrefixAllowList key, then by default all Apple apps (com.apple.) are enabled for SSO. If you configure the key with a different prefix, such as com.contoso. (the trailing period is part of the prefix), that value replaces the default list. Include com.apple. in your value if Apple apps should still be covered.

For more information on the Enterprise SSO plug-in, go to Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune

Applies to:

  • iOS/iPadOS
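The two SSO extension sections above both describe the same behavior: a configured AppPrefixAllowList replaces the platform default rather than adding to it. The following added example (not Intune's or Apple's code) merges an admin-configured ExtensionData dictionary over the per-platform defaults stated on this page, reports which default prefixes a custom allow list silently drops, and checks whether a given bundle ID falls under the effective list. The ExtensionData dictionary shape, the sample bundle IDs, and the plist serialization are assumptions for illustration; the defaults are the ones documented above.

```python
"""Resolve effective Enterprise SSO extension settings from an Intune SSO
app extension profile and check AppPrefixAllowList coverage.

Added example, not code from Intune or Apple. The ExtensionData dictionary
shape and sample bundle IDs are assumptions; the defaults are from the page.
"""
import plistlib

# Defaults stated on the page, per platform.
DEFAULTS = {
    "macOS": {
        "AppPrefixAllowList": "com.microsoft.,com.apple.",
        "browser_sso_interaction_enabled": 1,
        "disable_explicit_app_prompt": 1,
    },
    "iOS/iPadOS": {
        "AppPrefixAllowList": "com.apple.",
        "browser_sso_interaction_enabled": 1,
        "disable_explicit_app_prompt": 1,
    },
}


def effective_settings(platform: str, extension_data: dict) -> dict:
    """Merge admin-configured ExtensionData over the platform defaults.
    A configured key replaces the default value; it doesn't extend it."""
    merged = dict(DEFAULTS[platform])
    merged.update(extension_data)
    return merged


def allowed_prefixes(settings: dict) -> list:
    """Split the comma-separated AppPrefixAllowList into prefixes, keeping
    the trailing '.' that is part of each prefix."""
    return [p.strip() for p in settings["AppPrefixAllowList"].split(",") if p.strip()]


def in_allow_list(bundle_id: str, settings: dict) -> bool:
    """True when the bundle ID starts with one of the allowed prefixes."""
    return any(bundle_id.startswith(p) for p in allowed_prefixes(settings))


def dropped_default_prefixes(platform: str, extension_data: dict) -> list:
    """Default prefixes that the configured allow list no longer contains.
    Setting AppPrefixAllowList to only 'com.contoso.' removes the default
    com.microsoft. / com.apple. coverage without any warning."""
    defaults = allowed_prefixes(DEFAULTS[platform])
    effective = allowed_prefixes(effective_settings(platform, extension_data))
    return [p for p in defaults if p not in effective]


def to_plist_fragment(settings: dict) -> bytes:
    """Serialize the effective ExtensionData as a plist fragment
    (illustrative only; Intune generates the real profile)."""
    return plistlib.dumps({"ExtensionData": settings})


if __name__ == "__main__":
    # Constructed admin input: a custom prefix with the defaults not repeated.
    configured = {"AppPrefixAllowList": "com.contoso."}
    eff = effective_settings("macOS", configured)
    print("Effective settings:", eff)
    print("com.microsoft.Outlook covered:", in_allow_list("com.microsoft.Outlook", eff))
    print("Default prefixes dropped:", dropped_default_prefixes("macOS", configured))
    print(to_plist_fragment(eff).decode())
```

Run dropped_default_prefixes against each SSO profile you deploy; a non-empty result means the profile narrowed SSO coverage, which is usually unintended.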

Remote help client app will have a new option to disable chat functionality in the Tenant level setting

In the Remote help app, admins will have the option to disable chat functionality from the new tenant level setting. Turning on the disable chat feature will remove the chat button in the Remote Help app. This setting can be found in the Remote Help Settings tab under Tenant Administration in Microsoft Intune.

For more information, see Configure Remote Help for your tenant.

Applies to:

  • Windows 10/11

Device enrollment

Enrollment token lifetime will increase to 65 years for Android Enterprise dedicated devices

You'll be able to create an enrollment profile for Android Enterprise dedicated devices that's valid for up to 65 years. If you have an existing profile, the enrollment token will still expire on the date you chose when you created the profile, but when you renew it you'll be able to extend the lifetime to 65 years.

Device management

Update policies for macOS now available for all supervised devices

You'll soon be able to manage software update policies for all supervised macOS devices, including devices that weren't enrolled through Automated Device Enrollment (ADE). Update policies for macOS are available under Devices > Update policies for macOS (preview). For more information on configuring update policies for macOS, see Use Microsoft Intune policies to manage macOS software updates | Microsoft Learn.

Applies to:

  • macOS

Endpoint security firewall rules support for ICMP type

We’re adding a new setting named IcmpTypesAndCodes to the endpoint security firewall rules template for Windows 10. You'll configure it in the Microsoft Endpoint Manager admin center by selecting Endpoint security > Firewall > Create Policy > Platform: Windows 10, Windows 11, and Windows Server > Profile: Microsoft Defender Firewall Rules.

With this new setting, you’ll be able to configure inbound and outbound rules for Internet Control Message Protocol (ICMP) as part of a firewall rule.

Applies to:

  • Windows 10, Windows 11, and Windows Server
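To make the new setting concrete, the following added example (not Microsoft's code) parses IcmpTypesAndCodes values and evaluates a small constructed rule set against sample ICMP messages. The value format (comma-separated type:code pairs, with * as a wildcard for a type, a code, or the whole list) is the format the Windows Firewall CSP documents for this setting, and the evaluation order (a matching block rule wins over a matching allow rule; unmatched inbound traffic is blocked and unmatched outbound traffic is allowed by default) follows Windows Defender Firewall's default profile behavior; both are stated here as assumptions rather than taken from this page. The rule names and messages are constructed.

```python
"""Parse and evaluate IcmpTypesAndCodes values for Windows Defender Firewall
rules against sample ICMP messages.

Added example, not Microsoft's code. The 'type:code,...' format with '*'
wildcards and the block-over-allow / default-inbound-block semantics are
assumptions taken from Windows Firewall documentation, not from this page.
"""
from dataclasses import dataclass

ICMPV4, ICMPV6 = 1, 58  # IP protocol numbers an ICMP rule is scoped to


@dataclass(frozen=True)
class IcmpRule:
    name: str
    direction: str              # "in" or "out"
    action: str                 # "allow" or "block"
    protocol: int               # ICMPV4 or ICMPV6
    icmp_types_and_codes: str   # e.g. "8:*", "3:4,11:0", or "*"


def parse_icmp_types_and_codes(value: str) -> list:
    """Turn '3:4,5:*,*:*' into [(3, 4), (5, None), (None, None)], where None
    is a wildcard. A bare '*' or an empty value means all types and codes."""
    value = value.strip()
    if value in ("", "*"):
        return [(None, None)]
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if ":" not in item:
            raise ValueError(f"expected type:code, got {item!r}")
        t, c = (part.strip() for part in item.split(":", 1))
        typ = None if t == "*" else int(t)
        code = None if c == "*" else int(c)
        if typ is not None and not 0 <= typ <= 255:
            raise ValueError(f"ICMP type out of range: {typ}")
        if code is not None and not 0 <= code <= 255:
            raise ValueError(f"ICMP code out of range: {code}")
        pairs.append((typ, code))
    return pairs


def rule_matches(rule: IcmpRule, direction: str, protocol: int,
                 icmp_type: int, icmp_code: int) -> bool:
    """True when the message is in the rule's direction and protocol and
    hits one of the rule's type:code pairs."""
    if rule.direction != direction or rule.protocol != protocol:
        return False
    return any((t is None or t == icmp_type) and (c is None or c == icmp_code)
               for t, c in parse_icmp_types_and_codes(rule.icmp_types_and_codes))


def evaluate(rules: list, direction: str, protocol: int,
             icmp_type: int, icmp_code: int) -> str:
    """A matching block rule wins over a matching allow rule. With no match,
    inbound is blocked and outbound is allowed (default profile behavior)."""
    matched = [r for r in rules
               if rule_matches(r, direction, protocol, icmp_type, icmp_code)]
    if any(r.action == "block" for r in matched):
        return "block"
    if any(r.action == "allow" for r in matched):
        return "allow"
    return "block" if direction == "in" else "allow"


# Constructed rule set: permit IPv4 echo requests, deny fragmentation-needed
# messages, and permit the IPv6 neighbor discovery message types.
SAMPLE_RULES = [
    IcmpRule("Allow ICMPv4 echo request", "in", "allow", ICMPV4, "8:*"),
    IcmpRule("Block ICMPv4 frag needed", "in", "block", ICMPV4, "3:4"),
    IcmpRule("Allow ICMPv6 neighbor discovery", "in", "allow", ICMPV6,
             "133:0,134:0,135:0,136:0"),
]

if __name__ == "__main__":
    for label, args in {
        "ping request": ("in", ICMPV4, 8, 0),
        "frag needed": ("in", ICMPV4, 3, 4),
        "time exceeded": ("in", ICMPV4, 11, 0),
        "v6 neighbor solicit": ("in", ICMPV6, 135, 0),
    }.items():
        print(f"{label}: {evaluate(SAMPLE_RULES, *args)}")
```

Note that an ICMP rule only fires when the rule's protocol matches the message: a type:code list on an ICMPv4 rule never covers ICMPv6 traffic, so Neighbor Discovery (types 133 to 136) needs its own ICMPv6 rule.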

Device security

Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint

You’ll soon be able to manage Tamper protection for Microsoft Defender for Endpoint on unenrolled devices as part of the MDE Security configuration scenario.

When this support is available, your tamper protection configurations from Windows Security Experience profiles for Antivirus policies can apply to all devices instead of only to those that are enrolled with Intune.

Applies to:

  • Windows 10
  • Windows 11

Attack surface reduction policy support for Security settings management for Microsoft Defender for Endpoint

Attack surface reduction policies will soon support devices managed through the MDE Security configuration scenario. Today, only devices that are enrolled with Intune support this policy type.

Applies to:

  • Windows 10
  • Windows 11

Microsoft Tunnel for Mobile Application Management for Android (public preview)

In a public preview, we’re adding support for mobile application management (MAM) to the Microsoft Tunnel VPN gateway. With this preview, supported apps on Android devices that haven't enrolled with Intune will be able to use Microsoft Tunnel to connect to your organization when working with corporate data and resources. This includes VPN gateway support for:

  • Secure access to on-premises apps and resources using modern authentication
  • Single sign-on and conditional access

Using Tunnel for MAM on an unenrolled device requires the following three profiles:

  • An app configuration profile for managed apps, to configure Microsoft Defender on devices for use as the Tunnel client app.
  • A second app configuration profile for managed apps, to configure Microsoft Edge to connect to Tunnel.
  • An app protection profile to enable automatic start of the Microsoft Tunnel connection.

For information about using Tunnel on enrolled devices, see Microsoft Tunnel overview.

Applies to:

  • Android Enterprise

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Ending support for Company Portal authentication method for iOS/iPadOS ADE enrollment

As we continue to invest in Setup Assistant with modern authentication, which is the Apple supported path to require enrollment during Setup Assistant with optional multi-factor authentication, we plan to remove the Company Portal authentication method from new and existing iOS/iPadOS ADE enrollment profiles in Q1 of CY2023. This will include removing the Run Company Portal in Single App Mode until authentication setting.

How does this affect you or your users?

In Q1 of CY2023, new enrollments (new devices, or devices re-enrolling) that are targeted with an existing enrollment profile that uses the Company Portal authentication method will not be able to enroll.

This will not impact existing enrolled devices unless the device is re-enrolled after this change. The device will not be able to re-enroll until the authentication method is switched in the enrollment profile to Setup Assistant with modern authentication.

New iOS/iPadOS enrollment profiles will not have the option to select Company Portal as the authentication method.

If you have not already, you will need to move to use Setup Assistant with modern authentication. Within the Microsoft Endpoint Manager admin center, you will want to either create a new ADE enrollment profile, or edit your existing enrollment profile to use the “Setup assistant with modern authentication.”

User experience: The Setup Assistant with modern authentication enrollment flow does change the enrollment screen order where authentication will occur prior to accessing the home screen. If you have user guides that share screenshots, you will want to update those so the guides match the experience of Setup Assistant with modern authentication.

How can you prepare?

To enroll new devices (or re-enroll) after this change, you will either need to update existing profiles to move to Setup Assistant with modern authentication or create a new enrollment profile with this method.

For related information, see:

Plan for Change: Ending support for Windows Information Protection

Because Microsoft Windows has announced the end of support for Windows Information Protection (WIP), Microsoft Endpoint Manager will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we will remove support for the WIP without enrollment scenario by the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend that you take action to disable WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it is only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you are managing Windows 8.1 devices, those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and policies; however, you will not be able to enroll new devices if they are running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are running Windows 8.1 navigate to Microsoft Endpoint Manager admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information

Update your certificate connector for Microsoft Intune

As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no longer work as expected and stop connecting to the Intune service. See Certificate Connectors for Microsoft Intune for additional information on the certificate connector lifecycle and support.

How does this affect you or your users?

If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information, see Install the Certificate Connector for Microsoft Intune.

To check which version of the certificate connector you are using, follow these steps:

  1. On a Windows Server running the Intune Certificate Connector, launch "Add or Remove programs".
  2. A list of installed programs and applications will be displayed.
  3. Look for an entry related to the Microsoft Intune Certificate Connector. There will be a "Version" associated with the connector. Note: Names for older connectors may vary.

Plan for Change: New APP biometrics settings and authorization requirements for Android devices

Currently, our biometric settings do not distinguish between Class 2 and Class 3 Biometrics. Expected with Intune’s July (2207) service release, we are modifying fingerprint and biometric settings for Intune app protection policies (APP) that apply to Android devices to accommodate Class 3 Biometrics.

When you create or modify an app protection policy, you will see the following changes on the Access requirements page:

  • The setting Fingerprint instead of PIN for access will be rolled into the existing setting Biometrics instead of PIN for access. This setting will apply to all biometrics (Class 2 and Class 3).
  • The setting Override fingerprint with PIN after timeout will be modified to Override Biometrics with PIN after timeout. This setting will apply to all biometrics (Class 2 and Class 3).
  • There is a new setting: Class 3 Biometrics (Android 9.0+) with a new sub-setting: Override Biometrics with PIN after biometric updates. This sub-setting applies only to Class 3 Biometrics, when selected.

Note

Support for Class 3 Biometrics depends on the device, so you may need to contact your device manufacturers to understand device-specific limitations.

How does this affect you or your users?

Existing policies that allow fingerprints or biometrics for authentication will be migrated with no user impact.

After this change, if you configure the policy to require Class 3 Biometrics (Android 9.0+), the following will occur:

  • For users with Android devices that support Class 3 Biometrics, the user will be prompted to enter their APP PIN the first time they sign in to the APP-protected app. Subsequent sign-ins will use Class 3 Biometrics for authentication. However, if a user does not configure biometrics that satisfy the Class 3 requirements, they will be prompted to enter their PIN with each subsequent sign-in.
  • For users with Android devices that do not support Class 3 Biometrics, the user will be prompted to enter their PIN each time they sign in to the APP-protected app.

If Override Biometrics with PIN after biometric updates is also required, users who update their stored Class 3 Biometrics will be prompted to enter their APP PIN the next time they sign in to the APP-protected app.

How can you prepare?

Admins should be aware of the combined settings for fingerprints and Class 2 Biometrics. If your existing policy allows for fingerprint authentication but not other biometrics, it will allow for both once migrated. Also, if you had previously required an APP PIN after fingerprint timeout, this timeout setting will apply to all biometrics.

Note

If you are using the Microsoft Graph API’s FingerprintBlocked and BiometricAuthenticationBlocked, plan to update your APIs to use the new combined FingerprintAndBiometricEnabled API. The current APIs will retain their values for existing policies and the new FingerprintAndBiometricEnabled API will be defaulted to Null for these policies, until the policy has been updated.

Plan for change: Intune is moving to support macOS 11.6 and higher later this year

Apple is expected to release macOS 13 (Ventura) later this year. When it does, Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will move to support macOS 11.6 (Big Sur) and later. Because the Company Portal apps for iOS and macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS 16.

How does this affect you or your users?

This change will affect you only if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Big Sur is compatible with these computers.

Note

Devices that are currently enrolled on macOS 10.15 or earlier will remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 10.15 or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 10.15 or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for change: Intune is moving to support iOS/iPadOS 14 and later

Later this year, we expect iOS 16 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 14/iPadOS 14 and higher shortly after iOS 16’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 14).

Because Office 365 mobile apps are supported on iOS/iPadOS 14.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 14 or iPadOS 14 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. See https://aka.ms/ADE_userless_support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management, go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status > App Protection report: iOS, Android.

To manage the supported OS version in your organization, you can use Microsoft Endpoint Manager controls for both mobile device management and APP. For more information, see Manage operating system versions with Intune.

Plan for Change: Deploy macOS LOB apps by uploading PKG-type installer files

We recently announced the general availability to deploy macOS line-of-business (LOB) apps by uploading PKG-type installer files directly in the Microsoft Endpoint Manager admin center. This process no longer requires the use of the Intune App Wrapping Tool for macOS to convert .pkg files to .intunemac format.

In August 2022, we removed the ability to upload wrapped .intunemac files in the Microsoft Endpoint Manager admin center.

How does this affect you or your users?

There is no impact to apps previously uploaded with .intunemac files. You can upgrade previously uploaded apps by uploading the .pkg file type.

How can you prepare?

Moving forward, deploy macOS LOB apps by uploading and deploying PKG-type installer files in the Microsoft Endpoint Manager admin center.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices will not be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment.

Here's how you can warn users:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that warns users.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send an email or push notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that blocks users from app access.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices running Android 7.x or earlier non-compliant.
  • Set enrollment restrictions that prevent devices running Android 7.x or earlier from enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:

Take action: Update to the latest version of the Android Company Portal app

Starting with the October (2110) service release, Intune will no longer support new Android device administrator enrollments that use Company Portal version 5.04993.0 or earlier. The reason is a change in the integration of Intune with Samsung devices.

How does this affect you or your users?

Users who try to enroll Samsung devices with Android device administrator by using an older version of the Company Portal app (any version earlier than 5.04993.0) will no longer be successful. They'll need to update the Company Portal app to enroll.

How can you prepare?

Update any older version of the Company Portal staged in your environment to support Android device administrator enrollments before the Intune October (2110) service release. Inform your users that they'll need to update to the latest version of the Android Company Portal to enroll their Samsung device.

If applicable, inform your helpdesk in case users don't update the app before enrolling. We also recommend that you keep the Company Portal app updated to ensure that the latest fixes are available on your devices.

More information

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings will be set to Not configured. That change will take effect when you edit the profile.

How can you prepare?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change will affect you only if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Endpoint Manager admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.