What's new in Microsoft Intune

Learn what's new each week in Microsoft Intune.

You can also read:

Note

Each monthly update can take up to three days to roll out, in the following order:

  • Day 1: Asia Pacific (APAC)
  • Day 2: Europe, Middle East, Africa (EMEA)
  • Day 3: North America
  • Day 4+: Intune for Government

Some features roll out over several weeks and might not be available to all customers in the first week.

For a list of upcoming Intune feature releases, see In development for Microsoft Intune. For new information about Autopilot, see Windows Autopilot What's new.

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Week of March 25, 2024 (Service release 2403)

Microsoft Intune Suite

New elevation type for Endpoint Privilege Management

Endpoint Privilege Management has a new file elevation type, support approved. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone Intune add-on.

A support-approved elevation gives you a third option for both the default elevation response and the elevation type for each rule. Unlike automatic or user confirmed, a support-approved elevation request requires Intune administrators to manage which files can run as elevated on a case-by-case basis.

With support-approved elevations, users can request approval to elevate an application that isn't explicitly allowed for elevation by an automatic or user-confirmed rule. This takes the form of an elevation request that an Intune administrator reviews and then approves or denies.

When the request is approved, users are notified that the application can now be run as elevated, and they will have 24 hours from the time of approval to do so before the elevation approval expires.

Applies to:

  • Windows 10
  • Windows 11

For more information on this new capability, see Support approved elevation requests.

App management

Extended capabilities for Managed Google Play apps on personally-owned Android devices with a work profile

Several capabilities that were previously available only on corporate-owned devices are now extended to personally-owned devices with a work profile:

  • Available apps for device groups: You can use Intune to make apps available for device groups through the Managed Google Play store. Previously, apps could only be made available to user groups.

  • Update priority setting: You can use Intune to configure the app update priority on devices with a work profile. To learn more about this setting, see Update a Managed Google Play app.

  • Required apps display as available in Managed Google Play: You can use Intune to make required apps available for users through the Managed Google Play store. Apps that are part of existing policies now display as available.

These new capabilities will follow a phased rollout over multiple months.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > Passcode:

  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

Restrictions:

  • Allow Marketplace App Installation

macOS

Declarative Device Management (DDM) > Passcode:

  • Change At Next Auth
  • Custom Regex
  • Failed Attempts Reset In Minutes
  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

Full Disk Encryption > FileVault:

  • Recovery Key Rotation In Months

New settings available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > Windows 10 and later for platform > Settings catalog for profile type.

  • Delivery optimization:

    • DO Disallow Cache Server Downloads On VPN - This setting blocks downloads from Microsoft Connected Cache servers when the device connects using VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected using VPN.

    • DO Set Hours To Limit Background Download Bandwidth - This setting specifies the maximum background download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

    • DO Set Hours To Limit Foreground Download Bandwidth - This setting specifies the maximum foreground download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

    • DO Vpn Keywords - This policy allows you to set one or more keywords used to recognize VPN connections.

  • Messaging:

    • Allow Message Sync - This policy setting allows the backup and restore of cellular text messages to Microsoft's cloud services.

  • Microsoft Defender Antivirus:

    • Specify the maximum depth to scan archive files
    • Specify the maximum size of archive files to be scanned

For more information on these settings, see:

Applies to:

  • Windows 10 and later

New archive file scan settings added to Antivirus policy for Windows devices

We've added two archive scanning settings to the Microsoft Defender Antivirus profile for endpoint security Antivirus policy, applying to Windows 10 and Windows 11 devices: one that sets the maximum depth to which archive files are scanned, and one that sets the maximum size of archive files to be scanned.

With Antivirus policy, you can manage these settings on devices enrolled by Intune and on devices managed through the Defender for Endpoint security settings management scenario.

Both settings are also available in the settings catalog at Devices > Configuration > Create > Windows 10 and later for platform > Settings catalog for profile type > Defender.

Applies to:

  • Windows 10
  • Windows 11

Updates to assignment filters

You can use Intune assignment filters to assign a policy based on rules you create.

Now, you can:

  • Use managed app assignment filters for Windows MAM app protection policies and app configuration policies.
  • Filter your existing assignment filters by Platform, and by the Managed apps or Managed devices filter type. When you have many filters, this feature makes it easier to find specific filters you created.

For more information on these features, see:

This feature applies to:

  • Managed devices on the following platforms:

    • Android device administrator
    • Android Enterprise
    • Android (AOSP)
    • iOS/iPadOS
    • macOS
    • Windows 10/11
  • Managed apps on the following platforms:

    • Android
    • iOS/iPadOS
    • Windows

Device management

New compliance setting lets you verify device integrity using hardware-backed security features

A new compliance setting called Check strong integrity using hardware-backed security features lets you verify device integrity using hardware-backed key attestation. If you configure this setting, strong integrity attestation is added to Google Play's integrity verdict evaluation. Devices must meet device integrity to remain compliant. Microsoft Intune marks devices that don’t support this type of integrity check as noncompliant.

This setting is available in profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile, under Device Health > Google Play Protect. It only becomes available when the Play integrity verdict policy in your profile is set to Check basic integrity or Check basic integrity & device integrity.

Applies to:

  • Android Enterprise

For more information, see Device compliance - Google Play Protect.
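As an added example (not Intune's code), the following Python approximates how a Play Integrity verdict is evaluated under the three verdict policy levels, with the new strong-integrity option layered on top. The verdict payloads are constructed samples shaped like the deviceIntegrity section of a decrypted Play Integrity token; the function and policy names are this example's own, and the rule that a strong-integrity check also requires device integrity is taken from the release note above.

```python
"""Approximate the compliance decision the release note describes for a
Google Play Integrity verdict. Added illustration, not Intune's implementation.
Sample verdicts below are constructed, shaped like the deviceIntegrity section
of a decrypted Play Integrity token."""
from __future__ import annotations

from enum import Enum
from typing import Any

# Labels Google returns in deviceIntegrity.deviceRecognitionVerdict.
MEETS_BASIC = "MEETS_BASIC_INTEGRITY"
MEETS_DEVICE = "MEETS_DEVICE_INTEGRITY"
MEETS_STRONG = "MEETS_STRONG_INTEGRITY"   # hardware-backed key attestation


class VerdictPolicy(Enum):
    """The 'Play integrity verdict' compliance setting (names from the admin center)."""
    NOT_CONFIGURED = "Not configured"
    BASIC = "Check basic integrity"
    BASIC_AND_DEVICE = "Check basic integrity & device integrity"


def evaluate(verdict: dict[str, Any], policy: VerdictPolicy,
             require_strong: bool = False) -> tuple[bool, list[str]]:
    """Return (compliant, reasons). `require_strong` models the new
    'Check strong integrity using hardware-backed security features' option."""
    if policy is VerdictPolicy.NOT_CONFIGURED:
        if require_strong:
            # The admin center only exposes the strong check once a verdict
            # policy is selected, so treat this combination as a config error.
            raise ValueError("strong integrity requires a verdict policy")
        return True, []            # nothing to evaluate

    labels = set(verdict.get("deviceIntegrity", {})
                        .get("deviceRecognitionVerdict", []))
    reasons: list[str] = []
    if MEETS_BASIC not in labels:
        reasons.append("fails basic integrity")
    # Device integrity is required either by the stricter verdict policy or,
    # per the release note, whenever the strong-integrity check is enabled.
    if (policy is VerdictPolicy.BASIC_AND_DEVICE or require_strong) \
            and MEETS_DEVICE not in labels:
        reasons.append("fails device integrity")
    if require_strong and MEETS_STRONG not in labels:
        # Covers both failed and unsupported hardware-backed attestation:
        # Google omits the label in either case, and Intune marks the device
        # noncompliant in either case.
        reasons.append("no hardware-backed strong integrity")
    return not reasons, reasons


# Constructed sample verdicts (only the deviceIntegrity section matters here).
SAMPLE_VERDICTS: dict[str, dict[str, Any]] = {
    # Certified device with hardware-backed attestation and a current patch level.
    "attested_device": {"deviceIntegrity": {"deviceRecognitionVerdict":
                        [MEETS_BASIC, MEETS_DEVICE, MEETS_STRONG]}},
    # Certified device that can't produce the strong verdict (older hardware).
    "older_certified_device": {"deviceIntegrity": {"deviceRecognitionVerdict":
                               [MEETS_BASIC, MEETS_DEVICE]}},
    # Passes basic checks but isn't a Play-certified device.
    "uncertified_device": {"deviceIntegrity": {"deviceRecognitionVerdict":
                           [MEETS_BASIC]}},
    # Rooted or otherwise tampered: Google returns an empty verdict list.
    "rooted_or_tampered": {"deviceIntegrity": {"deviceRecognitionVerdict": []}},
    # Malformed or missing verdict: treated as failing every check.
    "no_verdict_section": {},
}


def compliance_report(policy: VerdictPolicy, require_strong: bool) -> dict[str, bool]:
    """Evaluate every sample verdict under one policy combination."""
    return {name: evaluate(v, policy, require_strong)[0]
            for name, v in SAMPLE_VERDICTS.items()}


if __name__ == "__main__":
    for pol in VerdictPolicy:
        for strong in (False, True):
            if pol is VerdictPolicy.NOT_CONFIGURED and strong:
                continue
            print(f"{pol.value}{' + strong' if strong else ''}: "
                  f"{compliance_report(pol, strong)}")
```

The point the table makes visible is that enabling the strong check changes the outcome for otherwise healthy, certified devices that simply can't produce a hardware-backed verdict; pilot the setting against a report of your fleet before assigning it broadly.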

New compliance settings for Android work profile, personal devices

Now you can add compliance requirements for work profile passwords without impacting device passwords. All new Microsoft Intune settings are available in compliance profiles for Android Enterprise personally-owned work profiles under System Security > Work Profile Security, and include:

  • Require a password to unlock work profile
  • Number of days until password expires
  • Number of previous passwords to prevent reuse
  • Maximum minutes of inactivity before password is required
  • Password complexity
  • Required password type
  • Minimum password length

If a work profile password fails to meet requirements, Company Portal marks the device as noncompliant. Intune compliance settings take precedence over the respective settings in an Intune device configuration profile. For example, if the password complexity in your compliance profile is set to medium and the one in your configuration profile is set to high, Intune will prioritize and enforce the compliance one.

Applies to:

  • Android Enterprise personally owned devices with a work profile

For more information, see Compliance settings - Android Enterprise

Windows quality updates support for expediting non-security updates

Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings.

Applies to:

  • Windows 11 devices

For more information about installing an expedited update, see Expedite Windows quality updates in Microsoft Intune.

Introducing a remote action to pause the config refresh enforcement interval

In the Windows Settings Catalog, you can configure Configuration Refresh. This feature lets you set a cadence at which Windows devices reapply previously received policy settings, without requiring the devices to check in to Intune. The device replays and re-enforces the settings it already received, which minimizes the chance of configuration drift.

To support this feature, a new remote action lets you pause that enforcement. If an admin needs to make changes or run remediation on a device for troubleshooting or maintenance, they can issue a pause from Intune for a specified period. When the period expires, the settings are enforced again.

The remote action Pause configuration refresh can be accessed from the device summary page.

For more information, see:

Device security

Updated security baseline for Windows version 23H2

You can now deploy the Intune security baseline for Windows version 23H2. This new baseline is based on the version 23H2 of the Group Policy security baseline found in the Security Compliance Toolkit and Baselines from the Microsoft Download Center, and includes only the settings that are applicable to devices managed through Intune. Use of this updated baseline can help you maintain best-practice configurations for your Windows devices.

This baseline uses the unified settings platform seen in the Settings Catalog which features an improved user interface and reporting experience, consistency and accuracy improvements related to setting tattooing, and the new ability to support assignment filters for profiles.

Use of Intune security baselines can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations, which you can modify to meet the requirements of your organization.

Applies to:

  • Windows 10
  • Windows 11

To view the settings included in the new baseline, with their default configurations, see Windows MDM security baseline version 23H2.

Use a rootless implementation of Podman to host Microsoft Tunnel

When prerequisites are met, you now have the option to use a rootless Podman container to host a Microsoft Tunnel server. This capability is available when you use Podman for Red Hat Enterprise Linux (RHEL) version 8.8 or later, to host Microsoft Tunnel.

When using a rootless Podman container, the mstunnel services run under a non-privileged service user. This implementation can help limit impact from a container escape. To use a rootless Podman container, you must start the tunnel installation script using a modified command line.

For more information about this Microsoft Tunnel install option, see Use a rootless Podman container.
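A check a practitioner would run after switching to rootless mode, as an added example that is not part of the Microsoft Tunnel tooling: parse `ps` output from the Tunnel host and flag any Tunnel-related process still owned by root. In rootless Podman, user namespaces map the container's root to the unprivileged service user, so container processes show that user on the host; in rootful mode they show as root. The process-name pattern (`mstunnel`) and the sample `ps` lines are this example's assumptions; on a real host pipe the output of `ps -eo user,uid,pid,comm` into the script.

```python
"""Flag Microsoft Tunnel container processes that still run as root on the host.
Added example, not part of the Tunnel tooling. The ps output below is a
constructed sample; on a real host pipe `ps -eo user,uid,pid,comm` in."""
from __future__ import annotations

import re
import subprocess
import sys

# Assumption: Tunnel processes carry "mstunnel" in their command name.
PROCESS_PATTERN = re.compile(r"mstunnel", re.IGNORECASE)


def parse_ps(ps_text: str) -> list[dict]:
    """Parse `ps -eo user,uid,pid,comm` output, header line included."""
    rows: list[dict] = []
    for line in ps_text.strip().splitlines()[1:]:
        parts = line.split(None, 3)          # comm may itself contain spaces
        if len(parts) < 4:
            continue
        user, uid, pid, comm = parts
        rows.append({"user": user, "uid": int(uid), "pid": int(pid), "comm": comm})
    return rows


def rootless_ok(ps_text: str,
                pattern: re.Pattern = PROCESS_PATTERN) -> tuple[bool, list[dict]]:
    """Return (ok, offenders). ok is False when no matching process is found
    at all, because an absent service is not evidence of a rootless one."""
    matched = [r for r in parse_ps(ps_text) if pattern.search(r["comm"])]
    if not matched:
        return False, []
    # Host-side UID 0 means the container was started rootful: a container
    # escape would land directly in a root shell on the Tunnel host.
    offenders = [r for r in matched if r["uid"] == 0]
    return not offenders, offenders


# Constructed samples: the same services started rootful and rootless.
SAMPLE_ROOTFUL = """USER     UID   PID COMMAND
root       0     1 systemd
root       0  4123 conmon
root       0  4140 mstunnel-agent
root       0  4141 mstunnel-server
"""

SAMPLE_ROOTLESS = """USER     UID   PID COMMAND
root       0     1 systemd
mstunnel 1001  4123 conmon
mstunnel 1001  4140 mstunnel-agent
mstunnel 1001  4141 mstunnel-server
"""


if __name__ == "__main__":
    if sys.stdin.isatty():
        text = subprocess.run(["ps", "-eo", "user,uid,pid,comm"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = sys.stdin.read()
    ok, offenders = rootless_ok(text)
    for r in offenders:
        print(f"root-owned: pid {r['pid']} {r['comm']}")
    print("rootless: OK" if ok else "rootless: NOT verified")
    sys.exit(0 if ok else 1)
```

Run it on the host, not inside the container: inside a rootless container the processes still appear as UID 0, which is exactly the illusion user namespaces are meant to provide.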

Improvements for Intune deployments of Microsoft Defender for Endpoint

We’ve improved and simplified the experience, workflow, and report details for onboarding devices to Microsoft Defender when using Intune’s endpoint detection and response (EDR) policy. These changes apply for Windows devices managed by Intune and by the tenant-attach scenario. These improvements include:

  • Changes to the EDR node, dashboards, and reports to improve the visibility of your Defender EDR deployment numbers. See About the endpoint detection and response node.

  • A new tenant-wide option to deploy a preconfigured EDR policy that streamlines the deployment of Defender for Endpoint to applicable Windows devices. See Use a preconfigured EDR policy.

  • Changes to the Overview page of the endpoint security node in Intune. These changes provide a consolidated view of reports for the device signals from Defender for Endpoint on your managed devices. See Use a preconfigured EDR policy.

These changes apply to the Endpoint security and endpoint detection and response nodes of the admin center, and the following device platforms:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Cerby by Cerby, Inc.
  • OfficeMail Go by 9Folders, Inc.
  • DealCloud by Intapp, Inc.
  • Intapp 2.0 by Intapp, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of March 3, 2024

Device enrollment

Role-based access control changes to enrollment settings for Windows Hello for Business

We've updated Role-based access control (RBAC) in the enrollment area for Windows Hello for Business. Enrollment settings related to Windows Hello for Business are read-only for all roles except the Intune Service Administrator. The Intune Service Administrator can create and edit Windows Hello for Business enrollment settings.

For more information, see Role-based access control in the Windows Hello at device enrollment article.

Device security

New enrollment configuration for Windows Hello for Business

A new Windows Hello for Business enrollment setting, Enable enhanced sign in security is available in the Intune admin center. Enhanced sign-in security is a Windows Hello feature that prevents malicious users from gaining access to a user's biometrics through external peripherals.

For more information about this setting, see Create a Windows Hello for Business policy.

HTML formatting supported in noncompliance email notifications

Intune now supports HTML formatting in noncompliance email notifications for all platforms. You can use supported HTML tags to add formatting such as italics, URL links, and bulleted lists to your organization's messages.

For more information, see Create a notification message template.

Week of February 26, 2024

Microsoft Intune Suite

New Microsoft Cloud PKI service

Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone Intune add-on. The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see Overview of Microsoft Cloud PKI.

Applies to:

  • Windows
  • Android
  • iOS/iPadOS
  • macOS

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Cinebody by Super 6 LLC

For more information about protected apps, see Microsoft Intune protected apps.

Week of February 19, 2024 (Service release 2402)

App management

Additional app configuration permissions for Android apps

There are six new permissions that can be configured for an Android app using an app configuration policy. These include the following permissions:

  • Allow background body sensor data
  • Media Video (read)
  • Media Images (read)
  • Media Audio (read)
  • Nearby Wifi Devices
  • Nearby Devices

For more information about how to use app config policies for Android apps, see Add app configuration policies for managed Android Enterprise devices.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Bob HR by Hi Bob Ltd
  • ePRINTit SaaS by ePRINTit USA LLC
  • Microsoft Copilot by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Update to Intune Management Extension on Windows

To support expanded functionality and bug fixes, use .NET Framework 4.7.2 or higher with the Intune Management Extension on Windows clients. If a Windows client continues to use an earlier version of the .NET Framework, the Intune Management Extension continues to function. The .NET Framework 4.7.2 is available from Windows Update as of July 10, 2018, which is included in Win10 1809 (RS5) and newer. Note that multiple versions of the .NET Framework can coexist on a device.

Device configuration

Use assignment filters on Endpoint Privilege Management (EPM) policies

You can use assignment filters to assign a policy based on rules you create. A filter allows you to narrow the assignment scope of a policy, like targeting devices with a specific OS version or a specific manufacturer.

You can use filters on Endpoint Privilege Management (EPM) policies.

For more information, see:

Applies to:

  • Windows 10
  • Windows 11

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

  • Restrictions:

    • Allow Live Voicemail
    • Force Classroom Unprompted Screen Observation
    • Force Preserve ESIM On Erase

macOS

  • Full Disk Encryption > FileVault > Force Enable In Setup Assistant
  • Restrictions > Force Classroom Unprompted Screen Observation

For more information, see:

Import up to 20 custom ADMX and ADML administrative templates

You can import custom ADMX and ADML administrative templates in Microsoft Intune. Previously, you could import up to 10 files. Now, you can upload up to 20 files.

Applies to:

  • Windows 10
  • Windows 11

For more information on this feature, see Import custom ADMX and ADML administrative templates into Microsoft Intune (public preview).

New setting for updating MAC address randomization on Android Enterprise devices

There is a new MAC address randomization setting on Android Enterprise devices (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Wi-Fi for profile type).

Starting with Android 10, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Using randomized MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However, randomized MAC addresses break functionality that relies on a static MAC address, including network access control (NAC).

Your options:

  • Use device default: Intune doesn't change or update this setting. By default, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Any updates made by the user to the setting persist.

  • Use randomized MAC: Enables MAC address randomization on devices. When connecting to a new network, devices present a randomized MAC address, instead of the physical MAC address. If the user changes this value on their device, it resets to Use randomized MAC on the next Intune sync.

  • Use device MAC: Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. This setting allows devices to be tracked by their MAC address. Only use this value when necessary, such as for network access control (NAC) support. If the user changes this value on their device, it resets to Use device MAC on the next Intune sync.

Applies to:

  • Android 13 and newer

For more information on the Wi-Fi settings you can configure, see Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Turn Off Copilot in Windows setting in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There is a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Configuration > Create > Windows for platform > Settings catalog for profile type.

  • Windows AI > Turn Off Copilot in Windows (User)

    • If you enable this policy setting, users can't use Copilot. The Copilot icon won't appear on the taskbar.
    • If you disable or don't configure this policy setting, users can use Copilot when it's available to them.

This setting uses the Policy CSP - WindowsAI.

For more information about configuring Settings Catalog policies in Intune, including user scope vs. device scope, see Create a policy using settings catalog.

Applies to:

  • Windows 10 and later

Windows Autopilot self-deploying mode is now generally available

Windows Autopilot self-deploying mode is now generally available and out of preview. Self-deploying mode lets you deploy Windows devices with little to no user interaction. Once the device connects to a network, the device provisioning process starts automatically: the device joins Microsoft Entra ID, enrolls in Intune, and syncs all device-based configurations targeted to it. Self-deploying mode ensures that the user can't access the desktop until all device-based configuration is applied. The Enrollment Status Page (ESP) is displayed during OOBE so users can track the status of the deployment. For more information, see:

This information is also published in Windows Autopilot: What's new.

Windows Autopilot for pre-provisioned deployment is now generally available

Windows Autopilot for pre-provisioned deployment is now generally available and out of preview. Windows Autopilot for pre-provisioned deployment is used by organizations that want to ensure devices are business-ready before the user accesses them. With pre-provisioning, admins, partners, or OEMs can access a technician flow from the Out-of-box experience (OOBE) and kick off device setup. Next, the device is sent to the user, who completes provisioning in the user phase. Pre-provisioning delivers most of the configuration in advance so the end user can get to the desktop faster. For more information, see:

This information is also published in Windows Autopilot: What's new.

Device enrollment

ESP setting to install required apps during Windows Autopilot pre-provisioning

The setting Only fail selected blocking apps in technician phase is now generally available to configure in Enrollment Status Page (ESP) profiles. This setting only appears in ESP profiles that have blocking apps selected.

For more information, see Set up the Enrollment Status Page.

New local primary account configuration for macOS automated device enrollment

Configure local primary account settings for Macs enrolling in Intune via Apple automated device enrollment. These settings, supported on devices running macOS 10.11 and later, are available in new and existing enrollment profiles under the new Account Settings tab. For this feature to work, the enrollment profile must be configured with user-device affinity and one of the following authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)

Applies to:

  • macOS 10.11 and later

For more information about macOS account settings, see Create an Apple enrollment profile in Intune.

Await final configuration for macOS automated device enrollment now generally available

Now generally available, await final configuration enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies are installed on devices. The locked experience works on devices targeted with new and existing enrollment profiles, enrolling via one of these authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)
  • Without user device affinity

Applies to:

  • macOS 10.11 and later

For information about how to enable await final configuration, see Create an Apple enrollment profile.

Device management

AOSP devices check for new tasks and notifications approximately every 15 minutes

On devices enrolled with Android (AOSP) management, Intune attempts to check for new tasks and notifications approximately every 15 minutes. To use this feature, devices must be using the Intune app version 24.02.4 or newer.

Applies to:

  • Android (AOSP)

For more information, see:

New device management experience for Government clouds in Microsoft Intune

In government clouds, there's a new device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster.

If you want to try the new experience before your tenant is updated, go to Devices > Overview, select the Preview upcoming changes to Devices and provide feedback notification banner, and select Try it now.

Bulk approval of drivers

Bulk actions are now available for Windows Driver update policies. With bulk actions, multiple driver updates can be approved, paused, or declined at the same time, saving time and effort.

When bulk approving drivers, the date for when the drivers become available to applicable devices can also be set, enabling drivers to be installed together.

Applies to:

  • Windows 10
  • Windows 11

For more information, see Bulk driver updates.

App Control for Business policy limitation is resolved

A previously documented limitation for App Control for Business policy (WDAC), which limited the number of active policies per device to 32, has been resolved by Windows. The issue involved a potential boot stop failure when more than 32 policies were active on a device.

This issue is resolved for devices that run Windows 10 1903 or later with a Windows security update released on or after March 12, 2024. Older versions of Windows are expected to receive this fix in future Windows security updates.

Applies to:

  • Windows 10 version 1903 and later

To learn more about App Control for Business policy for Intune, see Manage approved apps for Windows devices with App Control for Business policy and Managed Installers for Microsoft Intune.

Tenant administration

Customization pane support for excluding groups

The Customization pane now supports selecting groups to exclude when assigning policies. You will find this setting in the Microsoft Intune admin center by selecting Tenant administration > Customization.

For more information, see Assign policies in Microsoft Intune.

Week of January 29, 2024

Microsoft Intune Suite

Microsoft Intune Enterprise Application Management

Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. Intune hosts Enterprise App Catalog apps in Microsoft storage.

For more information, see:

Microsoft Intune Advanced Analytics

Intune Advanced Analytics provides comprehensive visibility of the end-user experience in your organization and optimizes it with data driven insights. It includes near real-time data about your devices with Device query, increased visibility with custom device scopes, a battery health report and a detailed device timeline for troubleshooting device issues, and anomaly detection to help identify potential vulnerabilities or risks across your device estate.

  • Battery health report

    The battery health report provides visibility into the health of batteries in your organization's devices and its influence on user experience. The scores and insights in this report are aimed to help IT admins with asset management and purchase decisions that improve user experience while balancing hardware costs.

  • Run on-demand device queries on single devices

    Intune allows you to quickly gain on-demand information about the state of your device. When you enter a query on a selected device, Intune runs a query in real time.

    The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.

    Applies to:

    • Windows devices

Intune Advanced Analytics is part of the Microsoft Intune Suite. For added flexibility, this new set of capabilities, together with the existing Advanced Analytics features, is also now available as an individual add-on to Microsoft subscriptions that include Intune.

To use Device query and battery health report in your tenant, or any of the existing Advanced Analytics capabilities, you must have a license for either:

  • The Intune Advanced Analytics add-on
  • The Microsoft Intune Suite add-on

For more information, see:

Week of January 22, 2024 (Service release 2401)

App management

Install DMG and PKG apps up to 8 GB in size on managed Macs

The size limit of DMG and PKG apps that can be installed using Intune on managed Macs has been increased. The new limit is 8 GB and applies to apps (DMG and unmanaged PKG) that are installed using the Microsoft Intune management agent for macOS.

For more information about DMG and PKG apps, see Add a macOS DMG app to Microsoft Intune and Add an unmanaged macOS PKG app to Microsoft Intune.

Intune support of store-signed LOB apps for Surface Hub devices

Intune now supports the deployment of store-signed LOB apps (single file .appx, .msix, .appxbundle, and .msixbundle) to Surface Hub devices. The support for store-signed LOB apps enables offline store apps to be deployed to Surface Hub devices following the retirement of the Microsoft Store for Business.

Route SMS/MMS messages to specific app

You can configure an app protection policy to determine which SMS/MMS app must be used when the end user intends to send an SMS/MMS message after getting redirected from a policy-managed app. When the end user clicks a number with the intent of sending an SMS/MMS message, the app protection settings are used to redirect to the configured SMS/MMS app. This capability relates to the Transfer messaging data to setting and applies to both iOS/iPadOS and Android platforms.

For more information, see iOS app protection policy settings and Android app protection policy settings.

End user app PIN reset

For managed apps that require a PIN to access, allowed end users can now reset the app PIN at any time. You can require an app PIN in Intune by selecting the PIN for access setting in iOS/iPadOS and Android app protection policies.

For more information about app protection policies, see App protection policies overview.

Maximum app package size

The maximum package size for uploading apps to Intune has changed from 8 GB to 30 GB for paid customers. Trial tenants are still restricted to 8 GB.

For more information, see Win32 app management in Microsoft Intune.

Device configuration

New setting that disables location on Android Enterprise devices

On Android Enterprise devices, there's a new setting that allows admins to control the location (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > General):

  • Location: Block disables the Location setting on the device and prevents users from turning it on. When this setting is disabled, then any other setting that depends on the device location is affected, including the Locate device remote action. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using location on the device.

Applies to:

  • Android Enterprise

For more information on the settings you can configure, see Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Date and time picker for managed software updates in the settings catalog on iOS/iPadOS and macOS devices

Using the settings catalog, you can enforce managed updates on iOS/iPadOS and macOS devices by entering a date and time (Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update).

Previously, you had to manually type the date and time. Now, there's a date and time picker for the Target Local Date Time setting:

Declarative Device Management (DDM) > Software Update:

  • Target Local Date Time

Important

If you create a policy using this setting before the January 2024 release, then this setting shows Invalid Date for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows Invalid Date.

To configure a new date and time, you can delete the Invalid Date values, and select a new date and time using the date time picker. Or, you can create a new policy.

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring Managed software updates in Intune, see Use the settings catalog to configure managed software updates.

Device management

New device management experience in Microsoft Intune

We're rolling out an update to the device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster. The new experience, previously in public preview, will gradually roll out for general availability over the coming weeks. The public preview experience continues to be available until your tenant receives the update.

The availability of this new admin center experience varies tenant by tenant. While a few will see this update immediately, many might not see the new experience for several weeks. For Government clouds, the availability of this experience is estimated around late February 2024.

Due to the rollout timelines, we are updating our documentation to the new experience as soon as possible to help ease the transition to the new admin center layout. We are unable to provide a side-by-side content experience during this transition and believe providing documentation that aligns to the newer experience brings more value to more customers. If you want to try the new experience and align with doc procedures before your tenant is updated, go to Devices > Overview, select the notification banner that reads Preview upcoming changes to Devices and provide feedback, and select Try it now.

BlackBerry Protect Mobile now supports app protection policies

You can now use Intune app protection policies with BlackBerry Protect Mobile (powered by Cylance AI). With this change Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for unenrolled devices. This includes the use of risk assessment with Conditional access and configuration of Conditional Launch settings for unenrolled devices.

While configuring the CylancePROTECT Mobile connector (formerly BlackBerry Mobile), you can now select options to turn on App protection policy evaluation for both Android and iOS/iPadOS devices.

For more information, see Set up BlackBerry Protect Mobile, and Create Mobile Threat Defense app protection policy with Intune.

Device security

Support for Intune Defender Update control policies for devices managed by Microsoft Defender for Endpoint

You can now use the endpoint security policy for Defender Update control (Antivirus policy) from the Microsoft Intune admin center with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.

  • Defender Update control policies are part of endpoint security Antivirus policy.

Applies to the following when you use the Windows 10, Windows 11, and Windows Server platform:

  • Windows 10
  • Windows 11

With this support available, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune will now apply the settings from the policy. Check your policy assignments to make sure only the devices you intend to receive the policy will get it.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • PrinterOn Print by PrinterOn, Inc. (iOS/iPadOS)
  • Align for Intune by MFB Technologies, Inc. (iOS/iPadOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Monitoring reports for devices

In Intune, you can view a new list of all device monitoring reports. You can find these reports in Microsoft Intune admin center by selecting Devices > Monitor. The Monitor pane provides reports related to configuration, compliance, enrollment, and software updates. Additionally, there are other reports that you can view, such as Device actions.

For more information, see Intune reports.

Exported report data maintains search results

Intune can now maintain your report search and filter results when exporting report data. For example, when you use the Noncompliant devices and settings report, set the OS filter to "Windows", and search for "PC", the exported data will only contain Windows devices with "PC" in their name. This capability is also available when calling the ExportJobs API directly.

Easy upload of diagnostic logs for Microsoft Tunnel servers

You can now use a single click within the Intune admin center to have Intune enable, collect, and submit eight hours of verbose logs for a Tunnel Gateway Server to Microsoft. The verbose logs can then be referenced while working with Microsoft to identify or resolve issues with a Tunnel server.

Previously, collecting verbose logs required you to sign in to the server, run manual tasks and scripts to enable and collect the logs, and then copy them to a location from which you could transfer them to Microsoft.

To find this new capability, in the admin center go to Tenant administration > Microsoft Tunnel Gateway > select a server > select the Logs tab. On this tab is a new section named Send verbose server logs, with a button labeled Send logs and a list view that displays the log sets that have been collected and submitted to Microsoft.

When you select the Send logs button:

  • Intune captures and submits the current server logs as a baseline, prior to collecting verbose logs.
  • Verbose logging is automatically enabled at level 4, and runs for eight hours to provide time to reproduce an issue for capture in those logs.
  • After eight hours, Intune submits the verbose logs and then restores the server to its default verbosity level of zero (0), for normal operations. If you previously set logs to run at a higher verbosity level, you can restore your custom verbosity level after log collection and upload is complete.
  • Each time Intune collects and submits logs, it updates the list view below the button.
  • Below the button is a list of past log submissions, displaying their verbosity level and an Incident ID that you can use when working with Microsoft to reference a specific set of logs.

For more information about this capability, see Easy upload of diagnostic logs for Tunnel servers.

Week of December 11, 2023 (Service release 2312)

App management

Support to add unmanaged PKG-type applications to managed macOS devices is now generally available

You can now upload and deploy unmanaged PKG-type applications to managed macOS devices using the Intune MDM agent for macOS devices. This feature enables you to deploy custom PKG installers, such as unsigned apps and component packages. You can add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS app (PKG) for app type.

Applies to:

  • macOS

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To deploy a managed PKG-type app, you can continue to add macOS line-of-business (LOB) apps to Microsoft Intune. For more information about the Intune MDM agent for macOS devices, see Microsoft Intune management agent for macOS.

Windows MAM supported in government cloud environments and in 21 Vianet in China

Customer tenants in US Government Community (GCC), US Government Community (GCC) High, and Department of Defense (DoD) environments are now able to use Windows MAM. For related information, see Deploying apps using Intune on the GCC High and DoD Environments and Data protection for Windows MAM.

In addition, Windows MAM is available for Intune operated by 21Vianet in China. For more information, see Intune operated by 21Vianet in China.

Device configuration

Updated security baseline for Microsoft Edge v117

We've released a new version of the Intune security baseline for Microsoft Edge, version v117. This update brings support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge.

We've also updated our reference article for this baseline where you can view the default configuration of the settings this baseline version includes.

Device management

Support for variables in noncompliant email notifications

Use variables to personalize email notifications that are sent when a user's device becomes noncompliant. The variables included in the template, such as {{username}} and {{devicename}}, are replaced by the actual username or device name in the email that users receive. Variables are supported with all platforms.

For more information and a list of supported variables, see Create a notification message template.

Updated report visualization for Microsoft Defender for Endpoint connector

We updated the reporting visualization for the Microsoft Defender for Endpoint connector. This report visualization displays the count of devices that have onboarded to Defender for Endpoint based on status from the Defender CSP, and visually aligns to other recent report views that use a bar to represent the percentage of devices with different status values.

Device security

New settings for scheduling Antivirus scans added to Antivirus policy for Windows devices

We've added two settings to the Microsoft Defender Antivirus profile for endpoint security Antivirus policy that applies to Windows 10 and Windows 11 devices. These two settings work together to first enable support for a random start time of a device's antivirus scan, and to then define a range of time during which the randomized scan start can begin. These settings are supported with devices managed by Intune and devices managed through the Defender for Endpoint security settings management scenario.

In addition to being added to the Microsoft Defender Antivirus profile, both settings are now available from the settings catalog.

Applies to:

  • Windows 10
  • Windows 11

Microsoft Tunnel support for direct proxy exclusion list in VPN profiles for Android Enterprise

Intune now supports configuration of a Proxy exclusion list when you configure a VPN profile for Microsoft Tunnel for Android devices. With an exclusion list, you can exclude specific domains from your proxy setup without requiring the use of a Proxy Auto-Configuration (PAC) file. The proxy exclusion list is available with both Microsoft Tunnel and Microsoft Tunnel for MAM.

The proxy exclusion list is supported in environments that use a single proxy. The exclusion list isn't suitable or supported when you use multiple proxy servers, for which you should continue to use a .PAC file.

Applies to:

  • Android Enterprise

Microsoft Tunnel server health metric to report on TLS certificate revocation

We've added a new health metric for Microsoft Tunnel named TLS certificate revocation. This health metric reports on the revocation status of the Tunnel server's TLS certificate by querying the Online Certificate Status Protocol (OCSP) responder or the CRL address defined in the TLS certificate. You can view the status of this check alongside the other health checks in the Microsoft Intune admin center by navigating to Tenant administration > Microsoft Tunnel Gateway > Health status, selecting a server, and then selecting that server's Health check tab.

This metric runs as part of the existing Tunnel health checks and supports the following statuses:

  • Healthy: The TLS certificate is not revoked
  • Warning: Unable to check whether the TLS certificate is revoked
  • Unhealthy: The TLS certificate is revoked and should be replaced

For more information about the TLS certificate revocation check, see Monitor Microsoft Tunnel.
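The three statuses above are the outcome of a short decision: fetch the revocation data the certificate points to, make sure that data is actually trustworthy, and only then look for the certificate's serial number. The Go program below is an added example, not Intune or Microsoft Tunnel Gateway code. It builds a constructed issuing CA, a server certificate and several CRLs entirely in memory (the CA names, serial numbers and CRL distribution point URL are placeholders), hands the CRL bytes to the check directly instead of fetching them over the network, and covers the CRL path only, not OCSP. The point it demonstrates is the one the Warning status encodes: a missing, expired or wrongly signed CRL must never be reported as Healthy, because "no evidence of revocation" is not the same as "not revoked".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HealthStatus mirrors the three states the Tunnel health check reports.
type HealthStatus string

const (
	Healthy   HealthStatus = "Healthy"   // the TLS certificate is not revoked
	Warning   HealthStatus = "Warning"   // revocation status could not be determined
	Unhealthy HealthStatus = "Unhealthy" // the TLS certificate is revoked
)

// CheckRevocation maps a CRL lookup onto a health status; an untrustworthy CRL is Warning, never Healthy.
func CheckRevocation(server, issuer *x509.Certificate, crlDER []byte, now time.Time) (HealthStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER) // crlDER is nil when the CRL could not be fetched
	if crlDER == nil || err != nil {
		return Warning, fmt.Errorf("CRL unavailable or malformed: %v", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // only the real issuer is authoritative
		return Warning, fmt.Errorf("CRL signature check failed: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL proves nothing either way
		return Warning, fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, entry := range crl.RevokedCertificates {
		if entry.SerialNumber.Cmp(server.SerialNumber) == 0 {
			return Unhealthy, nil
		}
	}
	return Healthy, nil
}

func must[T any](v T, err error) T { // fixtures below use fixed inputs, so this never fires
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil (constructed fixture).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) { // KeyUsageCRLSign lets the CA sign CRLs
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
}

// newCRL signs a CRL listing the given serials as revoked, valid until nextUpdate.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64, nextUpdate time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: nextUpdate.Add(-24 * time.Hour), NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: nextUpdate.Add(-24 * time.Hour)})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// RunScenarios evaluates one server certificate against each CRL situation the check can meet.
func RunScenarios() map[string]HealthStatus {
	ca, caKey := newCA("Example Tunnel Issuing CA")
	rogue, rogueKey := newCA("Unrelated CA") // CRLs it signs must never count as evidence
	server, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "tunnel.example.com"},
		CRLDistributionPoints: []string{"http://crl.example.com/tunnel-ca.crl"}}, ca, caKey) // placeholder CDP URL
	now := time.Now()
	crls := map[string][]byte{
		"crl unreachable": nil,
		"not revoked":     newCRL(ca, caKey, []int64{2002}, now.Add(12*time.Hour)), // a different serial
		"revoked":         newCRL(ca, caKey, []int64{1001}, now.Add(12*time.Hour)),
		"stale crl":       newCRL(ca, caKey, nil, now.Add(-time.Hour)),
		"wrong issuer":    newCRL(rogue, rogueKey, nil, now.Add(12*time.Hour)),
	}
	results := map[string]HealthStatus{}
	for name, der := range crls {
		results[name], _ = CheckRevocation(server, ca, der, now) // a real check would also log the reason
	}
	return results
}

func main() {
	fmt.Println(RunScenarios())
}
```

Running it prints one status per scenario: the certificate whose serial appears in a fresh, correctly signed CRL is Unhealthy, the one that does not appear is Healthy, and the unreachable, expired and wrongly signed CRLs all collapse to Warning. A production monitor would fetch the CRL from the certificate's CRL distribution point (or query the OCSP responder) over the network, keep the error string the check returns, and treat a persistent Warning as something to investigate rather than ignore, since it also hides the case where revocation infrastructure is being blocked.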

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Akumina EXP by Akumina Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of November 27, 2023

App management

Configure offline caching in Microsoft 365 (Office) for Android devices

When the Save As to Local Storage setting is set to blocked in an app protection policy, you can use a configuration key in an app configuration policy to enable or disable offline caching. This setting is only applicable to the Microsoft 365 (Office) app on Android.

For more information, see Data protection settings in Microsoft 365 (Office).

Win32 app grace period settings on a device

On a device where a Win32 app with grace period settings has been deployed, low-rights users without administrative privileges can now interact with the grace period UX. Admins on the device continue to be able to interact with the grace period UX on the device.

For more information about grace period behavior, see Set Win32 app availability and notifications.

Managed Home Screen app configuration additions

Now in public preview, Microsoft Managed Home Screen (MHS) has been updated to improve the core workflows and user experience. In addition to some user interface changes, there's a new top bar navigation where admins can configure device identifying attributes to be displayed. Additionally, users can access settings, sign in/out, and view notifications when permissions are requested on the top bar.

You can add additional settings to configure the Managed Home Screen app for Android Enterprise. Intune now supports the following settings in your Android Enterprise app configuration policy:

  • Enable updated user experience
  • Top Bar Primary Element
  • Top Bar Secondary Element
  • Top Bar User Name Style

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Intune APP SDK for .NET MAUI

Using the Intune APP SDK for .NET MAUI, you can develop Android or iOS apps for Intune that incorporate the .NET Multi-platform App UI. Apps developed using this framework will allow you to enforce Intune mobile application management. For .NET MAUI support on Android, see Intune App SDK for .NET MAUI - Android. For .NET MAUI support on iOS, see Intune App SDK for .NET MAUI - iOS.

Week of November 13, 2023 (Service release 2311)

App management

New grace period status added in apps for Android, Android AOSP

The Intune Company Portal app for Android and Microsoft Intune app for Android AOSP now show a grace period status for devices that don't meet compliance requirements but are still within their given grace period. Users can see the date by which devices must be compliant, and the instructions for how to become compliant. If users don't update their device by the given date, the device is marked as noncompliant.

For more information, see the following articles:

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Managed Settings:

  • Data roaming
  • Personal hotspot
  • Voice roaming (deprecated): This setting is deprecated in iOS 16.0. Data roaming is the replacement setting.

Shared iPad

Managed Settings:

  • Diagnostic submission

macOS

Microsoft Defender > Antivirus engine:

  • Enable passive mode (deprecated): This setting is deprecated. Enforcement level is the replacement setting.
  • Enable real-time protection (deprecated): This setting is deprecated. Enforcement level is the replacement setting.
  • Enforcement level

Settings to manage Windows Subsystem for Linux are now available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

We've added settings to the Windows settings catalog for Windows Subsystem for Linux (WSL). These settings enable Intune integration with WSL so admins can manage deployments of WSL and controls into Linux instances themselves.

To find these settings, in the Microsoft Intune admin center go to Devices > Configuration > Create > New Policy > Windows 10 and later for platform > Settings catalog for profile type.

Windows Subsystem for Linux:

  • Allow kernel debugging
  • Allow custom networking configuration
  • Allow custom system distribution configuration
  • Allow kernel command line configuration
  • Allow custom kernel configuration
  • Allow WSL1
  • Allow the Windows Subsystem for Linux
  • Allow the Inbox version of the Windows Subsystem For Linux
  • Allow user setting firewall configuration
  • Allow nested virtualization
  • Allow passthrough disk mount
  • Allow the debug shell

Applies to:

  • Windows 10
  • Windows 11

Device enrollment

Enrollment for iOS/iPadOS devices in shared device mode now generally available

Now generally available to configure in the Microsoft Intune admin center, set up automated device enrollment for iOS/iPadOS devices that are in shared device mode. Shared device mode is a feature of Microsoft Entra that enables your frontline workers to share a single device throughout the day, signing in and out as needed.

For more information, see Set up enrollment for devices in shared device mode.

Device management

Improvements to new device experience in admin center (public preview)

We've made the following changes to the new Devices experience in the Microsoft Intune admin center:

  • Additional entry points to platform-specific options: Access the platform pages from the Devices navigation menu.
  • Quick entry to monitoring reports: Select the titles of the metrics cards to go to the corresponding monitoring report.
  • Improved navigation menu: We added icons back in to provide more color and context as you navigate.

Flip the toggle in the Microsoft Intune admin center to try out the new experience while it's in public preview and share your feedback.

For more information, see:

Device security

Additional settings for the Linux Antivirus policy template

We've expanded support for Linux by adding the following settings to the Microsoft Defender Antivirus template for Linux devices:

  • cloudblocklevel
  • scanarchives
  • scanafterdefinitionupdate
  • maximumondemandscanthreads
  • behaviormonitoring
  • enablefilehashcomputation
  • networkprotection
  • enforcementlevel
  • nonexecmountpolicy
  • unmonitoredfilesystems

The Microsoft Defender Antivirus template for Linux is supported for devices managed by Intune, as well as those managed only by Defender through the Defender for Endpoint security settings management scenario.

Updated security baseline for Microsoft 365 Apps for Enterprise

We've released a new version of the Intune security baseline for Microsoft 365 Apps for Enterprise, version 2306.

The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to your Office Apps that meet the security recommendations of the Office and security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations. You can modify the default baseline to meet the requirements of your organization.

We've also updated our reference article for this baseline where you can view the default configuration of the settings this baseline version includes.

Deprecation and replacement of two settings found in the Linux and macOS endpoint security Antivirus policies

We have deprecated two settings that are found in the Antivirus engine category of Microsoft Defender Antivirus profiles of both macOS and Linux. These profiles are available as part of Intune's endpoint security Antivirus policies.

For each platform, the two deprecated settings are replaced by a single new setting that aligns to how the device configurations are managed by Microsoft Defender for Endpoint.

The following are the two deprecated settings:

  • Enable real-time protection now appears as Enable real-time protection (deprecated)
  • Enable passive mode now appears as Enable passive mode (deprecated)

The new setting that replaces the two deprecated settings:

  • Enforcement level - By default, Enforcement level is set to Passive and supports options of Real time and On demand.

These settings are also available from the Intune settings catalog for each platform, where the old settings are also marked as deprecated and replaced by the new setting.

With this change, a device that has either of the deprecated settings configured will continue to apply that configuration until the device is targeted by the new setting Enforcement level. Once targeted by Enforcement level, the deprecated settings are no longer applied to the device.

The deprecated settings will be removed from the Antivirus profiles and the settings catalog in a future update to Intune.

Note

The changes for Linux are now available. The macOS settings are marked as deprecated, but the Enforcement level setting will not be available until December.

Applies to:

  • Linux
  • macOS

Microsoft Defender Firewall profiles are renamed to Windows Firewall

To align to Firewall branding changes in Windows, we are updating the names of Intune profiles for endpoint security Firewall policies. In profiles that have Microsoft Defender Firewall in the name we are replacing that with Windows Firewall.

The following platforms have profiles that are affected, with only the profile names being affected by this change:

  • Windows 10 and later (ConfigMgr)
  • Windows 10, Windows 11, and Windows Server

Endpoint security Firewall policy for Windows Firewall to manage firewall settings for Windows Hyper-V

We've added new settings to the Windows Firewall profile (formerly Microsoft Defender Firewall) for endpoint security Firewall policy. The new settings can be used to manage Windows Hyper-V settings. To configure the new settings, in the Microsoft Intune admin center, go to Endpoint security > Firewall > Platform: Windows 10, Windows 11, and Windows Server > Profile: Windows Firewall.

The following settings have been added to the Firewall category:

  • Target - When Target is set to Windows Subsystem for Linux, the following child settings are applicable:
    • Enable Public Network Firewall
    • Enable Private Network Firewall
    • Allow Host Policy Merge
    • Enable Domain Network Firewall
    • Enable Loopback

Applies to:

  • Windows 10
  • Windows 11

For more information about these settings, see Windows Firewall with Advanced Security.

New Endpoint Security Firewall policy profile for Windows Hyper-V Firewall Rules

We've released a new profile named Windows Hyper-V Firewall Rules that you can find through the Windows 10, Windows 11, and Windows Server platform path for endpoint security Firewall policy. Use this profile to manage the firewall settings and rules that apply to specific Hyper-V containers on Windows, including applications like the Windows Subsystem for Linux (WSL) and the Windows Subsystem for Android (WSA).

Applies to:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Hey DAN for Intune by Civicom, Inc.
  • Microsoft Azure by Microsoft Corporation (iOS)
  • KeePassium for Intune by KeePassium Labs (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of November 6, 2023

App management

Minimum version update for iOS Company Portal

Users are required to update to v5.2311.1 of the iOS Company Portal. If you have enabled the Block installing apps using App Store device restriction setting, you will likely need to push an update to the related devices that use this setting. Otherwise, no action is needed.

If you have a helpdesk, you might want to make them aware of the prompt to update the Company Portal app. In most cases, users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. Users that have an earlier app version will be prompted to update to the latest Company Portal app.

Device security

Defender for Endpoint security settings management enhancements and support for Linux and macOS are generally available

The improvements that were introduced in the Defender for Endpoint security settings management opt-in public preview are now generally available.

With this change, the default behavior for security settings management includes all the behavior added for the opt-in preview – without having to enable support for preview features in Microsoft Defender for Endpoint. This includes the general availability and support for the following endpoint security profiles for Linux and macOS:

Linux:

  • Microsoft Defender Antivirus
  • Microsoft Defender Antivirus exclusions
  • Endpoint detection and response

macOS:

  • Microsoft Defender Antivirus
  • Microsoft Defender Antivirus exclusions
  • Endpoint detection and response

For more information, see Microsoft Defender for Endpoint Security settings management in the Intune documentation.

Device management

Feature updates and reports support Windows 11 policies

The new setting on Feature update policies enables an organization to deploy Windows 11 to those devices that are eligible for the upgrade, while ensuring devices not eligible for the upgrade are on the latest Windows 10 feature update with a single policy. As a result, admins do not need to create or manage groups of eligible and non-eligible devices.

For more information on feature updates, see Feature updates for Windows 10 and later.

Week of October 30, 2023

Device security

Strict Tunnel Mode in Microsoft Edge available for Microsoft Tunnel for MAM on Android and iOS/iPadOS devices

In Intune, you can use the Microsoft Tunnel for mobile application management (MAM) on Android and iOS/iPadOS devices. With the MAM tunnel, unmanaged devices (devices not enrolled in Intune) can access on-premises apps and resources.

There's a new Strict Tunnel Mode feature you can configure for Microsoft Edge. When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again.

To configure this feature, create a Microsoft Edge app configuration policy, and add the following setting:

  • Key: com.microsoft.intune.mam.managedbrowser.StrictTunnelMode
  • Value: True

Applies to:

  • Android Enterprise version 10 and later
  • iOS/iPadOS version 14 and later

For more information, see:

Week of October 23, 2023 (Service release 2310)

App management

Update for users of Android Company Portal app

If users launch a version of the Android Company Portal app below version 5.0.5333.0 (released November 2021), they'll see a prompt encouraging them to update their Android Company Portal app. If a user with an older Android Company Portal version attempts a new device registration using a recent version of the Authenticator app, the process will likely fail. To resolve this behavior, update the Android Company Portal app.

Minimum SDK version warning for iOS devices

The Min SDK version for the iOS Conditional Launch setting on iOS devices now includes a warn action. This action warns end users if the min SDK version requirement isn't met.

For more information, see iOS app protection policy settings.

Minimum OS for Apple LOB and store apps

You can configure the minimum operating system to be the latest Apple OS releases for both Apple line-of-business apps and iOS/iPadOS store apps. You can set the minimum operating system for Apple apps as follows:

  • iOS/iPadOS 17.0 for iOS/iPadOS line-of-business apps
  • macOS 14.0 for macOS line-of-business apps
  • iOS/iPadOS 17.0 for iOS/iPadOS store apps

Applies to:

  • iOS/iPadOS
  • macOS

Android (AOSP) supports line-of-business (LOB) apps

You can install and uninstall mandatory LOB apps on AOSP devices by using the Required and Uninstall group assignments.

Applies to:

  • Android

To learn more about managing LOB apps, see Add an Android line-of-business app to Microsoft Intune.

Configuration scripts for unmanaged macOS PKG apps

You can now configure pre-install and post-install scripts in unmanaged macOS PKG apps. This feature gives you greater flexibility over custom PKG installers. Configuring these scripts is optional and requires the Intune agent for macOS devices v2309.007 or higher.

For more information about adding scripts to unmanaged macOS PKG apps, see Add an unmanaged macOS PKG app.

Device configuration

FSLogix settings are available in the Settings Catalog and Administrative Templates

The FSLogix settings are available in the Settings Catalog and in Administrative Templates (ADMX) for you to configure.

Previously, to configure FSLogix settings on Windows devices, you imported them using the ADMX import feature in Intune.

Applies to:

  • Windows 10
  • Windows 11

For more information on these features, see:

Use delegated scopes in your Managed Google Play apps that configure enhanced permissions on Android Enterprise devices

In your Managed Google Play apps, you can give apps enhanced permissions using delegated scopes.

When your apps include delegated scopes, you can configure the following settings in a device configuration profile (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > Applications):

  • Allow other apps to install and manage certificates: Admins can select multiple apps for this permission. The selected apps are granted access to certificate installation and management.
  • Allow this app to access Android security logs: Admins can select one app for this permission. The selected app is granted access to security logs.
  • Allow this app to access Android network activity logs: Admins can select one app for this permission. The selected app is granted access to network activity logs.

To use these settings, your Managed Google Play app must use delegated scopes.

Applies to:

  • Android Enterprise fully managed devices
  • Android Enterprise dedicated devices
  • Android Enterprise corporate-owned devices with a work profile

For more information on this feature, see:

Samsung ended support for kiosk mode on Android device administrator (DA) devices

Samsung marked the Samsung Knox kiosk APIs used on Android device administrator as deprecated in Knox 3.7 (Android 11).

Though the functionality might continue to work, there's no guarantee that it will continue working. Samsung won't fix bugs that might arise. For more information on Samsung support for deprecated APIs, see What kind of support is offered after an API is deprecated? (opens Samsung's web site).

Instead, you can manage kiosk devices with Intune using dedicated device management.

Applies to:

  • Android device administrator (DA)

Import and export settings catalog policies

The Intune settings catalog lists all the settings you can configure, and all in one place (Devices > Configuration > Create > New Policy > Select your platform > For Profile, select Settings catalog).

The settings catalog policies can be imported and exported:

  • To export an existing policy, select the profile > select the ellipsis > Export JSON.
  • To import a previously exported settings catalog policy, select Create > Import policy > select the previously exported JSON file.

For more information about the settings catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Note

This feature is continuing to roll out. It may be a couple of weeks before it's available in your tenant.

New setting to block users from using the same password to unlock the device and access the work profile on Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, users can use the same password to unlock the device and access the work profile.

There's a new setting that can enforce different passwords to unlock the device and access the work profile (Devices > Configuration > Create > Android Enterprise > Personally Owned Work Profile for platform > Device Restrictions for profile type):

  • One lock for device and work profile: Block prevents users from using the same password for the lock screen on the device and work profile. End users are required to enter the device password to unlock the device and enter their work profile password to access their work profile. When set to Not Configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to access their work profile using a single password.

This setting is optional and doesn't impact existing configuration profiles.

Currently, if the work profile password doesn't meet the policy requirements, then device users see a notification. The device isn't marked as non-compliant. A separate compliance policy for the work profile is being created and will be available in a future release.

Applies to:

  • Android Enterprise personally owned devices with a work profile (BYOD)

For a list of settings you can configure on personally owned devices with a work profile, see Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > macOS > Settings catalog for profile type.

Privacy > Privacy Preferences Policy Control:

  • System Policy App Data

Restrictions:

  • Force On Device Only Dictation

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device enrollment

Web based device enrollment with JIT registration for personal iOS/iPadOS devices

Intune supports web-based device enrollment with just-in-time (JIT) registration for personal devices set up via Apple device enrollment. JIT registration reduces the number of authentication prompts shown to users during enrollment and establishes single sign-on (SSO) across the device. Enrollment takes place in the web version of Intune Company Portal, eliminating the need for the Company Portal app. This enrollment method also lets employees and students without managed Apple IDs enroll devices and access volume-purchased apps.

For more information, see Set up web based device enrollment for iOS.

Device management

Updates to the Intune add-ons page

The Intune add-ons page under Tenant administration includes Your add-ons, All add-ons, and Capabilities. It provides an enhanced view into your trial or purchased licenses, the add-on capabilities you're licensed to use in your tenant, and support for new billing experiences in Microsoft admin center.

For more information, see Use Intune Suite add-ons capabilities.

Remote Help for Android is now Generally available

Remote Help is generally available for Android Enterprise Dedicated devices from Zebra and Samsung.

With Remote Help, IT Pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues quickly and efficiently.

Applies to:

  • Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, see Remote Help on Android.

Device security

Configure declarative software updates and passcode policies for Apple devices in the Settings Catalog

You can manage software updates and passcodes with Apple's declarative device management (DDM) through the settings catalog (Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative device management).

For more information about DDM, see Apple's declarative device management (DDM) (opens Apple's website).

DDM allows you to install a specific update by an enforced deadline. The autonomous nature of DDM provides an improved user experience because the device handles the entire software update lifecycle: it notifies users that an update is available, downloads the update, prepares the device for installation, and installs the update.

In the settings catalog, the following declarative software update settings are available at Declarative device management > Software Update:

  • Details URL: The web page URL that shows the update details. Typically, this URL is a web page hosted by your organization that users can select if they need organization-specific help with the update.
  • Target Build Version: The target build version to update the device to, like 20A242. The build version can include a supplemental version identifier, like 20A242a. If the build version you enter isn't consistent with the Target OS Version value you enter, then the Target OS Version value takes precedence.
  • Target Local Date Time: The local date time value that specifies when to force install the software update. If the user doesn't trigger the software update before this time, then the device force installs it.
  • Target OS Version: The target OS version to update the device to. This value is the OS version number, like 16.1. You can also include a supplemental version identifier, like 16.1.1.

For more information on this feature, see Manage software updates with the settings catalog.

In the settings catalog, the following declarative passcode settings are available at Declarative device management > Passcode:

  • Automatic Device Lock: Enter the maximum time period that a user can be idle before the system automatically locks the device.
  • Maximum Grace Period: Enter the maximum time period that a user can unlock the device without a passcode.
  • Maximum Number of Failed Attempts: Enter the maximum number of wrong passcode attempts before:
    • iOS/iPadOS wipes the device
    • macOS locks the device
  • Minimum Passcode Length: Enter the minimum number of characters a passcode must have.
  • Passcode Reuse Limit: Enter the number of previously used passcodes that can't be used.
  • Require Complex Passcode: When set to True, a complex passcode is required. A complex passcode doesn't have repeated characters or sequences of increasing or decreasing characters, like 123 or CBA.
  • Require Passcode on Device: When set to True, the user must set a passcode to access the device. If you don't set other passcode restrictions, then there aren't any requirements about the length or quality of the passcode.

Applies to:

  • iOS/iPadOS 17.0 and later
  • macOS 14.0 and later

For information about the settings catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Mvision Mobile is now Trellix Mobile Security

The Intune Mobile Threat Defense partner Mvision Mobile has transitioned to Trellix Mobile Security. With this change, we've updated our documentation and the Intune admin center UI. For example, the Mvision Mobile connector is now Trellix Mobile Security. Existing installs of the Mvision Mobile connector also update to Trellix Mobile Security.

If you have questions about this change, reach out to your Trellix Mobile Security representative.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • BuddyBoard by Brother Industries, LTD
  • Microsoft Loop by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Policy compliance and Setting compliance are now generally available

The following device compliance reports are out of public preview and are now generally available:

With this move to general availability, the older versions of both reports have been retired from the Intune admin center and are no longer available.

For more information about these changes, see the Intune Support Team blog at https://aka.ms/Intune/device_compl_report.

Tenant administration

Intune admin center home page update

The Intune admin center home page has been redesigned with a fresh new look and more dynamic content. The Status section has been simplified. You can explore Intune related capabilities in the Spotlight section. The Get more out of Intune section provides links to the Intune community and blog, and Intune customer success. Also, the Documentation and training section provides links to What's New in Intune, Feature in development, and more training. In Microsoft Intune admin center, select Home.

Week of October 16, 2023

Tenant administration

endpoint.microsoft.com URL redirects to intune.microsoft.com

Previously, it was announced that the Microsoft Intune admin center has a new URL (https://intune.microsoft.com).

The https://endpoint.microsoft.com URL now redirects to https://intune.microsoft.com.

What's new archive

For previous months, see the What's new archive.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID by April 2024

Last year we announced a new Microsoft Intune GitHub repository based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, starting on April 1, 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.

How does this affect you or your users?

If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

How can you prepare?

Before April 1, 2024, update your PowerShell scripts as follows:

  1. Create a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform.
  2. Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.
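The migration the notice describes, as an added example that is not code from the Intune docs or from the Microsoft Intune GitHub samples: a script that signs in through your own Entra app registration with Connect-MgGraph instead of the retired global Intune app ID, and then runs a realistic Intune query, listing managed devices whose OS version is below the Android 10, iOS 15 and macOS 12 minimums announced in the notices that follow on this page. Assumptions not on the page: the Microsoft Graph PowerShell SDK (2.x, for -NoWelcome) is installed, your app registration has been granted the delegated permission DeviceManagementManagedDevices.Read.All with admin consent, the tenant and client IDs are placeholders, and the OperatingSystem string values ('Android', 'iOS', 'macOS') and the shape of the osVersion field are assumptions about what Intune reports.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement
# Added example, not code from the Intune docs or the Microsoft Intune GitHub samples.
# Assumptions (not on the page): you created your own Entra app registration, granted it
# the delegated permission DeviceManagementManagedDevices.Read.All with admin consent, and
# installed the Microsoft Graph PowerShell SDK 2.x. Tenant and client IDs are placeholders;
# the OperatingSystem values and osVersion format below are assumptions about Intune data.

# Minimum versions taken from the notices on this page.
$script:MinimumVersion = @{
    'Android' = [version]'10.0'
    'iOS'     = [version]'15.0'
    'macOS'   = [version]'12.0'
}

function Connect-IntuneGraph {
    param(
        [Parameter(Mandatory)] [string] $TenantId,  # placeholder: your tenant ID or primary domain
        [Parameter(Mandatory)] [string] $ClientId   # placeholder: the app (client) ID of YOUR registration
    )
    # Replaces the retired global Intune app ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547)
    # with an app registration you own, as the notice above requires.
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
        -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome
}

function ConvertTo-OSVersion {
    # Normalizes an Intune osVersion string to [version]; returns $null if it can't be parsed.
    param([string] $Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $numeric = ($Raw.Trim() -split '[^0-9.]')[0]              # keep the leading dotted number only
    if ($numeric -notmatch '\.') { $numeric = "$numeric.0" }   # [version] needs at least major.minor
    $parsed = $null
    if ([version]::TryParse($numeric, [ref] $parsed)) { return $parsed }
    return $null
}

function Get-DeviceBelowMinimumOS {
    # Lists managed devices whose reported OS version is below the minimum for their platform.
    # Caveat: this does not distinguish user-based from userless (dedicated/AOSP) Android
    # enrollment, which the Android 10 notice exempts; review those rows separately.
    $select = 'id,deviceName,operatingSystem,osVersion,userPrincipalName,lastSyncDateTime'
    Get-MgDeviceManagementManagedDevice -All -Property $select | ForEach-Object {
        $platform = $_.OperatingSystem
        if (-not $script:MinimumVersion.ContainsKey($platform)) { return }
        $version = ConvertTo-OSVersion $_.OSVersion
        if ($null -eq $version -or $version -ge $script:MinimumVersion[$platform]) { return }
        [pscustomobject]@{
            DeviceName        = $_.DeviceName
            Platform          = $platform
            OSVersion         = $_.OSVersion
            MinimumRequired   = $script:MinimumVersion[$platform].ToString()
            UserPrincipalName = $_.UserPrincipalName
            LastSync          = $_.LastSyncDateTime
        }
    }
}

# Usage (placeholder values):
# Connect-IntuneGraph -TenantId 'contoso.onmicrosoft.com' -ClientId '00000000-0000-0000-0000-000000000000'
# Get-DeviceBelowMinimumOS | Sort-Object Platform, OSVersion | Format-Table -AutoSize
# Disconnect-MgGraph
```

The only change the April 2024 deadline forces is the Connect-MgGraph call: once the sign-in goes through your own registration, existing Graph cmdlets keep working unchanged, so scoping the new app to the least permission the script needs (here a single read scope) is the main design decision.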

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:

  • Android Enterprise personally-owned work profile
  • Android Enterprise corporate owned work profile
  • Android Enterprise fully managed
  • Android Open Source Project (AOSP) user-based
  • Android device administrator
  • App protection policies (APP)
  • App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

  • Intune technical support won't be provided.
  • Intune won't make changes to address bugs or issues.
  • New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

  • Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
  • Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
  • Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just-in-time (JIT) registration. For more information, review: Set up just in time registration in Microsoft Intune.

How does this affect you or your users?

This is a user interface update: when you create new iOS/iPadOS enrollment profiles, “Web based device enrollment” is displayed as the default method. Existing profiles aren't affected. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Additional information:

Wrapped iOS apps and iOS apps using the Intune App SDK will require Azure AD app registration

We're making updates to improve the security of the Intune mobile application management (MAM) service. This update will require iOS wrapped apps and SDK integrated apps to be registered with Microsoft Entra ID (formerly Azure Active Directory (Azure AD)) by March 31, 2024 to continue receiving MAM policy.

How does this affect you or your users?

If you have wrapped apps or SDK integrated apps that aren't registered with Azure AD, these apps will be unable to connect to the MAM service to receive policy and your users won't be able to access apps that aren't registered.

How can you prepare?

Prior to this change, you will need to register the apps with Azure AD. See below for detailed instructions.

  1. Register your apps with Azure AD by following these instructions: Register an application with the Microsoft identity platform.
  2. Add the custom redirect URL to your app settings as documented here.
  3. Give your app access to the Intune MAM service, for instructions see here.
  4. Once the above changes are completed, configure your apps for Microsoft Authentication Library (MSAL):
    1. For wrapped apps: Add the Azure AD application client ID into the command-line parameters with the Intune App Wrapping Tool as outlined in the documentation: Wrap iOS apps with the Intune App Wrapping Tool | Microsoft Learn. The -ac and -ar parameters are required, and each app needs a unique set of these parameters. -aa is only required for single-tenant applications.
    2. For SDK integrated apps, see Microsoft Intune App SDK for iOS developer guide | Microsoft Learn. ADALClientId and ADALRedirectUri/ADALRedirectScheme are now required parameters. ADALAuthority is only required for single-tenant applications.
  5. Deploy the app.
  6. To validate the above steps:
    1. Target "com.microsoft.intune.mam.IntuneMAMOnly.RequireAADRegistration" application configuration policy and set it to Enabled - Configuration policies for Intune App SDK managed apps - Microsoft Intune | Microsoft Learn
    2. Target App Protection Policy to the application. Enable the 'Work or school account credentials for access' policy and set 'Recheck the access requirements after (minutes of inactivity)' setting to a low number like 1.
  7. Then launch the application on a device and verify if the sign-in (which should be required every minute on app launch) happens successfully with the configured parameters.
  8. Note that if you only do step #6 and #7 before doing the other steps, you might be blocked on application launch. You will also notice the same behavior if some of the parameters are incorrect.
  9. Once you’ve completed the validation steps, you can undo the changes made in step #6.

Note

Intune will soon require an Azure AD device registration for iOS devices using MAM. If you have Conditional Access policies enabled, your devices should already be registered, and you won't notice any change. For more information, see Microsoft Entra registered devices - Microsoft Entra | Microsoft Learn.

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.

Note that customers in some environments can't be transitioned initially. For more details and updates, read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Update to the latest Intune App SDK and Intune App Wrapper for iOS to support iOS/iPadOS 17

To support the upcoming release of iOS/iPadOS 17, update to the latest versions of the Intune App SDK and the App Wrapping Tool for iOS to ensure applications stay secure and run smoothly. Additionally, for organizations using the Conditional Access grant “Require app protection policy”, users should update their apps to the latest version prior to upgrading to iOS 17. You can learn more by reading the blog: Update Intune App SDK, Wrapper, and iOS apps using MAM policies to support iOS/iPadOS 17.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in August 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning August 30, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

  1. Users won't be able to enroll devices with Android device administrator.
  2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
  3. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Plan for Change: Intune is moving to support iOS/iPadOS 15 and later

Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 15).

Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed OS version will change to iOS 12/iPadOS 12 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 12 and higher later this year

Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 12 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS 17.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Monterey is compatible with these computers.

Note

Devices that are currently enrolled on macOS 11.x or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 11.x or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 11.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune.

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:

  1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
  2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you won't be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps, and related API properties will display stale data.
  3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.

The retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:

Related information

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for the WIP without enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it's only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you're managing Windows 8.1 devices, those devices should be upgraded to a supported version of Windows 10 or Windows 11. There's no impact to existing devices and policies; however, you won't be able to enroll new devices that are running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are running Windows 8.1, navigate to Microsoft Intune admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change only affects you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Intune admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.