What's new in Intune for Education
Learn what's new in Intune for Education. Find out about upcoming changes, product notices, and features from previous releases.
Add and deploy all apps for Windows 11 SE in Intune admin center
Applies to devices running Windows 11 SE, version 22H2 with KB5019980 and later
You no longer have to reach out to Microsoft support to request additional, third-party apps for Windows 11 SE. You can add and deploy any Win32 app in the Microsoft Intune admin center, and then manage its assignments as normal in the Intune for Education portal. For more information about managing devices and apps for Windows 11 SE, see Windows 11 SE overview | Windows for Education.
New workflow for managing Microsoft Store apps
We've integrated the Microsoft Store app catalog with Intune for Education, so you can search, add, and deploy Store apps from one place. The new experience means that you can continue to access and manage Store apps in Intune for Education after the Microsoft Store for Education retirement.
To access the new experience, go to Apps, and then select New app > New Microsoft Store app (new). Supported app types include Win32, .NET, Universal Windows Platform (UWP), and Progressive Web Apps (PWAs).
Add Microsoft Store apps in Intune for Education.
Search the app catalog.
Edit app properties.
New remote actions for Chrome OS
There are two new remote actions that you can use on Chrome OS devices in Intune for Education:
- Factory reset
- Remove user profiles
New Windows Autopilot guided experience
Our new guided experience in Intune for Education walks you through the steps to set up Windows Autopilot for device deployment, so you can get familiar with Windows Autopilot while building a functional deployment policy. During the guided experience, you will:
- Set up a new or existing group.
- Customize the out-of-box enrollment experience for device users.
- Configure the enrollment status page.
To access this feature from your dashboard, go to Tenant settings > Windows Autopilot. For more information about using Windows Autopilot with Intune for Education, see Set up devices with Windows Autopilot.
Manage Google Chrome browser settings
Configure Google Chrome browser settings for devices enrolled in Intune for Education. To view browser options, go to Groups and select a group. Then select Windows device settings > Browser. We've also moved Microsoft Edge settings to this section so that you can manage all browser settings in one place.
Import a CSV file or use a barcode scanner to perform bulk actions
Import a .CSV file or scan device serial numbers to quickly compile and take action on a large group of devices. To upload or scan devices in Intune for Education, go to Barcode scanner. Click through the guided experience to add managed devices and apply supported actions. You can:
• Add devices to a group
• Rename devices
• Autopilot reset
• Factory reset
Block additional administrative apps
Now you can block additional administrative apps in Intune for Education. When you configure “Block administrative apps”, Command Prompt, PowerShell, and Registry Tools are automatically added to the blocklist. You can remove items from the blocklist and add other items to it. When an app is blocked, the student can't launch it.
Configure BitLocker in Intune for Education
Now you can configure BitLocker in Intune for Education. Set “Encrypt Windows Device” to “Enabled” to turn on BitLocker with Education recommended settings. These settings include silently turning on BitLocker and escrowing BitLocker recovery keys to Microsoft Entra ID. To make additional customizations to BitLocker settings, visit Microsoft Endpoint Manager.
Support for Windows 11 SE
Intune for Education recently added support for devices running Windows 11 SE. Windows 11 SE is a new, cloud-first operating system that offers the power and reliability of Windows 11, with a simplified design that's optimized for low-cost devices in K-8 classrooms. For more information about managing Windows 11 SE devices in Intune for Education, see Manage devices running Windows 11 SE.
Redirect Windows known folders to OneDrive
Enable the newest OneDrive setting in Intune for Education to move users' most important document, desktop, and picture files to a protected place that they can access anywhere. The “Silently move Windows Known Folders to OneDrive” setting moves and redirects Windows known folders (Documents, Desktop, and Pictures) to Microsoft OneDrive. The move happens without any user interaction. You have the option to show a notification to users after the move is done.
The setting is grouped under a new Windows device settings category called OneDrive and Storage. To find it, go to Devices > Groups and choose a group. Then select Windows device settings > OneDrive and Storage.
Bulk actions with barcode scanner guided experience
Now you can use an RFID barcode scanner to quickly compile and take action on a large number of devices in Intune for Education. From your dashboard, go to Barcode scanner and scan or enter the serial number on each managed device. When you're done scanning devices, select any of the supported actions. You can:
• Add devices to a group
• Rename devices
• Autopilot reset
• Factory reset
New option lets you assign apps as available
In addition to assigning required apps, you can now use Intune for Education to assign apps as available. After you deploy this type of app, it's made available to device users in Company Portal. Users have the choice to install the app, unlike with required apps, which install automatically.
Deploy websites and web apps as desktop shortcuts
Configure desktop shortcuts for websites and web apps. Add website URLs to Intune and they'll install on devices as web apps that users can access from the Start menu or a desktop shortcut. Websites open in Microsoft Edge, version 77 or later.
Edge must run one time before this policy can take effect on a device. To get around this, you can turn on the “Enable faster start-up with Microsoft Edge” setting in Intune for Education.
Remotely locate lost or stolen Windows devices
Locate lost or stolen Windows devices in Intune for Education. To access the locate action from the dashboard, go to Devices > choose a device > select Locate.
Location services must be enabled for this feature to work. It is supported on the following versions:
- Windows 10, version 20H2 (10.0.19042.789) and later
- Windows 10, version 2004 (10.0.19041.789) and later
- Windows 10, version 1909 (10.0.18363.1350) and later
- Windows 10, version 1809 (10.0.17763.1728) and later
After you select Locate, a notification is sent to the target device to inform anyone using it that the locate action is active. Once the device is located, you can view its location on a map in Intune for Education.
New Windows Update settings
There are three new Windows Update settings in Intune for Education:
- Stay on a version of Windows 10: Choose the version of Windows 10 you want to run on devices. That version will run on devices until you remove or reconfigure this setting.
- Pause feature updates for 35 days: Pause Windows feature updates for 35 days from a selected date. Updates will resume at the end of the 35 days. You can also flip the switch back to Not configured to resume updates.
- Pause quality updates for 35 days: Pause Windows quality updates for 35 days from a selected date. Updates will resume at the end of the 35 days. You can also flip the switch back to Not configured to resume updates.
To find these settings, go to Groups and select a group > Windows device settings > Updates and upgrade.
New remote action removes passcodes on iOS devices
Remove the passcode on an iOS device in Intune for Education. To deactivate a password, go to Devices and choose the device. Then select Remove passcode. After the passcode is removed, the user can add a new passcode from the settings app on their device.
For more information about removing passcodes, see Reset or remove a device passcode in Intune in the Microsoft Intune docs.
Create a custom home screen layout for iOS devices
Create and edit the home screen layout on iPad devices to make it easy for students to find the things they need for school. This feature lets you organize and preview how apps (including web apps) and icons appear on the home screen pages, dock, and within folders. To try it out, go to Groups > select a group > iOS device settings > Lock screen, wallpaper, and home screen layout.
Change primary user for Windows devices
View and edit the primary user of a Windows device directly from Intune for Education. The primary user is allowed to use self-service actions like reset, rename, and retire in the Company Portal. To add or change a primary user, go to Devices > select a device > Properties. Then select the hyperlinked text that's next to Primary user.
For more information about primary users, see What is a primary user? in the Microsoft Intune docs.
View BitLocker recovery key
Intune for Education now shows BitLocker recovery key details for encrypted devices that have recovery keys escrowed to Microsoft Entra ID. To see recovery keys, go to Devices > select a device > Recovery keys.
For more detailed information about managing BitLocker keys in Intune, see Manage BitLocker in the Microsoft Intune docs.
Accessibility and performance improvements
Several updates have been made to improve accessibility and performance in Intune for Education. Updates include:
- Improved navigation to make it easier to move between key areas in Intune for Education.
- Increased zoom in/zoom out capability so that you can zoom in even closer on a screen while in Intune for Education. This improvement was made to increase readability and make the portal more accessible to people with visual impairments.
Configure a time zone on devices
Use the new Configure time zone setting to deploy devices with the time zone of your choice. Go to Groups > Windows device settings > User experience > Device restrictions to configure the setting.
Streamlined deployment of new Microsoft Edge browser
You can now deploy the Microsoft Edge browser from Intune for Education. The app is already available in your app inventory. Simply assign it to students and teachers to deploy it throughout your school.
Search and filter your device list
On the Devices page, you can search, filter, and sort your device list by parameters such as device name, device manufacturer, operating system, and last check-in time.
Perform remote actions with bulk selection
Perform remote actions in bulk, on up to 2,000 devices at a time. The remote actions that support bulk selection include:
- Autopilot Reset
- Factory reset
To make a bulk selection, go to Devices and either:
- Select each applicable device from the list
- Select the checkbox at the top of the list, next to Device name, to select all visible devices at once
Block app removal on iOS devices
Use the Block app removal setting to block users from removing apps from their iOS devices. Go to Groups > Settings > iOS Device Settings > Device restrictions to configure the setting.
Block all forms of Windows PowerShell
Now when you use Intune for Education to block Windows PowerShell from students and teachers, the setting will block both Windows PowerShell and Windows PowerShell ISE.
New documentation on remote assistance options
In response to COVID-19, some schools have switched to remote learning. To help you provide remote assistance to your students and teachers, see our new documentation and guidance about remote assistance options for cloud-managed devices. Also, check out our Remote Learning Deployment Reference if you're looking to get started with remote learning.
Configure new Microsoft Edge browser
You can now configure and deploy the new Microsoft Edge browser from Intune for Education. Some of the settings you'll find apply to both the old and new Edge browser. Other settings, such as the following, only work for the new browser:
- Configure blocked URLs list
- Require Safe Search
- Require YouTube restricted mode
New permissions for group admins
Users assigned as group admins can now:
- Sync Windows Autopilot devices
- Manage Autopilot device and user assignments
- Manage Autopilot deployment profile assignments
- Manage Apple user-initiated enrollment profile assignments
To delegate admin permissions in your organization, go to Intune for Education > Groups > Admins. Users who are assigned Intune's built-in school administrator role also have these permissions. To assign the school admin role or modify permissions, go to the Device Management admin center > Tenant administration > Roles. For a list of all group admin/school administrator permissions, see Assign group admins.
Configure power and sleep settings
Control power and sleep settings for idle Windows devices. You can configure when to:
- Turn off the display
- Put the devices to sleep
- Put the devices in hibernation
Manage VPP token restrictions
You can now restrict admins from accessing selected apps. To add and manage restricted VPP tokens, go to Groups > Admins > Restrict app access for admins.
View Win32 Apps from Intune for Education portal
You can now see the Win32 apps that are configured in your tenant, and manage the apps' group assignments, from the Intune for Education portal.
Configure Take A Test for local guest accounts
New configuration options are available for Take a Test profiles. There's now a local guest account option, so students can click a button on the Windows sign-in screen to launch a secure assessment, and skip entering a password. For more information about Take a Test, see Take tests in Windows 10 and Add a Take a Test profile in Intune for Education.
Changes to education presets
After you sign up for Intune for Education, Intune preconfigures some settings in the All devices group. We've made changes to these presets based on customer feedback. These changes include:
- By default, enrollment of personal Windows devices will be blocked to ensure personal devices are not accidentally enrolled in Intune.
- By default, local Autopilot Reset will be disabled.
Manage Windows Autopilot
From the Intune for Education portal, you can:
- Configure Autopilot deployment profiles.
- Create dynamic groups for Autopilot-registered devices based on group tags.
- Monitor and review device deployments.
For more information about Windows Autopilot, see Overview of Windows Autopilot.
Change to Office 365 deployment
When you deploy Office 365 for Windows, all targeted devices, including those in S mode, will receive Office 365 ProPlus. Before this change, devices in S mode received a different version of Office 365 from the Microsoft Store for Education.
New admin view added to Groups page for easier admin delegation
We've added a new view so that you can more easily see, add, and remove the groups your admins manage. Go to the Groups page and after choosing a group, select Admins > Managed by this group. From there you can add or remove groups.
Perform bulk rename
Rename up to 100 devices at a time. To make a bulk selection, you can manually choose devices from the devices list, or hold down the Ctrl or Command key to select multiple devices at once.
You can then apply a naming template to the group of selected devices. The template consists of a custom prefix followed by a unique identifier. The unique identifier can be a serial number, a counter, or a Wi-Fi MAC address.
Perform bulk actions
Perform certain remote actions on up to 100 devices at a time. To make a bulk selection, you can manually choose devices from the devices list, or hold down the Ctrl or Command key to select multiple devices at once.
Intune for Education will support the bulk functionality for the following device actions:
- Factory reset
- Autopilot Reset
Easier migration to Intune for Education licenses
After you sign up for Intune for Education, Intune automatically configures some settings in the All devices group with values that are recommended for schools. Now when you add Intune for Education to a tenant that already has an Intune subscription, you'll see the recommended policies, but Intune won't assign them automatically. This change will ensure that no unwanted changes are made to your existing environment.
New permissions for assigned group admins
Intune's built-in School Administrator role now has create, read, update, and delete (CRUD) permissions for Managed Apps. This update means that if you're assigned as a group admin in Intune for Education, you can now create, view, update, and delete the iOS MDM Push Certificate, iOS MDM server tokens, and iOS VPP tokens along with all of the existing permissions you have. To take any of these actions, go to Tenant settings > iOS Device Management.
New deployment documentation
In the enrollment section of our documentation, you'll find new information to help you compare Set up School PCs and Windows Autopilot based on your school's environment and setup needs. Use this information to decide when to use each option, or both, for device setup.
Distinguish between online and offline-licensed Microsoft Store for Education apps
You'll be able to see if a Microsoft Store for Education app has an online or offline license. Intune for Education will show the license type in Express Configuration and on the app's details page, making it easier for you to manage and deploy apps to the correct groups. Apps with online licenses begin installing after a user signs in to a device and require a connection to Microsoft Store to use. Apps with offline licenses install without the need for user sign-in and don't require a connection to Microsoft Store to use.
New iOS settings
New settings have been added to give you more control over the iOS Classroom app.
Apply an iOS device naming template
We've added new naming settings to help you group and identify your iOS devices. During iOS enrollment and MDM server token setup, Intune for Education will automatically name each of your devices with their unique device serial number. You can then add a custom name, such as Contoso or Math1, to the prefix. If you customize the name, the device serial number is attached to the end of it. For example: Contoso012a345b67c8. When you configure or update a naming template for an MDM Server Token, all devices associated with that token are renamed – both existing devices and those enrolled after the naming template is applied.
Updated iOS settings names and added more tooltips
We revised many of the iOS setting names, tooltips, and categories in Intune for Education to make settings easier to find and understand. For a detailed list of these settings, see iOS device settings in Intune for Education.
Refined list of iOS settings in Express Configuration
We adjusted the list of iOS settings in Express Configuration so that you can get your devices and groups set up even faster. You'll see that some settings moved out of Express Configuration, and new settings moved in. The removed settings are still available for you to configure in Groups > Settings > iOS Device Settings. For the full list of device settings in Intune for Education, see iOS device settings and Windows 10 device settings.
New settings for Windows 10 devices
There are several new Windows 10 device settings. Here are just a few of the settings you can now configure in Intune for Education:
- Windows Update notifications: This setting lets you choose whether or not users see notifications about Windows Updates.
- Manual Windows Update: This setting lets you choose whether or not users have access to the Windows Update scan, download, and install features.
Set custom wallpaper and lock screen images for your iOS devices
You can now use Intune for Education to set custom wallpaper and lock screen images on school devices. To upload your images, go to Groups > iOS Device Settings > Wallpaper and lock screen images.
Set up iOS devices with Shared iPad features
When configuring settings in Intune for Education for iOS device enrollment, you now have the option to configure your iOS devices to enroll with Shared iPad features enabled. Shared iPad is an iOS feature that requires students and teachers to sign in to school devices with a Managed Apple ID. They can sign in and out of any enabled device in the school to access saved and in-progress work, apps, and tasks. For more information about Shared iPad in Intune for Education, see Shared iPad configuration.
New settings for Windows 10 devices
We've added new settings to give you more control over areas such as security, Windows updates, device sign-in, and browser experience. Here are just a few new settings you'll see this month:
- Configure preferred Azure Active Directory tenant domain: This setting permits students to sign in to a device without a tenant domain name. Students can sign in quickly and easily with just their alias.
- Configure new tab page: This setting lets you choose the page that opens when students add a tab in Microsoft Edge. New tabs can open a blank page or a custom one, such as your school's home page.
- Switch out of S Mode: This setting lets admins switch devices out of Windows 10 in S Mode, or prevents students from switching their own devices out of S Mode.
Updated Windows settings names and added useful tooltips
We revised many of the setting names and tooltips in Intune for Education to make them easier to find and understand. For even more details about each setting, see Windows 10 device settings in Intune for Education.
Rename Windows devices
Rename any Windows 10 (version 1803 or later) device remotely from the Intune for Education portal. To rename, go to Devices and select a device > Rename device. You can also rename a device from the Device details page.
Remote Autopilot Reset
You can now invoke Autopilot Reset remotely using the Intune for Education portal. Autopilot Reset removes all user data including user-installed apps and personal settings and keeps the device enrolled in Intune so the device is kept up-to-date with all the latest apps, policies, and settings. With this feature, you can quickly wipe and reconfigure students' PCs in bulk to prepare them for a new school year. Learn more about Autopilot Reset here.
New features for iOS management
- Intune for Education now displays location information for your Apple School Manager VPP tokens, so you can easily identify your VPP tokens from both Intune for Education and Apple School Manager.
- You can give your VPP tokens nicknames in Intune for Education for easy labeling and organization.
- Enrollment is now even faster for your iOS devices when you set up an MDM Server Token. Intune for Education automatically configures enrollment settings, so the devices associated with the MDM Server Token have fewer Setup Assistant screens to tap through.
You can now delete a device in the Intune for Education portal. Deleting a device:
- unenrolls the device from Intune.
- removes the device record from Microsoft Entra ID so the device is no longer part of your environment.
Immersive Reader for all Tenants
Your Windows Store for Education inventory gets unlimited licenses for Immersive Reader when you sign up for Intune for Education. Immersive Reader is a learning tool that creates a reading experience with accessibility and comprehension for learners of all ages and abilities. Learn more about Immersive Reader here.
Effective Policy Page
The effective policy page shows all apps and settings applied to a user/device combination based on group memberships. From this page, you can see settings that might be in conflict and troubleshoot the issues. You can reach the effective policy page in two ways:
- click on a user > Go to user details > choose a device that user has recently checked in with.
- click on a device > Go to device details > choose a user that has recently checked in on that device.
All new support for iOS classroom devices
Intune for Education now supports iOS device management in the classroom. We've added new features and pages to Intune for Education to make the setup and management process easy for everyone involved. From the dashboard, you'll have everything you need to successfully set up, configure, and enroll devices.
- Setup iOS device management: We've added a new page with step-by-step guidance to help you quickly connect your Apple accounts to Intune for Education. On-screen indicators let you clearly see the required and optional steps, the ones you've successfully completed, and the ones that are nearing expiration.
- Express configuration: Just like our Windows 10 experience, but tailored to iOS devices, express configuration for iOS helps you quickly assign and change apps and settings. Choose a group of users or devices and select from our Microsoft-recommended settings. These recommendations are preselected, but you can change them at any time to match your school's own policies.
- Apps and settings: We've added separate app and device setting views to help you focus on either iOS or Windows 10 device management. With added Apple VPP support, you can sync your VPP-purchased apps with Intune for Education and assign them directly from the dashboard.
- Dynamic grouping: Now you can apply a specific device platform rule to your dynamic groups. Create a rule to apply to devices or students on Windows 10 or iOS devices.
Get more details and learn how to navigate new pages and workflows in the Intune for Education documentation.
History of group actions taken by admins
You can now view a history of all actions taken by admins to change group admins, apps, and settings for their approved groups. You can find the log of this history in Groups > History.
Windows Defender report
We've added a new report. On the Reports page, you can select Windows Defender report from the list of reports. This lets you view Windows Defender device health status for all your devices. You can see what this looks like in the What are reports? doc.
Use role-based access control to enable group admins
You can now choose groups of people to manage settings for other groups. For example, you could have a group called High School Admins, where the members are your team of admins for high schools in your district. The High School Admins group could be given permission to manage settings for groups of high school students. Find out more in the What are groups? doc.
User and device search
We've added two new options to the sidebar: Users and Devices. You can use these to search for individual users or devices, and quickly open the Details for these items. To add these searches to the sidebar, go to See all and select the Star button (Favorite) to add them to your favorites list.
You can now take remote actions on your users and devices. Select the device you want to take action on, then choose one of the following actions from the details page:
- Reset to factory settings
- Remove from management
- Reset password
Find out more about remote actions.
We've added a new option to the sidebar for Wi-Fi profiles. This lets you define Wi-Fi settings that you can assign to different devices, users, and groups.
Define rules and we'll create groups that automatically populate based on them.
New app status
When adding an app, you'll now see a per-device and per-user status of app installs.
Updated details pages
Select a user or device in one of your groups. A pane will now slide up from the bottom of the screen that lets you get more information on that object, and the status of the apps and settings that you've assigned to it.
May 2017 (initial release)
Intune for Education is now available!
We have launched the Intune for Education portal. Intune for Education is a streamlined experience for schools and educational organizations to manage Windows 10 devices. Find out more about Intune for Education in these docs.