Edit

Share via

In development for Microsoft Intune

  • Article

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. Also:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
  • When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

Microsoft Intune Suite

New actions for Microsoft Cloud PKI

The following actions will be added to Microsoft Cloud PKI:

  • Delete: Delete a certification authority (CA).
  • Pause: Temporarily suspend use of a CA.
  • Revoke a CA certificate: Revoke a CA certificate.

You’ll be able to access all new actions in the Microsoft Intune admin center and Graph API.

App management

New configuration capabilities for Managed Home Screen

You'll be able to configure Managed Home Screen (MHS) to enable a virtual app-switcher button that allows end users to easily navigate between apps on their kiosk devices from MHS. You'll be able to select between a floating or swipe-up app-switcher button. The configuration key will be virtual_app_switcher_type and the possible values will be none, float, and swipe_up.

For information related to configuring the Managed Home Screen app, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

MAC address available from the Managed Home Screen app

MAC address details will be available from the Device Information page of the Managed Home Screen (MHS) app.

For information about MHS, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Intune will support additional macOS app types from the Company Portal

Intune will support the ability to deploy DMG and PKG apps as Available in the Intune macOS Company Portal. This capability enables end users to browse and install agent-deployed applications using Company Portal for macOS.

Applies to:

  • macOS

The Intune App SDK and Intune App Wrapping Tool are moving to a different GitHub repo

The Intune App SDK and Intune App Wrapping Tool are moving to a different GitHub repository and a new account. There will be redirects in place for all existing repositories. In addition, the Intune sample applications are also included in this move. This change relates to both Android and iOS platforms.

New actions for policies, profiles, and apps

You'll be able to remove, reinstall, and reapply individual policies, profiles, and apps for iOS/iPadOS devices and Android corporate owned devices. You'll be able to apply these actions without changing assignments or group membership. These actions are intended to help resolve customer challenges that are external to Intune. Also, these actions can help to quickly restore end user productivity.

Applies to:

  • iOS/iPadOS
  • Android Enterprise corporate owned devices

Added protection for iOS/iPadOS app widgets

To protect organizational data for MAM managed accounts and apps, Intune app protection policies now provide the capability to block data sync from policy managed app data to app widgets. App widgets can be added to end-user's iOS/iPadOS device lock screen, which can expose data contained by these widgets, such as meeting titles, top sites, and recent notes. In Intune, you'll be able to set the app protection policy setting Sync policy managed app data with app widgets to Block for iOS/iPadOS apps. This setting will be available as part of the Data Protection settings in app protection policies. This new setting will be an app protection feature similar to the Sync policy managed app data with native app or add-ins setting.

Applies to:

  • iOS/iPadOS

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Restrictions:

  • Allow Auto Dim

macOS

Privacy > Privacy Preferences Policy Control:

  • Bluetooth Always

Allow access to all apps in Google Play store setting values are changing for Android Enterprise

In an Intune device restrictions configuration policy, you can configure the Allow access to all apps in Google Play store setting using the Allow and Not configured options (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully managed, dedicated and corporate-owned work profile > Device restrictions for profile type > **Applications).

The available options are being updated to Allow, Block, and Not configured.

There's no impact to existing profiles using this setting.

For more information on this setting and the values you can currently configure, see Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Applies to:

  • Android Enterprise Fully managed, dedicated and corporate-owned work profile

Device enrollment

Define corporate device identifiers for Windows

Microsoft Intune will support corporate device identifiers for Windows devices. You'll be able to upload a CSV file with model, manufacturer, and serial number to identify corporate machines ahead of enrolling. When a device that matches the model, manufacturer, and serial number criteria enrolls, it will be marked as corporate and managed appropriately.

Intune adding support for Red Hat Enterprise Linux

Microsoft Intune will support device management for Red Hat Enterprise Linux. You'll be able to enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

Applies to:

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8

Account-driven Apple User Enrollment to be generally available for iOS/iPadOS 15+ devices

Intune will support account-driven Apple User Enrollment, the new and improved version of Apple User Enrollment, for devices running iOS/iPadOS 15 and later. This new enrollment method utilizes just-in-time registration, removing the Company Portal app for iOS as an enrollment requirement. Device users will be able to initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience. For more information, see Set up account driven Apple User Enrollment on Microsoft Learn.

If you prefer, you can continue to target iOS/iPadOS devices using the Apple User Enrollment method that requires Company Portal. Devices running iOS/iPadOS 14.8.1 and earlier will be unaffected by this update and can continue to use the method with Company Portal.

Applies to:

  • iOS/iPadOS 15 and later

Device management

Copilot in Intune will have device query feature using Kusto Query Language (KQL) (public preview)

When you use Copilot in Intune, there's a new device query feature that uses KQL.

Use this feature to ask questions about your devices using a natural language. If device query can answer your question, Copilot generates the KQL query you can run to get the data you want.

To learn more about how you can currently use Copilot in Intune, see Microsoft Copilot in Intune.

Changes for Account Protection policies

Account Protection policies can help you protect the credentials of your users, and focus on settings for Windows Hello and Credential Guard, which are part of Windows identity and access management.

To help improve Intune Account Protection policies, we will be removing older templates that use an outdated settings format, and consolidating Account Protection management through use of a single new profile. The settings in the new profile will use the newer unified settings format for device management, be available through the settings catalog, and help to improve the reporting experience in the Intune admin center.

The new profile will be found in the account protection policy node of endpoint security, and will be named Account Protection. With this profile you’ll be able to manage the same settings as before, though the new profile will present updated names and options for those settings.

The old profile we're removing is the Account Protection (Preview) template that's available through endpoint security Account Protection policy.

For more information about this type of policy, see [Manage device security with endpoint security policies](../protect/ endpoint-security-account-protection-policy.md).

Applies to:

  • Windows 10
  • Windows 11

New cpuArchitecture filter device property for app and policy assignments

When you assign an app, compliance policy, or configuration profile, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.

A new cpuArchitecture device filter property is available for Windows and macOS devices. With this property, you can filter app and policy assignments depending on the processor architecture.

For more information on filters and the device properties you can use, see:

Applies to:

  • Windows 10
  • Windows 11
  • macOS

New operatingSystemVersion filter property with new comparison operators (preview)

There's a new operatingSystemVersion filter property. This property:

  • Is in public preview and still being developed. So, some features, like Preview devices, don't work yet.

  • Should be used instead of the existing OSVersion property. The OSVersion property is being deprecated. When operatingSystemVersion is generally available (GA), the OSVersion property will retire, and you won't be able to create new filters using this property. Existing filters that use OSVersion continue to work.

  • Has new comparison operators:

    • GreaterThan: Use for version value types.

      • Allowed values: -gt | gt
      • Example: (device.operatingSystemVersion -gt 10.0.22000.1000)

    • GreaterThanOrEquals: Use for version value types.

      • Allowed values: -ge | ge
      • Example: (device.operatingSystemVersion -ge 10.0.22000.1000)

    • LessThan: Use for version value types.

      • Allowed values: -lt | lt
      • Example: (device.operatingSystemVersion -lt 10.0.22000.1000)

    • LessThanOrEquals: Use for version value types.

      • Allowed values: -le | le
      • Example: (device.operatingSystemVersion -le 10.0.22000.1000)

For managed devices, operatingSystemVersion applies to:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows

For managed apps, operatingSystemVersion applies to:

  • Android
  • iOS/iPadOS
  • Windows

For more information on filters and the device properties you can currently use, see:

Government community cloud (GCC) support for Remote Help for macOS devices

GCC customers will soon be able to use Remote Help for macOS devices on both web app and native application.

Applies to:

  • macOS 12, 13 and 14

For more information, see:

Remote Help on macOS Microsoft Intune for US Government GCC service description

Device security

Defender for Endpoint security settings support in government cloud environments

Customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments will soon be able to use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. This capability is known as Defender for Endpoint security settings management.

For more information about the Intune features supported in GCC High and DoD environments, see Intune US Government service description.

Updated security baseline for Windows 365 Cloud PC

We're working on an update to the Intune security baseline for Windows 365 Cloud PC. The new baseline version uses the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.

Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.

As with all baselines, the default baseline represents the recommended configurations for each setting, which you can modify to meet the requirements of your organization.

Applies to:

  • Windows 10
  • Windows 11

Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint

You'll be able to use the endpoint security policy for Device control (Attack surface reduction policy) from the Microsoft Intune with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.

Applies to the following when you use the Windows 10, Windows 11, and Windows Server platform:

  • Windows 10
  • Windows 11

When this change takes effect, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune, will now apply the settings from the policy. Check your policy to make sure only the devices you intend to receive this policy will get it.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Intune is moving to support iOS/iPadOS 16 and later

Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 16/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).

Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 16/iPadOS 16 while the allowed OS version will change to iOS 13/iPadOS 13 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 13 and higher later this year

Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Ventura is compatible with these computers.

Note

Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 12.x or below.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Update to Intune endpoint for Remote Help

Starting on May 30, 2024, or soon after, to improve the experience for Remote Help on Windows, Web, and macOS, we're updating the primary network endpoint for Remote Help from https://remoteassistance.support.services.microsoft.com to https://remotehelp.microsoft.com.

How does this affect you or your users?

If you're using Remote Help and you have firewall rules that don't permit the new endpoint https://remotehelp.microsoft.com, admins and users may experience connectivity issues or disruptions with Remote Help.

Additionally, the Remote Help app on Windows will need to be updated to the newest version. No action is needed for the Remote Help app for macOS and the Remote Help Web app.

How can you prepare?

Update your firewall rules to include the new Remote Help endpoint: https://remotehelp.microsoft.com. For Remote Help on Windows, users will need to update to the newest version (5.1.124.0). Most users have opted in for automatic updates and will be updated automatically without any action from the user. To learn more, review Install and update Remote Help for Windows.

Additional information:

Update to the latest Company Portal for Android, Intune App SDK for iOS, and Intune App Wrapper for iOS

Starting June 1, 2024, we're making updates to improve the Intune mobile application management (MAM) service. This update will require iOS wrapped apps, iOS SDK integrated apps, and the Company Portal for Android to be updated to the latest versions to ensure applications stay secure and run smoothly.

Important

If you don't update to the latest versions, users will be blocked from launching your app.

Ahead of this change, for Microsoft apps that need to be updated, when a user opens the app, they'll receive a blocking message to update the app.

Note that the way Android updates, once one Microsoft application with the updated SDK is on the device and the Company Portal is updated to the latest version, Android apps will update. So, this message is focused on iOS SDK/app wrapper updates. We recommend always updating your Android and iOS apps to the latest SDK or app wrapper to ensure that your app continues to run smoothly.

How does this affect you or your users?

If your users haven't updated to the latest Microsoft or third-party app protection supported apps, they'll be blocked from launching their apps. If you have iOS line-of-business (LOB) applications that are using the Intune wrapper or Intune SDK, you must be on Wrapper/SDK version 17.7.0 or later to avoid your users being blocked.

How can you prepare?

Plan to make the changes below before June 1, 2024:

  • Any of your iOS line-of-business (LOB) apps using older versions of the Intune SDK or wrapper must be updated to v17.7.0 or later.
  • For tenants with policies targeted to iOS apps:
    • Notify your users that they need to upgrade to the latest version of the Microsoft apps. You can find the latest version of the apps in the App store. For example, you can find the latest version of Microsoft Teams here and Microsoft Outlook here.
    • Additionally, you have the option to enable the following conditional launch settings:
      • The Min OS version setting to warn users using iOS 15 or older so that they can download the latest apps.
      • The Min SDK version setting to block users if the app is using Intune SDK for iOS older than 17.7.0.
      • The Min app version setting to warn users on older Microsoft apps. Note that this setting must be in a policy targeted to only the targeted app.
  • For tenants with policies targeted to Android apps:
    • Notify your users that they need to upgrade to the latest version (v5.0.6198.0) of the Company Portal app.
    • Additionally, you have the option to enable the following conditional launch device condition setting:
      • The Min Company Portal version setting to warn users using a Company Portal app version older than 5.0.6198.0.

Plan for Change: Ending support for Intune App SDK Xamarin Bindings in May 2024

With the end of support for Xamarin Bindings, Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on May 1, 2024.

How does this affect you or your users?

If you you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI.

How can you prepare?

Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps:

Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID

Last year we announced a new Microsoft Intune GitHub repository based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, in May 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.

How does this affect you or your users?

If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

How can you prepare?

Update your PowerShell scripts by:

  1. Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform.
  2. Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.

For detailed step-by-step instructions visit powershell-intune-samples/Updating App Registration (github.com).

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:

  • Android Enterprise personally-owned work profile
  • Android Enterprise corporate owned work profile
  • Android Enterprise fully managed
  • Android Open Source Project (AOSP) user-based
  • Android device administrator
  • App protection policies (APP)
  • App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

  • Intune technical support won't be provided.
  • Intune won't make changes to address bugs or issues.
  • New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

  • Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
  • Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
  • Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you will need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: Set up just in time registration in Microsoft Intune.

How does this affect you or your users?

This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method, existing profiles are not impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Additional information:

Wrapped iOS apps and iOS apps using the Intune App SDK will require Azure AD app registration

We're making updates to improve the security of the Intune mobile application management (MAM) service. This update will require iOS wrapped apps and SDK integrated apps to be registered with Microsoft Entra ID (formerly Azure Active Directory (Azure AD)) by March 31, 2024 to continue receiving MAM policy.

How does this affect you or your users?

If you have wrapped apps or SDK integrated apps that aren't registered with Azure AD, these apps will be unable to connect to the MAM service to receive policy and your users won't be able to access apps that aren't registered.

How can you prepare?

Prior to this change, you will need to register the apps with Azure AD. See below for detailed instructions.

  1. Register your apps with Azure AD by following these instructions: Register an application with the Microsoft identity platform.
  2. Add the custom redirect URL to your app settings as documented here.
  3. Give your app access to the Intune MAM service, for instructions see here.
  4. Once the above changes are completed, configure your apps for Microsoft Authentication Library (MSAL):
    1. For wrapped apps: Add the Azure AD application client ID into the command-line parameters with the Intune App Wrapping Tool as outlined in the documentation: Wrap iOS apps with the Intune App Wrapping Tool | Microsoft Learn -ac and -ar are required parameters. Each app will need a unique set of these parameters. -aa is only required for single tenant applications.
    2. For SDK integrated apps see, Microsoft Intune App SDK for iOS developer guide | Microsoft Learn. ADALClientId and ADALRedirectUri/ADALRedirectScheme are now required parameters. ADALAuthority is only required for single tenant applications.
  5. Deploy the app.
  6. To validate the above steps:
    1. Target "com.microsoft.intune.mam.IntuneMAMOnly.RequireAADRegistration" application configuration policy and set it to Enabled - Configuration policies for Intune App SDK managed apps - Microsoft Intune | Microsoft Learn
    2. Target App Protection Policy to the application. Enable the 'Work or school account credentials for access' policy and set 'Recheck the access requirements after (minutes of inactivity)' setting to a low number like 1.
  7. Then launch the application on a device and verify if the sign-in (which should be required every minute on app launch) happens successfully with the configured parameters.
  8. Note that if you only do step #6 and #7 before doing the other steps, you might be blocked on application launch. You will also notice the same behavior if some of the parameters are incorrect.
  9. Once you’ve completed the validation steps, you can undo the changes made in step #6.

Note

Intune will soon require an Azure AD device registration for iOS devices using MAM. If you have Conditional Access policies enabled, your devices should already be registered, and you won't notice any change. For more information see, Microsoft Entra registered devices - Microsoft Entra | Microsoft Learn.

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.

Note that customers in some environments cannot be transitioned initially, for more details and updates read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Update to the latest Intune App SDK and Intune App Wrapper for iOS to support iOS/iPadOS 17

To support the upcoming release of iOS/iPadOS 17, update to the latest versions of the Intune App SDK and the App Wrapping Tool for iOS to ensure applications stay secure and run smoothly. Additionally, for organizations using the Conditional Access grant “Require app protection policy”, users should update their apps to the latest version prior to upgrading to iOS 17. You can learn more by reading the blog: Update Intune App SDK, Wrapper, and iOS apps using MAM policies to support iOS/iPadOS 17.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

  1. Users won't be able to enroll devices with Android device administrator.
  2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
  3. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:

  1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
  2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you'll not be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps and related API properties will display stale data.
  3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.

The retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:

Related information

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for WIP without enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change only affects you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Intune admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.