In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. In addition to the information in this article:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
  • When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

App management

Block pinning web pages to Managed Home Screen app

On Android Enterprise dedicated devices using Managed Home Screen, you can now use app configuration to configure the Managed Home Screen app to block pinning browser web pages to Managed Home Screen. The new key value is block_pinning_browser_web_pages_to_MHS. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Company Portal automatically installed on Android Enterprise dedicated devices

Intune Company Portal will now be automatically installed on all Android Enterprise dedicated devices to ensure the appropriate handling of app protection policies. Users will not be able to see or launch the Company Portal, and there are no requirements for users to interact with it. Admins will notice that the Company Portal is automatically installed on their Android Enterprise dedicated devices, without the ability to uninstall.

Uninstall Win32 apps in the Company Portal

The time frame for the release of this update is still being determined.

Users will be able to uninstall Win32 apps in the Company Portal. If a Win32 app can be uninstalled by the user, the user will be able to select Uninstall for the Win32 app in the Company Portal. For more information about Win32 apps, go to Win32 app management in Microsoft Intune.

Global quiet time app policy settings

The global quiet time settings will allow you to create policies to schedule quiet time for your end users, which will automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms. These policies can be used to limit end user notifications received after work hours. When this feature is available, you will be able to find it in Microsoft Endpoint Manager admin center by selecting Apps > Quiet Time > Policies.

Device management

Microsoft Tunnel for Mobile Application Management for iOS/iPadOS (Preview)

As a public preview, we’re adding support for Mobile Application Management (MAM) to the Microsoft Tunnel VPN gateway for iOS/iPadOS. With this preview for iOS devices that have not enrolled with Intune, supported apps on those unenrolled devices will be able to use Microsoft Tunnel to connect to your organization when working with corporate data and resources. This includes VPN gateway support for:

  • Secure access to on-prem apps and resources using modern authentication
  • Single Sign On and conditional access.

Applies to:

  • iOS/iPadOS

Endpoint security firewall rules support for ICMP type

We’re adding a new setting named IcmpTypesAndCodes to the endpoint security firewall rules template for Windows 10. To configure this in the Microsoft Endpoint Manager admin center by selecting Endpoint security > Firewall > Create Policy > Platform: Windows 10, Windows 11, and Windows Server > Profile: Microsoft Defender Firewall Rules).

With this new setting, you’ll be able to configure inbound and outbound rules for Internet Control Message Protocol (ICMP) as part of a firewall rule.

Applies to:

  • Windows 10, Windows 11, and Windows Server

Device security

Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint

You’ll soon be able to manage Tamper protection for Microsoft Defender for Endpoint on unenrolled devices as part of the MDE Security configuration scenario.

When this support is available, your tamper protection configurations from Windows Security Experience profiles for Antivirus policies can apply to all devices instead of only to those that are enrolled with Intune.

Applies to:

  • Windows 10
  • Windows 11

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Enable Intune features that use Windows diagnostic data

Expected in mid-April 2023, Intune features that depend on Windows diagnostic data, such as the app and driver compatibility reports for Windows updates, will require you to enable the use of Windows diagnostic data in Intune and confirm you have the required licensing for these features.

How does this affect you or your users?

If you are using the app and driver compatibility reports for Windows updates, you will need to share Windows diagnostic data with Intune by enabling the use of Windows diagnostic data in processor configuration in your Intune tenant and confirm your licensing in the Endpoint Manager admin center.

How can you prepare?

Navigate to the Endpoint Manager admin center > Tenant administration > Connectors and tokens > Windows data and toggle on "Enable features that require Windows diagnostic data in processor configuration" and set “I confirm that my tenant owns one of these licenses” to On. For more information, see Enable use of Windows diagnostic data by Intune.

Plan for Change: Ending support for Company Portal authentication method for iOS/iPadOS ADE enrollment

As we continue to invest in Setup Assistant with modern authentication, which is the Apple supported path to require enrollment during Setup Assistant with optional multi-factor authentication, we plan to remove the Company Portal authentication method from new and existing iOS/iPadOS ADE enrollment profiles. This will include removing the Run Company Portal in Single App Mode until authentication setting.

We're no longer moving forward with the change at this time, we'll notify you via the Message Center when it's time to replan for this future change.

How does this affect you or your users?

New enrollments (new devices that are targeted with an existing enrollment profile or devices re-enrolling) that are targeted with an existing enrollment profile with the Company Portal authentication method, will not be able to enroll.

This will not impact existing enrolled devices unless the device is re-enrolled after this change. The device will not be able to re-enroll until the authentication method is switched in the enrollment profile to Setup Assistant with modern authentication.

New iOS/iPadOS enrollment profiles will not have the option to select Company Portal as the authentication method.

If you have not already, you will need to move to use Setup Assistant with modern authentication. Within the Microsoft Endpoint Manager admin center, you will want to either create a new ADE enrollment profile, or edit your existing enrollment profile to use the “Setup assistant with modern authentication.”

User experience: The Setup Assistant with modern authentication enrollment flow does change the enrollment screen order where authentication will occur prior to accessing the home screen. If you have user guides that share screenshots, you will want to update those so the guides match the experience of Setup Assistant with modern authentication.

How can you prepare?

To enroll new devices (or re-enroll) after this change, you will either need to update existing profiles to move to Setup Assistant with modern authentication or create a new enrollment profile with this method.

For related information, see:

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they are ending support for Windows Information Protection (WIP), Microsoft Endpoint Manager will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we will remove support for WIP without enrollment scenario by the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend that you take action to disable WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it is only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you are managing Windows 8.1 devices those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and policies, however, you will not be able to enroll new devices if they are running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are running Windows 8.1 navigate to Microsoft Endpoint Manager admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information

Update your certificate connector for Microsoft Intune

As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no longer work as expected and stop connecting to the Intune service. See Certificate Connectors for Microsoft Intune for additional information on the certificate connector lifecycle and support.

How does this affect you or your users?

If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information see, Install the Certificate Connector for Microsoft Intune.

To check which version of the certificate connector you are using, follow these steps:

  1. On a Windows Server running the Intune Certificate Connector, launch "Add or Remove programs".
  2. A list of installed programs and applications will be displayed.
  3. Look for an entry related to the Microsoft Intune Certificate Connector. There will be a "Version" associated with the connector. Note: Names for older connectors may vary.

Plan for change: Intune is moving to support macOS 11.6 and higher later this year

Apple is expected to release macOS 13 (Ventura) later this year, Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 11.6 (Big Sur) and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS 16.

How does this affect you or your users?

This change will affect you only if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Big Sur is compatible with these computers.

Note

Devices that are currently enrolled on macOS 10.15 or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 10.15 or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 10.15 or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for change: Intune is moving to support iOS/iPadOS 14 and later

Later this year, we expect iOS 16 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 14/iPadOS 14 and higher shortly after iOS 16’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 14).

Because Office 365 mobile apps are supported on iOS/iPadOS 14.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 14 or iPadOS 14 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. See https://aka.ms/ADE_userless_support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management, go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status > App Protection report: iOS, Android.

To manage the supported OS version in your organization, you can use Microsoft Endpoint Manager controls for both mobile device management and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices will not be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment.

Here's how you can warn users:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that warns users.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send an email or push notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that blocks users from app access.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices running Android 7.x or earlier non-compliant.
  • Set enrollment restrictions that prevent devices running Android 7.x or earlier from enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings will be set to Not configured. That change will take effect when you edit the profile.

How can you prepare?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change will affect you only if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Endpoint Manager admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.