In development for Microsoft Intune
To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. In addition to the information in this article:
- If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
- When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
- Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.
This article and the What's new article are updated periodically. Check back for more updates.
Note
This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.
You can use RSS to be notified when this article is updated. For more information, see How to use the docs.
App management
Install required apps during pre-provisioning
A new toggle will be available in the Enrollment Status Page (ESP) profile that allows you to select whether to attempt to install required applications during the technician phase of pre-provisioning (white glove). We understand that installing as many applications as possible during pre-provisioning is desired to reduce the end user setup time. To help you achieve this, we have implemented an option to attempt the installation of all the required apps assigned to a device during the technician phase. If an app fails to install, ESP will continue, except for the apps specified in the ESP profile. To enable this function, edit your Enrollment Status Page profile and select Yes on the new setting entitled Only fail selected apps in technician phase. This setting will only appear if you have blocking apps selected. For information about ESP, go to Set up the Enrollment Status Page.
Company Portal automatically installed on Android Enterprise dedicated devices
Intune Company Portal will now be automatically installed on all Android Enterprise dedicated devices to ensure the appropriate handling of app protection policies. Users won't be able to see or launch the Company Portal, and there are no requirements for users to interact with it. Admins will notice that the Company Portal is automatically installed on their Android Enterprise dedicated devices, without the ability to uninstall.
Uninstall Win32 apps in the Company Portal
The time frame for the release of this update is still being determined.
Users will be able to uninstall Win32 apps in the Company Portal. If a Win32 app can be uninstalled by the user, the user will be able to select Uninstall for the Win32 app in the Company Portal. For more information about Win32 apps, go to Win32 app management in Microsoft Intune.
Global quiet time app policy settings
The global quiet time settings will allow you to create policies to schedule quiet time for your end users, which will automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms. These policies can be used to limit end user notifications received after work hours. When this feature is available, you will be able to find it in Microsoft Intune admin center by selecting Apps > Quiet Time > Policies.
Device configuration
Add Google accounts to Android Enterprise personally owned devices with a work profile
On Android Enterprise personally owned devices with a work profile, you can configure settings that restrict device features and settings. Currently, there's an Add and remove accounts setting. This setting prevents accounts from being added in the work profile, including preventing Google accounts.
This setting is changing, and you will be able to add Google accounts. The Add and remove accounts setting options will be:
- Block all accounts types: Prevents users from manually adding or removing accounts in the work profile. For example, when you deploy the Gmail app into the work profile, you can prevent users from adding or removing accounts in this work profile.
- Allow all accounts types: Allows all accounts, including Google accounts. These Google accounts are blocked from installing apps from the Managed Google Play Store. This setting requires Google Play app version 80970100 or higher.
- Allow all accounts types, except Google accounts (default): Intune doesn't change or update this setting. By default, the OS might allow adding accounts in the work profile.
For more information on the settings you can configure, go to Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.
Applies to:
- Android Enterprise personally owned devices with a work profile
Support for multi-SIM iOS/iPadOS device inventory
You'll soon be able to view the service subscription fields on devices that have multiple SIM cards installed under the per-device Hardware section. The inventory fields that are capable of reporting multiple values to Intune are:
- ICCID
- IMEI
- MEID
- Phone number
These fields will default to using labels returned by the device, such as: Primary, Secondary, CTSubscriptionSlotOne, and CTSubscriptionSlotTwo. These returned labels may be displayed in the language of the local device that is reporting its inventory to Intune.
Applies to:
- iOS/iPadOS
Device management
On-demand proactive remediation for a Windows device
A new device action that is in public preview allows you to run a proactive remediation on demand on a single Windows device. The Run remediation device action will allow you to resolve issues without having to wait for a proactive remediation to run on its assigned schedule. You will also be able to view the status of proactive remediations under Remediations in the Monitor section of a device.
Endpoint security firewall rules support for ICMP type
We’re adding a new setting named IcmpTypesAndCodes to the endpoint security firewall rules template for Windows 10. You'll be able to configure this setting in the Microsoft Intune admin center by selecting Endpoint security > Firewall > Create Policy > Platform: Windows 10, Windows 11, and Windows Server > Profile: Microsoft Defender Firewall Rules.
With this new setting, you’ll be able to configure inbound and outbound rules for Internet Control Message Protocol (ICMP) as part of a firewall rule.
Applies to:
- Windows 10, Windows 11, and Windows Server
Device security
Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint
You’ll soon be able to manage Tamper protection for Microsoft Defender for Endpoint on unenrolled devices as part of the MDE Security configuration scenario.
When this support is available, your tamper protection configurations from Windows Security Experience profiles for Antivirus policies can apply to all devices instead of only to those that are enrolled with Intune.
Applies to:
- Windows 10
- Windows 11
Tenant administration
Add CMPivot queries to Favorites folder
You will be able to add your frequently used queries to a Favorites folder in CMPivot. CMPivot allows you to quickly assess the state of a device managed by Configuration Manager via Tenant Attach and take action. The functionality is similar to one already present in the Configuration Manager console. This addition will help you keep all your most used queries in one place. You can also add tags to your queries to help search and find queries. The queries saved in the Configuration Manager console won't be automatically added to your Favorites folder. You will need to create new queries and add them to this folder. For more information about CMPivot, see Tenant attach: CMPivot usage overview.
Notices
These notices provide important information that can help you prepare for future Intune changes and features.
Plan for Change: Enable Intune features that use Windows diagnostic data
Expected in mid-April 2023, Intune features that depend on Windows diagnostic data, such as the app and driver compatibility reports for Windows updates, will require you to enable the use of Windows diagnostic data in Intune and confirm you have the required licensing for these features.
How does this affect you or your users?
If you are using the app and driver compatibility reports for Windows updates, you will need to share Windows diagnostic data with Intune by enabling the use of Windows diagnostic data in processor configuration in your Intune tenant and confirming your licensing in the Intune admin center.
How can you prepare?
Navigate to the Intune admin center > Tenant administration > Connectors and tokens > Windows data and toggle on "Enable features that require Windows diagnostic data in processor configuration" and set “I confirm that my tenant owns one of these licenses” to On. For more information, see Enable use of Windows diagnostic data by Intune.
Plan for Change: Ending support for Company Portal authentication method for iOS/iPadOS ADE enrollment
As we continue to invest in Setup Assistant with modern authentication, which is the Apple supported path to require enrollment during Setup Assistant with optional multi-factor authentication, we plan to remove the Company Portal authentication method from new and existing iOS/iPadOS ADE enrollment profiles. This will include removing the Run Company Portal in Single App Mode until authentication setting.
We're no longer moving forward with the change at this time. We'll notify you via the Message Center when it's time to replan for this future change.
How does this affect you or your users?
New enrollments (new devices or devices re-enrolling) that are targeted with an existing enrollment profile that uses the Company Portal authentication method will not be able to enroll.
This will not impact existing enrolled devices unless the device is re-enrolled after this change. The device will not be able to re-enroll until the authentication method is switched in the enrollment profile to Setup Assistant with modern authentication.
New iOS/iPadOS enrollment profiles will not have the option to select Company Portal as the authentication method.
If you have not already, you will need to move to use Setup Assistant with modern authentication. Within the Microsoft Intune admin center, you will want to either create a new ADE enrollment profile, or edit your existing enrollment profile to use the “Setup assistant with modern authentication.”
User experience: The Setup Assistant with modern authentication enrollment flow does change the enrollment screen order where authentication will occur prior to accessing the home screen. If you have user guides that share screenshots, you will want to update those so the guides match the experience of Setup Assistant with modern authentication.
How can you prepare?
To enroll new devices (or re-enroll) after this change, you will either need to update existing profiles to move to Setup Assistant with modern authentication or create a new enrollment profile with this method.
For related information, see:
- Move to Setup Assistant with Modern Authentication for Automated Device Enrollment
- Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+)
- Using filters with Setup Assistant with modern auth for ADE for corporate iOS/iPadOS/macOS devices
- Enroll iOS/iPadOS devices by using ADE
- Upcoming changes to iOS/iPadOS Company Portal app deployment for Setup Assistant with modern auth
Plan for Change: Ending support for Windows Information Protection
Microsoft Windows announced they are ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we will remove support for WIP without enrollment scenario by the end of calendar year 2022.
How does this affect you or your users?
If you have enabled WIP policies, you should turn off or disable these policies.
How can you prepare?
We recommend that you take action to disable WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.
Plan for Change: Ending support for Windows 8.1
Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it is only applicable to Windows 8.1 devices.
Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.
How does this affect you or your users?
If you are managing Windows 8.1 devices, those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and policies; however, you will not be able to enroll new devices if they are running Windows 8.1.
How can you prepare?
Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are running Windows 8.1, navigate to Microsoft Intune admin center > Devices > Windows > Windows devices, and filter by OS.
Additional information
Update your certificate connector for Microsoft Intune
As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no longer work as expected and stop connecting to the Intune service. See Certificate Connectors for Microsoft Intune for additional information on the certificate connector lifecycle and support.
How does this affect you or your users?
If you're impacted by this change, see MC393815 in the Message center.
How can you prepare?
Download, install, and configure the latest certificate connector. For more information, see Install the Certificate Connector for Microsoft Intune.
To check which version of the certificate connector you are using, follow these steps:
- On a Windows Server running the Intune Certificate Connector, launch "Add or Remove programs".
- A list of installed programs and applications will be displayed.
- Look for an entry related to the Microsoft Intune Certificate Connector. There will be a "Version" associated with the connector. Note: Names for older connectors may vary.
Plan for change: Intune is moving to support macOS 11.6 and higher later this year
With Apple expected to release macOS 13 (Ventura) later this year, Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will be moving to support macOS 11.6 (Big Sur) and later. Since the Company Portal app for iOS and macOS is a unified app, this change will occur shortly after the release of iOS/iPadOS 16.
How does this affect you or your users?
This change will affect you only if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Big Sur is compatible with these computers.
Note
Devices that are currently enrolled on macOS 10.15 or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 10.15 or earlier.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 10.15 or earlier. Ask your users to upgrade their devices to a supported OS version.
Plan for change: Intune is moving to support iOS/iPadOS 14 and later
Later this year, we expect iOS 16 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 14/iPadOS 14 and higher shortly after iOS 16’s release.
How does this affect you or your users?
If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 14).
Because Office 365 mobile apps are supported on iOS/iPadOS 14.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.
To check which devices support iOS 14 or iPadOS 14 (if applicable), see the following Apple documentation:
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. See https://aka.ms/ADE_userless_support for more information.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management, go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status > App Protection report: iOS, Android.
To manage the supported OS version in your organization, you can use Microsoft Intune controls for both mobile device management and APP. For more information, see Manage operating system versions with Intune.
Plan for change: Intune is moving to support Android 8.0 and later in January 2022
Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.
How does this affect you or your users?
After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices will not be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.
Note
Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.
How can you prepare?
Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment.
Here's how you can warn users:
- Create an app protection policy and configure conditional launch with a min OS version requirement that warns users.
- Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send an email or push notification to users before marking them noncompliant.
Here's how you can block devices running on versions earlier than Android 8.0:
- Create an app protection policy and configure conditional launch with a min OS version requirement that blocks users from app access.
- Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices running Android 7.x or earlier non-compliant.
- Set enrollment restrictions that prevent devices running Android 7.x or earlier from enrolling.
Note
Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.
Plan for change: Intune APP/MAM is moving to support Android 9 and higher
With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android.
Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.
Note
This announcement doesn't affect Microsoft Teams Android devices. Those devices will continue to be supported regardless of their Android OS version.
How does this affect you or your users?
If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP.
APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.
How can you prepare?
Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:
- Configure a conditional launch setting for APP with a minimum OS version requirement to warn users.
- Use a device compliance policy for an Android device administrator or Android Enterprise. Set the action for noncompliance to send a message to users before marking them as noncompliant.
Upgrade to the Microsoft Intune Management Extension
We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.
The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.
For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.
How does this affect you or your users?
No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.
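The two manual version checks described on this page (the certificate connector in "Add or Remove programs" and the Microsoft Intune Management Extension under Apps & features) can be scripted against the same installed-programs data. The following is an added example, not Microsoft's code: the function names, the loose display-name pattern for the connector, and the sample entries are assumptions; only the two minimum versions come from this page.

```powershell
# Added example. The minimum versions are the two stated on this page.
$rules = @(
    @{ Label       = 'Certificate Connector for Microsoft Intune'
       # Assumption: names of older connectors vary, so match loosely.
       NamePattern = 'Intune.*Connector|Connector.*Intune'
       MinVersion  = [version]'6.2101.13.0' },
    @{ Label       = 'Microsoft Intune Management Extension'
       NamePattern = '^Microsoft Intune Management Extension$'
       MinVersion  = [version]'1.43.203.0' }
)

# Reads the same data that "Add or Remove programs" shows: the per-machine
# Uninstall keys, including the 32-bit view on 64-bit Windows.
function Get-InstalledProgram {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

# Compares each matching program against its rule and emits one row per match,
# or a NotFound row when nothing on the host matches the rule.
function Test-MinimumVersion {
    param(
        [object[]] $Programs = @(),
        [object[]] $Rules
    )
    foreach ($rule in $Rules) {
        $hits = @($Programs | Where-Object { $_.DisplayName -match $rule.NamePattern })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Rule = $rule.Label; Name = $null; Installed = $null
                               Minimum = $rule.MinVersion; Status = 'NotFound' }
            continue
        }
        foreach ($p in $hits) {
            $v = $null
            # Compare as [version], not as strings: '6.999.0.0' sorts after
            # '6.2101.13.0' as text but is the lower version numerically.
            if (-not [version]::TryParse([string]$p.DisplayVersion, [ref]$v)) {
                $status = 'Unparseable'
            } elseif ($v -lt $rule.MinVersion) {
                $status = 'BelowMinimum'
            } else {
                $status = 'OK'
            }
            [pscustomobject]@{ Rule = $rule.Label; Name = $p.DisplayName
                               Installed = $p.DisplayVersion
                               Minimum = $rule.MinVersion; Status = $status }
        }
    }
}

# Constructed sample entries (not taken from a real host) to show the output shape.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Microsoft Intune Certificate Connector'; DisplayVersion = '6.2101.12.0' },
    [pscustomobject]@{ DisplayName = 'Microsoft Intune Management Extension';  DisplayVersion = '1.43.203.0' }
)
Test-MinimumVersion -Programs $sample -Rules $rules | Format-Table -AutoSize

# On the server or device itself, evaluate the real installed-programs list.
Test-MinimumVersion -Programs @(Get-InstalledProgram) -Rules $rules | Format-Table -AutoSize
```

A `NotFound` row for the connector is expected on any host that is not a connector server; a `BelowMinimum` row is the case this page asks you to act on.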
Update to Endpoint Security antivirus Windows 10 profiles
We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.
How does this affect you or your users?
Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No.
Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No.
In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings will be set to Not configured. That change will take effect when you edit the profile.
How can you prepare?
No action is needed. However, you might want to notify your helpdesk about this change.
Plan for change: Intune is ending Company Portal support for unsupported versions of Windows
Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.
How does this affect you or your users?
Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change will affect you only if you're still managing unsupported Windows 10 versions.
Windows and Company Portal versions that this change affects include:
- Windows 10 version 1507, Company Portal version 10.1.721.0
- Windows 10 version 1511, Company Portal version 10.1.1731.0
- Windows 10 version 1607, Company Portal version 10.3.5601.0
- Windows 10 version 1703, Company Portal version 10.3.5601.0
- Windows 10 version 1709, any Company Portal version
We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.
If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.
How can you prepare?
In the Microsoft Intune admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.
See also
For details about recent developments, see What's new in Microsoft Intune.