In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. In addition to the information in this article:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
  • When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

App management

Global quiet time app policy settings

The global quiet time settings will allow you to create policies to schedule quiet time for your end users which will automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms. These policies can be used to limit end user notifications received after work hours. When this feature is available, you will be able to find it in Microsoft Endpoint Manager admin center by selecting Apps > Quiet Time > Policies.

Select default work apps in Intune Company Portal

Android device users will be able to select and save their preferred work apps in Intune Company Portal. They'll be able to select the default apps they want to use for a specific intent or file type, and change or remove their preferences. Company Portal will securely store the device user's preferred defaults. This feature is an enhancement to the Android MAM custom app picker, which is a part of the Android MAM SDK.

Use filters with app configuration profiles for managed devices

You will be able to use filters to refine the assignment scope when deploying app configuration profiles for managed devices. You can first create a filter using any of the available properties for iOS and Android. Then, in Microsoft Endpoint Manager admin center you can assign your managed app configuration profile by selecting Apps > App configuration policies > Add > Managed devices and go to the assignment page. After selecting a group, you can refine the applicability of the policy by choosing a filter and deciding to use it in Include or Exclude mode. For related information about filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Endpoint Manager.

Device management

Intune support for Linux Ubuntu LTS desktops will be generally available

Intune will support Linux Ubuntu LTS desktops. The following initial functionality is planned for this first release for Linux desktop management:

  • Enroll Linux Ubuntu LTS (22.04 and 20.04) desktops into Microsoft Endpoint Manager
  • Enable access to corporate resources via Microsoft Edge
  • Conditional Access enforcement in Microsoft Edge
  • Standard Compliance policies
    • Linux distribution
    • Device encryption
    • Password complexity
  • Bash script support for custom compliance policies

New hardware details available for individual devices running on iOS/iPadOS

Select Devices > All devices > select one of your listed devices and open its Hardware details. The following new details are available in the Hardware pane of individual devices:

  • Battery level: Shows the battery level of the device anywhere between 0 and 100, or defaults to null if the battery level cannot be determined. This is available for devices running iOS/iPadOS 5.0 and later.
  • Resident users: Shows the number of users currently on the shared iPad device, or defaults to null if the number of users cannot be determined. This is available for devices running iOS/iPadOS 13.4 and later.

For more information, see View device details with Microsoft Intune.

Applies to:

  • iOS/iPadOS

Endpoint security firewall rules support for ICMP type

We’re adding a new setting named IcmpTypesAndCodes to the endpoint security firewall rules template for Windows 10. You'll be able to configure this setting in the Microsoft Endpoint Manager admin center by selecting Endpoint security > Firewall > Create Policy > Platform: Windows 10, Windows 11, and Windows Server > Profile: Microsoft Defender Firewall Rules.

With this new setting you’ll be able to configure inbound and outbound rules for Internet Control Message Protocol (ICMP) as part of a firewall rule.

Applies to:

  • Windows 10, Windows 11, and Windows Server

Support for Locate device on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices

You'll be able to use "Locate device" on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices. Using this feature, admins will be able to locate lost or stolen corporate devices on-demand. To do this, in Microsoft Endpoint Manager admin center, select Devices, and then select All devices. From the list of devices you manage, select a supported device, and choose the Locate device remote action.

For information on locating lost or stolen devices with Intune, go to:

Applies to:

  • Android Enterprise corporate owned fully managed
  • Android Enterprise corporate owned dedicated devices
  • Android Enterprise corporate owned work profile

Device enrollment

iOS/iPadOS Setup Assistant with modern authentication supports Just in Time Registration (public preview)

Intune will support Just in Time Registration for iOS/iPadOS enrollment scenarios that use Setup Assistant with modern authentication. Just in Time Registration reduces the number of authentication prompts shown to users throughout the provisioning experience, giving them a more seamless onboarding experience. It eliminates the need to have the Company Portal app for Azure AD registration and compliance checks, while automatically establishing SSO across the device. Just In Time Registration will be available in public preview for devices enrolling through Apple Automated Device Enrollment and running iOS/iPadOS 13.0 or later.

Windows Autopilot diagnostics will capture ESP failures

Windows Autopilot diagnostics will automatically capture diagnostics about Windows Autopilot failures that occur on the Enrollment Status Page (ESP). Diagnostics will be available to download in the Microsoft Endpoint Manager admin center.

Device configuration

New settings for Device Firmware Configuration Interface (DFCI) profiles on Windows devices

You can create a DFCI profile that enables the Windows OS to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface) (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface).

You can use this feature to control BIOS settings. There will be new settings you can configure in the DFCI policy:

  • Cameras:

    • Front camera
    • Infrared camera
    • Rear camera
  • Radios:

    • WWAN
    • NFC
  • Ports

    • SD Card

For more information on DFCI profiles, go to Use Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune and DFCI profile settings list.

Applies to:

  • Windows 11 on supported UEFI
  • Windows 10 RS5 (1809) and later on supported UEFI

New settings available in the iOS/iPadOS and macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Endpoint Manager admin center, you can see these settings at Devices > Configuration profiles > Create profile > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Networking > Cellular:

  • Enable XLAT464

Applies to:

  • iOS/iPadOS

Privacy > Privacy Preferences Policy Control:

  • System Policy App Bundles

Applies to:

  • macOS

Restrictions:

  • Allow Rapid Security Response Installation
  • Allow Rapid Security Response Removal

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Filter app and group policy assignments using Windows 11 SE operating system SKUs

When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.

Two new Windows 11 SE operating system SKUs will be added. You'll be able to use these SKUs in your assignment filters to include or exclude Windows 11 SE devices from applying group-targeted policies and applications.

For more information on filters and the device properties you can currently use, go to:

Applies to:

  • Windows 11 SE

New password complexity requirements for Android Enterprise 12+ personally owned devices with a work profile

On Android Enterprise 11 and older personally owned devices with a work profile, you can set the Required password type and a Minimum password length in device configuration profiles and compliance policies.

Google is deprecating these features for Android 12+ personally owned devices with a work profile and replacing them with new password complexity requirements. For more information about this change, go to Day zero support for Android 13.

The new Password complexity setting will have the following options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS may not require a password.
  • Low: Pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked.
  • Medium: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked. The length, alphabetic length, or alphanumeric length must be at least 4 characters.
  • High: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked. The length must be at least 8 characters. The alphabetic or alphanumeric length must be at least 6 characters.

If you currently use the Required password type and Minimum password length settings in your device configuration and compliance policies on Android 12+, then we recommend using the new Password complexity setting instead.

If you continue to use the Required password type and Minimum password length settings, and don't configure the Password complexity setting, then new devices running Android 12+ will default to the High password complexity.

There is no impact for existing devices with the Required password type and Minimum password length settings configured.

For more information on the existing settings you can configure, go to:

Applies to:

  • Android 12.0 and newer
  • Android Enterprise personally owned devices with a work profile

Device security

Grant apps permission on Android Enterprise devices

For Android Enterprise devices, you’ll soon be able to configure certificate profiles to silently grant specific apps access to use the certificate. This expands on the current behavior where a device user must approve the use of a certificate by an application.

You’ll be able to choose to grant certificate access silently to specific apps or to require user approval. When configured for specific apps, you’ll then select which apps have this access as part of the profile, while all other apps will continue to require user approval before being able to use the certificate.

This support will be added to profiles for SCEP, PKCS, PKCS imported, and Derived Credential certificate profiles.

Applies to:

  • Android Enterprise devices that enroll as Fully Managed, Dedicated, and Corporate-Owned Work Profile.

Attack surface reduction rule exclusions on a per-rule basis

Attack surface reduction rules provide valuable controls for protecting your devices. Currently, exclusions are only supported for all of the rules that are enabled on the device.

With Intune, you’ll soon be able to configure exclusions for your attack surface reduction rules on a per-rule basis. This will allow you to define exclusions for individual rules versus an exclusion that applies to all of the attack surface reduction rules on a device.

Applies to:

  • Windows 10/11

Manage macOS software updates with Intune

You’ll soon be able to use Intune policies to manage macOS software updates for devices that enrolled using Automated Device Enrollment (ADE). The policy will be available in the Microsoft Endpoint Manager admin center at Devices > macOS > Update policies for macOS.

Supported update types will include:

  • Critical updates
  • Firmware updates
  • Configuration file updates
  • All other updates (OS, built-in apps)

In addition to scheduling when a device updates, you’ll be able to manage behaviors like the following:

  • Download and install: Download or install the update, depending on the current state.
  • Download only: Download the software update without installing it.
  • Install immediately: Download the software update and trigger the restart countdown notification.
  • Notify only: Download the software update and notify the user through the App Store.
  • Install later: Download the software update and install it at a later time.
  • Not configured: No action taken on the software update.

For information from Apple about managing macOS software updates, see Manage software updates for Apple devices - Apple Support in Apple's Platform Deployment documentation. Apple maintains a list of security updates at Apple security updates - Apple Support.

Reusable groups of settings for removable storage in Device Control profiles

You’ll soon be able to add reusable groups of settings to the device control profiles in your attack surface reduction policies. To configure device control profiles, in the Microsoft Endpoint Manager admin center select Endpoint security > Attack surface reduction > Create Policy > Platform: Windows 10 and later > Profile: Device Control.

The reusable groups for device control profiles will include a collection of settings that support managing read, write, and execute access for removable storage. Examples of common scenarios include:

  • Prevent write and execute access to all but allow specific approved USBs
  • Audit write and execute access to all but block specific unapproved USBs
  • Only allow specific user groups to access specific removable storage on a shared PC

Applies to:

  • Windows 10 or later

Reusable groups of settings for Microsoft Defender Firewall Rules

You’ll soon be able to add reusable groups of settings to your profiles for Microsoft Defender Firewall Rules. The reusable groups are collections of remote IP addresses and FQDNs that you define one time and can then use with one or more firewall rule profiles. You’ll no longer need to reconfigure the same group of IP addresses in each individual profile that might require them.

Features of the reusable settings groups will include:

  • Add one or more remote IP addresses.

  • Add one or more FQDNs that can auto resolve to the remote IP address, or for one or more simple keywords when auto resolve for the group is off.

  • Use each settings group with one or more firewall rule profiles and the different profiles can support different access configurations for the group.

    For example, you can create two firewall rule profiles that reference the same reusable settings group and assign each profile to a different group of devices. The first profile can block access to all the remote IP addresses in the reusable settings group, while the second profile can be configured to allow access.

  • Edits to a settings group that's in use are automatically applied to the Firewall Rules profiles that use that group.

Reusable groups will be configured on a new tab for Reusable settings that will be available when you view endpoint security Firewall policy in the Microsoft Endpoint Manager admin center at Endpoint security > Firewall.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Ending support for Company Portal authentication method for iOS/iPadOS ADE enrollment

As we continue to invest in Setup Assistant with modern authentication, which is the Apple supported path to require enrollment during Setup Assistant with optional multi-factor authentication, we plan to remove the Company Portal authentication method from new and existing iOS/iPadOS ADE enrollment profiles in Q1 2023. This will include removing the Run Company Portal in Single App Mode until authentication setting.

How does this affect you or your users?

In November, new enrollments (new devices that are targeted with an existing enrollment profile, or devices re-enrolling) that use an existing enrollment profile with the Company Portal authentication method will not be able to enroll.

This will not impact existing enrolled devices unless the device is re-enrolled after this change. The device will not be able to re-enroll until the authentication method is switched in the enrollment profile to Setup Assistant with modern authentication.

New iOS/iPadOS enrollment profiles will not have the option to select Company Portal as the authentication method.

If you have not already, you will need to move to use Setup Assistant with modern authentication. Within the Microsoft Endpoint Manager admin center, you will want to either create a new ADE enrollment profile, or edit your existing enrollment profile to use the “Setup assistant with modern authentication.”

User experience: The Setup Assistant with modern authentication enrollment flow does change the enrollment screen order where authentication will occur prior to accessing the home screen. If you have user guides that share screenshots, you will want to update those so the guides match the experience of Setup Assistant with modern authentication.

How can you prepare?

To enroll new devices (or re-enroll) after this change, you will either need to update existing profiles to move to Setup Assistant with modern authentication or create a new enrollment profile with this method.

For related information, see:

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they are ending support for Windows Information Protection (WIP). Microsoft Endpoint Manager will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we will remove support for the WIP without enrollment scenario by the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend that you take action to disable WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it is only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you are managing Windows 8.1 devices, those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and policies; however, you will not be able to enroll new devices if they are running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are running Windows 8.1, navigate to Microsoft Endpoint Manager admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information

Update your certificate connector for Microsoft Intune

As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no longer work as expected and stop connecting to the Intune service. See Certificate Connectors for Microsoft Intune for additional information on the certificate connector lifecycle and support.

How does this affect you or your users?

If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information, see Install the Certificate Connector for Microsoft Intune.

To check which version of the certificate connector you are using, follow these steps:

  1. On a Windows Server running the Intune Certificate Connector, launch "Add or Remove programs".
  2. A list of installed programs and applications will be displayed.
  3. Look for an entry related to the Microsoft Intune Certificate Connector. There will be a "Version" associated with the connector. Note: Names for older connectors may vary.

Plan for Change: New APP biometrics settings and authorization requirements for Android devices

Currently, our biometric settings do not distinguish between Class 2 and Class 3 Biometrics. Expected with Intune’s July (2207) service release, we are modifying fingerprint and biometric settings for Intune app protection policies (APP) that apply to Android devices to accommodate Class 3 Biometrics.

When you create or modify an app protection policy, you will see the following changes on the Access requirements page:

  • The setting Fingerprint instead of PIN for access will be rolled into the existing setting Biometrics instead of PIN for access. This setting will apply to all biometrics (Class 2 and Class 3).
  • The setting Override fingerprint with PIN after timeout will be modified to Override Biometrics with PIN after timeout. This setting will apply to all biometrics (Class 2 and Class 3).
  • There is a new setting: Class 3 Biometrics (Android 9.0+) with a new sub-setting: Override Biometrics with PIN after biometric updates. This sub-setting applies only to Class 3 Biometrics, when selected.

Note

Support for Class 3 Biometrics depends on the device, so you may need to contact your device manufacturers to understand device-specific limitations.

How does this affect you or your users?

Existing policies that allow fingerprints or biometrics for authentication will be migrated with no user impact.

After this change, if you configure the policy to require Class 3 Biometrics (Android 9.0+), the following will occur:

  • For users with Android devices that support Class 3 Biometrics, the user will be prompted to enter their APP PIN the first time they sign in to the APP-protected app. Subsequent sign-ins will use Class 3 Biometrics for authentication. However, if a user does not configure biometrics that satisfy the Class 3 requirements, they will be prompted to enter their PIN with each subsequent sign-in.
  • For users with Android devices that do not support Class 3 Biometrics, the user will be prompted to enter their PIN each time they sign in to the APP-protected app.

If Override Biometrics with PIN after biometric updates is also required, users who update their stored Class 3 Biometrics will be prompted to enter their APP PIN the next time they sign in to the APP-protected app.

How can you prepare?

Admins should be aware of the combined settings for fingerprints and Class 2 Biometrics. If your existing policy allows for fingerprint authentication but not other biometrics, it will allow for both once migrated. Also, if you had previously required an APP PIN after fingerprint timeout, this timeout setting will apply to all biometrics.

Note

If you are using the Microsoft Graph API’s FingerprintBlocked and BiometricAuthenticationBlocked, plan to update your APIs to use the new combined FingerprintAndBiometricEnabled API. The current APIs will retain their values for existing policies and the new FingerprintAndBiometricEnabled API will be defaulted to Null for these policies, until the policy has been updated.

Plan for change: Intune is moving to support macOS 11.6 and higher later this year

Apple is expected to release macOS 13 (Ventura) later this year. Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will be moving to support macOS 11.6 (Big Sur) and later. Since the Company Portal apps for iOS and macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS 16.

How does this affect you or your users?

This change will affect you only if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Big Sur is compatible with these computers.

Note

Devices that are currently enrolled on macOS 10.15 or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 10.15 or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 10.15 or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for change: Intune is moving to support iOS/iPadOS 14 and later

Later this year, we expect iOS 16 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 14/iPadOS 14 and higher shortly after iOS 16’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 14).

Because Office 365 mobile apps are supported on iOS/iPadOS 14.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 14 or iPadOS 14 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. See https://aka.ms/ADE_userless_support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management, go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status > App Protection report: iOS, Android.

To manage the supported OS version in your organization, you can use Microsoft Endpoint Manager controls for both mobile device management and APP. For more information, see Manage operating system versions with Intune.

Plan for Change: Deploy macOS LOB apps by uploading PKG-type installer files

We recently announced the general availability to deploy macOS line-of-business (LOB) apps by uploading PKG-type installer files directly in the Microsoft Endpoint Manager admin center. This process no longer requires the use of the Intune App Wrapping Tool for macOS to convert .pkg files to .intunemac format.

In August 2022, we removed the ability to upload wrapped .intunemac files in the Microsoft Endpoint Manager admin center.

How does this affect you or your users?

There is no impact to apps previously uploaded with .intunemac files. You can upgrade previously uploaded apps by uploading the .pkg file type.

How can you prepare?

Moving forward, deploy macOS LOB apps by uploading and deploying PKG-type installer files in the Microsoft Endpoint Manager admin center.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices will not be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment.

Here's how you can warn users:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that warns users.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send an email or push notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that blocks users from app access.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices running Android 7.x or earlier non-compliant.
  • Set enrollment restrictions that prevent devices running Android 7.x or earlier from enrolling.
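The "filter by OS" checks in the macOS, iOS/iPadOS and Android notices above can also be run offline against an exported device list. The following is an added example, not Microsoft's code; the CSV column names and the sample rows are constructed assumptions, and the minimum versions are the ones stated in those notices.

```python
import csv
import io
import re

# Minimum supported versions taken from the notices on this page.
MIN_SUPPORTED = {
    "android": (8, 0),   # MDM-enrolled devices: Android 8.0 (Oreo) and later
    "ios": (14, 0),      # iOS 14 and later
    "ipados": (14, 0),   # iPadOS 14 and later
    "macos": (11, 6),    # macOS 11.6 (Big Sur) and later
}

# Constructed sample data. The column names are an assumption about the
# export layout; adjust them to match the file you actually download.
SAMPLE_EXPORT = """\
Device name,OS,OS version
PIXEL-014,Android,7.1.2
GALAXY-203,Android,8
TABLET-055,Android,10
IPHONE-077,iOS,13.7
IPAD-031,iPadOS,14.0.1
MAC-112,macOS,10.15.7
MAC-120,macOS,11.6
KIOSK-009,Android,
LAPTOP-450,Windows,10.0.19044.1889
"""


def parse_version(text):
    """Return the leading dotted number in text as a tuple of ints, or None."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def meets_minimum(version, minimum):
    """Compare numerically, padding with zeros so that '8' equals '8.0'.

    A plain string comparison would rank '10' below '8.0', and an unpadded
    tuple comparison would rank (8,) below (8, 0).
    """
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version >= padded_minimum


def audit(export_text):
    """Classify every row of the export against the page's minimum versions."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        platform = (row.get("OS") or "").strip().lower()
        minimum = MIN_SUPPORTED.get(platform)
        version = parse_version(row.get("OS version"))
        if minimum is None:
            status = "not_covered"       # platform has no minimum in this table
        elif version is None:
            status = "unknown_version"   # blank or unparseable: review by hand
        elif meets_minimum(version, minimum):
            status = "supported"
        else:
            status = "below_minimum"
        findings.append({
            "device": row.get("Device name"),
            "os": row.get("OS"),
            "version": row.get("OS version"),
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        if finding["status"] in ("below_minimum", "unknown_version"):
            print("{device}: {os} {version} -> {status}".format(**finding))
```

Devices reported as unknown_version are listed alongside those below the minimum so that a blank version field is reviewed rather than silently treated as supported.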

Note

Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:

Take action: Update to the latest version of the Android Company Portal app

Starting with the October (2110) service release, Intune will no longer support new Android device administrator enrollments that use Company Portal version 5.04993.0 or earlier. The reason is a change in the integration of Intune with Samsung devices.

How does this affect you or your users?

Users who try to enroll Samsung devices in Android device administrator by using an older version of the Company Portal app (any version earlier than 5.04993.0) will no longer be able to enroll. They'll need to update the Company Portal app to enroll successfully.

How can you prepare?

Update any older version of the Company Portal staged in your environment to support Android device administrator enrollments before the Intune October (2110) service release. Inform your users that they'll need to update to the latest version of the Android Company Portal to enroll their Samsung device.

If applicable, inform your helpdesk in case users don't update the app before enrolling. We also recommend that you keep the Company Portal app updated to ensure that the latest fixes are available on your devices.

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version of the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.
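To confirm on a device that the automatic upgrade described above has landed, the following added example (not part of the original article and not Microsoft's own script) reads the uninstall registry keys that back the Apps & features list and compares the extension's version with 1.43.203.0. The function names `Get-ImeInstall` and `Test-ImeVersion` are illustrative, and the display name is assumed to match the entry named in the article.

```powershell
# Added example: report whether the Intune Management Extension on this device
# is at or above the version named in the article (1.43.203.0).
$FixedVersion = [version]'1.43.203.0'                    # from the article
$DisplayName  = 'Microsoft Intune Management Extension'  # entry name per the article

# The Apps & features list is populated from the uninstall keys.
# Check both the native and the 32-bit registry views.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ImeInstall {
    # Keys without a DisplayName simply fail the comparison and are skipped.
    Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName }
}

function Test-ImeVersion {
    param([string]$InstalledVersion)
    $parsed = $null
    # A missing or malformed DisplayVersion is reported, not treated as current.
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        return 'Unknown'
    }
    if ($parsed -ge $FixedVersion) { 'Current' } else { 'Outdated' }
}

$installs = @(Get-ImeInstall)
if ($installs.Count -eq 0) {
    Write-Output "$DisplayName was not found on $env:COMPUTERNAME."
} else {
    foreach ($install in $installs) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Version  = $install.DisplayVersion
            Status   = Test-ImeVersion -InstalledVersion ([string]$install.DisplayVersion)
        }
    }
}
```

A status of `Outdated` or `Unknown` on a device that has recently connected to the service is worth following up, because the article states that the upgrade is delivered as soon as the client connects.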

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings will be set to Not configured. That change will take effect when you edit the profile.

How can you prepare?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change will affect you only if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Endpoint Manager admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.