In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. Also:

• If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
• When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
• Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

App management

Minimum SDK version warning for iOS devices

The Min SDK version for the iOS Conditional Launch setting on iOS devices will include a warn action. This action will warn end users if the min SDK version requirement is not met.

Minimum OS for Apple line-of-business apps

You will soon be able to configure the minimum operating system for Apple line-of-business and iOS/iPadOS store apps to the latest Apple OS releases. You can set iOS/iPadOS 17.0 and macOS 14.0 as minimum OS for Apple line-of-business apps and iOS/iPadOS 17.0 as a minimum OS for iOS/iPadOS store apps.

Applies to:

• iOS/iPadOS
• macOS

Android (AOSP) supports line-of-business (LOB) apps

You will soon be able to install and uninstall mandatory LOB apps on AOSP devices by using the Required and Uninstall group assignments. To learn more about managing LOB apps, see Add an Android line-of-business app to Microsoft Intune.

Applies to:

• Android

Update for users of Android Company Portal app

If users launch a version of the Android Company Portal app below 5.0.5333.0 (released November 2021), they will see a prompt encouraging them to update their Android Company Portal app. If a user with an older Android Company Portal version attempts a new device registration using a recent version of the Authenticator app, the process will likely fail. The way to resolve this is to update the Android Company Portal app.

Intune migrating from SafetyNet Attestation API to Google Play Integrity API

Google has deprecated the SafetyNet Attestation API and replaced it with the Play Integrity API. Intune will be migrating to the new API for app protection policies. The "SafetyNet device attestation" setting name will be updated to align with the new Google Play Integrity API for all policies in the Intune user interface (UI). For related information, see Discontinuing the SafetyNet Attestation API and Migrating from the SafetyNet Attestation API.

Enterprise application management

Enterprise Application Management provides a catalog of prepackaged applications designed to simplify discovery, delivery, and updates for third and first party apps. Enterprise Application Management will be generally available in early Q1 2024.

Company Portal automatically installed on Android Enterprise dedicated devices

Intune Company Portal will now be automatically installed on all Android Enterprise dedicated devices to ensure the appropriate handling of app protection policies. Users won't be able to see or launch the Company Portal, and there are no requirements for users to interact with it. Admins will notice that the Company Portal is automatically installed on their Android Enterprise dedicated devices, without the ability to uninstall.

Support for multi-SIM iOS/iPadOS device inventory

You'll be able to view the service subscription fields on devices that have multiple SIM cards installed under the per-device Hardware section. The inventory fields that are capable of reporting multiple values to Intune are:

• ICCID
• IMEI
• MEID
• Phone number

These fields will default to using labels returned by the device, such as: Primary, Secondary, CTSubscriptionSlotOne, and CTSubscriptionSlotTwo. These returned labels may be displayed in the language of the local device that is reporting its inventory to Intune.

Applies to:

• iOS/iPadOS

Device configuration

New device configuration settings that configure enhanced permissions to apps on Android Enterprise devices

In Intune, you can create a device restrictions profile that manages app installation from unknown sources, app auto updates, and more (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > Applications).

There are new settings that give enhanced permissions to some selected apps:

• Allow other apps to install and manage certificates: Admins can select multiple apps for this permission. The selected apps are granted access to certificate installation and management.
• Allow this app to access Android security logs: Admins can select one app for this permission. The selected app is granted access to security logs.
• Allow this app to access Android network activity logs: Admins can select one app for this permission. The selected app is granted access to network activity logs.

For more information on the settings you can configure, go to Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune > Applications.

Applies to:

• Android Enterprise fully managed devices
• Android Enterprise dedicated devices
• Android Enterprise corporate-owned devices with a work profile

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration profiles > Create profile > macOS > Settings catalog for profile type.

Privacy > Privacy Preferences Policy Control:

• System Policy App Data

Restrictions:

• Force On Device Only Dictation

Applies to:

• macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create a policy using settings catalog.

Import and export settings catalog policies

The Intune settings catalog lists all the settings you can configure, and all in one place (Devices > Configuration profiles > Create profile > Select your platform > For Profile, select Settings catalog).

The settings catalog policies can be imported and exported:

• To export an existing policy, select the profile > select the ellipsis > Export.
• To import a previously exported settings catalog policy, select Create profile > Import policy > select the previously exported file.

For more information about the settings catalog, go to Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

New setting to block users from using the same password to unlock the device and access the work profile on Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, users can use the same password to unlock the device and access the work profile.

There's a new setting that can enforce different passwords to unlock the device and access the work profile (Devices > Configuration profiles > Create profile > Android Enterprise > Personally Owned Work Profile for platform > Device Restrictions for profile type):

• One lock for device and work profile: Block prevents users from using the same password for the lock screen on the device and work profile. End users are required to enter the device password to unlock the device and enter their work profile password to access their work profile. When set to Not Configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to access their work profile using a single password.

This setting is optional and doesn't impact existing configuration profiles.

Currently, if the work profile password doesn't meet the policy requirements, then device users see a notification. The device isn't marked as non-compliant. A separate compliance policy for the work profile is being created and will be available in a future release.

For a list of settings you can currently configure on personally owned devices with a work profile, go to Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

• Android Enterprise personally owned devices with a work profile (BYOD)

Device enrollment

Web-based enrollment with JIT registration for personal iOS/iPadOS devices

Intune will support web-based enrollment with just in time (JIT) registration for personal devices set up via Apple device enrollment. JIT registration reduces the number of authentication prompts shown to users throughout the enrollment experience and establishes SSO across the device. Enrollment takes place on the web version of Intune Company Portal, eliminating need for the app. Additionally, this enrollment method enables employees and students without managed Apple IDs to enroll devices and access volume-purchased apps.

Device management

Introducing a remote action to pause the config refresh enforcement interval

In the Windows Settings Catalog you can configure Config Refresh. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check-in to Intune. The device will replay and re-enforce settings based on previously received policy to minimize the chance for configuration drift.

To support this feature, a remote action will be added to allow a pause in action. If an admin needs to make changes or run remediation on a device for troubleshooting or maintenance, they can issue a pause from Intune for a specified period. When the period expires, settings will be enforced again.

The remote action Pause config refresh can be accessed from the device summary page.

For information on currently available Remote actions, see Remote actions.

Remote Help for Android is now generally available

Remote Help will be generally available for Android Enterprise Dedicated devices from Zebra and Samsung.

With Remote Help, IT Pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues quickly and efficiently.

Applies to:

• Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, go to Remote Help on Android.

Device security

Updated security baseline for Microsoft 365 Apps for Enterprise.

We’re working on an update to the Intune security baseline for Microsoft 365 Apps for Enterprise. This update will bring support for recent settings so you can continue to maintain best-practice configurations for Office apps.

For information about security baselines with Intune, see Use security baselines to configure Windows devices in Intune.

Defender for Endpoint security settings management enhancements and support for Linux and macOS will soon be generally available

The improvements introduced in the Defender for Endpoint security settings management opt-in public preview will soon be generally available. This change will include support all of the opt-in preview behavior – without having to enable support for preview features in Microsoft Defender for Endpoint.

When the opt-in public preview behavior becomes generally available, the following endpoint security profiles for Linux and macOS that were added as part of the opt-in preview will also generally available:

Linux:

• Microsoft Defender Antivirus
• Microsoft Defender Antivirus exclusions
• Endpoint detection and response

MacOS:

• Microsoft Defender Antivirus
• Microsoft Defender Antivirus exclusions
• Endpoint detection and response

For more information, see Microsoft Defender for Endpoint Security settings management in the Intune documentation.

Mvision Mobile is changing to Trellix Mobile Security

The Intune Mobile Threat Defense partner Mvision Mobile is transitioning to Trellix Mobile Security. With this change we’ll be updating Intune UI and our documentation to match. For example, the Mvision Mobile connector will soon be Trellix Mobile Security.

If you have questions about this change, reach out to your Trellix Mobile Security representative.

Configure declarative software updates and passcode policies for Apple devices in the Settings Catalog

You'll be able to manage software updates and passcode using Apple's declarative device management (DDM) configuration using the Settings Catalog (Devices > Configuration profiles > Create profile > iOS/iPadOS or macOS for platform > Settings catalog for profile type:).

For more information about DDM, go to Apple's declarative device management (DDM) (opens Apple's website).

DDM allows you to install a specific update by an enforced deadline. The autonomous nature of DDM provides an improved user experience as the device handles the entire software update lifecycle. It prompts users that an update is available and also downloads, prepares the device for the installation, & installs the update.

In the settings catalog, the following declarative software update settings will be available at Declarative device management > Software Update:

• Details URL: The web page URL that shows the update details. Typically, this is a web page hosted by your organization that users can select if they need organization-specific help with the update.
• Target Build Version: The target build version to update the device to, like 20A242. The build version can include a supplemental version identifier, like 20A242a. If the build version you enter isn’t consistent with the Target OS Version value you enter, then the Target OS Version value takes precedence.
• Target Local Date Time: The local date time value that specifies when to force install the software update. If the user doesn’t trigger the software update before this time, then the device force installs it.
• Target OS Version: The target OS version to update the device to. This value is the OS version number, like 16.1. You can also include a supplemental version identifier, like 16.1.1.

In the settings catalog, the following declarative passcode settings will be available at Declarative device management > Passcode:

• Automatic Device Lock: The maximum period that a user can select, during which the device can be idle before the system automatically locks it.
• Maximum Grace Period: The maximum period that a user can select, during which the user can unlock the device without a passcode.
• Maximum Number of Failed Attempts: The number of failed passcode attempts that the system allows the user before iOS erases the device or macOS locks the device.
• Minimum Passcode Length: The minimum number of characters a passcode can contain.
• Passcode Reuse Limit: The number of historical passcode entries the system checks when validating a new passcode.
• Require Complex Passcode: If 'true', requires a complex passcode. A complex passcode is one that doesn't contain repeated characters or increasing or decreasing characters (such as 123 or CBA).
• Require Passcode on Device: If 'true', requires the user to set a passcode without any requirements about the length or quality of the passcode.

For information on the settings you can currently configure, go to:

• Manage iOS/iPadOS software update policies in Intune
• Manage macOS software update policies in Intune
• Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices

Applies to:

• iOS/iPadOS 17.0 and later
• macOS 14.0 and later

Tenant administration

Intune admin center home page update

The Intune admin center home page has been redesigned with a fresh new look and more dynamic content. The Status section has been simplified. You can explore Intune related capabilities in the Spotlight section. The Get more out of Intune section provides links to the Intune community and blog, as well as Intune customer success. Also, the Documentation and training section provides links to What's New in Intune, Feature in development, and additional training. This update will be available when you access Microsoft Intune admin center > Home.

endpoint.microsoft.com URL will redirect to intune.microsoft.com

Previously, it was announced that the Microsoft Intune admin center has a new URL (https://intune.microsoft.com). The https://endpoint.microsoft.com URL will redirect to https://intune.microsoft.com.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.

Note that customers in some environments cannot be transitioned initially, for more details and updates read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users may see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Update to the latest Intune App SDK and Intune App Wrapper for iOS to support iOS/iPadOS 17

To support the upcoming release of iOS/iPadOS 17, update to the latest versions of the Intune App SDK and the App Wrapping Tool for iOS to ensure applications stay secure and run smoothly. Additionally, for organizations using the Conditional Access grant “Require app protection policy”, users should update their apps to the latest version prior to upgrading to iOS 17. You can learn more by reading the blog: Update Intune App SDK, Wrapper, and iOS apps using MAM policies to support iOS/iPadOS 17.

Plan for Change: Removal of Microsoft Graph Beta API Android LOB app properties ‘identityVersion’ and ‘identityName’

With Intune’s October (2310) service release, we'll be removing the Android line-of-business (LOB) app properties “identityVersion” and “identityName” from the Microsoft Graph Beta API managedAndroidLobApp resource type. The same data can be found using the Graph API "versionCode” and “versionName” properties.

How does this affect you or your users?

If you have automation or reporting using the Android LOB app properties “identityVersion” and “identityName”, you'll need update to the “versionName” and “versionCode” properties for the Graph call to continue working.

How can you prepare?

Update your documentation and reporting as needed.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in August 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning August 30, 2024. Until that time, we will support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

1. Users won't be able to enroll devices with Android device administrator.
2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
3. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users may be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Plan for Change: Intune is moving to support iOS/iPadOS 15 and later

Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 15).

Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following Apple documentation:

• Supported iPhone models
• Supported iPad models

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed OS version will change to iOS 12/iPadOS 12 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter. Note that there's a current known issue where several columns are missing from the App protection status report. We expect a fix soon.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 12 and higher later this year

Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 12 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS 17.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Monterey is compatible with these computers.

Note

Devices that are currently enrolled on macOS 11.x or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 11.x or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 11.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we'll begin ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:

1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users may still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you'll not be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps and related API properties will display stale data.
3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.

Note that the retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:

• Add Microsoft Store apps to Microsoft Intune
• Add a Windows line-of-business app to Microsoft Intune
• Add, assign, and monitor a Win32 app in Microsoft Intune

Related information

• Update to Intune integration with the Microsoft Store on Windows
• Unpacking Endpoint Management: The future of app management in Intune

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for WIP without enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it's only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you're managing Windows 8.1 devices those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and policies, however, you'll not be able to enroll new devices if they are running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are running Windows 8.1 navigate to Microsoft Intune admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information

• Manage operating system versions with Intune

Update your certificate connector for Microsoft Intune

As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no longer work as expected and stop connecting to the Intune service. For more information on the certificate connector lifecycle and support see, Certificate Connectors for Microsoft Intune.

How does this affect you or your users?

If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information see, Install the Certificate Connector for Microsoft Intune.

To check which version of the certificate connector you are using, follow these steps:

1. On a Windows Server running the Intune Certificate Connector, launch "Add or Remove programs".
2. A list of installed programs and applications will be displayed.
3. Look for an entry related to the Microsoft Intune Certificate Connector. There will be a "Version" associated with the connector. Note that names for older connectors may vary.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices won't be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment.

Here's how you can warn users:

• Create an app protection policy and configure conditional launch with a min OS version requirement that warns users.
• Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for noncompliance to send an email or push notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

• Create an app protection policy and configure conditional launch with a min OS version requirement that blocks users from app access.
• Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices running Android 7.x or earlier noncompliant.
• Set enrollment restrictions that prevent devices running Android 7.x or earlier from enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:

• Configure a conditional launch setting for APP with a minimum OS version requirement to warn users.
• Use a device compliance policy for an Android device administrator or Android Enterprise. Set the action for noncompliance to send a message to users before marking them as noncompliant.

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings are set to Not configured. That change takes effect when you edit the profile.

How can you prepare?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change only affects you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

• Windows 10 version 1507, Company Portal version 10.1.721.0
• Windows 10 version 1511, Company Portal version 10.1.1731.0
• Windows 10 version 1607, Company Portal version 10.3.5601.0
• Windows 10 version 1703, Company Portal version 10.3.5601.0
• Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Intune admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.