Learn what's new each week in Microsoft Intune.
You can also read:
Note
Each monthly update can take up to three days to roll out and will be in the following order:
Some features roll out over several weeks and might not be available to all customers in the first week.
For a list of upcoming Intune feature releases, see In development for Microsoft Intune.
For new information about Windows Autopilot solutions, see:
You can use RSS to be notified when this page is updated. For more information, see How to use the docs.
Additional details are now provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You can view installation error codes and detailed error messages for LOB apps in Intune. For information about app installation error details, see Monitor app information and assignments with Microsoft Intune.
Applies to:
Microsoft Intune app protection policies (APP) are now supported on the Microsoft Teams app on VisionOS devices. To learn how to target policies to VisionOS devices, see Managed app properties, which describes the filters available for managed app properties.
Applies to:
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.
A new setting Set Copilot Hardware Key is now available in the Settings Catalog. To see this and other settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.
Applies to:
You can now use DFCI profiles to manage UEFI (BIOS) settings for Samsung devices that run Windows 10 or Windows 11. Not all Samsung devices running Windows are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.
You can manage DFCI profiles from within the Microsoft Intune admin center by going to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type. For more information about DFCI profiles, see:
Applies to:
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
We've added new settings to the Settings Catalog. To view available settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Restrictions:
Restrictions:
The following settings have been deprecated by Apple and will be marked as deprecated in the Settings Catalog:
Networking > Firewall:
A new deployment channel setting in Microsoft Intune enables you to store macOS authentication certificates in the user keychain. This enhancement strengthens system security and improves the user experience by reducing certificate prompts. Prior to this change, Microsoft Intune automatically stored user and device certificates in the system keychain. The deployment channel setting is available in SCEP and PKCS certificate profiles for macOS, and in VPN, Wi-Fi, and wired network settings configuration profiles for macOS. For more information about the profiles and their new setting, see:
Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.
You can now choose what you want to collect from your devices, using the catalog of properties and then view the collected properties in the Resource Explorer view.
Applies to:
Now generally available, Microsoft Intune supports compliance checks for instances of Windows Subsystem for Linux (WSL) running on a Windows host device. You can create a Windows 10/11 compliance policy that contains the allowed Linux distribution names and versions evaluated on WSL. Microsoft Intune includes the WSL compliance results in the overall compliance state of the host device.
For more information about WSL compliance, see Evaluate compliance for Windows Subsystem for Linux.
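As an added example (not Intune's or Microsoft's own code), the following Python evaluator models the WSL compliance check described above: each WSL instance reported by a host is compared against an allow-list of distribution names and version ranges, and the per-instance results are folded into a single host verdict, mirroring how the WSL result contributes to the host's overall compliance state. The allow-list, the inventory records and the handling of a host with no WSL instances (treated as compliant here) are assumptions for this illustration.

```python
# Constructed allow-list modelled on the page's description: distribution name ->
# (minimum version, maximum version or None for no upper bound). Not Intune's format.
ALLOWED_DISTRIBUTIONS = {
    "Ubuntu": ("20.04", "24.04"),
    "Debian": ("11", None),
}

# Constructed inventory, as a host might report its WSL instances (assumed shape).
SAMPLE_INVENTORY = [
    {"distribution": "Ubuntu", "version": "22.04"},
    {"distribution": "Fedora", "version": "40"},
]


def parse_version(text):
    """Turn '24.04.1' into (24, 4, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def version_allowed(version, minimum, maximum):
    """True when version lies within [minimum, maximum]; maximum may be None."""
    v = parse_version(version)
    if v < parse_version(minimum):
        return False
    if maximum is not None:
        bound = parse_version(maximum)
        # Compare only as many components as the bound specifies, so a point
        # release such as 24.04.1 still satisfies a maximum of 24.04.
        if v[: len(bound)] > bound:
            return False
    return True


def evaluate_instance(instance):
    """Return (compliant, reason) for one WSL distribution instance."""
    name, version = instance["distribution"], instance["version"]
    bounds = ALLOWED_DISTRIBUTIONS.get(name)
    if bounds is None:
        return False, f"{name} is not an allowed distribution"
    if not version_allowed(version, *bounds):
        return False, f"{name} {version} is outside the allowed version range"
    return True, f"{name} {version} is allowed"


def evaluate_host(instances):
    """Fold all instance results into the host verdict: every instance must pass.
    A host with no WSL instances is treated as compliant (assumption)."""
    results = [evaluate_instance(i) for i in instances]
    return {
        "compliant": all(ok for ok, _ in results),
        "details": [reason for _, reason in results],
    }


if __name__ == "__main__":
    verdict = evaluate_host(SAMPLE_INVENTORY)
    print("host compliant:", verdict["compliant"])
    for line in verdict["details"]:
        print(" -", line)
```

The inclusive upper bound is deliberately compared on only the components the policy names; a policy that wants to exclude point releases should state the bound to the same depth as the reported version.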
The following protected app is now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
We've added the ability to view a device's ICCID number for devices enrolled as Android Enterprise Dedicated or Android Fully Managed. Admins can view ICCID numbers in their device inventory.
You can now find the ICCID number for Android devices by navigating to Devices > Android. Select a device of interest. In the side panel, under Monitor, select Hardware. The ICCID number is in the Network details group. The ICCID number isn't supported for Android Corporate-Owned Work Profile devices.
Applies to:
We're adding the Intune remote device actions to Single device query to help you manage your devices remotely. From the device query interface, you'll be able to run device actions based on query results for faster and more efficient troubleshooting.
Applies to:
For more information, see:
Now generally available, customer tenants in the Government Community Cloud (GCC), US Government Community High (GCC High), and Department of Defense (DoD) environments can use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. Previously, support for Defender security settings was in public preview.
This capability is known as Defender for Endpoint security settings management.
App configuration policies for Android Enterprise devices now support overriding the following permissions:
For more information about app configuration policies for Android Enterprise devices, see Add app configuration policies for managed Android Enterprise devices.
Applies to:
Intune now supports Windows Autopilot device preparation policy for Intune operated by 21Vianet in China cloud. Customers with tenants located in China can now use Windows Autopilot device preparation with Intune to provision devices.
For information about this Autopilot support, see the following in the Autopilot documentation:
Beginning in October 2024, Android 10 and later is the minimum Android OS version that is supported for user-based management methods, which includes:
For enrolled devices on unsupported OS versions (Android 9 and lower)
While Intune doesn't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices are not affected by this change.
Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature.
Applies to:
The UI for the Intune Company Portal app for Windows is updated. Users now see an improved experience for their desktop app without changing the functionality they've used in the past. Specific UI improvements are focused on the Home, Devices, and Downloads & updates pages. The new design is more intuitive and highlights areas where users need to take action.
For more information, see New look for Intune Company Portal app for Windows. For end user details, see Install and share apps on your device.
The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that a Simple Certificate Enrollment Protocol (SCEP) certificate's subject alternative name (SAN) must have a security identifier (SID) extension that maps to the user or device SID in Active Directory. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working.
To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a URI attribute and the OnPremisesSecurityIdentifier variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID.
For more information and steps, see Update certificate connector: Strong mapping requirements for KB5014754.
Applies to:
This requirement isn't applicable to device certificates used with Microsoft Entra joined users or devices, because the SID attribute is an on-premises identifier.
In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on the devices that onboarded to Defender without enrolling those devices with Intune. This capability is known as Defender for Endpoint security settings management.
For more information about the Intune features supported in GCC High and DoD environments, see Intune US Government service description.
We updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in KB5014754. As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID.
The SID update is available for user certificates across all platforms, and for device certificates specifically on Microsoft Entra hybrid joined Windows devices.
For more information, see:
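As an added example (not Intune's or Microsoft's own code), the following Python check classifies issued certificates against the on-premises SID the directory holds for each subject, the kind of audit a defender runs over a batch of certificates before the KDC enforces strong mapping. It covers both the SCEP path described earlier (the SID carried as a tag in the SAN URI, from the OnPremisesSecurityIdentifier variable) and the PKCS path above (the SID carried in a certificate extension). The certificate records are constructed dicts; the URI tag prefix and the extension OID are the forms documented in KB5014754, not values from this page. The Entra-joined case noted under the SCEP entry, where no on-premises SID exists, is reported as not applicable.

```python
import re

# Formats taken from KB5014754 (referenced by the page), not from this page itself:
# the SAN URI tag that carries the SID, and the Microsoft SID certificate extension
# OID used by the PKCS flow. They are the assumptions this check relies on.
SID_URI_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"
# Domain account SIDs have the shape S-1-5-21-<domain triplet>-<RID>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def sid_from_san(san_uris):
    """Return the SID carried by a SAN URI tag, or None when no tag is present."""
    for uri in san_uris:
        if uri.startswith(SID_URI_PREFIX):
            return uri[len(SID_URI_PREFIX):]
    return None


def sids_in_certificate(cert):
    """Collect every SID the certificate carries (SAN URI tag and/or SID extension).
    `cert` is a constructed dict with optional 'san_uris' and 'extensions' keys."""
    found = []
    tag_sid = sid_from_san(cert.get("san_uris", []))
    if tag_sid:
        found.append(tag_sid)
    ext_sid = cert.get("extensions", {}).get(SID_EXTENSION_OID)
    if ext_sid:
        found.append(ext_sid)
    return found


def mapping_status(cert, expected_sid):
    """Classify one certificate against the SID the directory holds for its subject."""
    found = sids_in_certificate(cert)
    if expected_sid is None:
        # Identity without an on-premises SID (for example Entra joined only):
        # strong mapping does not apply, but a SID showing up anyway is suspicious.
        return "not-applicable" if not found else "unexpected-sid"
    if not found:
        return "unmapped"          # will fail once the KDC enforces strong mapping
    if any(not DOMAIN_SID_RE.match(s) for s in found):
        return "malformed-sid"
    if all(s == expected_sid for s in found):
        return "mapped"
    return "mismatch"              # SID present but not the subject's own


def audit(certs, directory):
    """Return {subject: status} for a batch of certificates. `directory` maps a
    subject to its on-premises SID, or to None when the identity has none."""
    return {c["subject"]: mapping_status(c, directory.get(c["subject"])) for c in certs}


# Constructed sample data: subjects, SIDs and extension values are invented.
SAMPLE_DIRECTORY = {
    "CN=alice": "S-1-5-21-1111-2222-3333-1105",
    "CN=bob": "S-1-5-21-1111-2222-3333-1106",
    "CN=carol": "S-1-5-21-1111-2222-3333-1107",
    "CN=entra-only-device": None,
}
SAMPLE_CERTS = [
    {"subject": "CN=alice",
     "san_uris": [SID_URI_PREFIX + "S-1-5-21-1111-2222-3333-1105"]},          # SCEP style
    {"subject": "CN=bob",
     "extensions": {SID_EXTENSION_OID: "S-1-5-21-1111-2222-3333-1106"}},      # PKCS style
    {"subject": "CN=carol", "san_uris": ["mailto:carol@example.test"]},        # no SID at all
    {"subject": "CN=entra-only-device", "san_uris": []},                       # no on-prem SID
]

if __name__ == "__main__":
    for subject, status in audit(SAMPLE_CERTS, SAMPLE_DIRECTORY).items():
        print(f"{subject}: {status}")
```

Treat anything other than "mapped" or "not-applicable" as a reissue candidate: "unmapped" certificates stop working for KDC authentication once enforcement begins, and "mismatch" or "unexpected-sid" results deserve a look at how the subject was resolved before the certificate was issued.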
Working time settings allow you to enforce policies that limit access to apps and mute message notifications received from apps during non-working time. The limit access setting is now available for the Microsoft Teams and Microsoft Edge apps. You can limit access by using App Protection Policies (APP) to block or warn end users from using the iOS/iPadOS or Android Teams and Microsoft Edge apps during non-working time by setting the Non-working time conditional launch setting. Also, you can create a non-working time policy to mute notifications from the Teams app to end users during non-working time.
Applies to:
We've streamlined the way apps from Enterprise App Catalog are added to Intune. We now provide a direct app link rather than duplicating the app binaries and metadata. App contents now download from a *.manage.microsoft.com subdomain. This update helps to improve the latency when adding an app to Intune. When you add an app from Enterprise App Catalog, it syncs immediately and is ready for additional action from within Intune.
Enterprise App Management is enhanced to allow you to update an Enterprise App Catalog app. This capability guides you through a wizard that allows you to add a new application and use supersedence to update the previous application.
For more information, see Guided update supersedence for Enterprise App Management.
On Android device administrator managed (DA) devices, Samsung has deprecated many configuration settings that rely on Samsung Knox APIs (opens Samsung's web site).
In Intune, this deprecation impacts the following device restrictions settings, compliance settings, and trusted certificate profiles:
In the Intune admin center, when you create or update a profile with these settings, the impacted settings are noted.
Though the functionality might continue to work, there's no guarantee that it will continue working for any or all Android DA versions supported by Intune. For more information on Samsung support for deprecated APIs, see What kind of support is offered after an API is deprecated? (opens Samsung's web site).
Instead, you can manage Android devices with Intune using one of the following Android Enterprise options:
Applies to:
For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.
Some VAIO devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.
For more information about DFCI profiles, see:
Applies to:
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Declarative Device Management (DDM) > Math Settings:
Calculator
System Behavior
Web Content Filter:
Declarative Device Management (DDM) > Math Settings:
Calculator
System Behavior
System Configuration > System Extensions:
End users might see a different consent experience for remote log collection after the Android APP SDK 10.4.0 and iOS APP SDK 19.6.0 updates. End users no longer see a common prompt from Intune and only see a prompt from the application, if it has one.
Adoption of this change is per application and is subject to each application's release schedule.
Applies to:
New Setup Assistant screens are available to configure in the Microsoft Intune admin center. You can hide or show these screens during automated device enrollment (ADE).
For macOS:
For iOS/iPadOS:
You can configure these screens in new and existing enrollment policies. For more information and additional resources, see:
Now when you create an enrollment token for Android Open Source Project (AOSP) corporate-owned, user-associated devices, you can select an expiration date that's up to 65 years into the future, an improvement over the previous 90 day expiration date. You can also modify the expiration date of existing enrollment tokens for Android Open Source Project (AOSP) corporate-owned, user-associated devices.
You can now use the new Personal Data Encryption (PDE) template that is available through endpoint security disk encryption policy. This new template configures the Windows PDE configuration service provider (CSP), which was introduced in Windows 11 22H2. The PDE CSP is also available through the settings catalog.
PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker, which releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
Applies to:
For more information about PDE, including prerequisites, related requirements, and recommendations, see the following articles in the Windows security documentation:
The following protected app is now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
All Android devices automatically migrate to the updated Managed Home Screen (MHS) user experience. For more information, see Updates to the Managed Home Screen experience.
Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: profile-based enrollment and account-driven enrollment. Apple ended support for profile-based user enrollment, known in Intune as user enrollment with Company Portal. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for profile-based user enrollment with Company Portal. Users can no longer enroll devices targeted with this enrollment profile type. This change doesn't affect devices that are already enrolled with this profile type, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices.
There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected.
We recommend account-driven user enrollment as a replacement method for devices. For more information about your BYOD enrollment options in Intune, see:
For more information about the device enrollment types supported by Apple, see Intro to Apple device enrollment types in the Apple Platform Deployment guide.
Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.
For more information on this change, see Plan for change: Intune is moving to support iOS/iPadOS 16 and later.
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement for supported versus allowed iOS/iPadOS versions for user-less devices.
Applies to:
With Apple's release of macOS 15 Sequoia, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 13 (Ventura) and later.
For more information on this change, see Plan for change: Intune is moving to support macOS 13 and later
Note
macOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement.
Applies to:
You can now create Endpoint Privilege Management (EPM) elevation rules directly from a support approved elevation request or from details found in the EPM Elevation report. With this new capability, you won’t need to manually identify specific file detection details for elevation rules. Instead, for files that appear in the Elevation report or a support approved elevation request, you can select that file to open its elevation detail pane, and then select the option to Create a rule with these file details.
When you use this option, you can then choose to add the new rule to one of your existing elevation policies, or create a new policy with only the new rule.
Applies to:
For information about this new capability, see Windows elevation rules policy in the Configure policies for Endpoint Privilege management article.
We're introducing the Resource performance report for Windows physical devices in Intune Advanced Analytics. The report is included as an Intune add-on under Microsoft Intune Suite.
The resource performance scores and insights for physical devices are aimed to help IT admins make CPU/RAM asset management and purchase decisions that improve the user experience while balancing hardware costs.
For more information, see:
Managed Home Screen (MHS) is now supported on Android Enterprise Fully Managed devices. This capability offers organizations the ability to leverage MHS in scenarios where a device is associated with a single user.
For related information, see:
The Discovered Apps report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we're including it as a column in the Discovered Apps report.
For more information, see Intune Discovered apps.
We have updated how activities and events are logged for Win32 apps in the Intune Management Extension (IME) logs. A new log file (AppWorkload.log) contains all logging information related to app deployment activities conducted by the IME. These improvements provide better troubleshooting and analysis of app management events on the client.
For more information, see Intune management extension logs.
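As an added example (not Intune's or Microsoft's own code), the following Python parser reads IME-style log lines such as those in AppWorkload.log, which use the CMTrace line format, and pulls out the fields a troubleshooter wants: timestamp, severity, thread and message, plus helpers to list error entries and the app IDs an entry refers to. The sample lines, the component name and the GUID in them are constructed for this illustration, not taken from a real log.

```python
import re
from datetime import datetime

# Constructed sample in the CMTrace-style line format the IME logs use. The
# messages, component name and app GUID are invented for this example.
SAMPLE_APPWORKLOAD_LOG = """\
<![LOG[[Win32App] Starting install flow for app 11111111-1111-1111-1111-111111111111]LOG]!><time="10:15:01.123+000" date="09-18-2024" component="AppWorkload" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Detection: app not found, enforcement required]LOG]!><time="10:15:02.456+000" date="09-18-2024" component="AppWorkload" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Installer exit code 1603 for app 11111111-1111-1111-1111-111111111111, marking as failed]LOG]!><time="10:15:40.789+000" date="09-18-2024" component="AppWorkload" context="" type="3" thread="12" file="">
"""

# One CMTrace entry: the message sits between <![LOG[ and ]LOG]!>, followed by a
# tag of attributes. type codes are 1 = info, 2 = warning, 3 = error.
LINE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)" '
    r'context="(?P<context>[^"]*)" type="(?P<type>\d)" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_cmtrace(text):
    """Parse every CMTrace entry in `text` into a dict; unparseable text is skipped."""
    entries = []
    for m in LINE_RE.finditer(text):
        # The time field carries a UTC bias suffix (e.g. "+000"); drop it and keep
        # the local wall-clock time, which is enough for ordering within one log.
        hms = m.group("time").split("+")[0].split("-")[0]
        when = datetime.strptime(f"{m.group('date')} {hms}", "%m-%d-%Y %H:%M:%S.%f")
        entries.append({
            "when": when,
            "component": m.group("component"),
            "severity": SEVERITY.get(m.group("type"), "unknown"),
            "thread": int(m.group("thread")),
            "message": m.group("message"),
        })
    return entries


def errors(entries):
    """Entries the IME itself flagged as errors (type 3)."""
    return [e for e in entries if e["severity"] == "error"]


def events_for_app(entries, app_id):
    """Entries that mention a specific app ID, for following one deployment."""
    return [e for e in entries if app_id.lower() in e["message"].lower()]


def app_ids(entries):
    """All distinct app GUIDs referenced anywhere in the parsed entries."""
    return sorted({g.lower() for e in entries for g in GUID_RE.findall(e["message"])})


if __name__ == "__main__":
    parsed = parse_cmtrace(SAMPLE_APPWORKLOAD_LOG)
    for entry in errors(parsed):
        print(entry["when"], entry["severity"], entry["message"])
```

Filtering by severity first and then by app ID is usually the fastest route through a busy log: the error entry names the installer exit code, and the app's earlier info entries show which detection or enforcement step preceded it.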
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings in the Apple Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Declarative Device Management (DDM) > Safari Extension Settings:
Declarative Device Management (DDM) > Software Update Settings:
Automatic Actions
Deferrals
Notifications
Rapid Security Response
Recommended Cadence
Restrictions:
Authentication > Extensible Single Sign On (SSO):
Authentication > Extensible Single Sign On Kerberos:
Declarative Device Management (DDM) > Disk Management:
Declarative Device Management (DDM) > Safari Extension Settings:
Declarative Device Management (DDM) > Software Update Settings:
Allow Standard User OS Updates
Automatic Actions
Deferrals
Notifications
Rapid Security Response
Restrictions:
System Policy > System Policy Control:
Multiple administrative approval now lets you limit application access policies to Windows applications, to all non-Windows applications, or to both. We're also adding a new access policy to the multiple administrative approval feature that allows approvals for changes to multiple administrative approval itself.
For more information, see Multi admin approval.
Intune now supports account-driven Apple User Enrollment, the new and improved version of Apple User Enrollment, for devices running iOS/iPadOS 15 and later. This new enrollment method uses just-in-time registration, removing the Company Portal app for iOS as an enrollment requirement. Device users can initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience.
For more information, see Set up account driven Apple User Enrollment on Microsoft Learn.
Apple announced they are ending support for profile-based Apple User Enrollment. As a result, Microsoft Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account-driven Apple User Enrollment for similar functionality and an improved user experience.
Managing Intune-enrolled devices with Android Enterprise management options previously required you to connect your Intune tenant to your managed Google Play account using an enterprise Gmail account. Now you can use a corporate Microsoft Entra account to establish the connection. This change is happening in new tenants, and doesn't affect tenants that have already established a connection.
For more information, see Connect Intune account to Managed Google Play account - Microsoft Intune | Microsoft Learn.
Intune operated by 21Vianet now supports Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors are available.
Applies to:
For more information, see:
When you assign an app, compliance policy, or configuration profile, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.
A new cpuArchitecture device filter property is available for Windows and macOS devices. With this property, you can filter app and policy assignments depending on the processor architecture.
For more information on filters and the device properties you can use, see:
Applies to:
When you create an endpoint security policy in Intune, you can select the Windows platform. For multiple templates in endpoint security, there are now only two options to choose for the Windows platform: Windows and Windows (ConfigMgr).
Specifically, the platform name changes are:
| Original | New |
|---|---|
| Windows 10 and later | Windows |
| Windows 10 and later (ConfigMgr) | Windows (ConfigMgr) |
| Windows 10, Windows 11, and Windows Server | Windows |
| Windows 10, Windows 11, and Windows Server (ConfigMgr) | Windows (ConfigMgr) |
These changes apply to the following policies:
For more information on endpoint security features in Intune, see Manage endpoint security in Microsoft Intune.
Applies to:
You can specify the time that OS updates are enforced on devices in their local time zone. For example, configuring an OS update to be enforced at 5pm schedules the update for 5pm in the device's local time zone. Previously, this setting used the time zone of the browser where the policy was configured.
This change only applies to new policies that are created in the August 2408 release and later. The Target Date Time setting is in the settings catalog at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update.
In a future release, the UTC text will be removed from the Target Date Time setting.
For more information on using the settings catalog to configure software updates, see Managed software updates with the settings catalog.
Applies to:
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
The organizational message feature has moved out of the Microsoft Intune admin center and into its new home in the Microsoft 365 admin center. All organizational messages you created in Microsoft Intune are now in the Microsoft 365 admin center, where you can continue to view and manage them. The new experience includes highly requested features such as the ability to author custom messages, and deliver messages on Microsoft 365 apps.
For more information, see:
We are excited to announce that the following capabilities from the Microsoft Intune Suite are now supported in U.S. Government Community Cloud (GCC) High and U.S. Department of Defense (DoD) environments.
Add-on capabilities:
Plan 2 capabilities:
For more information, see:
As we prepare to support managed device attestation in Intune, we are starting a phased rollout of an infrastructure change for new enrollments that includes support for the Automated Certificate Management Environment (ACME) protocol. Now when new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. ACME provides better protection than SCEP against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. There is no change to the end user's enrollment experience, and no changes to the Microsoft Intune admin center. This change only impacts enrollment certificates and has no impact on any device configuration policies.
ACME is supported for Apple Device Enrollment, Apple Configurator enrollment, and Automated device enrollment (ADE) methods. Eligible OS versions include:
The following actions have been added for Microsoft Cloud PKI issuing and root certification authorities (CA):
You can access all new actions in the Microsoft Intune admin center and Graph API. For more information, see Delete Microsoft Cloud PKI certification authority.
Intune supports the capability to deploy DMG and PKG apps as Available in the Intune macOS Company Portal. This capability enables end users to browse and install agent-deployed applications using Company Portal for macOS. This capability requires a minimum version of the Intune agent for macOS v2407.005 and Intune Company Portal for macOS v5.2406.2.
The Enterprise App Catalog has been updated to include additional apps. For a complete list of supported apps, see Apps available in the Enterprise App Catalog.
The Intune App SDK and Intune App Wrapping Tool have moved to a different GitHub repository and a new account. There are redirects in place for all existing repositories. In addition, the Intune sample applications are also included in this move. This change relates to both Android and iOS platforms.
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.
Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection:
For more information on configuring the clipboard transfer direction in Azure Virtual Desktop, see Configure the clipboard transfer direction and types of data that can be copied in Azure Virtual Desktop.
Applies to:
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Restrictions:
Privacy > Privacy Preferences Policy Control:
In an Intune device restrictions configuration policy, you can configure the Allow access to all apps in Google Play store setting using the Allow and Not configured options (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully managed, dedicated and corporate-owned work profile > Device restrictions for profile type > Applications).
The available options are updated to Allow, Block, and Not configured.
There's no impact to existing profiles using this setting.
For more information on this setting and the values you can currently configure, see Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.
Applies to:
Microsoft Intune now supports device management for Red Hat Enterprise Linux. You can enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts. For more information, see Deployment guide: Manage Linux devices in Microsoft Intune and Enrollment guide: Enroll Linux desktop devices in Microsoft Intune.
Applies to:
Use the new device attestation status report in Microsoft Intune to find out if a device has attested and enrolled securely while being hardware-backed. From the report, you can attempt remote attestation via a new device action.
For more information, see:
You can now configure just-in-time (JIT) registration and JIT compliance remediation for all Apple iOS and iPadOS enrollments. These Intune-supported features improve the enrollment experience because they can take the place of the Intune Company Portal app for device registration and compliance checks. We recommend setting up JIT registration and compliance remediation for new enrollments, and to improve the experience for existing enrolled devices. For more information, see Set up just in time registration in Microsoft Intune.
We have consolidated the Intune profiles that were related to identity and account protection into a single new profile named Account protection. This new profile is found in the account protection policy node of endpoint security, and is now the only profile template that remains available when creating new policy instances for identity and account protection. The new profile includes Windows Hello for Business settings for both users and devices, and settings for Windows Credential Guard.
Because this new profile uses Intune's unified settings format for device management, the profile's settings are also available through the settings catalog, and help to improve the reporting experience in the Intune admin center.
You can continue to use any instances of the following profile templates that you already have in place, but Intune no longer supports creating new instances of these profiles:
Applies to:
There's a new operatingSystemVersion filter property. This property:
Is in public preview and still being developed. So, some features, like Preview devices, don't work yet.
Should be used instead of the existing OSVersion property. The OSVersion property is being deprecated. When operatingSystemVersion is generally available (GA), the OSVersion property will retire, and you won't be able to create new filters using this property. Existing filters that use OSVersion continue to work.
Has new comparison operators:
GreaterThan: Use for version value types. Operator: -gt | gt. Example: (device.operatingSystemVersion -gt 10.0.22000.1000)
GreaterThanOrEquals: Use for version value types. Operator: -ge | ge. Example: (device.operatingSystemVersion -ge 10.0.22000.1000)
LessThan: Use for version value types. Operator: -lt | lt. Example: (device.operatingSystemVersion -lt 10.0.22000.1000)
LessThanOrEquals: Use for version value types. Operator: -le | le. Example: (device.operatingSystemVersion -le 10.0.22000.1000)
For managed devices, operatingSystemVersion applies to:
For managed apps, operatingSystemVersion applies to:
For more information on filters and the device properties you can use, see:
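As an added example (not Intune's filter engine and not code from this page), the following Python evaluates rules written in the syntax shown above against a constructed device inventory, comparing dotted versions segment by segment as a version value type rather than as text. The device names, version strings and the lexical_matches helper are constructed for illustration only.

```python
"""Evaluate Intune-style filter rules such as
   (device.operatingSystemVersion -gt 10.0.22000.1000)
with version-aware comparison. Added illustration; not Intune's own code."""
import re
from typing import Dict, List, Tuple

# The four operators the page lists, accepted with or without the leading dash.
_OPS = {
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
}

_RULE_RE = re.compile(
    r"^\(\s*device\.operatingSystemVersion\s+-?(gt|ge|lt|le)\s+"
    r"([0-9]+(?:\.[0-9]+)*)\s*\)$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integer segments, so 22000 sorts above 9600."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad the shorter tuple with zeros so 10.0.22000 equals 10.0.22000.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_rule(rule: str) -> Tuple[str, str]:
    """Return (operator, version literal) from a rule, rejecting anything else."""
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return m.group(1), m.group(2)


def rule_matches(rule: str, device_version: str) -> bool:
    """Version-aware evaluation: the behaviour a version value type provides."""
    op, target = parse_rule(rule)
    actual, wanted = _pad(parse_version(device_version), parse_version(target))
    return _OPS[op](actual, wanted)


def lexical_matches(rule: str, device_version: str) -> bool:
    """Plain string comparison, included only to contrast with rule_matches."""
    op, target = parse_rule(rule)
    return _OPS[op](device_version, target)


def evaluate(rule: str, inventory: Dict[str, str]) -> List[str]:
    """Names of devices (sorted) whose operatingSystemVersion satisfies the rule."""
    return sorted(name for name, ver in inventory.items() if rule_matches(rule, ver))


# Constructed sample inventory (device name -> reported OS version); not real data.
SAMPLE_INVENTORY = {
    "win11-22h2": "10.0.22621.3007",
    "win11-21h2": "10.0.22000.1000",
    "win10-22h2": "10.0.19045.4170",
    "win11-older": "10.0.22000.978",
}

if __name__ == "__main__":
    rule = "(device.operatingSystemVersion -gt 10.0.22000.1000)"
    print(evaluate(rule, SAMPLE_INVENTORY))
    # A constructed build 9600 string sorts above 22000 lexically but not numerically.
    print(lexical_matches(rule, "10.0.9600.20000"), rule_matches(rule, "10.0.9600.20000"))
```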
GCC customers can now use Remote Help for macOS devices on both web app and native application.
Applies to:
For more information, see:
You can now deploy the Intune security baseline for Windows 365 Cloud PC. This new baseline is based on Windows version 24H1. This new baseline version uses the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.
Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.
As with all baselines, the default baseline represents the recommended configurations for each setting, which you can modify to meet the requirements of your organization.
Applies to:
To view the settings included in the new baseline with their default configurations, see Windows 365 baseline settings version 24H1.
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
We've added a new category and setting to the Device Control profile for the Windows 10, Windows 11, and Windows Server platform of Intune Attack surface reduction policy.
The new setting is Allow Storage Card, and found in the new System category of the profile. This setting is also available from the Intune settings catalog for the Windows devices.
This setting controls whether the user is allowed to use the storage card for device storage, and can prevent programmatic access to the storage card. For more information on this new setting, see AllowStorageCard in the Windows documentation.
When you use Copilot in Intune, there's a new device query feature that uses KQL. Use this feature to ask questions about your devices using a natural language. If device query can answer your question, Copilot generates the KQL query you can run to get the data you want.
To learn more about how you can currently use Copilot in Intune, see Microsoft Copilot in Intune.
You can now remove, reinstall, and reapply individual policies, profiles, and apps for iOS/iPadOS devices and Android corporate owned devices. You can apply these actions without changing assignments or group membership. These actions are intended to help resolve customer challenges that are external to Intune. Also, these actions can help to quickly restore end user productivity.
For more information, see Remove apps and configuration.
MAC address details are now available from the Device Information page of the Managed Home Screen (MHS) app. For information about MHS, see Configure the Microsoft Managed Home Screen app for Android Enterprise.
You can now configure Managed Home Screen (MHS) to enable a virtual app-switcher button that allows end users to easily navigate between apps on their kiosk devices from MHS. You can select between a floating or swipe-up app-switcher button. The configuration key is virtual_app_switcher_type and the possible values are none, float, and swipe_up. For information related to configuring the Managed Home Screen app, see Configure the Microsoft Managed Home Screen app for Android Enterprise.
We've made changes to the device registration process for Apple devices enrolling with Intune Company Portal. Previously, Microsoft Entra device registration occurred during enrollment. With this change, registration occurs after enrollment.
Existing enrolled devices aren't affected by this change. For new user or device enrollments that utilize Company Portal, users must return to Company Portal to complete registration:
For iOS users: Users with notifications enabled are prompted to return to the Company Portal app for iOS. If they disable notifications, they aren't alerted, but still need to return to Company Portal to complete registration.
For macOS devices: The Company Portal app for macOS detects the installation of the management profile and automatically registers the device, unless the user closes the app. If they close the app, they must reopen it to complete registration.
If you're using dynamic groups, which rely on device registration to work, it's important for users to complete device registration. Update your user guidance and admin documentation as needed. If you're using Conditional Access (CA) policies, no action is required. When users attempt to sign in to a CA-protected app, they are prompted to return to Company Portal to complete registration.
These changes are currently rolling out and will be made available to all Microsoft Intune tenants by the end of July. There's no change to the Company Portal user interface. For more information about device enrollment for Apple devices, see:
Microsoft Intune now supports corporate device identifiers for devices running Windows 11, version 22H2 and later, so that you can identify corporate machines ahead of enrollment. When a device that matches the model, manufacturer, and serial number criteria enrolls, Microsoft Intune marks it as a corporate device and enables the appropriate management capabilities. For more information, see Add corporate identifiers.
Endpoint Privilege Management (EPM) elevation rules now support the elevation of Windows Installer and PowerShell files in addition to executable files that were previously supported. The new file extensions that EPM supports include:
For information about using EPM, see Endpoint Privilege Management.
A new Microsoft Cloud PKI property called CA keys is available in the admin center and shows the type of certification authority keys used for signing and encryption. The property displays one of the following values:
Certification authorities created with a licensed Intune Suite or Cloud PKI standalone add-on use HSM signing and encryption keys. Certification authorities created during a trial period use software-backed signing and encryption keys. For more information about Microsoft Cloud PKI, see Overview of Microsoft Cloud PKI for Microsoft Intune.
Managed Home Screen (MHS) now supports sign-in for the US Government Community Cloud (GCC), US Government Community Cloud (GCC) High, and U.S. Department of Defense (DoD) environments. For more information, see Configure the Managed Home Screen and Microsoft Intune for US Government GCC service description.
Applies to:
The Managed Apps report now provides details about Enterprise App Catalog apps for a specific device. For more information about this report, see Managed Apps report.
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Restrictions:
System Configuration > Font:
Privacy > Privacy Preferences Policy Control:
Applies to:
Using the Intune settings catalog, you can configure Apple's declarative device management (DDM) feature to manage software updates on iOS/iPadOS devices.
When you configure a managed software update policy using the settings catalog, you can:
For more information about configuring managed software update profiles in Intune, see Use the settings catalog to configure managed software updates.
Applies to:
In the Intune admin center, you can select Devices > By platform, and view the policy options for the platform you select. These platform-specific pages are updated and include tabs for navigation.
For a walkthrough of the Intune admin center, see Tutorial: Walkthrough Microsoft Intune admin center.
We've updated role-based access controls (RBAC) for all enrollment platform restrictions in the Microsoft Intune admin center. The Global Administrator and Intune Service Administrator roles can create, edit, delete, and reprioritize enrollment platform restrictions. For all other built-in Intune roles, restrictions are read-only.
Applies to:
It's important to know that with these changes:
For more information, see Create device platform restrictions.
We've completed a rebrand in the Microsoft Intune admin center to support replacing Wandera with Jamf. This includes updates to the name of the Mobile Threat Defense connector, which is now Jamf, and changes to the minimum required platforms to use the Jamf connector:
For information about Jamf and other Mobile Threat Defense (MTD) vendors that Intune supports, see Mobile Threat Defense partners.
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
End users can view the BitLocker recovery key for an enrolled Windows device and the FileVault recovery key for an enrolled Mac in the Company Portal app for iOS and Company Portal app for macOS. This capability will reduce helpdesk calls in the event the end user gets locked out of their corporate machines. End users can access the recovery key for an enrolled device by signing into the Company Portal app and selecting Get recovery key. This experience is similar to the recovery process on the Company Portal website, which also allows end users to see recovery keys.
You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Restrict non-admin users from recovering the BitLocker keys for their owned device setting in Microsoft Entra ID.
Applies to:
For more information, see:
We’ve begun to replace the role-based access control (RBAC) rights to endpoint security policies that are granted by the Security baselines permission with a series of more granular permissions for specific endpoint security tasks. This change can help you assign the specific rights your Intune admins require to do specific jobs instead of relying on either the built-in Endpoint Security Manager role or a custom role that includes the Security baseline permission. Prior to this change, the Security baseline permission grants rights across all endpoint security policies.
The following new RBAC permissions are available for endpoint security workloads:
Each new permission supports the following rights for the related policy:
Each time we add a new granular permission for an endpoint security policy to Intune, those same rights are removed from the Security baselines permission. If you use custom roles with the Security baselines permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the Security baseline permission. This autoassignment ensures your admins continue to have the same permissions they have today.
For more information about current RBAC permissions and built-in roles, see:
Important
With this release, the granular permission of Antivirus for endpoint security policies might be temporarily visible in some tenants. This permission isn't released and isn't supported for use. Configurations of the Antivirus permission are ignored by Intune. When Antivirus becomes available to use as a granular permission, its availability will be announced in this What's new in Microsoft Intune article.
Enrollment time grouping is a new, faster way to group devices during enrollment. When configured, Intune adds devices to the appropriate group without requiring inventory discovery and dynamic membership evaluations. To set up enrollment time grouping, you must configure a static Microsoft Entra security group in each enrollment profile. After a device enrolls, Intune adds it to the static security group and delivers assigned apps and policies.
This feature is available for Windows 11 devices enrolling via Windows Autopilot device preparation. For more information, see Enrollment time grouping in Microsoft Intune.
To improve the experience for Remote Help on Windows, Web, and macOS devices, we have updated the primary endpoint for Remote Help:
Previous endpoint: https://remoteassistance.support.services.microsoft.com
New endpoint: https://remotehelp.microsoft.com
If you use Remote Help and have firewall rules that block the new primary endpoint, admins and users might experience connectivity issues or disruptions when using Remote Help.
To support the new primary endpoint on Windows devices, upgrade Remote Help to version 5.1.124.0. Web and macOS devices don't require an updated version of Remote Help to make use of the new primary endpoint.
Applies to:
For information on the newest version of Remote Help, see the March 13, 2024 entry for What's New for Remote Help. For information about Intune endpoints for Remote Help, see Remote Help in Network endpoints for Microsoft Intune.
Now in a public preview, Microsoft Intune supports compliance checks for instances of Windows Subsystem for Linux (WSL) running on a Windows host device.
With this preview you can create a custom compliance script that evaluates the required distribution and version of WSL. WSL compliance results are included in the overall compliance state of the host device.
Applies to:
For information about this capability, see Evaluate compliance of Windows Subsystem for Linux (public preview).
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.
There are new settings in the macOS Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.
Microsoft AutoUpdate (MAU):
Microsoft Defender > Features:
For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
Applies to:
To reduce the enrollment time for end users, Microsoft Intune supports device staging for Android Enterprise devices. With device staging, you can stage an enrollment profile and complete all related enrollment steps for workers receiving these devices:
When frontline workers receive the devices, all they have to do is connect to Wi-Fi and sign in to their work account. A new device staging token is required to enable this feature. For more information, see Device staging overview.
End users can now view the BitLocker Recovery Key for enrolled Windows devices from the Company Portal website. This capability can reduce helpdesk calls in the event the end user gets locked out of their corporate machines. End users can access the recovery key for an enrolled device by signing into the Company Portal website and selecting Show recovery key. This experience is similar to the MyAccount website, which also allows end users to see recovery keys.
You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Microsoft Entra toggle Restrict non-admin users from recovering the BitLocker key(s) for their owned device.
For more information, see:
We've released a new version of the Windows hardware attestation report that shows the value of settings attested by Device Health Attestation and Microsoft Azure Attestation for Windows 10/11. The Windows hardware attestation report is built on a new reporting infrastructure, and reports on new settings added to Microsoft Azure Attestation. The report is available in the admin center under Reports > Device Compliance > Reports.
For more information, see Intune reports.
The Windows health attestation report previously available under Devices > Monitor has been retired.
Applies to:
Feature updates can now be made available to end users as Optional updates, with the introduction of Optional Feature updates. End users see the update in the Windows Update settings page in the same way that it's shown for consumer devices.
End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a Required update, then admins can change the setting on the policy, and update the rollout settings so that the update is deployed as a Required update to devices that don't yet have it installed.
For more information on Optional Feature updates, see Feature updates for Windows 10 and later policy in Intune.
Applies to:
You can now deploy the Intune security baseline for Microsoft Defender for Endpoint. The new baseline, version 24H1, uses the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.
Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.
As with all baselines, the default baseline represents the recommended configurations for each setting, which you can modify to meet the requirements of your organization.
Applies to:
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
On Apple devices, you can use Microsoft Intune and the Microsoft Enterprise SSO plug-in to configure single sign-on (SSO) for apps and websites that support Microsoft Entra authentication, including Microsoft 365.
On macOS devices, Platform SSO is available in public preview. Platform SSO expands the SSO app extension by allowing you to configure different authentication methods, simplify the sign-in process for users, and reduce the number of passwords they need to remember.
Platform SSO is included in the Company Portal app version 5.2404.0 and newer.
For more information on Platform SSO and to get started, see:
Applies to:
You can now customize your Intune admin center experience by using collapsible navigation and favorites. The left navigation menus in the Microsoft Intune admin center are updated to support expanding and collapsing each subsection of the menu. In addition, you can set admin center pages as favorites. This portal capability will gradually roll out over the next week.
By default, menu sections are expanded. You can choose your portal menu behavior by selecting the Settings gear icon at the top right to display the Portal settings. Then, select Appearance + startup views and set the Service menu behavior to Collapsed or Expanded as the default portal option. Each menu section retains the expanded or collapsed state that you choose. Additionally, selecting the star icon next to a page on the left navigation adds the page to a Favorites section near the top of the menu.
For related information, see Change the Portal settings.
We recently released and improved the Managed Home Screen experience, which is now Generally Available. The app is redesigned to improve the core workflows throughout the application. The updated design offers a more usable and supportable experience.
With the release, we stop investing in previous Managed Home Screen workflows. New features and fixes for Managed Home Screen are only added to the new experience. During August 2024, the new experience is automatically enabled for all devices.
For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.
In Intune, you can require end users to enter their session PIN to resume activity on Managed Home Screen after the device is inactive for a specified period of time. Set the Minimum inactive time before session PIN is required setting to the number of seconds the device is inactive before the end user must input their session PIN.
For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.
IPv4 and IPv6 connectivity details are now both available from the Device Information page of the Managed Home Screen app. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.
Managed Home Screen now supports domainless sign-in. Admins can configure a domain name, which will be automatically appended to usernames upon sign-in. Also, Managed Home Screen supports a custom login hint text to be displayed to users during the sign-in process.
For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.
In Intune, you can now expose a setting in the Managed Home Screen app that allows the end user to turn on and off the device's auto-rotation. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.
In Intune, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You can choose to expose a setting in the app to allow end users to access a brightness slider to adjust the device screen brightness. Also, you can expose a setting to allow end users to toggle adaptive brightness.
For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.
Xamarin.Forms has evolved into .NET Multi-platform App UI (MAUI). Existing Xamarin projects should be migrated to .NET MAUI. For more information about upgrading Xamarin projects to .NET, see the Upgrade from Xamarin to .NET & .NET MAUI documentation.
Xamarin support ended as of May 1, 2024 for all Xamarin SDKs, including Xamarin.Forms and Intune App SDK Xamarin Bindings. For Intune support on Android and iOS platforms, see Intune App SDK for .NET MAUI - Android and Microsoft Intune App SDK for MAUI.iOS.
Win32 app supersedence provides the capability to supersede apps deployed as available with auto-update intent. For example, if you deploy a Win32 app (app A) as available and installed by users on their device, you can create a new Win32 app (app B) to supersede app A using auto-update. All targeted devices and users with app A installed as available from the Company Portal are superseded with app B. Also, only app B shows in the Company Portal. You can find the auto-update feature for available app supersedence as a toggle under the Available assignment in the Assignments tab.
For more information about app supersedence, see Add Win32 app supersedence.
On Android Enterprise devices, you can use an OEMConfig device configuration profile to add, create and/or customize OEM specific settings.
When you create an OEMConfig policy that exceeds 500 KB, then the following error is shown in the Intune admin center:
Profile is larger than 500KB. Adjust profile settings to decrease the size.
Previously, OEMConfig policies that exceeded 500 KB were shown as pending.
For more information on OEMConfig profiles, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.
Applies to:
Windows changed how the Firewall configuration service provider (CSP) enforces rules from Atomic blocks of firewall rules. The Windows Firewall CSP on a device implements the firewall rule settings from your Intune endpoint security Firewall policies. The change of CSP behavior now enforces an all-or-nothing application of firewall rules from each Atomic block of rules.
Previously, the CSP on a device would go through the firewall rules in an Atomic block one rule (or setting) at a time, with the goal of applying all the rules in that Atomic block or none of them. If the CSP encountered an issue applying any rule from the block to the device, it stopped at that rule and didn't process the subsequent rules. However, rules that applied successfully before the failing rule remained applied to the device. This behavior could lead to a partial deployment of firewall rules on a device, because the rules that were applied before a rule failed weren't reversed.
With the change to the Firewall CSP, when any rule in the block fails to apply to the device, all the rules from that same Atomic block that were applied successfully are rolled back. This behavior ensures the desired all-or-nothing behavior and prevents a partial deployment of firewall rules from that block. For example, if a device receives an Atomic block of firewall rules that contains a misconfigured rule that can't apply, or a rule that isn't compatible with the device's operating system, then the CSP fails all the rules from that block and rolls back any rules from it that were already applied to that device.
This change of Firewall CSP behavior is available on devices that run the following Windows versions or later:
For more information on the subject of how the Windows Firewall CSP uses Atomic blocks to contain firewall rules, see the note near the top of Firewall CSP in the Windows documentation.
For troubleshooting guidance, see the Intune support blog How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation process.
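The following Python is an added illustration, not Windows or Intune code, of the two behaviors described above: a constructed Device model applies a constructed Atomic block of rules first with the old stop-at-failure behavior and then with the new all-or-nothing rollback. The rule fields, the validation checks that stand in for the CSP rejecting a rule, and the sample rules are assumptions made for the demo.

```python
"""Model of the Firewall CSP behavior change: partial apply (old) versus
all-or-nothing with rollback (new). Added illustration; not Windows code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str                  # "in" or "out"
    action: str                     # "allow" or "block"
    protocol: str                   # "tcp", "udp", "icmpv4", ...
    local_port: Optional[int] = None
    min_build: int = 0              # constructed: lowest OS build that supports the rule


class UnsupportedRule(Exception):
    """Raised when the (modelled) CSP can't apply a rule to this device."""


@dataclass
class Device:
    build: int
    applied: Set[str] = field(default_factory=set)  # names of rules currently enforced

    def apply_rule(self, rule: FirewallRule) -> None:
        # Constructed validation standing in for the CSP rejecting a rule: a
        # malformed port, or a setting the device's OS build doesn't support.
        if rule.protocol in ("tcp", "udp") and not (
            rule.local_port is not None and 1 <= rule.local_port <= 65535
        ):
            raise UnsupportedRule(f"{rule.name}: invalid port {rule.local_port}")
        if self.build < rule.min_build:
            raise UnsupportedRule(
                f"{rule.name}: needs build {rule.min_build}, device has {self.build}"
            )
        self.applied.add(rule.name)

    def remove_rule(self, rule: FirewallRule) -> None:
        self.applied.discard(rule.name)


def apply_block_legacy(device: Device, block: List[FirewallRule]) -> bool:
    """Old behavior: stop at the first failing rule; earlier rules stay applied."""
    for rule in block:
        try:
            device.apply_rule(rule)
        except UnsupportedRule:
            return False
    return True


def apply_block_atomic(device: Device, block: List[FirewallRule]) -> bool:
    """New behavior: on any failure, roll back every rule of this block already applied."""
    done: List[FirewallRule] = []
    for rule in block:
        try:
            device.apply_rule(rule)
            done.append(rule)
        except UnsupportedRule:
            for earlier in reversed(done):
                device.remove_rule(earlier)
            return False
    return True


# Constructed sample block: two valid rules followed by a misconfigured one.
SAMPLE_BLOCK = [
    FirewallRule("Allow-RDP-In", "in", "allow", "tcp", 3389),
    FirewallRule("Block-SMB-In", "in", "block", "tcp", 445),
    FirewallRule("Broken-Port", "in", "allow", "tcp", 70000),  # out of range -> fails
]


def demo(block: List[FirewallRule] = SAMPLE_BLOCK) -> Tuple[bool, List[str], bool, List[str]]:
    """Apply the same block both ways and return (ok, rules left) for each."""
    legacy, atomic = Device(build=22621), Device(build=22621)
    legacy_ok = apply_block_legacy(legacy, block)
    atomic_ok = apply_block_atomic(atomic, block)
    return legacy_ok, sorted(legacy.applied), atomic_ok, sorted(atomic.applied)


if __name__ == "__main__":
    print(demo())  # legacy leaves two rules behind; atomic leaves none
```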
We added CrowdStrike Falcon as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the CrowdStrike connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment in your compliance policies.
With the Intune 2404 service release, the CrowdStrike connector is now available in the admin center. However, it isn't usable until CrowdStrike publishes the App Configuration profile details required to support iOS and Android devices. The profile details are expected sometime after the second week of May.
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
The Windows update distribution report in Intune provides a summarized report. This report shows:
You can drill down further in the report for each quality update that aggregates devices based on the Windows 10/11 feature version and the update statuses.
Finally, the admins can get the list of devices that aggregate to the numbers shown in the previous two reports, which can also be exported and used for troubleshooting and analysis along with the Windows Update for business reports.
For more information on Windows update distribution reports, see Windows Update reports on Intune.
Applies to:
The Microsoft 365 remote application diagnostics feature allows Intune admins to request Intune app protection logs and Microsoft 365 application logs (where applicable) directly from the Intune console. You can find this report in the Microsoft Intune admin center by selecting Troubleshooting + support > Troubleshoot > select a user > Summary > App protection. This feature is exclusive to applications that are under Intune app protection management. If supported, the application-specific logs are gathered and stored within dedicated storage solutions for each application.
For more information, see Collect diagnostics from an Intune managed device.
Remote Help now supports helpdesk connecting to a user's device and requesting full control of the macOS device.
For more information, see:
Applies to:
For previous months, see the What's new archive.
These notices provide important information that can help you prepare for future Intune changes and features.
With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows will enforce these changes on February 11, 2025.
To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:
For detailed steps and additional guidance, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:
We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.
If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.
If you choose to build apps targeting Android API 35, you'll need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you’ve wrapped your app and are targeting API 35 you'll need to use the new version of the App wrapper (v1.0.4549.6).
Note
As a reminder, while apps must update to the latest SDK if targeting Android 15, apps do not need to update the SDK to simply run on Android 15.
You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.
Here are the public repositories:
To support the upcoming release of iOS/iPadOS 18.1, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. Important: If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:
As a best practice, always update your iOS apps to the latest App SDK or App Wrapping Tool to ensure that your app continues to run smoothly.
If you have applications using the Intune App SDK or Intune App Wrapping Tool, you'll need to update to the latest version to support iOS 18.1.
For apps running on iOS 18.1, you must update to the new version of the Intune App SDK for iOS.
For apps running on iOS 18.1, you must update to the new version of the Intune App Wrapping Tool for iOS.
Notify your users, as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.1. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to Apps > Monitor > App protection status, then reviewing “Platform version” and “iOS SDK version”.
Starting on or after October 15, 2024, to further increase security, Microsoft will require admins to use multi-factor authentication (MFA) when signing into the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. To take advantage of the extra layer of protection MFA offers, we recommend enabling MFA as soon as possible. To learn more, review Planning for mandatory multifactor authentication for Azure and admin portals.
Note
This requirement also applies to any services accessed through the Intune admin center, such as Windows 365 Cloud PC.
MFA must be enabled for your tenant to ensure admins are able to sign in to the Azure portal, Microsoft Entra admin center, and Intune admin center after this change.
For more information, refer to: Planning for mandatory multifactor authentication for Azure and admin portals.
Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 16/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.
If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).
Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.
To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 16/iPadOS 16 while the allowed OS version will change to iOS 13/iPadOS 13 and later. See this statement about ADE Userless support for more information.
Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.
To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.
Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS is a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices.
This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Ventura is compatible with these computers.
Note
Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 12.x or below.
Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.
With the end of support for Xamarin Bindings, Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on May 1, 2024.
If you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI.
Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps:
Last year we announced a new Microsoft Intune GitHub repository based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, in May 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.
If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.
Update your PowerShell scripts by:
For detailed step-by-step instructions visit powershell-intune-samples/Updating App Registration (github.com).
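Added example, not from the Intune documentation or the powershell-intune-samples repository: a small inventory function that finds scripts still signing in with the legacy global Intune PowerShell app ID quoted above, and the replacement sign-in pattern using your own Microsoft Entra app registration. It assumes the Microsoft.Graph PowerShell module; the client and tenant IDs are placeholders you supply.

```powershell
# Added example (not Microsoft's code). The legacy ID below is the one quoted in the notice;
# the client and tenant IDs passed to Connect-IntuneGraph are placeholders.
$LegacyIntuneAppId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'

function Find-LegacyIntuneAppId {
    # Inventory step: every .ps1/.psm1 under $Path that still references the legacy ID, with line numbers.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Include *.ps1, *.psm1 -Recurse -File |
        Select-String -Pattern $LegacyIntuneAppId -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

function Connect-IntuneGraph {
    # Replacement sign-in: delegated auth through your registered application, requesting only
    # the Graph scopes the script actually needs.
    param(
        [Parameter(Mandatory)][string]$ClientId,   # placeholder: your app registration's Application (client) ID
        [Parameter(Mandatory)][string]$TenantId,   # placeholder: your Microsoft Entra tenant ID
        [string[]]$Scopes = @('DeviceManagementManagedDevices.Read.All')
    )
    if ($ClientId -eq $LegacyIntuneAppId) {
        throw 'Refusing to sign in with the retired global Intune PowerShell app ID; register your own application.'
    }
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes -NoWelcome
    $ctx = Get-MgContext
    'Signed in to tenant {0} as {1} with app {2}' -f $ctx.TenantId, $ctx.Account, $ctx.ClientId
}

# Usage: find what needs changing, then sign in the new way.
Find-LegacyIntuneAppId -Path 'C:\Scripts\Intune' | Format-Table -AutoSize
Connect-IntuneGraph -ClientId '<your-client-id>' -TenantId '<your-tenant-id>'
```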
In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:
Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.
Note
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.
For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:
While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:
For more information, review: Manage operating system versions with Microsoft Intune.
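Added example, not from the Intune documentation: a report of enrolled devices below the minimum OS versions named in the iOS/iPadOS, macOS, and Android notices above, using the Microsoft Graph PowerShell SDK rather than the admin center filters described in those sections. It assumes the Microsoft.Graph module is installed and you have already run Connect-MgGraph with the DeviceManagementManagedDevices.Read.All scope.

```powershell
# Added example (not Microsoft's code). The minimum versions are the ones stated in the
# notices above; the operatingSystem strings they are keyed on are assumed to match what
# Intune reports for each platform.
function ConvertTo-MajorMinorVersion {
    # Intune reports versions such as "15.8.3", "14" or "13.6"; keep only major.minor so [version] parses them.
    param([string]$Text)
    if ($Text -match '^(\d+)(?:\.(\d+))?') {
        $minor = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
        return [version]::new([int]$Matches[1], $minor)
    }
    return $null
}

function Get-DeviceBelowMinimumOs {
    param(
        # Hashtable keys are case-insensitive by default, so "ios" and "iOS" both match.
        [hashtable]$Minimums = @{ 'iOS' = '16.0'; 'iPadOS' = '16.0'; 'macOS' = '13.0'; 'Android' = '10.0' }
    )
    Get-MgDeviceManagementManagedDevice -All -Property DeviceName, UserPrincipalName, OperatingSystem, OsVersion, LastSyncDateTime |
        ForEach-Object {
            $os = $_.OperatingSystem
            if (-not $os -or -not $Minimums.ContainsKey($os)) { return }   # platform not covered by a notice
            $have = ConvertTo-MajorMinorVersion $_.OsVersion
            if ($null -eq $have) { return }                                 # unparseable version: skip rather than misreport
            if ($have -lt [version]$Minimums[$os]) {
                [pscustomobject]@{
                    DeviceName = $_.DeviceName
                    User       = $_.UserPrincipalName
                    OS         = $os
                    OsVersion  = $_.OsVersion
                    Minimum    = $Minimums[$os]
                    LastSync   = $_.LastSyncDateTime
                }
            }
        }
}

# One table covering all three notices; sort by platform, then version, to see the oldest first.
Get-DeviceBelowMinimumOs | Sort-Object OS, OsVersion | Format-Table -AutoSize
```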
Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
Note
For web enrollment, you will need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration. For more information, review: Set up just in time registration in Microsoft Intune.
This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method; existing profiles are not impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.
Additional information:
We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.
Note that customers in some environments cannot be transitioned initially. For more details and updates, read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.
If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.
After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.
If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.
Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.
After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:
Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.
Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.
In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune
If you're using Microsoft Store for Business and Education apps:
The retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.
We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:
Related information
Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for the WIP without enrollment scenario at the end of calendar year 2022.
If you have enabled WIP policies, you should turn off or disable these policies.
We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.