What's new in the Microsoft Intune - previous months

Week of September 18, 2023 (Service release 2309)

App management

MAM for Windows general availability

You can now enable protected MAM access to org data via Microsoft Edge on personal Windows devices. This capability uses the following functionality:

  • Intune Application Configuration Policies (ACP) to customize the org user experience in Microsoft Edge
  • Intune Application Protection Policies (APP) to secure org data and ensure the client device is healthy when using Microsoft Edge
  • Windows Security Center threat defense integrated with Intune APP to detect local health threats on personal Windows devices
  • Application Protection Conditional Access to ensure the device is protected and healthy before granting protected service access via Microsoft Entra ID

Intune Mobile Application Management (MAM) for Windows is available for Windows 11, build 10.0.22621 (22H2) or later. This feature includes the supporting changes for Microsoft Intune (2309 release), Microsoft Edge (v117 stable branch and later) and Windows Security Center (v 1.0.2309.xxxxx and later). App Protection Conditional Access is in Public Preview.

Sovereign cloud support is expected in the future. For more information, see App protection policy settings for Windows.

Device configuration

OEMConfig profiles that don't deploy successfully aren't shown as "pending"

For Android Enterprise devices, you can create a configuration policy that configures the OEMConfig app (Devices > Configuration > Create > Android Enterprise for platform > OEMConfig for profile type).

Previously, OEMConfig profiles that exceeded 350 KB showed a "pending" state. This behavior has changed. An OEMConfig profile that exceeds 350 KB isn't deployed to the device. Profiles in a pending state or profiles larger than 350 KB aren't shown. Only profiles that successfully deploy are shown.

This change is a UI change only. No changes are made to the corresponding Microsoft Graph APIs.

To monitor the profile pending status in the Intune admin center, go to Devices > Configuration > Select the profile > Device status.

Applies to:

  • Android Enterprise

For more information on OEM Configuration, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Config Refresh settings are in the settings catalog for Windows Insiders

In the Windows Settings Catalog, you can configure Config Refresh. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune.

Config Refresh:

  • Enable config refresh
  • Refresh cadence (minutes)

Applies to:

  • Windows 11

For more information on the Settings Catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Managed Settings now available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

The settings within the Managed Settings command are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS > Settings catalog for profile type.

Managed Settings > App Analytics:

  • Enabled: If true, enable sharing app analytics with app developers. If false, disable sharing app analytics.

Applies to:

  • Shared iPad

Managed Settings > Accessibility Settings:

  • Bold Text Enabled
  • Grayscale Enabled
  • Increase Contrast Enabled
  • Reduce Motion Enabled
  • Reduce Transparency Enabled
  • Text Size
  • Touch Accommodations Enabled
  • Voice Over Enabled
  • Zoom Enabled

Managed Settings > Software Update Settings:

  • Recommendation Cadence: This value defines how the system presents software updates to the user.

Managed Settings > Time Zone:

  • Time Zone: The Internet Assigned Numbers Authority (IANA) time zone database name.

Applies to:

  • iOS/iPadOS

Managed Settings > Bluetooth:

  • Enabled: If true, enable the Bluetooth setting. If false, disable the Bluetooth setting.

Managed Settings > MDM Options:

  • Activation Lock Allowed While Supervised: If true, a supervised device registers itself with Activation Lock when the user enables Find My.

Applies to:

  • iOS/iPadOS
  • macOS

For more information on these settings, see Apple's developer website. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

New setting available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There's a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Configuration > Create > macOS > Settings catalog for profile type.

Microsoft Defender > Cloud delivered protection preferences:

  • Cloud Block Level

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Intune integration with the Zebra Lifeguard Over-the-Air service is generally available

Microsoft Intune supports integration with Zebra Lifeguard Over-the-Air service, which allows you to deliver OS updates and security patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can select the firmware version you want to deploy, set a schedule, and stagger update downloads and installs. You can also set minimum battery, charging status, and network conditions requirements for when the update can happen.

This integration is now generally available for Android Enterprise Dedicated and Fully Managed Zebra devices that are running Android 8 or later. It also requires a Zebra account and Intune Plan 2 or Microsoft Intune Suite.

Previously, this feature was in public preview and free for use. With this release as generally available, this solution now requires an add-on license for its use.

For licensing details, see Intune add-ons.

Device enrollment

SSO support during enrollment for Android Enterprise fully managed and corporate-owned devices with a work profile

Intune supports single sign-on (SSO) on Android Enterprise devices that are fully managed or corporate-owned with a work profile. With the addition of SSO during enrollment, end users enrolling their devices only need to sign in once with their work or school account.

Applies to:

  • Android Enterprise corporate owned devices with a work profile
  • Android Enterprise fully managed

For more information on these enrollment methods, see:

Device management

Introducing Remote Help on macOS

The Remote Help web app allows users to connect to macOS devices and join a view-only remote assistance session.

Applies to:

  • 11 Big Sur
  • 12 Monterey
  • 13 Ventura

For more information on Remote Help on macOS, see Remote Help.

Management certificate expiration date

Management certificate expiration date is available as a column in the Devices workload. You can filter on a range of expiration dates for the management certificate and also export a list of devices with an expiration date matching the filter.

This information is available in Microsoft Intune admin center by selecting Devices > All devices.

Windows Defender Application Control (WDAC) references are updated to App Control for Business

Windows renamed Windows Defender Application Control (WDAC) as App Control for Business. With this change, the references in Intune docs and the Intune admin center are updated to reflect this new name.

Intune supports iOS/iPadOS 15.x as the minimum version

Apple released iOS/iPadOS version 17. Now, the minimum version supported by Intune is iOS/iPadOS 15.x.

Applies to:

  • iOS/iPadOS

For more information on this change, see Plan for change: Intune is moving to support iOS/iPadOS 15 and later.

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement for supported versus allowed iOS/iPadOS versions for user-less devices.

Government tenant support for endpoint security Application Control policy and managed installer

We've added support to use endpoint security Application Control policies, and to configure a managed installer, to the following sovereign cloud environments:

  • US Government clouds
  • 21Vianet in China

Support for Application Control policy and managed installers was originally released in preview in June 2023. Application Control policies in Intune are an implementation of Defender Application Control (WDAC).

Device security

Endpoint Privilege Management support for Windows 365 devices

You can now use Endpoint Privilege Management to manage application elevations on Windows 365 devices (also known as Cloud PCs).

This support doesn't include Azure Virtual Desktop.

Elevation report by Publisher for Endpoint Privilege Management

We've released a new report named Elevation report by Publisher for Endpoint Privilege Management (EPM). With this new report you can view all managed and unmanaged elevations, which are aggregated by the publisher of the app that is elevated.

You'll find the report in the Report node for EPM in the Intune admin center. Navigate to Endpoint security > Endpoint Privilege Management and then select the Reports tab.

macOS support with Intune Endpoint security policies for Endpoint detection and response

Intune Endpoint security policies for Endpoint detection and response (EDR) now support macOS. To enable this support, we've added a new EDR template profile for macOS. Use this profile with macOS devices enrolled with Intune and macOS devices managed through the opt-in public preview of the Defender for Endpoint security settings management scenario.

The EDR template for macOS includes the following settings for the Device tags category from Defender for Endpoint:

  • Type of tag – The GROUP tag tags the device with the specified value. The tag is reflected in the admin center on the device page and can be used for filtering and grouping devices.
  • Value of tag – Only one value per tag can be set. The Type of a tag is unique and shouldn't be repeated in the same profile.

To learn more about Defender for Endpoint settings that are available for macOS, see Set preferences for Microsoft Defender for Endpoint on macOS in the Defender documentation.

Linux support with Intune Endpoint security policies for Endpoint detection and response

Intune Endpoint security policies for Endpoint detection and response (EDR) now support Linux. To enable this support, we've added a new EDR template profile for Linux. Use this profile with Linux devices enrolled with Intune and Linux devices managed through the opt-in public preview of the Defender for Endpoint security settings management scenario.

The EDR template for Linux includes the following settings for the Device tags category from Defender for Endpoint:

  • Value of tag – Only one value per tag can be set. The Type of a tag is unique and shouldn't be repeated in the same profile.
  • Type of tag – The GROUP tag tags the device with the specified value. The tag is reflected in the admin center on the device page and can be used for filtering and grouping devices.

You can learn more about Defender for Endpoint settings that are available for Linux in Set preferences for Microsoft Defender for Endpoint on Linux in the Defender documentation.

Monitor and troubleshoot

Updated reports for Update rings for Windows 10 and later

Reporting for Update rings for Windows 10 and later has been updated to use Intune's improved reporting infrastructure. These changes align to similar improvements introduced for other Intune features.

With this change for reports for Update rings for Windows 10 and later, when you select an update rings policy in the Intune admin center, there isn't a left-pane navigation for Overview, Manage, or Monitor options. Instead, the policy view opens to a single pane that includes the following policy details:

  • Essentials – including the policy name, created and modified dates, and more details.
  • Device and user check-in status – This view is the default report view and includes:
    • A high-level overview of device status for this policy, and a View report button to open a more comprehensive report view.
    • A streamlined representation and count of the different device status values returned by devices assigned to the policy. The simplified bar and chart replace the doughnut charts used in the prior reporting representation.
  • Two other report tiles to open more reports. These tiles include:
    • Device assignment status – This report combines the same information as the previous Device status and User status reports, which are no longer available. However, with this change, pivots and drill-through based on the user name are no longer available.
    • Per setting status – This new report provides success metrics for each setting configured differently than the defaults, giving new insight into which settings might not be deploying successfully to your organization.
  • Properties – View details for each configuration page of the policy, including an option to Edit each area's profile details.

For more information about reports for update rings for Windows 10 and later, see Reports for Update rings for Windows 10 and later policy in the Windows Update reports for Microsoft Intune article.

Role-based access

Updating the scope of UpdateEnrollment

With the introduction of a new role UpdateEnrollment, the scope of UpdateOnboarding is getting updated.

The UpdateOnboarding setting for custom and built-in roles is modified to only manage or change the Android Enterprise binding to Managed Google Play and other account-wide configurations. Any built-in roles that used UpdateOnboarding will now have UpdateEnrollmentProfiles included.

The resource name is being updated from Android for work to Android Enterprise.

For more information, see Role-based access control (RBAC) with Microsoft Intune.

Week of September 11, 2023

Device configuration

Introducing Remote Launch on Remote Help

With Remote Launch, the helper can launch Remote Help seamlessly on both the helper's and the user's device from Intune by sending a notification to the user's device. This feature allows both the helpdesk and the sharer to be connected to a session quickly without exchanging session codes.

Applies to:

  • Windows 10/11

For more information, see Remote Help.

Week of September 4, 2023

Device management

Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on August 30, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable.

If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends.

For more information, see Ending support for Android device administrator on GMS devices.

Week of August 28, 2023

Device configuration

Windows and Android support for 4096-bit key size for SCEP and PFX certificate profiles

Intune SCEP certificate profiles and PKCS certificate profiles for Windows and Android devices now support a Key size (bits) of 4096. This key size is available for new profiles and existing profiles you choose to edit.

  • SCEP profiles have always included the Key size (bits) setting and now support 4096 as an available configuration option.
  • PKCS profiles don't include the Key size (bits) setting directly. Instead, an admin must modify the certificate template on the Certification Authority to set the Minimum key size to 4096.

If you use a third-party Certificate Authority (CA), you might need to contact your vendor for assistance with implementing the 4096-bit key size.

When updating or deploying new certificate profiles to take advantage of this new key size, we recommend using a staggered deployment approach. This approach can help avoid creating excessive demand for new certificates across a large number of devices at the same time.

With this update, be aware of the following limitations on Windows devices:

  • 4096-bit key storage is supported only in the Software Key Storage Provider (KSP). The following don't support storing keys of this size:
    • The hardware TPM (Trusted Platform Module). As a workaround you can use the Software KSP for key storage.
    • Windows Hello for Business. There isn't a workaround at this time.
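As an added example (not from the Intune documentation), the following PowerShell snippet audits RSA certificates in the local machine and current user personal stores and reports each key's size and key storage provider, flagging 4096-bit keys that are not held by the Software KSP. The provider name strings are the standard Windows CNG provider names; the `Review` flag logic is this example's own assumption about what is worth following up after rolling out 4096-bit profiles.

```powershell
# Added example: report RSA certificate key size and key storage provider so an admin
# can confirm where 4096-bit keys from SCEP/PKCS profiles actually landed.
# Relevant Windows CNG provider names (assumed, standard Windows names):
#   'Microsoft Software Key Storage Provider'  - the Software KSP (supports 4096-bit)
#   'Microsoft Platform Crypto Provider'       - TPM-backed (does not support 4096-bit)
#   'Microsoft Passport Key Storage Provider'  - Windows Hello for Business
function Get-RsaKeyStorageReport {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    $softwareKsp = 'Microsoft Software Key Storage Provider'

    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            if (-not $cert.HasPrivateKey) { continue }

            # Returns $null for non-RSA (e.g. ECDSA) keys; may throw if the key is inaccessible.
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            } catch {
                $rsa = $null
            }
            if ($null -eq $rsa) { continue }

            # CNG keys expose the provider via CngKey; legacy CAPI keys via CspKeyContainerInfo.
            $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $rsa.CspKeyContainerInfo.ProviderName
            } else {
                'Unknown'
            }

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeySize    = $rsa.KeySize
                Provider   = $provider
                NotAfter   = $cert.NotAfter
                # Assumption for this example: a 4096-bit key outside the Software KSP
                # contradicts the documented limitation and deserves a closer look.
                Review     = ($rsa.KeySize -ge 4096 -and $provider -ne $softwareKsp)
            }
        }
    }
}

Get-RsaKeyStorageReport | Sort-Object KeySize -Descending | Format-Table -AutoSize
```

Run it in an elevated session to read the machine store; certificates whose `Review` column is `True` are the ones to check against the profile and CA template configuration.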

Tenant administration

Access policies for multiple Administrator Approval are now generally available

Access policies for multiple Administrator Approval are out of public preview and are now generally available. With these policies, you can protect a resource, like App deployments, by requiring any change to the deployment to be approved by one of a group of users who are approvers for the resource, before that change is applied.

For more information, see Use Access policies to require multiple administrative approval.

Week of August 21, 2023 (Service release 2308)

App management

Managed Home Screen end-users prompted to grant exact alarm permission

Managed Home Screen uses the exact alarm permission to do the following actions:

  • Automatically sign out users after a set time of inactivity on the device
  • Launch a screen saver after a set period of inactivity
  • Automatically relaunch MHS after a certain period of time when a user exits kiosk mode

For devices running Android 14 and higher, by default, the exact alarm permission will be denied. To make sure critical user functionality isn't impacted, end-users are prompted to grant exact alarm permission upon first launch of Managed Home Screen. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android's developer documentation.

Managed Home Screen notifications

For Android devices running Android 13 or higher that target API level 33, by default, applications don't have permission to send notifications. In previous versions of Managed Home Screen, when an admin had enabled automatic relaunch of Managed Home Screen, a notification was displayed to alert users of the relaunch. To accommodate the change to notification permission, in the scenario when an admin has enabled auto-relaunch of Managed Home Screen, the application now displays a toast message alerting users of the relaunch. Managed Home Screen is able to auto-grant permission for this notification, so no change is required for admins configuring Managed Home Screen to accommodate the change in notification permission with API level 33. For more information about Android 13 (API level 33) notification messages, see the Android developer documentation. For more information about Managed Home Screen, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

New macOS web clip app type

In Intune, end users can pin web apps to the dock on your macOS devices (Apps > macOS > Add > macOS web clip).

Applies to:

  • macOS

For related information about the settings you can configure, see Add web apps to Microsoft Intune.

Win32 app configurable installation time

In Intune, you can set a configurable installation time to deploy Win32 apps. This time is expressed in minutes. If the app takes longer to install than the set installation time, the system will fail the app install. Max timeout value is 1440 minutes (1 day). For more information about Win32 apps, see Win32 app management in Microsoft Intune.

Samsung Knox conditional launch check

You can add more detection of device health compromises on Samsung Knox devices. Using a conditional launch check within a new Intune App Protection Policy, you can require that hardware-level device tamper detection and device attestation be performed on compatible Samsung devices. For more information, see the Samsung Knox device attestation setting in the Conditional launch section of Android app protection policy settings in Microsoft Intune.

Device configuration

Remote Help for Android in public preview

Remote Help is available in public preview for Android Enterprise Dedicated devices from Zebra and Samsung. With Remote Help, IT Pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues quickly and efficiently.

Applies to:

  • Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, see Remote Help on Android.

Group Policy analytics is generally available

Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze your on-premises group policy objects (GPOs) for their migration to Intune policy settings.

Applies to:

  • Windows 11
  • Windows 10

For more information about Group Policy analytics, see Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune.

New SSO, login, restrictions, passcode, and tamper protection settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS > Settings catalog for profile type.

iOS/iPadOS 17.0 and later

Restrictions:

  • Allow iPhone Widgets On Mac

macOS

Microsoft Defender > Tamper protection:

  • Process's arguments
  • Process path
  • Process's Signing Identifier
  • Process's Team Identifier
  • Process exclusions

macOS 13.0 and later

Authentication > Extensible Single Sign On (SSO):

  • Account Display Name
  • Additional Groups
  • Administrator Groups
  • Authentication Method
  • Authorization Right
  • Group
  • Authorization Group
  • Enable Authorization
  • Enable Create User At Login
  • Login Frequency
  • New User Authorization Mode
  • Account Name
  • Full Name
  • Token To User Mapping
  • User Authorization Mode
  • Use Shared Device Keys

macOS 14.0 and later

Login > Login Window Behavior:

  • Autologin Password
  • Autologin Username

Restrictions:

  • Allow ARD Remote Management Modification
  • Allow Bluetooth Sharing Modification
  • Allow Cloud Freeform
  • Allow File Sharing Modification
  • Allow Internet Sharing Modification
  • Allow Local User Creation
  • Allow Printer Sharing Modification
  • Allow Remote Apple Events Modification
  • Allow Startup Disk Modification
  • Allow Time Machine Backup

Security > Passcode:

  • Password Content Description
  • Password Content Regex

Device enrollment

Just-in-time registration and compliance remediation for iOS/iPadOS Setup Assistant with modern authentication now generally available

Just in time (JIT) registration and compliance remediation for Setup Assistant with modern authentication are now out of preview and generally available. With just in time registration, the device user doesn't need to use the Company Portal app for Microsoft Entra registration and compliance checking. JIT registration and compliance remediation are embedded into the user's provisioning experience, so they can view their compliance status and take action within the work app they're trying to access. Also, this establishes single-sign on across the device. For more information about how to set up JIT registration, see Set up Just in Time Registration.

Awaiting final configuration for iOS/iPadOS automated device enrollment now generally available

Now generally available, awaiting final configuration enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies install on devices. The locked experience works on devices targeted with new and existing enrollment profiles. Supported devices include:

  • iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication
  • iOS/iPadOS 13+ devices enrolling without user affinity
  • iOS/iPadOS 13+ devices enrolling with Microsoft Entra ID shared mode

This setting is applied once during the out-of-box automated device enrollment experience in Setup Assistant. The device user doesn't experience it again unless they re-enroll their device. Awaiting final configuration is enabled by default for new enrollment profiles. For information about how to enable awaiting final configuration, see Create an Apple enrollment profile.

Device management

Changes to Android notification permission prompt behavior

We've updated how our Android apps handle notification permissions to align with recent changes made by Google to the Android platform. As a result of Google's changes, notification permissions are granted to apps as follows:

  • On devices running Android 12 and earlier: Apps are permitted to send notifications to users by default.
  • On devices running Android 13 and later: Notification permissions vary depending on the API the app targets.
    • Apps targeting API 32 and lower: Google has added a notification permission prompt that appears when the user opens the app. Management apps can still configure apps so that they're automatically granted notification permissions.
    • Apps targeting API 33 and higher: App developers define when the notification permission prompts appear. Management apps can still configure apps so that they're automatically granted notification permissions.

You and your device users can expect to see the following changes now that our apps target API 33:

  • Company Portal used for work profile management: Users see a notification permission prompt in the personal instance of the Company Portal when they first open it. Users don't see a notification permission prompt in the work profile instance of Company Portal because notification permissions are automatically permitted for Company Portal in the work profile. Users can silence app notifications in the Settings app.
  • Company Portal used for device administrator management: Users see a notification permission prompt when they first open the Company Portal app. Users can adjust app notification settings in the Settings app.
  • Microsoft Intune app: No changes to existing behavior. Users don't see a prompt because notifications are automatically permitted for the Microsoft Intune app. Users can adjust some app notification settings in the Settings app.
  • Microsoft Intune app for AOSP: No changes to existing behavior. Users don't see a prompt because notifications are automatically permitted for the Microsoft Intune app. Users can't adjust app notification settings in the Settings app.

Device security

Defender Update controls to deploy updates for Defender is now generally available

The profile Defender Update controls for Intune Endpoint security Antivirus policy, which manages update settings for Microsoft Defender, is now generally available. This profile is available for the Windows 10, Windows 11, and Windows Server platform. While in public preview, this profile was available for the Windows 10 and later platform.

The profile includes settings for the rollout release channel by which devices and users receive Defender Updates that are related to daily security intelligence updates, monthly platform updates, and monthly engine updates.

This profile includes the following settings, which are all directly taken from Defender CSP - Windows Client Management.

  • Engine Updates Channel
  • Platform Updates Channel
  • Security Intelligence Updates Channel

These settings are also available from the settings catalog for the Windows 10 and later profile.

Elevation report by applications for Endpoint Privilege Management

We've released a new report named Elevation report by applications for Endpoint Privilege Management (EPM). With this new report you can view all managed and unmanaged elevations, which are aggregated by the application that elevated. This report can aid you in identifying applications that might require elevation rules to function properly, including rules for child processes.

You'll find the report in the Report node for EPM in the Intune admin center. Navigate to Endpoint security > Endpoint Privilege Management and then select the Reports tab.

New settings available for macOS Antivirus policy

The Microsoft Defender Antivirus profile for macOS devices has been updated with nine more settings, and three new settings categories:

Antivirus engine – The following settings are new in this category:

  • Degree of parallelism for on-demand scans – Specifies the degree of parallelism for on-demand scans. This setting corresponds to the number of threads used to perform the scan and affects CPU usage and the duration of the on-demand scan.
  • Enable file hash computation – Enables or disables the file hash computation feature. When this feature is enabled, Windows Defender computes hashes for files it scans. This setting helps improve the accuracy of Custom Indicator matches. However, enabling file hash computation can impact device performance.
  • Run a scan after definitions are updated – Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting triggers an antivirus scan on the running processes of the device.
  • Scanning inside archive files – If true, Defender unpacks archives and scans the files inside them. Otherwise archive content is skipped, which improves scanning performance.

Network protection – A new category that includes the following setting:

  • Enforcement level – Configure this setting to specify if network protection is disabled, in audit mode, or enforced.

Tamper protection - A new category that includes the following setting:

  • Enforcement level - Specify whether tamper protection is disabled, in audit mode, or enforced.

User interface preferences – A new category that includes the following settings:

  • Control sign-in to consumer version - Specify whether users can sign into the consumer version of Microsoft Defender.
  • Show / hide status menu icon – Specify whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.
  • User initiated feedback – Specify whether users can submit feedback to Microsoft by going to Help > Send Feedback.

New profiles that you create include the original settings and the new settings. Your existing profiles automatically update to include the new settings, with each new setting set to Not configured until you choose to edit that profile to change it.

For more information about how to set preferences for Microsoft Defender for Endpoint on macOS in enterprise organizations, see Set preferences for Microsoft Defender for Endpoint on macOS.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • VerityRMS by Mackey LLC (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

CloudDesktop log now collected with Windows diagnostics data

The Intune remote action to collect diagnostics from a Windows device now includes data in a log file.

Log file:

  • %temp%\CloudDesktop*.log

Anomaly detection device cohorts in Intune Endpoint analytics is generally available

Anomaly detection device cohorts in Intune Endpoint analytics is now generally available.

Device cohorts are identified among devices associated with a high or medium severity anomaly. Devices are correlated into groups based on one or more factors they have in common, such as an app version, driver update, OS version, or device model. A correlation group contains a detailed view with key information about the common factors between all affected devices in that group. You can also view a breakdown of devices currently affected by the anomaly and "at risk" devices. "At risk" devices haven't yet shown symptoms of the anomaly.

For more information, see Anomaly detection in Endpoint analytics.

Improved user experience for device timeline in Endpoint Analytics

The user interface (UI) for device timeline in Endpoint analytics is improved and includes more advanced capabilities (support for sorting, searching, filtering, and exports). When viewing a specific device timeline in Endpoint analytics, you can search by event name or details. You can also filter the events and choose the source and level of events that appear on the device timeline and select a time range of interest.

For more information, see Enhanced device timeline.

Updates for compliance policies and reports

We've made several improvements to the Intune compliance policies and reports. With these changes, the reports more closely align to the experience in use for device configuration profiles and reports. We've updated our compliance report documentation to reflect the available compliance report improvements.

Compliance report improvements include:

  • Compliance details for Linux devices.
  • Redesigned reports that are up-to-date and simplified, with newer report versions beginning to replace older report versions, which will remain available for some time.
  • When viewing a policy for compliance, there isn't a left-pane navigation. Instead, the policy view opens to a single pane that defaults to the Monitor tab and its Device status view.
    • This view provides a high-level overview of device status for this policy, supports drilling in to review the full report, and a per-setting status view of the same policy.
    • The doughnut chart is replaced by a streamlined representation and count of the different device status values returned by devices assigned the policy.
    • You can select the Properties tab to view the policy details, and review and edit its configuration and assignments.
    • The Essentials section is removed with those details appearing in the policy's Properties tab.
  • The updated status reports support sorting by columns, the use of filters, and search. Combined, these enhancements enable you to pivot the report to display specific subsets of details you want to view at that time. With these enhancements, we have removed the User status report as it has become redundant. Now, while viewing the default Device status report you can focus the report to display the same information that was available from User status by sorting on the User Principal Name column, or searching for a specific username in the search box.
  • When viewing status reports, the count of devices that Intune displays now remains consistent between different report views as you drill in for deeper insights or details.

For more information about these changes, see the Intune Support Team blog at https://aka.ms/Intune/device_compl_report.

Week of August 14, 2023

App management

Use the Turn off the Store application setting to disable end user access to Store apps, and allow managed Intune Store apps

In Intune, you can use the new Store app type to deploy Store apps to your devices.

Now, you can use the Turn off the Store application policy to disable end users' direct access to Store apps. When it's disabled, end users can still access and install Store apps from the Windows Company Portal app and through Intune app management. If you want to allow random store app installs outside of Intune, then don't configure this policy.

The previous Only display the private store within the Microsoft Store app policy doesn't prevent end users from directly accessing the store using the Windows Package Manager winget APIs. So, if your goal is to block random unmanaged Store application installs on client devices, then it's recommended to use the Turn off the Store application policy. Don't use the Only display the private store within the Microsoft Store app policy.

Applies to:

  • Windows 10 and later

For more information, see Add Microsoft Store Apps to Microsoft Intune.

Week of August 7, 2023

Role-based access control

Introducing a new role-based access control (RBAC) permission under the resource Android for work

Introducing a new RBAC Permission for creating a custom role in Intune, under the resource Android for work. The permission Update Enrollment Profile allows the admin to manage or change both AOSP and Android Enterprise Device Owner enrollment profiles that are used to enroll devices.

For more information, see Create custom role.

Week of July 31, 2023

Device security

New BitLocker profile for Intune's endpoint security Disk encryption policy

We have released a new experience for creating new BitLocker profiles for endpoint security Disk Encryption policy. The experience for editing your previously created BitLocker policies remains the same, and you can continue to use them. This update applies only to the new BitLocker policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security policies, which began in April 2022.

App management

Uninstall Win32 and Microsoft store apps using the Windows Company Portal

End-users can uninstall Win32 apps and Microsoft store apps using the Windows Company Portal if the apps were assigned as available and were installed on-demand by the end-users. For Win32 apps, you have the option to enable or disable this feature (off by default). For Microsoft store apps, this feature is always on and available for your end-users. If an app can be uninstalled by the end-user, the end-user will be able to select Uninstall for the app in the Windows Company Portal. For related information, see Add apps to Microsoft Intune.

Week of July 24, 2023 (Service release 2307)

App management

Intune supports new Google Play Android Management API

Changes have been made to how Managed Google Play public apps are managed in Intune. These changes are to support Google's Android Management APIs (opens Google's web site).

Applies to:

  • Android Enterprise

To learn more about changes to the admin and user experience, see Support Tip: Intune moving to support new Google Play Android Management API.

App report for Android Enterprise corporate-owned devices

You can now view a report containing all apps found on a device for Android Enterprise corporate-owned scenarios, including system apps. This report is available in Microsoft Intune admin center by selecting Apps > Monitor > Discovered apps. You'll see Application Name and Version for all apps detected as installed on the device. It can take up to 24 hours for app information to populate the report.

For related information, see Intune discovered apps.

Add unmanaged PKG-type applications to managed macOS devices [Public Preview]

You can now upload and deploy unmanaged PKG-type applications to managed macOS devices using the Intune MDM agent for macOS devices. This feature enables you to deploy custom PKG installers, such as unsigned apps and component packages. You can add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS app (PKG) for app type.

Applies to:

  • macOS

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To deploy managed PKG-type apps, you can continue to add macOS line-of-business (LOB) apps to Microsoft Intune. For more information about the Intune MDM agent for macOS devices, see Microsoft Intune management agent for macOS.

New settings available for the iOS/iPadOS web clip app type

In Intune, you can pin web apps to your iOS/iPadOS devices (Apps > iOS/iPadOS > Add > iOS/iPadOS web clip). When you add web clips, there are new settings available:

  • Full screen: If configured to Yes, launches the web clip as a full-screen web app without a browser. There's no URL bar, search bar, or bookmarks.
  • Ignore manifest scope: If configured to Yes, a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip's URL. This setting has no effect when Full screen is set to No. Available in iOS 14 and later.
  • Precomposed: If configured to Yes, prevents Apple's application launcher (SpringBoard) from adding "shine" to the icon.
  • Target application bundle identifier: Enter the application bundle identifier that specifies the application that opens the URL. Available in iOS 14 and later.

Applies to:

  • iOS/iPadOS

For more information, see Add web apps to Microsoft Intune.

Change to default settings when adding Windows PowerShell scripts

In Intune, you can use policies to deploy Windows PowerShell scripts to your Windows devices (Devices > Scripts > Add > Windows 10 and later). When you add a Windows PowerShell script, there are settings you configure. To increase secure-by-default behavior of Intune, the default behavior of the following settings has changed:

  • The Run this script using the logged on credentials setting defaults to Yes. Previously, the default was No.
  • The Enforce script signature check setting defaults to Yes. Previously, the default was No.

This behavior applies to new scripts you add, not existing scripts.

Applies to:

  • Windows 10 and later (excluding Windows 10 Home)

For more information about using Windows PowerShell scripts in Intune, see Use PowerShell scripts on Windows 10/11 devices in Intune.
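Because Enforce script signature check now defaults to Yes, an unsigned or tampered script silently fails on the device. The following PowerShell pre-flight check, added here as an example and not part of the Intune documentation, reports which scripts in a folder carry a valid Authenticode signature before you upload them; the folder path and the timestamp server URL are assumptions.

```powershell
# Added example (not from the Intune docs). Checks each .ps1 in a folder the way the
# device will: Get-AuthenticodeSignature reads the embedded signature block and
# validates the signer's chain against the local certificate stores.
function Test-IntuneScriptSignature {
    [CmdletBinding()]
    param(
        # Folder holding the scripts you intend to upload to Intune (assumed path).
        [Parameter(Mandatory)]
        [string]$ScriptFolder
    )

    Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        [pscustomobject]@{
            Script   = $_.Name
            # Valid, NotSigned, HashMismatch (edited after signing), UnknownError (untrusted chain) ...
            Status   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            # With the new default, only scripts whose status is Valid run on the device.
            WillRun  = ($sig.Status -eq 'Valid')
        }
    }
}

# Signs the scripts that are still unsigned with a code-signing certificate from the
# current user's store. A SHA-256 hash and a trusted timestamp are used so the
# signature stays valid after the certificate itself expires.
function Add-IntuneScriptSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ScriptFolder,
        # Publicly reachable RFC 3161 timestamp server (assumed URL; use your CA's).
        [string]$TimestampServer = 'http://timestamp.digicert.com'
    )

    # -CodeSigningCert returns only certificates with the Code Signing EKU.
    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
    if (-not $cert) {
        throw 'No unexpired code-signing certificate found in Cert:\CurrentUser\My'
    }

    Test-IntuneScriptSignature -ScriptFolder $ScriptFolder |
        Where-Object { $_.Status -eq 'NotSigned' } |
        ForEach-Object {
            $path = Join-Path -Path $ScriptFolder -ChildPath $_.Script
            Set-AuthenticodeSignature -FilePath $path -Certificate $cert `
                -HashAlgorithm SHA256 -TimestampServer $TimestampServer
        }
}

# Example usage (assumed folder): list the scripts, then sign the unsigned ones.
Test-IntuneScriptSignature -ScriptFolder 'C:\IntuneScripts' | Format-Table -AutoSize
Add-IntuneScriptSignature  -ScriptFolder 'C:\IntuneScripts' | Format-Table -AutoSize
```

The device validates the signature with its own trust store, so the signing certificate (or its issuing chain) must also be trusted on the target devices, for example by deploying it to Trusted Publishers and Trusted Root; a script that reads Valid on your admin workstation can still fail on a device that lacks that trust.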

Device configuration

Added Support for Scope tags

You can now add scope tags when creating deployments using Zebra LifeGuard Over-the-Air integration (in public preview).

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > macOS for platform > Settings catalog for profile type.

Microsoft AutoUpdate (MAU):

  • Current Channel (Monthly)

Microsoft Defender > User interface preferences:

  • Control sign-in to consumer version

Microsoft Office > Microsoft Outlook:

  • Disable Do not send response

User Experience > Dock:

  • MCX Dock Special Folders

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Compliance Retrieval service support for MAC address endpoints

We've now added MAC address support to the Compliance Retrieval service.

The initial release of the CR service included support for using only the Intune device ID with the intent to eliminate the need to manage internal identifiers like serial numbers and MAC addresses. With this update, organizations that prefer to use MAC addresses over certificate authentication can continue to do so while implementing the CR service.

While this update adds MAC address support to the CR service, our recommendation is to use certificate-based authentication with the Intune device ID included in the certificate.

For information about the CR service as a replacement for the Intune Network Access Control (NAC) service, see the Intune blog at https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696.

Settings insight within Intune security baselines is generally available

Announcing the general availability of Settings insight in Microsoft Intune.

The Settings insight feature adds insight to settings giving you confidence in configurations that have been successfully adopted by similar organizations. Settings insight is currently available for security baselines.

Navigate to Endpoint security > Security baselines. While creating and editing a workflow, these insights are available for all settings with light bulbs.

Device security

Tamper protection support for Windows on Azure Virtual Desktop

Intune now supports use of endpoint security Antivirus policy to manage Tamper protection for Windows on Azure Virtual Desktop multi-session devices. Support for Tamper protection requires devices to onboard to Microsoft Defender for Endpoint before the policy that enables Tamper protection is applied.

EpmTools PowerShell module for Endpoint Privilege Management

The EpmTools PowerShell module is now available for use with Intune Endpoint Privilege Management (EPM). EpmTools includes cmdlets like Get-FileAttributes that you can use to retrieve file details to help build accurate elevation rules, and other cmdlets you can use to troubleshoot or diagnose EPM policy deployments.

For more information, see EpmTools PowerShell module.

Endpoint Privilege Management support to manage elevation rules for child processes

With Intune Endpoint Privilege Management (EPM) you can manage which files and processes are allowed to Run as Administrator on your Windows devices. Now, EPM elevation rules support a new setting, Child process behavior.

With Child process behavior, your rules can manage the elevation context for any child processes created by the managed process. Options include:

  • Allow all child processes created by the managed process to always run as elevated.
  • Allow a child process to run as elevated only when it matches the rule that manages its parent process.
  • Deny all child processes from running in an elevated context, in which case they run as standard users.

Endpoint Privilege Management is available as an Intune add-on. For more information, see Use Intune Suite add-on capabilities.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Dooray! for Intune

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Setting compliance and Policy compliance are in public preview

We've released two new reports as a public preview for Intune device compliance: Setting compliance and Policy compliance. You can find these new preview reports in the Intune admin center at Reports > Device compliance > Reports tab.

Both reports are new instances of existing reports, and deliver improvements over the older versions, including:

  • Details for Linux settings and devices
  • Support for sorting, searching, filtering, exports, and paging views
  • Drill-down reports for deeper details, which are filtered based on the column you select.
  • Devices are represented a single time. This behavior is in contrast to the original reports, which could count a device more than once if multiple users used that device.

Eventually, the older report versions that are still available in the admin center at Devices > Monitor will be retired.

Week of July 10, 2023

App management

Updates to app configuration policy reporting

As part of our continuing efforts to improve the Intune reporting infrastructure, there have been several user interface (UI) changes for app configuration policy reporting. The UI has been updated with the following changes:

  • There isn't a User status tile or a Not applicable device tile on the Overview section of the App configuration policies workload.
  • There isn't a User install status report on the Monitor section of the App configuration policies workload.
  • The Device install status report under the Monitor section of the App configuration policies workload no longer shows the Pending state in the Status column.

You can configure policy reporting in Microsoft Intune admin center by selecting Apps > App configuration policies.

Week of July 3, 2023

Device management

Intune support for Zebra devices on Android 13

Zebra will be releasing support for Android 13 on their devices. You can read more at Migrating to Android 13 (opens Zebra's web site).

  • Temporary issues on Android 13

    The Intune team thoroughly tested Android 13 on Zebra devices. Everything continues working as normal, except for the following two temporary issues for device administrator (DA) devices.

    For Zebra devices running Android 13 and enrolled with DA management:

    1. App installations don't happen silently. Instead, users get a notification from the Company Portal app (if they allow notifications) that asks for permission to allow the app installation. If a user doesn't accept the app installation when prompted, then the app doesn't install. Users will have a persistent notification in the notification drawer until they allow the installation.

    2. New MX profiles don't apply to Android 13 devices. Newly enrolled Android 13 devices don't receive configuration from MX profiles. MX profiles that previously applied to enrolled devices continue to apply.

    In an update coming later in July, these issues will be resolved and the behavior will return to how it was before.

  • Update devices to Android 13

    You'll soon be able to use Intune's Zebra LifeGuard Over-the-Air integration to update Android Enterprise dedicated and fully managed devices to Android 13. For more information, see Zebra LifeGuard Over-the-Air Integration with Microsoft Intune.

    Before you migrate to Android 13, review Migrating to Android 13 (opens Zebra's web site).

  • OEMConfig for Zebra devices on Android 13

    OEMConfig for Zebra devices on Android 13 requires using Zebra's new Zebra OEMConfig Powered by MX OEMConfig app (opens the Google Play store). This new app can also be used on Zebra devices running Android 11, but not earlier versions.

    For more information on this app, go to the New Zebra OEMConfig app for Android 11 and later blog post.

    The Legacy Zebra OEMConfig app (opens the Google Play store) can only be used on Zebra devices running Android 11 and earlier.

For more general information about Intune Android 13 support, go to the Day Zero support for Android 13 with Microsoft Intune blog post.

Device security

Defender for Endpoint security settings management enhancements and support for Linux and macOS in public preview

With Defender for Endpoint security settings management, you can use Intune's endpoint security policies to manage Defender security settings on devices that onboard to Defender for Endpoint but aren't enrolled with Intune.

Now, you can opt in to a public preview from within the Microsoft Defender portal to gain access to several enhancements for this scenario:

  • Intune's endpoint security policies become visible in and can be managed from within the Microsoft Defender portal. This enables security admins to remain in the Defender portal to manage Defender and the Intune endpoint security policies for Defender security settings management.

  • Security settings management supports deploying Intune endpoint security Antivirus policies to devices that run Linux and macOS.

  • For Windows devices, the Windows Security Experience profile is now supported with security settings management.

  • A new onboarding workflow removes the Microsoft Entra hybrid join prerequisite. Microsoft Entra hybrid join requirements prevented many Windows devices from successfully onboarding to Defender for Endpoint security settings management. With this change, those devices can now complete enrollment and start processing policies for security settings management.

  • Intune creates a synthetic registration in Microsoft Entra ID for devices that can't fully register with Microsoft Entra ID. Synthetic registrations are device objects created in Microsoft Entra ID that enable devices to receive and report back on Intune policies for security settings management. In addition, should a device with a synthetic registration become fully registered, the synthetic registration is removed from Microsoft Entra ID in deference to the full registration.

If you don't opt in to the Defender for Endpoint Public Preview, the previous behaviors remain in place. In this case, while you can view the Antivirus profile for Linux, you can't deploy it, because it's supported only for devices managed by Defender. Similarly, the macOS profile that's currently available for devices enrolled with Intune can't be deployed to devices managed by Defender.

Applies to:

  • Linux
  • macOS
  • Windows

Week of June 26, 2023

Device configuration

Android (AOSP) supports assignment filters

Android (AOSP) supports assignment filters. When you create a filter for Android (AOSP), you can use the following properties:

  • DeviceName
  • Manufacturer
  • Model
  • DeviceCategory
  • oSVersion
  • IsRooted
  • DeviceOwnership
  • EnrollmentProfileName

For more information on filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Applies to:

  • Android

On-demand remediation for a Windows device

A new device action that is in public preview allows you to run a remediation on-demand on a single Windows device. The Run remediation device action allows you to resolve issues without having to wait for a remediation to run on its assigned schedule. You'll also be able to view the status of remediations under Remediations in the Monitor section of a device.

The Run remediation device action is rolling out and can take a few weeks to reach all customers.

For more information, see Remediations.

Device management

Windows Driver update management in Intune is generally available

Announcing the general availability of Windows Driver update management in Microsoft Intune. With driver update policies, you can view a list of driver updates that are recommended and applicable to the Windows 10 and Windows 11 devices that are assigned to the policy. Applicable driver updates are those that can update a device's driver version. Driver update policies update automatically to add new updates as they're published by the driver manufacturer and remove older drivers that no longer apply to any device with the policy.

Update policies can be configured for one of two approval methods:

  • With automatic approval, each new recommended driver that's published by the driver manufacturer and added to the policy is automatically approved for deployment to applicable devices. Policies set for automatic approvals can be configured with a deferral period before the automatically approved updates are installed on devices. This deferral gives you time to review the driver and to pause its deployment if necessary.

  • With manual approval, all new driver updates are automatically added to the policy, but an admin must explicitly approve each update before Windows Update deploys it to a device. When you manually approve an update, you choose the date when Windows Update will begin to deploy it to your devices.

To help you manage driver updates, you can review a policy and decline an update you don't want to install. You can also indefinitely pause any approved update, and reapprove a paused update to restart its deployment.

This release also includes driver update reports that provide a success summary, per-device update status for each approved driver, and error and troubleshooting information. You can also select an individual driver update and view details about it across all the policies that include that driver version.

To learn about using Windows Driver update policies, see Manage policy for Windows Driver updates with Microsoft Intune.

Applies to:

  • Windows 10
  • Windows 11

Week of June 19, 2023 (Service release 2306)

App management

MAM for Microsoft Edge for Business [Preview]

You can now enable protected MAM access to org data via Microsoft Edge on personal Windows devices. This capability uses the following functionality:

  • Intune Application Configuration Policies (ACP) to customize the org user experience in Microsoft Edge
  • Intune Application Protection Policies (APP) to secure org data and ensure the client device is healthy when using Microsoft Edge
  • Windows Defender client threat defense integrated with Intune APP to detect local health threats on personal Windows devices
  • Application Protection Conditional Access to ensure the device is protected and healthy before granting protected service access via Microsoft Entra ID

For more information, see Preview: App protection policy settings for Windows.

To participate in the public preview, complete the opt-in form.

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Networking > Network Usage Rules:

  • SIM Rules

macOS

Authentication > Extensible Single Sign On (SSO):

  • Authentication Method
  • Denied Bundle Identifiers
  • Registration Token

Full Disk Encryption > FileVault:

  • Output path
  • Username
  • Password
  • UseKeyChain

Device Firmware Configuration Interface (DFCI) supports Asus devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In Microsoft Intune admin center, select Devices > Configuration > Create > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.

Some Asus devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, see:

Applies to:

  • Windows 10
  • Windows 11

Saaswedo Datalert telecom expense management is removed in Intune

In Intune, you could manage telecom expenses using Saaswedo's Datalert telecom expense management. This feature is removed from Intune. This removal includes:

  • The Telecom Expense Management connector

  • Telecom expenses RBAC category

    • Read permission
    • Update permission

For more information from Saaswedo, see The datalert service is unavailable (opens Saaswedo's web site).

Applies to:

  • Android
  • iOS/iPadOS

Settings insight within Intune security baseline

The Settings insight feature adds insights to security baselines giving you confidence in configurations that are successfully adopted by similar organizations.

Navigate to Endpoint security > Security baselines. When you create and edit the workflow, these insights are available for you in the form of a light bulb.

Device management

New endpoint security Application Control policy in preview

As a public preview, you can use a new endpoint security policy category, Application Control. Endpoint security Application Control policy includes:

  • Policy to set the Intune Management Extension as a tenant-wide managed installer. When enabled as a managed installer, apps you deploy through Intune (after enablement of Managed Installer) to Windows devices are tagged as installed by Intune. This tag becomes useful when you use Application Control policies to manage which apps you want to allow or block from running on your managed devices.

  • Application Control policies that are an implementation of Defender Application Control (WDAC). With Endpoint security Application Control policies, it's easy to configure policy that allows trusted apps to run on your managed devices. Trusted apps are installed by a managed installer or from the App store. In addition to built-in trust settings, these policies also support custom XML for application control so you can allow other apps from other sources to run to meet your organization's requirements.

To get started with using this new policy type, see Manage approved apps for Windows devices with Application Control policy and Managed Installers for Microsoft Intune.

Applies to:

  • Windows 10
  • Windows 11

Endpoint analytics is available to tenants in Government cloud

With this release, Endpoint analytics is available to tenants in Government cloud.

Learn more about Endpoint analytics.

Introducing in-session connection mode switch in Remote Help

In Remote Help, you can now take advantage of the in-session connection mode switch feature. This feature lets you transition between full control and view-only modes during a session, without disconnecting.

For more information on Remote Help, see Remote Help.

Applies to:

  • Windows 10/11

Device security

Update to Endpoint Privilege Management reports

Intune's Endpoint Privilege Management (EPM) reports now support exporting the full reporting payload to a CSV file. With this change, you can now export all events from an elevation report in Intune.

Endpoint Privilege Management's Run with elevated access option now available on the top-level menu for Windows 11

The Endpoint Privilege Management option to Run with elevated access is now available as a top-level right-click option on Windows 11 devices. Before this change, standard users were required to select Show more options to view the Run with elevated access prompt on Windows 11 devices.

Endpoint Privilege Management is available as an Intune add-on. For more information, see Use Intune Suite add-on capabilities.

Applies to:

  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Idenprotect Go by Apply Mobile Ltd (Android)
  • LiquidText by LiquidText, Inc. (iOS)
  • MyQ Roger: OCR scanner PDF by MyQ spol. s r.o.
  • CiiMS GO by Online Intelligence (Pty) Ltd
  • Vbrick Mobile by Vbrick Systems

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Microsoft Intune troubleshooting pane is now generally available

The Intune troubleshooting pane is now generally available. It provides details about a user's devices, policies, applications, and status. The troubleshooting pane includes the following information:

  • A summary of policy, compliance, and application deployment status.
  • Support for exporting, filtering, and sorting all reports.
  • Support to filter by excluding policies and applications.
  • Support to filter to a user's single device.
  • Details about available device diagnostics and disabled devices.
  • Details about offline devices that haven't checked in to the service for three or more days.

You can find the troubleshooting pane in Microsoft Intune admin center by selecting Troubleshooting + support > Troubleshoot.

Updated troubleshoot + support pane in Intune

The Troubleshooting + support pane in the Intune admin center has been updated by consolidating the Roles and Scopes report into a single report. This report now includes all relevant role and scope data from both Intune and Microsoft Entra ID, providing a more streamlined and efficient experience. For related information, see Use the troubleshooting dashboard to help users at your company.

Download mobile app diagnostics

Now generally available, access user-submitted mobile app diagnostics in the Intune admin center, including app logs sent through Company Portal apps, which include Windows, iOS, Android, Android AOSP, and macOS. In addition, you can retrieve app protection logs via Microsoft Edge. For more information, see Company Portal app logs and Use Microsoft Edge for iOS and Android to access managed app logs.

Week of June 12, 2023

Device management

New Devices from HTC and Pico supported on Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) now supports the following devices:

  • HTC Vive XR Elite
  • Pico Neo 3 Pro
  • Pico 4

For more information, see:

Applies to:

  • Android (AOSP)

App management

Microsoft Store for Business or Microsoft Store for Education

Apps added from the Microsoft Store for Business or Microsoft Store for Education won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps already deployed are unaffected. Use the new Microsoft Store app to deploy Microsoft Store apps to devices or users. For related information, see Plan for Change: Ending support for Microsoft Store for Business and Education apps for upcoming dates when Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business apps will be removed.

For more information, see the following resources:

Week of June 5, 2023

Device configuration

Android Enterprise 11+ devices can use Zebra's latest OEMConfig app version

On Android Enterprise devices, you can use OEMConfig to add, create, and customize OEM-specific settings in Microsoft Intune (Devices > Configuration > Create > Android Enterprise for platform > OEMConfig).

There's a new Zebra OEMConfig Powered by MX app that aligns more closely with Google's OEMConfig standards. This app supports Android Enterprise 11.0 and newer devices.

The older Legacy Zebra OEMConfig app continues to support devices with Android 11 and earlier.

In your Managed Google Play, there are two versions of the Zebra OEMConfig app. Be sure to select the one that applies to the Android versions of your devices.

For more information on OEMConfig and Intune, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise 11.0 and newer

Week of May 29, 2023

Device management

Intune UI displays Windows Server devices as distinct from Windows clients for the Security Management for Microsoft Defender for Endpoint scenario

To support the Security Management for Microsoft Defender for Endpoint (MDE security configuration) scenario, Intune now differentiates Windows devices in Microsoft Entra ID as either Windows Server for devices that run Windows Server, or as Windows for devices that run Windows 10 or Windows 11.

With this change, you can improve policy targeting for MDE security configuration. For example, you can use dynamic groups that consist of only Windows Server devices, or only Windows client devices (Windows 10/11).

For more information about this change, see the Intune Customer Success blog Windows Server devices now recognized as a new OS in Microsoft Intune, Microsoft Entra ID, and Defender for Endpoint.

Tenant administration

Organizational messages for Windows 11 now generally available

Use organizational messages to deliver branded, personalized calls to action to employees. Select from more than 25 messages that support employees through device onboarding and lifecycle management, in 15 different languages. Messages can be assigned to Microsoft Entra user groups. They're shown just above the taskbar, in the notifications area, or in the Get started app on devices running Windows 11. Messages continue to appear or reappear at the frequency you configure in Intune, until the user has visited the customized URL.

Other features and functionality added in this release include:

  • Confirm licensing requirements prior to first message.
  • Choose from eight new themes for taskbar messages.
  • Give messages a custom name.
  • Add scope groups and scope tags.
  • Edit the details of a scheduled message.

Scope tags were previously unavailable for organizational messages. With the addition of scope tag support, Intune adds the default scope tag to every message created before June 2023. Admins who want access to those messages must be assigned a role that carries the same tag. For more information about available features and how to set up organizational messages, see Overview of organizational messages.

Week of May 22, 2023 (Service release 2305)

App management

Update to macOS shell scripts maximum running time limit

Based on customer feedback, we're updating the Intune agent for macOS (version 2305.019) to extend the maximum script run time to 60 minutes. Previously, the Intune agent for macOS only allowed shell scripts to run for up to 15 minutes before stopping them and reporting the script as a failure. The Intune agent for macOS 2206.014 and higher supports the 60-minute timeout. Scripts that exceed the limit are still stopped and reported as failed, so design long-running tasks to finish within it.

Assignment filters support app protection policies and app configuration policies

Assignment filters support MAM app protection policies and app configuration policies. When you create a new filter, you can fine tune MAM policy targeting using the following properties:

  • Device Management Type
  • Device Manufacturer
  • Device Model
  • OS Version
  • Application Version
  • MAM Client Version

Important

Device Type targeting in new and edited app protection policies is replaced with assignment filters.

For more information on filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Update to MAM reporting in Intune

MAM reporting has been simplified and overhauled, and now uses Intune's newest reporting infrastructure. Benefits of this include improved data accuracy and instantaneous updating. You can find these streamlined MAM reports in the Microsoft Intune admin center by selecting Apps > Monitor. All MAM data available to you is contained within the new App protection status report and App configuration status report.

Global quiet time app policy settings

The global quiet time settings allow you to create policies to schedule quiet time for your end users. These settings automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms. These policies can be used to limit end user notifications received after work hours. For more information, see Quiet time notification policies.

Device configuration

Introducing enhanced chat in Remote Help

Remote Help now includes an enhanced chat that keeps a continuous thread of all messages in a session. The chat supports special characters and additional languages, including Chinese and Arabic.

For more information on Remote Help, see Remote Help.

Applies to:

  • Windows 10/11

Remote Help administrators can reference audit log sessions

For Remote Help, in addition to the existing session reports, administrators can now reference the audit log entries that Intune creates for sessions. This lets administrators review past events when troubleshooting and analyzing session activity.

For more information on Remote Help, see Remote Help.

Applies to:

  • Windows 10
  • Windows 11

Turn on/off Personal data encryption on Windows 11 devices using the settings catalog

The settings catalog includes hundreds of settings that you can configure and deploy to your devices.

In the settings catalog, you can turn on/off Personal data encryption (PDE). PDE is a security feature introduced in Windows 11, version 22H2. It requires Windows Hello for Business: the encryption keys are protected by the user's Hello credential, so protected content is only accessible while that user is signed in.

PDE is different from BitLocker. It encrypts individual files and content rather than whole volumes and disks, and it's meant to be used alongside other encryption methods, such as BitLocker, not instead of them.

For more information on the settings catalog, see:

This feature applies to:

  • Windows 11

Visual Studio ADMX settings are in the Settings Catalog and Administrative Templates

Visual Studio settings are included in the Settings Catalog and Administrative Templates (ADMX). Previously, to configure Visual Studio settings on Windows devices, you imported them with ADMX import.

For more information on these policy types, see:

Applies to:

  • Windows 10
  • Windows 11

Group policy analytics supports scope tags

In Group Policy analytics, you import your on-premises GPO. The tool analyzes your GPOs and shows the settings that can (and can't) be used in Intune.

When you import your GPO XML file in Intune, you can select an existing scope tag. If you don't select a scope tag, then the Default scope tag is automatically selected. Previously, when you imported a GPO, the scope tags assigned to you were automatically applied to the GPO.

Only admins within that scope tag can see the imported policies. Admins not in that scope tag can't see the imported policies.

Also, admins can migrate the imported policies that their scope tag lets them see. To migrate an imported GPO into a Settings Catalog policy, the imported GPO must have a scope tag associated with it; without one, it can't be migrated. If no scope tag is selected at import, the Default scope tag is applied automatically.

For more information on scope tags and Group Policy analytics, see:

Introducing Intune integration with the Zebra Lifeguard Over-the-Air service (public preview)

Now available in public preview, Microsoft Intune supports integration with Zebra Lifeguard Over-the-Air service, which allows you to deliver OS updates and security patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can select the firmware version you want to deploy, set a schedule, and stagger update downloads and installs. You can also set minimum battery, charging status, and network conditions requirements for when the update can happen.

Available for Android Enterprise dedicated and fully managed Zebra devices running Android 8 or later. The integration requires a Zebra account.

New Google domain allowlist settings for Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure settings that restrict device features and settings.

Currently, there's an Add and remove accounts setting that can allow Google accounts to be added to the work profile. For this setting, when you select Allow all account types, you can also configure:

  • Google domain allow-list: Restricts users to adding only accounts from the listed Google domains in the work profile. You can import a list of allowed domains or add them in the admin center using the contoso.com format. When left blank, by default, the OS might allow accounts from any Google domain to be added to the work profile.

For more information on the settings you can configure, see Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Renaming Proactive remediation to Remediations and moving to a new location

Proactive remediations are now Remediations and are available from Devices > Remediations. You can still find Remediations in both the new location and the existing Reports > Endpoint Analytics location until the next Intune service update.

Remediations are currently not available in the new Devices experience preview.

Applies to:

  • Windows 10
  • Windows 11

Remediations are now available in Intune for US Government GCC High and DoD

Remediations (previously known as proactive remediations) are now available in Microsoft Intune for US Government GCC High and DoD.

Applies to:

  • Windows 10
  • Windows 11

Create inbound and outbound network traffic rules for VPN profiles on Windows devices

Note

This setting is coming in a future release, possibly the 2308 Intune release.

You can create a device configuration profile that deploys a VPN connection to devices (Devices > Configuration > Create > Windows 10 and later for platform > Templates > VPN for profile type).

In this VPN connection, you can use the Apps and Traffic rules settings to create network traffic rules.

There's a new Direction setting. Use it to specify whether a traffic rule applies to outbound or inbound traffic over the VPN:

  • Outbound (default): Allows only traffic to external networks/destinations to flow using the VPN. Inbound traffic is blocked from entering the VPN.
  • Inbound: Allows only traffic coming from external networks/sources to flow using the VPN. Outbound traffic is blocked from entering the VPN.

An inbound rule lets connections that originate on the remote network reach the device, so scope inbound rules to the specific apps, addresses, and ports that need them.

For more information on the VPN settings you can configure, including the network traffic rule settings, see Windows device settings to add VPN connections using Intune.

Applies to:

  • Windows 10 and later

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see them at Devices > Configuration > Create > macOS for platform > Settings catalog for profile type.

Microsoft Defender > Antivirus engine:

  • Scanning inside archive files
  • Enable file hash computation

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Wipe device action and new obliteration behavior setting available for macOS

You can now use the Wipe device action instead of Erase for macOS devices. As part of the Wipe action, you can also configure the Obliteration Behavior setting.

This setting controls what a Mac with Apple silicon or the T2 Security Chip does when Erase All Content and Settings can't be completed: whether it falls back to a full obliteration (after which macOS must be reinstalled) and whether it warns first. The values are Apple's: Default, DoNotObliterate, ObliterateWithWarning, and Always. To find this setting, navigate to Devices > macOS > [Select a device] > Overview > Wipe in the Device action area.

For more information on the Obliteration Behavior setting, go to Apple's Platform Deployment site Erase Apple devices - Apple Support.

Applies to:

  • macOS

Device enrollment

Account driven Apple User Enrollment available for iOS/iPadOS 15+ devices (public preview)

Intune supports account driven user enrollment, a new and improved variation of Apple User Enrollment for iOS/iPadOS 15+ devices. Now available for public preview, the new option utilizes just-in-time registration, which eliminates the need for the Company Portal app during enrollment. Device users can initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience. You can continue to target iOS/iPadOS devices using the existing profile-based user enrollment method that uses Company Portal. Devices running iOS/iPadOS, version 14.8.1 and earlier remain unaffected by this update and can continue to use the existing method. For more information, see Set up account driven Apple User Enrollment.

Device security

New security baseline for Microsoft 365 Office Apps

We've released a new security baseline to help you manage security configurations for M365 Office Apps. This new baseline uses an updated template and experience that uses the unified settings platform seen in the Intune settings catalog. You can view the list of settings in the new baseline at Microsoft 365 Apps for Enterprise baseline settings (Office).

The new Intune security baseline format aligns the presentation of settings that are available to the settings found in the Intune settings catalog. This alignment helps resolve past issues for setting names and implementations for settings that could create conflicts. The new format also improves the reporting experience for baselines in the Intune admin center.

The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to your Office Apps that meet the security recommendations of the Office and security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations. You can modify the default baseline to meet the requirements of your organization.

To learn more, see Security baselines overview.

Applies to:

  • Windows 10
  • Windows 11

Security baseline update for Microsoft Edge version 112

We've released a new version of the Intune security baseline for Microsoft Edge, version 112. In addition to releasing this new version for Microsoft Edge, the new baseline uses an updated template experience that uses the unified settings platform seen in the Intune settings catalog. You can view the list of settings in the new baseline at Microsoft Edge baseline settings (version 112 and higher).

The new Intune security baseline format aligns the presentation of settings that are available to the settings found in the Intune settings catalog. This alignment helps resolve past issues for setting names and implementations for settings that could create conflicts. The new format also improves the reporting experience for baselines in the Intune admin center.

Now that the new baseline version is available, all new profiles you create for Microsoft Edge use the new baseline format and version. While the new version becomes the default baseline version, you can continue to use the profiles you've previously created for older versions of Microsoft Edge. But, you can't create new profiles for those older versions of Microsoft Edge.

To learn more, see Security baselines overview.

Applies to:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Achievers by Achievers Inc.
  • Board.Vision for iPad by Trusted Services PTE. LTD.
  • Global Relay by Global Relay Communications Inc.
  • Incorta (BestBuy) by Incorta, Inc. (iOS)
  • Island Enterprise Browser by Island (iOS)
  • Klaxoon for Intune by Klaxoon (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of May 8, 2023

Device configuration

Device Firmware Configuration Interface (DFCI) supports Dynabook devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In Microsoft Intune admin center, select Devices > Configuration > Create > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.

Some Dynabook devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, see:

Applies to:

  • Windows 10
  • Windows 11

eSIM bulk activation for Windows PCs via download server is now available on the Settings Catalog

You can now perform at-scale configuration of Windows eSIM PCs using the Settings Catalog. A download server (SM-DP+) is configured using a configuration profile.

Once the devices receive the configuration, they automatically download the eSIM profile. For more information, see eSIM configuration of a download server.

Applies to:

  • Windows 11
  • eSIM capable devices

Week of May 1, 2023

App management

macOS shell scripts maximum running time limit

We fixed an issue that caused long-running shell scripts to never report their run status back to Intune. The macOS Intune agent now stops any shell script that runs longer than 15 minutes and reports it as failed. This behavior is enforced from macOS Intune agent version 2305.019.

DMG app installation for macOS

The DMG app installation feature for macOS is now generally available. Intune supports required and uninstall assignment types for DMG apps. The Intune agent for macOS is used to deploy DMG apps. For related information, see Deploy DMG-type applications to managed macOS devices.

Deprecation of Microsoft Store for Business and Education

The Microsoft Store for Business connector is no longer available in the Microsoft Intune admin center. Apps added from the Microsoft Store for Business or Microsoft Store for Education won't sync with Intune. Apps that have previously synced continue to be available and deploy to devices and users.

It's now also possible to delete Microsoft Store for Business apps from the Apps pane in the Microsoft Intune admin center so that you can clean up your environment as you move to the new Microsoft Store app type.

For related information, see Plan for Change: Ending support for Microsoft Store for Business and Education apps for upcoming dates when Microsoft Store for Business apps won't deploy and Microsoft Store for Business apps are removed.

Device configuration

Remote Help now supports conditional access capability

Administrators can now apply Conditional Access when setting up policies and conditions for Remote Help. For example, you can require multifactor authentication, require that security updates are installed, or restrict Remote Help to specific regions or IP address ranges.

For more information, see:

Device security

Updated settings for Microsoft Defender in endpoint security Antivirus policy

We've updated the available settings in the Microsoft Defender Antivirus profile for endpoint security Antivirus policy. You can find this profile in the Intune admin center at Endpoint security > Antivirus > Platform: Windows 10, Windows 11, and Windows Server > Profile: Microsoft Defender Antivirus.

  • The following settings have been added:

    • Metered Connection Updates
    • Disable Tls Parsing
    • Disable Http Parsing
    • Disable Dns Parsing
    • Disable Dns Over Tcp Parsing
    • Disable Ssh Parsing
    • Platform Updates Channel
    • Engine Updates Channel
    • Security Intelligence Updates Channel
    • Allow Network Protection Down Level
    • Allow Datagram Processing On Win Server
    • Enable Dns Sinkhole

    For more information about these settings, see the Defender CSP. The new settings are also available through the Intune Settings Catalog.

  • The following setting has been deprecated:

    • Allow Intrusion Prevention System

    This setting now appears with the Deprecated tag. If it was previously applied to a device, its value is updated to NotApplicable and it no longer has any effect on the device.

Applies to:

  • Windows 10
  • Windows 11

Week of April 17, 2023 (Service release 2304)

App management

Changes to iCloud app backup and restore behavior on iOS/iPadOS and macOS devices

As an app setting, you can select Prevent iCloud app backup for iOS/iPadOS and macOS devices. When set, the app's data is excluded from iCloud backup for managed App Store apps and line-of-business (LOB) apps on iOS/iPadOS, and for managed App Store apps on macOS (macOS LOB apps don't support this feature). It applies to both user- and device-licensed apps, VPP or not, and to new and existing App Store/LOB apps that are added to Intune and targeted to users and devices.

Preventing backup of the specified managed apps ensures that Intune can deploy them correctly when a device is enrolled and then restored from a backup, and it keeps managed app data out of personal iCloud backups. With the setting configured for new or existing apps, Intune reinstalls the managed apps on restored devices, but their data isn't carried over from the backup.

This new setting appears in the Microsoft Intune admin center in an app's properties. For an existing app, select Apps > iOS/iPadOS or macOS > select the app > Properties > Assignments > Edit. If no group assignment exists, select Add group. In the app settings for the group (alongside VPN, Uninstall on device removal, and Install as removable), set Prevent iCloud app backup to Yes to block backup of the app's data, or to No to allow iCloud to back up the app.

For more information, see Changes to applications' backup and restore behavior on iOS/iPadOS and macOS devices and Assign apps to groups with Microsoft Intune.

Prevent automatic updates for Apple VPP apps

You can control the automatic update behavior for Apple VPP at the per-app assignment level using the Prevent automatic updates setting. This setting is available in Microsoft Intune admin center by selecting Apps > iOS/iPadOS or macOS > Select a volume purchase program app > Properties > Assignments > Select a Microsoft Entra group > App settings.

Applies to:

  • iOS/iPadOS
  • macOS

Device configuration

Updates to the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > macOS for platform > Settings catalog for profile type.

The new setting is located under:

Microsoft AutoUpdate (MAU) > [targeted app]:

  • Update channel override

The following settings have been deprecated:

Microsoft AutoUpdate (MAU) > [targeted app]:

  • Channel Name (Deprecated)

Privacy > Privacy Preferences Policy Control > Services > Listen Event or Screen Capture:

  • Allowed

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create a policy using settings catalog.

The Microsoft Enterprise SSO plug-in for Apple devices is now generally available

In Microsoft Intune, there's a Microsoft Enterprise SSO plug-in. This plug-in provides single sign-on (SSO) to iOS/iPadOS and macOS apps and websites that use Microsoft Entra ID for authentication.

This plug-in is now generally available (GA).

For more information about configuring the Microsoft Enterprise SSO plug-in for Apple devices in Intune, go to Microsoft Enterprise SSO plug-in in Microsoft Intune.

Applies to:

  • iOS/iPadOS
  • macOS

Disable Activation Lock device action for supervised macOS devices

You can now use the Disable Activation Lock device action in Intune to bypass Activation Lock on Mac devices without requiring the current username or password. This action is available in Devices > macOS > select one of your listed devices > Disable Activation Lock. Because it removes the lock without the user's credentials, limit the action to the admin roles that need it.

More information on managing Activation Lock is available at Bypass iOS/iPadOS Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad, and iPod touch - Apple Support.

Applies to:

  • macOS 10.15 or later

ServiceNow Integration is now Generally Available (GA)

Now generally available, you can view a list of ServiceNow incidents associated with the user you've selected in the Intune Troubleshooting workspace. This new feature is available under Troubleshooting + Support > select a user > ServiceNow Incidents. The incidents shown have a direct link back to the source incident and show key information from the incident. All incidents listed link the "Caller" identified in the incident with the user selected for Troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your company.

More permissions to support administrators in controlling delivery of organization messages

New permissions let administrators control the delivery of content created and deployed from Organizational messages, and the delivery of content from Microsoft to users.

The Update organizational message control RBAC permission for organizational messages determines who can change the Organizational Messages toggle to allow or block Microsoft direct messages. This permission is also added to the Organizational Messages Manager built-in role.

Existing custom roles for managing Organizational Messages must be modified to add this permission for users to modify this setting.

Device management

Endpoint security firewall rules support for ICMP type

You can now use the IcmpTypesAndCodes setting to configure inbound and outbound rules for Internet Control Message Protocol (ICMP) as part of a firewall rule. This setting is available in the Microsoft Defender Firewall rules profile for the Windows 10, Windows 11, and Windows Server platform.

Applies to:

  • Windows 11 and later
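The value format behind this setting, worked through as an added example (this is the editor's code, not Intune's or Windows'): a parser and matcher for the Firewall CSP IcmpTypesAndCodes string, so you can confirm what a rule covers before assigning it. It assumes the documented shape, a comma-separated list of type:code entries where * stands for any code; it additionally accepts * for the type and a bare * for all ICMP, which is an assumption about how the firewall treats wildcards. The ICMPv4 type names are for readable output only.

```python
"""Parse and evaluate a Firewall CSP IcmpTypesAndCodes value.

Added example; not Intune or Windows code. The value format is assumed to be
"type:code,type:code,..." with "*" meaning any code (the documented form);
"*" for the type and a bare "*" for every ICMP message are assumptions.
"""
from typing import List, Optional, Tuple

IcmpPair = Tuple[Optional[int], Optional[int]]  # None stands for "*"

# Common ICMPv4 types, used only to make describe() readable.
ICMPV4_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    13: "timestamp request",
}


def _parse_field(text: str) -> Optional[int]:
    """'*' -> None (wildcard), otherwise an integer in 0..255."""
    text = text.strip()
    if text == "*":
        return None
    if not text.isdigit():
        raise ValueError(f"not a number or '*': {text!r}")
    value = int(text)
    if not 0 <= value <= 255:
        raise ValueError(f"out of range 0..255: {value}")
    return value


def parse_icmp_types_and_codes(value: str) -> List[IcmpPair]:
    """Return (type, code) tuples for the value; None means wildcard.

    Raises ValueError for entries the firewall would reject, such as a type
    with no code ("8") or a number outside 0..255.
    """
    value = value.strip()
    if value == "*":
        return [(None, None)]
    if not value:
        raise ValueError("empty IcmpTypesAndCodes value")
    pairs: List[IcmpPair] = []
    for entry in value.split(","):
        if entry.count(":") != 1:
            raise ValueError(f"expected type:code, got {entry.strip()!r}")
        type_text, code_text = entry.split(":")
        pairs.append((_parse_field(type_text), _parse_field(code_text)))
    return pairs


def rule_covers(value: str, icmp_type: int, icmp_code: int) -> bool:
    """True if a rule with this IcmpTypesAndCodes value applies to the message."""
    for rule_type, rule_code in parse_icmp_types_and_codes(value):
        type_ok = rule_type is None or rule_type == icmp_type
        code_ok = rule_code is None or rule_code == icmp_code
        if type_ok and code_ok:
            return True
    return False


def describe(value: str) -> List[str]:
    """Human-readable summary of each entry, for example for a change review."""
    out = []
    for rule_type, rule_code in parse_icmp_types_and_codes(value):
        if rule_type is None:
            type_name = "any type"
        else:
            type_name = ICMPV4_TYPES.get(rule_type, f"type {rule_type}")
        code_name = "any code" if rule_code is None else f"code {rule_code}"
        out.append(f"{type_name}, {code_name}")
    return out


if __name__ == "__main__":
    # A scoped inbound allow rule for ping replies and PMTU discovery (3:4 is
    # "fragmentation needed") versus "*", which also lets redirects (type 5) in.
    for name, value in (("narrow", "8:*,3:4"), ("broad", "*")):
        print(name, describe(value), "covers redirect:", rule_covers(value, 5, 1))
```

The narrow value is the one to prefer: an inbound allow for all ICMP also admits redirects and timestamp requests, which a workstation rarely needs to accept.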

Manage Windows LAPS with Intune policies (public preview)

Now available in a public preview, manage Windows Local Administrator Password Solution (Windows LAPS) with Microsoft Intune Account protection policies. To get started, see Intune support for Windows LAPS.

Windows LAPS is a Windows feature that manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices.

To manage LAPS, Intune configures the Windows LAPS configuration service provider (CSP) that is built in to Windows devices. It takes precedence over other sources of Windows LAPS configurations, like GPOs or the Microsoft Legacy LAPS tool. Some of the capabilities you can use when Intune manages Windows LAPS include:

  • Define password requirements like complexity and length that apply to the local administrator accounts on a device.
  • Configure devices to rotate their local admin account passwords on a schedule. And, back up the account and password in your Microsoft Entra ID or on-premises Active Directory.
  • Use an Intune device action from the admin center to manually rotate the password for an account on your own schedule.
  • View account details from within the Intune admin center, like the account name and password. This information can help you recover devices that are otherwise inaccessible.
  • Use Intune reports to monitor your LAPS policies, and when devices last rotated passwords manually or by schedule.

Applies to:

  • Windows 10
  • Windows 11
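Checking what LAPS actually backed up, as an added example (the editor's code, not Intune's or Microsoft's): Microsoft Graph returns the backed-up credentials from GET https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/{deviceId}?$select=credentials, which requires the DeviceLocalCredential.Read.All permission. The script below takes that JSON, keeps the newest credential per account, and checks it against the length, complexity and age values of your LAPS policy without printing the password. The two device responses and the POLICY values are constructed for the example; adjust POLICY to match your own Account protection profile.

```python
"""Audit Windows LAPS backups pulled from Microsoft Graph.

Added example; not Intune's or Microsoft's code. Input is the JSON returned by
GET /v1.0/directory/deviceLocalCredentials/{deviceId}?$select=credentials
(one response per device). The sample responses below are constructed.
"""
import base64
import json
import string
from datetime import datetime, timezone
from typing import Dict, List

# Values as set in the Intune LAPS profile (assumed for this example).
# PasswordComplexity follows the LAPS CSP: 1 = upper, 2 = upper+lower,
# 3 = upper+lower+digits, 4 = upper+lower+digits+special.
POLICY = {"PasswordLength": 14, "PasswordComplexity": 4, "PasswordAgeDays": 30}

CLASS_TESTS = (
    ("upper", string.ascii_uppercase),
    ("lower", string.ascii_lowercase),
    ("digit", string.digits),
    ("special", string.punctuation),
)


def _credential(account: str, password: str, backed_up: str) -> dict:
    """One entry in the shape Graph returns (constructed sample, placeholder SID)."""
    return {
        "accountName": account,
        "accountSid": "S-1-5-21-0-0-0-500",
        "backupDateTime": backed_up,
        "passwordBase64": base64.b64encode(password.encode("utf-8")).decode("ascii"),
    }


# Constructed sample responses for two devices; Graph returns the current and
# previous credentials of an account, so LAPTOP-01 carries a history of two.
SAMPLE_DEVICES = [
    json.dumps({"deviceName": "LAPTOP-01", "credentials": [
        _credential("Administrator", "Zq7#pL9vR2!xWm4e", "2023-05-20T10:00:00Z"),
        _credential("Administrator", "Old$Password99abc", "2023-04-20T10:00:00Z"),
    ]}),
    json.dumps({"deviceName": "LAPTOP-02", "credentials": [
        _credential("LocalAdmin", "password123", "2023-02-01T08:00:00Z"),
    ]}),
]


def parse_graph_time(value: str) -> datetime:
    """Graph timestamps are ISO 8601 UTC ('...Z'), sometimes with fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def decode_password(password_base64: str) -> str:
    """Graph returns the password base64-encoded; decode it in memory only."""
    return base64.b64decode(password_base64).decode("utf-8")


def check_password(password: str, policy: dict) -> List[str]:
    """Return the ways a password falls short of the policy (empty = compliant)."""
    findings = []
    if len(password) < policy["PasswordLength"]:
        findings.append(f"length {len(password)} < {policy['PasswordLength']}")
    required = CLASS_TESTS[: policy["PasswordComplexity"]]
    missing = [name for name, chars in required if not any(c in chars for c in password)]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings


def audit(device_responses: List[str], policy: dict, now: datetime) -> Dict[str, List[str]]:
    """Audit the newest credential per account on each device; never echoes the password."""
    report: Dict[str, List[str]] = {}
    for raw in device_responses:
        device = json.loads(raw)
        newest: Dict[str, dict] = {}
        for cred in device.get("credentials", []):
            name = cred["accountName"]
            if name not in newest or (
                parse_graph_time(cred["backupDateTime"])
                > parse_graph_time(newest[name]["backupDateTime"])
            ):
                newest[name] = cred
        findings = []
        for name, cred in newest.items():
            for problem in check_password(decode_password(cred["passwordBase64"]), policy):
                findings.append(f"{name}: {problem}")
            age = now - parse_graph_time(cred["backupDateTime"])
            if age.days > policy["PasswordAgeDays"]:
                findings.append(
                    f"{name}: latest backup is {age.days} days old "
                    f"(PasswordAgeDays={policy['PasswordAgeDays']})"
                )
        report[device["deviceName"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit(SAMPLE_DEVICES, POLICY, datetime.now(timezone.utc)).items():
        print(device, findings or ["OK"])
```

Run it as a script to see the findings for the two sample devices; in practice, feed it the responses fetched for the devices targeted by the policy, and keep the findings, not the decoded passwords, as your evidence.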

New settings available for macOS software update policies

macOS software update policies now include the following settings to help manage when updates install on a device. These settings are available when the All other updates update type is configured to Install later:

  • Max User Deferrals: When the All other updates update type is configured to Install later, this setting allows you to specify the maximum number of times a user can postpone a minor OS update before it's installed. The system prompts the user once a day. Available for devices running macOS 12 and later.

  • Priority: When the All other updates update type is configured to Install later, this setting allows you to specify values of Low or High for the scheduling priority for downloading and preparing minor OS updates. Available for devices running macOS 12.3 and later.

For more information, see Use Microsoft Intune policies to manage macOS software updates.

Applies to:

  • macOS

Introducing the new partner portals page

You can now manage hardware specific information on your HP or Surface devices from our partner portals page.

The HP link takes you to HP Connect where you can update, configure, and secure the BIOS on your HP devices. The Microsoft Surface link takes you to the Surface Management Portal where you can get insights into device compliance, support activity, and warranty coverage.

To access the Partner portals page, you must enable the Devices pane preview and then navigate to Devices > Partner Portals.

Windows Update compatibility reports for Apps and Drivers are now generally available

The following Microsoft Intune reports for Windows Update compatibility are out of preview and now generally available:

  • Windows feature update device readiness report - This report provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows.

  • Windows feature update compatibility risks report - This report provides a summary view of the top compatibility risks across your organization for a chosen version of Windows. You can use this report to understand which compatibility risks impact the greatest number of devices in your organization.

These reports can help you plan an upgrade from Windows 10 to 11, or for installing the latest Windows feature update.

Device security

Microsoft Intune Endpoint Privilege Management is generally available

Microsoft Endpoint Privilege Management (EPM) is now generally available and no longer in preview.

With Endpoint Privilege Management, admins can set policies that allow standard users to perform tasks normally reserved for an administrator. To do so, you configure policies for automatic and user-confirmed workflows that elevate the run-time permissions for apps or processes you select. You then assign these policies to users or devices that have end users running without Administrator privileges. After the device receives a policy, EPM brokers the elevation on behalf of the user, allowing them to elevate approved applications without needing full administrator privileges. EPM also includes built-in insights and reporting.

Now that EPM is out of preview, it requires another license to use. You can choose between a stand-alone license that adds only EPM, or license EPM as part of the Microsoft Intune Suite. For more information, see Use Intune Suite add-on capabilities.

While Endpoint Privilege Management is now generally available, its reports remain in preview and will receive more enhancements before they leave preview.

Support for WDAC Application ID tagging with Intune Firewall Rules policy

Intune's Microsoft Defender Firewall Rules profiles, which are available as part of endpoint security Firewall policy, now include the Policy App ID setting. This setting is described in the MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId CSP and supports specifying a Windows Defender Application Control (WDAC) Application ID tag.

With this capability, you can scope a firewall rule to an application or a group of applications and let your WDAC policies define which binaries those are. Because the rule references a tag that the WDAC policy applies to the process, the Firewall Rules policy no longer needs to identify the app by an absolute file path, or by a variable file path, which weakens the rule because anything that runs from that path matches it.

Use of this capability requires you to have WDAC policies in place that include AppId tags that you can then specify in your Intune Microsoft Defender Firewall Rules.

For more information, see the following articles in the Windows Defender Application Control documentation:

Applies to:

  • Windows 10/11
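The following is an added example, not code from the release notes or from Microsoft's documentation. It walks the same flow on a single Windows 11 22H2 test device before you build the equivalent Intune policies: generate a WDAC policy for an app, mark it as an AppId tagging policy, then create a firewall rule that matches the tag instead of a file path. It assumes the ConfigCI module on your build exposes the AppIdTagging parameters of Set-CIPolicyIdInfo, that New-NetFirewallRule exposes a -PolicyAppId parameter, and that the PolicyAppId condition matches the tag value; the application path, tag key, tag value and rule name are illustrative.

```powershell
# Added example, not part of the Intune release notes. Run elevated on a Windows 11 22H2+ test device.
# Assumptions: ConfigCI's Set-CIPolicyIdInfo -AppIdTaggingPolicy/-AppIdTaggingKey/-AppIdTaggingValue and
# NetSecurity's New-NetFirewallRule -PolicyAppId exist on this build, and PolicyAppId matches the tag value.
# The app path, tag key, tag value and rule name below are illustrative.

$AppPath   = 'C:\Program Files\Contoso\LobClient'   # assumed install folder of the app to scope
$PolicyXml = Join-Path $env:TEMP 'AppIdTagging-LobClient.xml'
$TagKey    = 'IntuneFirewallScope'                  # assumed AppId tag key
$TagValue  = 'LobClient'                            # assumed AppId tag value

# 1. Scan the app folder and build a WDAC policy with publisher-level rules (hash fallback for unsigned files).
New-CIPolicy -FilePath $PolicyXml -ScanPath $AppPath -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat

# 2. Turn it into an AppId tagging policy: processes that match its rules are tagged with key/value.
Set-CIPolicyIdInfo -FilePath $PolicyXml -ResetPolicyID -PolicyName 'Contoso LobClient AppId tagging' `
    -AppIdTaggingPolicy -AppIdTaggingKey $TagKey -AppIdTaggingValue $TagValue

# 3. Compile to the binary form for local testing (Intune deploys the same policy through its WDAC policy).
$PolicyId = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
$CipPath  = Join-Path $env:TEMP "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $CipPath

# 4. Local firewall rule scoped by tag, not by path. A -Program rule matches whatever runs from that path;
#    the tag follows the WDAC publisher/hash rule, so a renamed or relocated binary does not inherit the rule.
$RuleName = 'Contoso LobClient - allow outbound to backend'
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress '10.20.0.0/16' -RemotePort 443 -Profile Domain, Private -PolicyAppId $TagValue

# Sanity check: an empty PolicyAppId means the rule is unscoped and applies to every process.
$rule = Get-NetFirewallRule -DisplayName $RuleName
if ([string]::IsNullOrEmpty($rule.PolicyAppId)) { throw "Rule '$RuleName' has no PolicyAppId and would apply to every process." }
$rule | Select-Object DisplayName, Direction, Action, PolicyAppId
```

In Intune the same pieces land in two places: the tagging policy goes out through your WDAC policy, and the Policy App ID setting in the Microsoft Defender Firewall Rules profile carries the tag string; the local rule above is only to confirm the tag is honored before you assign the Intune rule to a group.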

New App and browser isolation profile for Intune's endpoint security Attack Surface Reduction policy

We have released a new experience for creating App and Browser Isolation profiles for endpoint security Attack Surface Reduction policy. The experience for editing your previously created App and Browser Isolation policies remains the same, and you can continue to use them. This update applies only to new App and Browser Isolation policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security policies, which began in April 2022.

Additionally, the new profile includes the following changes for the settings it includes:

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • ixArma by INAX-APPS (iOS)
  • myBLDNG by Bldng.ai (iOS)
  • RICOH Spaces V2 by Ricoh Digital Services
  • Firstup - Intune by Firstup, Inc. (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Role-based access control

New Assign (RBAC) permissions for organizational messages

The new Assign permission for organizational messages determines who can assign target Microsoft Entra groups to an organizational message. To review RBAC permissions, sign in to the Microsoft Intune admin center and go to Tenant administration > Roles.

This permission is also added to the Organizational Messages Manager built-in role. Existing custom roles for managing organizational messages must be edited to include this permission before users with those roles can assign target groups.

Tenant administration

Delete organizational messages

You can now delete organizational messages from Microsoft Intune. After you delete a message, it's removed from Intune, and no longer appears in the admin center. You can delete a message anytime, regardless of its status. Intune automatically cancels active messages after you delete them. For more information, see Delete organizational messages.

Review audit logs for organizational messages

Use audit logs to track and monitor organizational message events in Microsoft Intune. To access the logs, sign in to the Microsoft Intune admin center and go to Tenant administration > Audit logs. For more information, see Audit logs for Intune activities.

Week of April 10, 2023

Device configuration

User configuration support for Windows 10 multi-session VMs is now GA

You can now:

  • Configure user scope policies using Settings catalog and assign to groups of users.
  • Configure user certificates and assign to users.
  • Configure PowerShell scripts to install in the user context and assign to users.

Applies to:

Week of April 3, 2023

Device configuration

Add Google accounts to Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure settings that restrict device features and settings. Previously, the Add and remove accounts setting blocked all accounts from being added in the work profile, including Google accounts.

This setting changed: you can now allow Google accounts. The Add and remove accounts setting options are:

  • Block all accounts types: Prevents users from manually adding or removing accounts in the work profile. For example, when you deploy the Gmail app into the work profile, you can prevent users from adding or removing accounts in that work profile.

  • Allow all accounts types: Allows all accounts, including Google accounts. These Google accounts are blocked from installing apps from the Managed Google Play Store.

    This setting requires:

    • Google Play app version 80970100 or higher

  • Allow all accounts types, except Google accounts (default): Intune doesn't change or update this setting. By default, the OS might allow adding accounts in the work profile.

For more information on the settings you can configure, go to Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Week of March 27, 2023

App management

Update macOS DMG apps

You can now update apps of type macOS apps (DMG) deployed using Intune. To edit a DMG app that's already created in Intune, upload the app update with the same bundle identifier as the original DMG app. For related information, see Add a macOS DMG app to Microsoft Intune.

Install required apps during pre-provisioning

A new toggle is available in the Enrollment Status Page (ESP) profile that lets you choose whether to attempt to install required applications during the Windows Autopilot pre-provisioning technician phase. Installing as many applications as possible during pre-provisioning reduces the end user's setup time. If an app fails to install, ESP continues, unless the app is one of the blocking apps selected in the ESP profile, in which case ESP fails. To enable this behavior, edit your Enrollment Status Page profile and select Yes on the new setting entitled Only fail selected apps in technician phase. This setting only appears if you have blocking apps selected. For information about ESP, go to Set up the Enrollment Status Page.

Week of March 20, 2023 (Service release 2303)

App management

More minimum OS versions for Win32 apps

Intune supports more minimum operating system versions for Windows 10 and 11 when installing Win32 apps. In the Microsoft Intune admin center, select Apps > Windows > Add > Windows app (Win32). On the Requirements tab, next to Minimum operating system, select one of the available operating systems. The added OS options are:

  • Windows 10 21H2
  • Windows 10 22H2
  • Windows 11 21H2
  • Windows 11 22H2

Managed apps permission is no longer required to manage VPP apps

You can view and manage VPP apps with only the Mobile apps permission assigned. Previously, the Managed apps permission was required to view and manage VPP apps. This change doesn't apply to Intune for Education tenants who still need to assign the Managed apps permission. More information about permissions in Intune is available at Custom role permissions.

Device configuration

New settings and setting options available in the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > macOS for platform > Settings catalog for profile type.

New settings include:

Microsoft Defender > Tamper protection:

  • Enforcement level

Microsoft Office > Microsoft OneDrive:

  • Automatic upload bandwidth percentage
  • Automatically and silently enable the Folder Backup feature (aka Known Folder Move)
  • Block apps from downloading online-only files
  • Block external sync
  • Disable automatic sign in
  • Disable download toasts
  • Disable personal accounts
  • Disable tutorial
  • Display a notification to users once their folders have been redirected
  • Enable Files On-Demand
  • Enable simultaneous edits for Office apps
  • Force users to use the Folder Backup feature (aka Known Folder Move)
  • Hide dock icon
  • Ignore named files
  • Include ~/Desktop in Folder Backup (aka Known Folder Move)
  • Include ~/Documents in Folder Backup (aka Known Folder Move)
  • Open at login
  • Prevent users from using the Folder Backup feature (aka Known Folder Move)
  • Prompt users to enable the Folder Backup feature (aka Known Folder Move)
  • Set maximum download throughput
  • Set maximum upload throughput
  • SharePoint Prioritization
  • SharePoint Server Front Door URL
  • SharePoint Server Tenant Name

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create a policy using settings catalog.

Add custom Bash scripts to configure Linux devices

In Intune, you can add existing Bash scripts to configure Linux devices (Devices > Linux > Configuration Scripts).

When you create this script policy, you can set the context that the script runs in (user or root), how frequently the script runs, and how many times execution should retry.

For more information on this feature, go to Use custom Bash scripts to configure Linux devices in Microsoft Intune.

Applies to:

  • Linux Ubuntu Desktops

Device enrollment

Support for the await final configuration setting for iOS/iPadOS Automated device enrollment (public preview)

Now in public preview, Intune supports a new setting called Await final configuration in eligible new and existing iOS/iPadOS automated device enrollment profiles. This setting enables an out-of-the-box locked experience in Setup Assistant. It prevents device users from accessing restricted content or changing settings on the device until most Intune device configuration policies are installed. You can configure the setting in an existing automated device enrollment profile, or in a new profile (Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > Create profile). For more information, see Create an Apple enrollment profile.

New setting gives Intune admins control over device-to-category mapping

Control visibility of the device category prompt in Intune Company Portal. You can now hide the prompt from end users and leave the device-to-category mapping up to Intune admins. The new setting is available in the admin center under Tenant Administration > Customization > Device Categories. For more information, see Device categories.

Support for multiple enrollment profiles and tokens for fully managed devices

Create and manage multiple enrollment profiles and tokens for Android Enterprise fully managed devices. With this new functionality, you can now use the EnrollmentProfileName dynamic device property to automatically assign enrollment profiles to fully managed devices. The enrollment token that came with your tenant remains in a default profile. For more information, see Set up Intune enrollment of Android Enterprise fully managed devices.

New Microsoft Entra frontline worker experience for iPad (public preview)

This capability begins to roll out to tenants in mid-April.

Intune now supports a frontline worker experience for iPhones and iPads using Apple automated device enrollment. You can now enroll devices that are enabled in Microsoft Entra ID shared mode via zero-touch. For more information about how to configure automated device enrollment for shared device mode, see Set up enrollment for devices in Microsoft Entra shared device mode.

Applies to:

  • iOS/iPadOS

Device management

Endpoint security firewall policy support for log configurations

You can now configure settings in endpoint security Firewall policy that configure firewall logging options. These settings can be found in the Microsoft Defender Firewall profile template for the Windows 10 and later platform, and are available for the Domain, Private, and Public profiles in that template.

Following are the new settings, all found in the Firewall configuration service provider (CSP):

  • Enable Log Success Connections
  • Log File Path
  • Enable Log Dropped Packets
  • Enable Log Ignored Rules

Applies to:

  • Windows 11
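As an added example (not from the release notes or from Microsoft), the block below mirrors the four logging settings on a local test device so you can see what they produce, and then parses the resulting W3C-format firewall log to summarize dropped inbound connections by destination port. The sample log lines are constructed for the example, not captured from a real device; the default log path is the one Windows uses when no path is configured.

```powershell
# Added example, not part of the Intune release notes. Mirrors the endpoint security Firewall profile's
# logging settings with Set-NetFirewallProfile, then summarises DROP/RECEIVE lines from pfirewall.log.
# Sample log lines below are constructed, not a real capture.

$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'   # Windows default log path

# Intune setting -> cmdlet parameter:
#   Enable Log Success Connections -> -LogAllowed   Enable Log Dropped Packets -> -LogBlocked
#   Enable Log Ignored Rules        -> -LogIgnored   Log File Path              -> -LogFileName
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogAllowed True -LogBlocked True -LogIgnored True `
    -LogFileName $LogPath -LogMaxSizeKilobytes 32767

function Get-FirewallDropSummary {
    # Parses pfirewall.log lines (W3C format: '#Fields:' header, then space-separated records) and returns
    # dropped inbound flows grouped by protocol and destination port, with the distinct source addresses.
    param([Parameter(Mandatory)][string[]]$Lines, [int]$Top = 10)

    $fields = $null
    $drops  = foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }                      # no header seen yet; column mapping unknown
        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # truncated record (log rotated mid-write)
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # Only inbound drops: outbound drops usually mean a misconfigured app, not a probe.
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'RECEIVE') { [pscustomobject]$rec }
    }

    $drops | Group-Object protocol, 'dst-port' | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].protocol
                DstPort  = [int]$_.Group[0].'dst-port'
                Drops    = $_.Count
                Sources  = ($_.Group.'src-ip' | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample: header, three SMB/RDP SYN probes, one allowed outbound flow, one NetBIOS probe.
$sample = @(
    '#Version: 1.5'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2023-03-20 10:15:01 DROP TCP 10.0.0.5 10.0.0.10 51234 445 52 S 1 0 8192 - - - RECEIVE'
    '2023-03-20 10:15:02 DROP TCP 10.0.0.5 10.0.0.10 51235 445 52 S 1 0 8192 - - - RECEIVE'
    '2023-03-20 10:15:03 DROP TCP 10.0.0.7 10.0.0.10 40000 3389 52 S 1 0 8192 - - - RECEIVE'
    '2023-03-20 10:15:04 ALLOW TCP 10.0.0.10 10.20.1.4 50001 443 0 - 0 0 0 - - - SEND'
    '2023-03-20 10:15:05 DROP UDP 10.0.0.9 10.0.0.10 137 137 78 - - - - - - - RECEIVE'
)
Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize

# Against the live log on the device:
# Get-FirewallDropSummary -Lines (Get-Content ([Environment]::ExpandEnvironmentVariables($LogPath)))
```

Two practical caveats: the log file is rewritten in place when it reaches the configured size, so collect it on a schedule if you need history, and if you give each profile its own Log File Path in the Intune profile, run the parser per file rather than assuming a single log.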

Endpoint security firewall rules support for Mobile Broadband (MBB)

The Interface Types setting in endpoint security Firewall policy now includes the option Mobile Broadband. Interface Types is available in the Microsoft Defender Firewall Rules profile for every Windows platform the policy supports. For information about the use of this setting and option, see Firewall configuration service provider (CSP).

Applies to:

  • Windows 10
  • Windows 11

Endpoint security firewall policy support for network list manager settings

We've added a pair of network list manager settings to endpoint security Firewall policy. A Microsoft Entra joined device has no domain controller to authenticate against, so it can't classify a network as a domain network on its own. These settings let it prove it's on your on-premises network by reaching a TLS endpoint you specify, so the Domain firewall profile, and the rules assigned to it, apply only when the device is actually on that network.

The following settings are found in a new category named Network List Manager, that's available in the Microsoft Defender Firewall profile template for the Windows 10, Windows 11, and Windows Server platform:

  • Allowed Tls Authentication Endpoints
  • Configured Tls Authentication Network Name

For information about Network Categorization settings, see NetworkListManager CSP.

Applies to:

  • Windows 10
  • Windows 11

Improvements to Devices area in admin center (public preview)

The Devices area in the admin center now has a more consistent UI, with more capable controls and an improved navigation structure so you can find the information you need faster. To opt in to the public preview and try out the new experience, go to Devices and flip the toggle at the top of the page. Improvements include:

  • A new scenario-focused navigation structure.
  • New location for platform pivots to create a more consistent navigation model.
  • Fewer steps to reach a destination, helping you get there faster.
  • Monitoring and reports are within the management workflows, giving you easy access to key metrics and reports without having to leave the workflow.
  • A consistent way across list views to search, sort, and filter data.

For more information about the updated UI, see Try new Devices experience in Microsoft Intune.

Device security

Microsoft Intune Endpoint Privilege Management (public preview)

As a public preview, you can now use Microsoft Intune Endpoint Privilege Management. With Endpoint Privilege Management, admins can set policies that allow standard users to perform tasks normally reserved for an administrator. Endpoint Privilege Management can be configured in the Intune admin center at Endpoint security > Endpoint Privilege Management.

With the public preview, you can configure policies for automatic and user-confirmed workflows that elevate the run-time permissions for apps or processes you select. You then assign these policies to users or devices that have end users running without Administrator privileges. Once policy is received, Endpoint Privilege Management will broker the elevation on behalf of the user, allowing them to elevate approved applications without needing full administrator privileges. The preview also includes built-in insights and reporting for Endpoint Privilege Management.

To learn how to activate the public preview and use Endpoint Privilege Management policies, start with Use Endpoint Privilege Management with Microsoft Intune. Endpoint Privilege Management is part of the Intune Suite offering, and free to try while it remains in public preview.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • EVALARM by GroupKom GmbH (iOS)
  • ixArma by INAX-APPS (Android)
  • Seismic | Intune by Seismic Software, Inc.
  • Microsoft Viva Engage by Microsoft (formerly Microsoft Yammer)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Diagnostic data collection for Endpoint Privilege Management

To support the release of Endpoint Privilege Management, we've updated Collect diagnostics from a Windows device to include the following data, which is collected from devices enabled for Endpoint Privilege Management:

  • Registry keys:

    • HKLM\SOFTWARE\Microsoft\EPMAgent
  • Commands:

    • %windir%\system32\pnputil.exe /enum-drivers
  • Log files:

    • %ProgramFiles%\Microsoft EPM Agent\Logs\*.*
    • %windir%\system32\config\systemprofile\AppData\Local\mdm\*.log

View status for pending and failed organizational messages

We've added two more states to organizational message reporting details to make it easier to track pending and failed messages in the admin center.

  • Pending: The message hasn't been scheduled yet and is currently in progress.
  • Failed: The message failed to schedule due to a service error.

For information about reporting details, see View reporting details for organizational messages.

Antivirus reports include tenant attach devices

You can now view information for tenant attach devices in the existing antivirus reports under the Endpoint security workload. A new column differentiates between devices managed by Intune and devices managed by Configuration Manager. This reporting information is available in the Microsoft Intune admin center by selecting Endpoint security > Antivirus.

Week of March 13, 2023

Device management

Meta Quest 2 and Quest Pro are now in Open Beta (US only) on Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) has welcomed Meta Quest 2 and Quest Pro into Open Beta for the US market.

For more information, go to Operating systems and browsers supported by Microsoft Intune

Applies to:

  • Android (AOSP)

App management

Trusted Root Certificates Management for Intune App SDK for Android

If your Android application requires SSL/TLS certificates issued by an on-premises or private certificate authority to provide secure access to internal websites and applications, the Intune App SDK for Android now has support for certificate trust management. For more information and examples, see Trusted Root Certificates Management.

System context support for UWP apps

In addition to user context, you can now deploy Universal Windows Platform (UWP) apps from the Microsoft Store app (new) in system context. Deploying an .appx app in system context provisions the package, so it auto-installs for each user who signs in. If an individual user uninstalls the app from their profile, it still shows as installed because the package is still provisioned. Before you deploy in system context, the app must not already be installed for any user on the device. Our general recommendation is to not mix install contexts when deploying apps. Win32 apps from the Microsoft Store app (new) already support system context.

Week of March 6, 2023

App management

Deploy Win32 apps to device groups

You can now deploy Win32 apps with Available intent to device groups. For more information, see Win32 app management in Microsoft Intune.

Device management

New URL for Microsoft Intune admin center

The Microsoft Intune admin center has a new URL: https://intune.microsoft.com. The previously used URL, https://endpoint.microsoft.com, continues to work but will redirect to the new URL in late 2023. We recommend taking the following actions to avoid issues with Intune access and automated scripts:

  • Update login or automation to point to https://intune.microsoft.com.
  • Update your firewalls, as needed, to allow access to the new URL.
  • Add the new URL to your favorites and bookmarks.
  • Notify your helpdesk and update IT administrator documentation.

Tenant administration

Add CMPivot queries to Favorites folder

You can add your frequently used queries to a Favorites folder in CMPivot. CMPivot allows you to quickly assess the state of a device managed by Configuration Manager via Tenant Attach and take action. The functionality is similar to one already present in the Configuration Manager console. This addition helps you keep all your most used queries in one place. You can also add tags to your queries to help search and find queries. The queries saved in the Configuration Manager console aren't automatically added to your Favorites folder. You need to create new queries and add them to this folder. For more information about CMPivot, see Tenant attach: CMPivot usage overview.

Device enrollment

New Microsoft Store apps now supported with the Enrollment Status Page

The Enrollment Status Page (ESP) now supports the new Microsoft store applications during Windows Autopilot. This update enables better support for the new Microsoft Store experience and should be rolling out to all tenants starting with Intune 2303. For related information, see Set up the Enrollment Status Page.

Week of February 27, 2023

Device configuration

Support for Locate device on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices

You can now use "Locate device" on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices. With this feature, admins are able to locate lost or stolen corporate devices on-demand.

In the Microsoft Intune admin center, you turn the feature on using a device configuration profile (Devices > Configuration > Create > Android Enterprise for platform > Device Restrictions for profile type).

Select Allow on the Locate device toggle for fully managed and corporate owned work profile devices and select applicable groups. Locate device is available when you select Devices, and then select All devices. From the list of devices you manage, select a supported device, and choose the Locate device remote action.

For information on locating lost or stolen devices with Intune, go to:

Applies to:

  • Android Enterprise corporate owned fully managed
  • Android Enterprise corporate owned dedicated devices
  • Android Enterprise corporate owned work profile

Intune add-ons

Microsoft Intune Suite adds mission-critical advanced endpoint management and security capabilities to Microsoft Intune.

You can find add-ons to Intune in the Microsoft Intune admin center under Tenant administration > Intune add-ons.

For detailed information, see Use Intune Suite add-on capabilities.

View ServiceNow Incidents in the Intune Troubleshooting workspace (Preview)

In public preview, you can view a list of ServiceNow incidents associated with the user you've selected in the Intune Troubleshooting workspace. This new feature is available under Troubleshooting + Support > select a user > ServiceNow Incidents. Each incident in the list shows key information from the incident and links directly back to the source incident. Incidents are matched by the Caller field of the incident to the user you selected for troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your company.

Device security

Microsoft Tunnel for MAM is now generally available

Now out of preview and generally available, you can add Microsoft Tunnel for Mobile Application Management to your tenant. Tunnel for MAM supports connections from unenrolled Android and iOS devices. This solution provides your tenant with a lightweight VPN solution that allows mobile devices access to corporate resources while adhering to your security policies.

In addition, MAM Tunnel for iOS now supports Microsoft Edge.

Previously, Tunnel for MAM for Android and iOS was in public preview and free to use. Now that it's generally available, this solution requires an add-on license.

For licensing details, see Intune add-ons.

Applies to:

  • Android
  • iOS

Tenant administration

Organizational messages now support custom destination URLs

You can now add any custom destination URL to organizational messages in the taskbar, notifications area, and Get Started app. This feature applies to Windows 11. Messages created with Microsoft Entra registered domains that are in a scheduled or active state are still supported. For more information, see Create organizational messages.

Week of February 20, 2023 (Service release 2302)

App management

Latest iOS/iPadOS version available as minimum OS requirement for LOB and store apps

You can specify iOS/iPadOS 16.0 as the minimum operating system for line-of-business and store app deployments. This setting option is available in Microsoft Intune admin center by selecting Apps > iOS/iPadOS > iOS store app or Line-of-business app. For more information about managing apps, see Add apps to Microsoft Intune.

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Egnyte for Intune by Egnyte

For more information about protected apps, see Microsoft Intune protected apps.

Device configuration

Endpoint Manager admin center is renamed to Intune admin center

The Microsoft Endpoint Manager admin center is now called the Microsoft Intune admin center.

A new Associated Assignments tab for your filters

When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, model, and ownership. You can create and associate a filter with the assignment.

After you create a filter, there's a new Associated Assignments tab. This tab shows all the policy assignments, the groups that receive the filter assignments, and if the filter is using Exclude or Include:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Filters > Select an existing filter > Associated Assignments tab.

For more information on filters, go to:

Size and generation included in iOS/iPadOS model information

You can view the size and generation for enrolled iOS/iPadOS devices as part of the Model attribute in Hardware device details.

Go to Devices > All devices > select one of your listed devices and select Hardware to open its details. For example, iPad Pro 11 inch (third generation) displays for the device model instead of iPad Pro 3. For more information, go to: See device details in Intune

Applies to:

  • iOS/iPadOS

Disable Activation Lock device action for supervised iOS/iPadOS devices

You can use the Disable Activation Lock device action in Intune to bypass Activation Lock on iOS/iPadOS devices without requiring the current username or password.

This new action is available under Devices > iOS/iPadOS > select one of your listed devices > Disable Activation Lock.

More information on managing Activation Lock is available at Bypass iOS/iPadOS Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad, and iPod touch - Apple Support.

Applies to:

  • iOS/iPadOS

Allow Temporary Enterprise Feature Control is available in the Settings Catalog

In on-premises group policy, there's an Enable features introduced via servicing that are off by default setting.

In Intune, this setting is known as Allow Temporary Enterprise Feature Control and is available in the Settings Catalog. Servicing updates can introduce features that are off by default. When this setting is set to Allowed, those features are enabled and turned on.

For more information on this feature, go to:

The Windows features that are enabled by this policy setting should release later in 2023. Intune is releasing this policy setting now for your awareness and preparation, ahead of any need to use it with future Windows 11 releases.

For more information on the settings catalog, go to Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Applies to:

  • Windows 11

Device management

Device Control support for Printer Protection (Preview)

In public preview, Device Control profiles for Attack Surface Reduction policy now support reusable settings groups for Printer Protection.

Microsoft Defender for Endpoint Device Control Printer Protection enables you to audit, allow, or prevent printing, with or without exclusions, from within Intune. It allows you to block users from printing via a non-corporate network printer or a non-approved USB printer. This feature adds another layer of security and data protection for work from home and remote work scenarios.

Applies to:

  • Windows 10
  • Windows 11

Support to delete stale devices that are managed through Security Management for Microsoft Defender for Endpoint

You can now Delete a device that's managed through the Security Management for Microsoft Defender for Endpoint solution from within the Microsoft Intune admin center. The delete option appears along with other device management options when you view the device's Overview details. To locate a device managed by this solution, in the admin center go to Devices > All devices, and then select a device that displays either MDEJoined or MDEManaged in the Managed by column.

New settings and setting options available in the Apple Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Login > Service Management - Managed Login Items:

  • Team Identifier

Microsoft Office > Microsoft Office:

  • Office Activation Email Address

Applies to:

  • macOS

Networking > Domains:

  • Cross Site Tracking Prevention Relaxed Domains

Applies to:

  • iOS/iPadOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device security

Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior (Preview)

As part of a public preview for Endpoint security Antivirus policy, you can use the new profile Defender Update controls for the Windows 10 and later platform to manage update settings for Microsoft Defender. The new profile includes settings for the rollout release channel. The channel you select controls when devices receive the daily security intelligence updates, the monthly platform updates, and the monthly engine updates.

This profile includes the following settings, which are all directly taken from Defender CSP - Windows Client Management.

  • Engine Updates Channel
  • Platform Updates Channel
  • Security Intelligence Updates Channel

These settings are also available from the settings catalog for the Windows 10 and later profile.

Applies to:

  • Windows 10
  • Windows 11

Week of February 6, 2023

Tenant administration

Apply recommendations and insights to enrich the Configuration Manager site health and device management experience

You can now use the Microsoft Intune admin center to view recommendations and insights for your Configuration Manager sites. These recommendations can help you improve the site health and infrastructure and enrich the device management experience.

Recommendations include:

  • How to simplify your infrastructure
  • Enhance device management
  • Provide device insights
  • Improve the health of the site

To view recommendations, open the Microsoft Intune admin center and go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager, and select a site to view recommendations for that site. Once selected, the Recommendations tab displays each insight along with a Learn more link. This link opens details on how to apply that recommendation.

For more information, see Enable Microsoft Intune tenant attach - Configuration Manager.

Week of January 30, 2023

Device management

HTC Vive Focus 3 supported on Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) now supports HTC Vive Focus 3.

For more information, go to Operating systems and browsers supported by Microsoft Intune.

Applies to:

  • Android (AOSP)

Introducing support for laser pointers in Remote Help

In Remote Help, you can now use a laser pointer when you're providing assistance on Windows.

For more information on Remote Help, go to Remote Help.

Applies to:

  • Windows 10/11

Week of January 23, 2023 (Service release 2301)

App management

Configure whether to show Configuration Manager apps in Windows Company Portal

In Intune, you can choose whether to show or hide Configuration Manager apps in the Windows Company Portal. This option is available in the Microsoft Intune admin center by selecting Tenant administration > Customization. Next to Settings, select Edit. The option to Show or Hide the Configuration Manager applications is located in the App Sources section of the pane. For related information about configuring the Company Portal app, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Block pinning web pages to Managed Home Screen app

On Android Enterprise dedicated devices using Managed Home Screen, you can now use app configuration to configure the Managed Home Screen app to block pinning browser web pages to Managed Home Screen. The new key value is block_pinning_browser_web_pages_to_MHS. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Device management

Grace period status visible in Microsoft Intune app for Android

The Microsoft Intune app for Android now shows a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users can see the date by which devices must be compliant, and the instructions for how to become compliant. If they don't update their device by the given date, the device is marked as noncompliant. For more information, see the following docs:

Software update policies for macOS are now generally available

Software update policies for macOS devices are now generally available. This general availability applies to supervised devices running macOS 12 (Monterey) and later. Improvements are being made to this feature.

For more information, see Use Microsoft Intune policies to manage macOS software updates.

Windows Autopilot device diagnostics

Windows Autopilot diagnostics are available to download in the Microsoft Intune admin center from either the Autopilot deployments monitor or the Device diagnostics monitor for an individual device.

Device enrollment

Enrollment notifications now generally available

Enrollment notifications are now generally available, and are supported on Windows, Apple, and Android devices. This feature is only supported with user-driven enrollment methods. For more information, see Set up enrollment notifications.

Skip or show Terms of Address pane in Setup Assistant

Configure Microsoft Intune to skip or show a new Setup Assistant pane called Terms of Address during Apple Automated Device Enrollment. The Terms of Address lets users on iOS/iPadOS and macOS devices personalize their device by selecting how the system addresses them: feminine, neutral, or masculine. The pane is visible during enrollment by default, and is available for select languages. You can hide it on devices running iOS/iPadOS 16 and later, and macOS 13 and later. For more information about the Setup Assistant screens supported in Intune, see:

Device security

Microsoft Tunnel for Mobile Application Management for iOS/iPadOS (Preview)

As a public preview, you can use Mobile Application Management (MAM) with the Microsoft Tunnel VPN gateway for iOS/iPadOS. With this preview, supported apps on iOS devices that haven't enrolled with Intune can use Microsoft Tunnel to connect to your organization when working with corporate data and resources. This feature includes VPN gateway support for:

  • Secure access to on-premises apps and resources using modern authentication
  • Single Sign On and conditional access

For more information, go to:

Applies to:

  • iOS/iPadOS

Attack surface reduction policy support for Security settings management for Microsoft Defender for Endpoint

Devices managed through the MDE Security configuration scenario support attack surface reduction policy. To use this policy with devices that use Microsoft Defender for Endpoint but aren't enrolled with Intune:

  1. In the Endpoint Security node, create a new Attack surface reduction policy.
  2. Select Windows 10, Windows 11, and Windows Server as the Platform.
  3. Select Attack Surface Reduction Rules for the Profile.

Applies to:

  • Windows 10
  • Windows 11

SentinelOne – New mobile threat defense partner

You can now use SentinelOne as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the SentinelOne connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment in your compliance policy. The SentinelOne connector can also send risk levels to app protection policies.

Device configuration

Device Firmware Configuration Interface (DFCI) supports Fujitsu devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

Some Fujitsu devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, go to:

Applies to:

  • Windows 10
  • Windows 11

Support for Bulk Device Actions on devices running Android (AOSP)

You can now complete "Bulk Device Actions" for devices running Android (AOSP). The bulk device actions supported on devices running Android (AOSP) are Delete, Wipe, and Restart.

Applies to:

  • Android (AOSP)

Updated descriptions for iOS/iPadOS and macOS settings in the settings catalog

The settings catalog lists all the settings you can configure, and all in one place. For the iOS/iPadOS and macOS settings, for each setting category, the descriptions are updated to include more detailed information.

For more information on the settings catalog, go to:

Applies to:

  • iOS/iPadOS
  • macOS

New settings available in the Apple Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Accounts > Subscribed Calendars:

  • Account Description
  • Account Host Name
  • Account Password
  • Account Use SSL
  • Account Username

Applies to:

  • iOS/iPadOS

Networking > Domains:

  • Cross Site Tracking Prevention Relaxed Domains

Applies to:

  • macOS

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

File Vault:

  • User Enters Missing Info

Applies to:

  • macOS

Restrictions:

  • Rating Region

Applies to:

  • iOS/iPadOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Filter app and policy assignments by the device's Microsoft Entra join type (deviceTrustType)

When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.

A new device filter property deviceTrustType is available for Windows 10 and later devices. With this property, you can filter app and policy assignments depending on the Microsoft Entra join type. The values include Microsoft Entra joined, Microsoft Entra hybrid joined, and Microsoft Entra registered.

For more information on filters and the device properties you can use, go to:

Applies to:

  • Windows 10 and later

Monitor and troubleshoot

Download mobile app diagnostics in the Microsoft Intune admin center (public preview)

Now in public preview, you can access user-submitted mobile app diagnostics in the admin center, including app logs sent through the Company Portal app for Android, Android (AOSP), or Windows. Support for iOS, macOS, and Microsoft Edge for iOS is coming at a later date. For more information about accessing mobile app diagnostics for Company Portal, see Configure Company Portal.

WinGet troubleshooting using diagnostic files

WinGet is a command line tool that enables you to discover, install, upgrade, remove, and configure applications on Windows 10 and Windows 11 devices. When working with Win32 app management in Intune, you can now use the following file locations to help troubleshoot WinGet:

  • %TEMP%\winget\defaultstate*.log
  • Microsoft-Windows-AppXDeployment/Operational
  • Microsoft-Windows-AppXDeploymentServer/Operational

Intune troubleshooting pane update

A new experience for the Intune Troubleshooting pane provides details about a user's devices, policies, applications, and status. The troubleshooting pane includes the following information:

  • A summary of policy, compliance, and application deployment status.
  • Support for exporting, filtering, and sorting all reports.
  • Support to filter by excluding policies and applications.
  • Support to filter to a user's single device.
  • Details about available device diagnostics and disabled devices.
  • Details about offline devices that haven't checked in to the service for three or more days.

You can find the troubleshooting pane in Microsoft Intune admin center by selecting Troubleshooting + support > Troubleshoot. To view the new experience during preview, select Preview upcoming changes to Troubleshooting and provide feedback to display the Troubleshooting preview pane, then select Try it now.

New report for devices without compliance policy (preview)

We've added a new report named Devices without compliance policy to the Device compliance reports you can access through the Reports node of the Microsoft Intune admin center. This report, which is in preview, uses a newer reporting format that provides for more capabilities.

To learn about this new organizational report, see Devices without compliance policy (Organizational).

An older version of this report remains available through the Devices > Monitor page of the admin center. Eventually, that older report version will retire, though it remains available for now.

Service health messages for tenant issues that require administrative attention

The Service health and message center page in the Microsoft Intune admin center can now display messages for Issues in your environment that require action. These messages are important communications that are sent to a tenant to alert administrators about issues in their environment that might require action to resolve.

You can view messages for Issues in your environment that require action in the Microsoft Intune admin center by going to Tenant administration > Tenant status and then selecting the Service health and message center tab.

For more information about this page of the admin center, see View details about your Tenant on the Intune tenant status page.

Tenant administration

Improved UI experience for multiple certificate connectors

We've added pagination controls to the Certificate connectors view to help improve the experience when you have more than 25 certificate connectors configured. With the new controls, you can see the total number of connector records and easily navigate to a specific page when viewing your certificate connectors.

To view certificate connectors, in the Microsoft Intune admin center, go to Tenant administration > Connectors and tokens > Certificate connectors.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Voltage SecureMail by Voltage Security

For more information about protected apps, see Microsoft Intune protected apps.

Scripts

Preview PowerShell script package content in Endpoint Analytics

Admins can now see a preview of a PowerShell script's content for proactive remediations. The content is displayed in a grayed-out box with scrolling capability. Admins can't edit the content of the script in the preview. In Microsoft Intune admin center, select Reports > Endpoint analytics > Proactive remediations. For more information, see PowerShell scripts for Proactive remediations.

Week of January 16, 2023

App management

Win32 app supersedence GA

The feature set for Win32 app supersedence GA is available. It adds support for apps with supersedence during ESP, and also allows supersedence & dependency relationships to be added in the same app subgraph. For more information, see Win32 app supersedence improvements. For information about Win32 app supersedence, see Add Win32 app supersedence.

Week of January 9, 2023

Device configuration

The Company Portal app enforces Password Complexity setting on Android Enterprise 12+ personally owned devices with a work profile

On Android Enterprise 12+ personally owned devices with a work profile, you can create a compliance policy and/or device configuration profile that sets the password complexity. Starting with the 2211 release, this setting is available in the Intune admin center:

  • Devices > Configuration > Create > Android Enterprise for platform > Personally owned with a work profile
  • Devices > Compliance policies > Create policy > Android Enterprise for platform > Personally owned with a work profile

The Company Portal app enforces the Password complexity setting.

For more information on this setting and the other settings you can configure on personally owned devices with a work profile, go to:

Applies to:

  • Android Enterprise 12+ personally owned devices with a work profile

Week of December 19, 2022

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Appian for Intune by Appian Corporation (Android)

For more information about protected apps, see Microsoft Intune protected apps.

Week of December 12, 2022 (Service release 2212)

Device configuration

Remote Help client app includes a new option to disable chat functionality in the Tenant level setting

In the Remote Help app, admins can disable chat functionality from the new tenant level setting. Turning on the disable chat feature removes the chat button in the Remote Help app. This setting can be found in the Remote Help Settings tab under Tenant Administration in Microsoft Intune.

For more information, see Configure Remote Help for your tenant.

Applies to:

  • Windows 10/11

New settings available in the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > macOS for platform > Settings catalog for profile type.

New settings include:

File Vault > File Vault Options:

  • Block FV From Being Disabled
  • Block FV From Being Enabled

Restrictions:

  • Allow Bluetooth Modification

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are default settings for SSO extension requests on iOS, iPadOS, and macOS devices

When you create a single sign-on app extension configuration profile, some of the settings you configure have default values. The following settings use these default values for all SSO extension requests:

  • AppPrefixAllowList key

    • macOS default value: com.microsoft.,com.apple.
    • iOS/iPadOS default value: com.apple.
  • browser_sso_interaction_enabled key

    • macOS default value: 1
    • iOS/iPadOS default value: 1
  • disable_explicit_app_prompt key

    • macOS default value: 1
    • iOS/iPadOS default value: 1

If you configure a value other than the default value, the configured value overwrites the default value.

For example, suppose you don't configure the AppPrefixAllowList key. By default, all Microsoft apps (com.microsoft.) and all Apple apps (com.apple.) are enabled for SSO on macOS devices. You can overwrite this behavior by adding a different prefix to the list, such as com.contoso. (the value replaces the default list rather than extending it).

For more information on the Enterprise SSO plug-in, go to Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune.

Applies to:

  • iOS/iPadOS
  • macOS

Device enrollment

Enrollment token lifetime increases to 65 years for Android Enterprise dedicated devices

Now you can create an enrollment profile for Android Enterprise dedicated devices that's valid for up to 65 years. If you have an existing profile, the enrollment token still expires at whatever date you chose when you created the profile, but during renewal you can extend the lifetime. For more information about creating an enrollment profile, see Set up Intune enrollment for Android Enterprise dedicated devices.

Device management

Update policies for macOS now available for all supervised devices

Software update policies for macOS devices now apply to all macOS supervised devices. Previously, only those devices that enrolled through Automated Device Enrollment (ADE) would qualify to receive updates. For more information on configuring update policies for macOS, see Use Microsoft Intune policies to manage macOS software updates.

Applies to:

  • macOS

Policy and reports for Windows feature updates and expedited quality updates are now Generally Available

Both the policies and reports for managing feature updates and quality updates (expedited updates) for Windows 10 and later are out of preview and now generally available.

For more information about these policies and reports, see:

Applies to:

  • Windows 10/11

Week of November 28, 2022

App management

Microsoft Store apps in Intune

You can now search, browse, configure, and deploy Microsoft Store apps within Intune. The new Microsoft Store app type is implemented using the Windows Package Manager. This app type features an expanded catalog of apps, which includes both UWP apps and Win32 apps. Roll out of this feature is expected to complete by December 2, 2022. For more information, see Add Microsoft Store apps to Microsoft Intune.

Tenant administration

Access policies for multiple Administrator Approval (public preview)

In public preview, you can use Intune access policies to require that a second Administrator Approval account approve a change before the change is applied. This capability is known as multiple Administrator Approval (MAA).

You create an access policy to protect a type of resource, like App deployments. Each access policy also includes a group of users who are approvers for the changes protected by the policy. When a resource, like an app deployment configuration, is protected by an access policy, any changes made to the deployment, including creating, deleting, or modifying an existing deployment, won't apply until a member of the approvers group for that access policy reviews and approves that change.

Approvers can also reject requests. The individual requesting a change and the approver can provide notes about the change, or why it was approved or rejected.

Access policies are supported for the following resources:

  • Apps – Applies to app deployments, but doesn't apply to app protection policies.
  • Scripts – Applies to deploying scripts to devices that run macOS or Windows.

For more information, see Use Access policies to require multiple administrative approval.

Device security

Microsoft Tunnel for Mobile Application Management for Android (Preview)

As a public preview, you can now use Microsoft Tunnel with unenrolled devices. This capability is called Microsoft Tunnel for Mobile Application Management (MAM). This preview supports Android and, without any changes to your existing Tunnel infrastructure, supports the Tunnel VPN gateway for:

  • Secure access to on-premises apps and resources using modern authentication
  • Single Sign On and conditional access

To use Tunnel MAM, unenrolled devices must install Microsoft Edge, Microsoft Defender for Endpoint, and the Company Portal. You can then use the Microsoft Intune admin center to configure the following profiles for the unenrolled devices:

  • An App configuration profile for managed apps, to configure Microsoft Defender on devices for use as the Tunnel client app.
  • A second App configuration profile for managed apps, to configure Microsoft Edge to connect to Tunnel.
  • An App protection profile to enable automatic start of the Microsoft Tunnel connection.

Applies to:

  • Android Enterprise

Week of November 14, 2022 (Service release 2211)

App management

Control the display of Managed Google Play apps

You can group Managed Google Play apps into collections and control the order that collections are displayed when selecting apps in Intune. You can also make apps visible via search only. This capability is available in Microsoft Intune admin center by selecting Apps > All apps > Add > Managed Google Play app. For more information, see Add a Managed Google Play store app directly in the Intune admin center.

Device configuration

New password complexity setting for Android Enterprise 12+ personally owned devices with a work profile

On Android Enterprise 11 and older personally owned devices with a work profile, you can set the following password settings:

  • Devices > Compliance > Android Enterprise for platform > Personally owned work profile > System security > Required password type, Minimum password length
  • Devices > Configuration > Android Enterprise for platform > Personally owned work profile > Device restrictions > Work profile settings > Required password type, Minimum password length
  • Devices > Configuration > Android Enterprise for platform > Personally owned work profile > Device restrictions > Password > Required password type, Minimum password length

Google is deprecating the Required password type and Minimum password length settings for Android 12+ personally owned devices with a work profile and replacing them with new password complexity requirements. For more information about this change, go to Day zero support for Android 13.

The new Password complexity setting has the following options:

  • None: Intune doesn't change or update this setting. By default, the OS might not require a password.
  • Low: Pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked.
  • Medium: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked. The length, alphabetic length, or alphanumeric length must be at least four characters.
  • High: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked. The length must be at least eight characters. The alphabetic or alphanumeric length must be at least six characters.

On Android 12+, if you currently use the Required password type and Minimum password length settings in a compliance policy or device configuration profile, then we recommend using the new Password complexity setting instead.

If you continue to use the Required password type and Minimum password length settings, and don't configure the Password complexity setting, then new devices running Android 12+ might default to the High password complexity.

For more information on these settings and what happens to existing devices with the deprecated settings configured, go to:

Applies to:

  • Android Enterprise 12.0 and newer personally owned devices with a work profile

New settings available in the iOS/iPadOS and macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Networking > DNS Settings:

  • DNS Protocol
  • Server Addresses
  • Server Name
  • Server URL
  • Supplemental Match Domains
  • On Demand Rules
  • Action
  • Action Parameters
  • DNS Domain Match
  • DNS Server Address Match
  • Interface Type Match
  • SSID Match
  • URL String Probe
  • Prohibit Disablement

File Vault:

  • Defer
  • Defer Don't Ask At User Logout
  • Defer Force At User Login Max Bypass Attempts
  • Enable
  • Show Recovery Key
  • Use Recovery Key

File Vault > File Vault Recovery Key Escrow:

  • Device Key
  • Location

Restrictions:

  • Allow Air Play Incoming Requests

Applies to:

  • macOS

Web > Web Content Filter:

  • Allow List Bookmarks
  • Auto Filter Enabled
  • Deny List URLs
  • Filter Browsers
  • Filter Data Provider Bundle Identifier
  • Filter Data Provider Designated Requirement
  • Filter Grade
  • Filter Packet Provider Bundle Identifier
  • Filter Packet Provider Designated Requirement
  • Filter Packets
  • Filter Sockets
  • Filter Type
  • Organization
  • Password
  • Permitted URLs
  • Plugin Bundle ID
  • Server Address
  • User Defined Name
  • User Name
  • Vendor Config

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device Firmware Configuration Interface (DFCI) supports Panasonic devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

New Panasonic devices running Windows 10/11 are being enabled for DFCI starting Fall 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Panasonic devices.

Contact your device vendor or device manufacturer to ensure you get eligible devices.

For more information about DFCI profiles, go to:

Applies to:

  • Windows 10
  • Windows 11

Sign in and background item management support on macOS devices using the settings catalog

On macOS devices, you can create a policy that automatically opens items when users sign in to their macOS devices. For example, you can open apps, documents, and folders.

In Intune, the settings catalog includes new Service Management settings at Devices > Configuration > Create > macOS for platform > Settings catalog > Login > Service Management. These settings can prevent users from disabling the managed login and background items on their devices.

For more information on the settings catalog, go to:

Applies to:

  • macOS 13 and newer

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Varicent by Varicent US OpCo Corporation
  • myBLDNG by Bldng.ai
  • Enterprise Files for Intune by Stratospherix Ltd
  • ArcGIS Indoors for Intune by ESRI
  • Meetings by Decisions by Decisions AS
  • Idenprotect Go by Apply Mobile Ltd

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Review Cloud PC connectivity health checks and errors in Microsoft Intune admin center

You can now review connectivity health checks and errors in the Microsoft Intune admin center to help you understand if your users are experiencing connectivity issues. There's also a troubleshooting tool to help resolve connectivity issues. To see the checks, select Devices > Windows 365 > Azure network connections > select a connection in the list > Overview.

Tenant administration

Deliver organizational messages for Windows 11 (public preview)

Use Microsoft Intune to deliver important messages and calls to action to employees on their devices. Organizational messages are preconfigured messages intended to improve employee communication in remote and hybrid-work scenarios. They can be used to help employees adapt to new roles, learn more about their organization, and stay informed of new updates and trainings. You can deliver messages just above the taskbar, in the notifications area, or in the Get Started app on Windows 11 devices.

During public preview, you can:

  • Select from various preconfigured, common messages to assign to Microsoft Entra user groups.
  • Add your organization's logo.
  • Include a custom destination URL in the message that redirects device users to a specific place.
  • Preview messages in 15 supported languages, in dark and light theme.
  • Schedule a delivery window and message frequency.
  • Track the status of messages and the number of views and clicks they receive. Views and clicks are aggregated by messages.
  • Cancel scheduled or active messages.
  • Configure a new built-in role in Intune called Organizational Messages Manager, which allows assigned admins to view and configure messages.

All configurations need to be done in the Microsoft Intune admin center. The Microsoft Graph API isn't available to use with organizational messages. For more information, see Overview of organizational messages.

Week of November 7, 2022

App management

Ending support for Windows Information Protection

Windows Information Protection (WIP) policies without enrollment are being deprecated. You can no longer create new WIP policies without enrollment. You can still modify existing policies until December 2022, when the deprecation of the without-enrollment scenario is complete. For more information, go to Plan for Change: Ending support for Windows Information Protection.

Device Configuration

User configuration support for Windows 11 multi-session VMs is now generally available

You can now:

  • Configure user scope policies using Settings catalog and assign to groups of users, including ADMX-ingested policies
  • Configure user certificates and assign to users
  • Configure PowerShell scripts to install in the user context and assign to users

Applies to:

Week of October 31, 2022

App management

Primary MTD service app protection policy setting for Intune

Intune now supports both Microsoft Defender for Endpoint and one non-Microsoft Mobile Threat Defense (MTD) connector being turned "On" for App Protection Policy evaluation per platform. This feature enables scenarios where a customer wants to migrate between Microsoft Defender for Endpoint and a non-Microsoft MTD service without a pause in protection via risk scores in App Protection Policy. A new setting has been introduced under Conditional Launch health checks titled "Primary MTD service" to specify which service should be enforced for the end user. For more information, see Android app protection policy settings and iOS app protection policy settings.

Week of October 24, 2022 (Service release 2210)

App management

Use filters with app configuration policies for managed devices

You can use filters to refine the assignment scope when deploying app configuration policies for managed devices. You must first create a filter using any of the available properties for iOS and Android. Then, in Microsoft Intune admin center you can assign your managed app configuration policy by selecting Apps > App configuration policies > Add > Managed devices and go to the assignment page. After selecting a group, you can refine the applicability of the policy by choosing a filter and deciding to use it in Include or Exclude mode. For related information about filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune admin center.

Device configuration

Group Policy analytics automatically applies scope tags assigned to admins when they import Group Policy objects

In Group Policy analytics, you can import your on-premises GPOs to see the policy settings that support cloud-based MDM providers, including Microsoft Intune. You can also see any deprecated settings or settings not available.

Now, scope tags assigned to admins are automatically applied when these admins import GPOs into Group Policy analytics.

For example, admins have Charlotte, London, or Boston scope tags assigned to their role:

  • An admin with the Charlotte scope tag imports a GPO.
  • The Charlotte scope tag is automatically applied to the imported GPO.
  • All admins with the Charlotte scope tag can see the imported object.
  • Admins with only the London or only the Boston scope tags can't see the imported object from the Charlotte admin.

For admins to see the analytics or migrate the imported GPO to an Intune policy, these admins must have one of the same scope tags as the admin that did the import.

For more information on these features, go to:

Applies to:

  • Windows 11
  • Windows 10

New network endpoints for Microsoft Intune

New network endpoints have been added to our documentation to accommodate new Azure Scale Units (ASU) that are added to the Intune service. We recommend updating your firewall rules with the latest list of IP addresses to ensure that all network endpoints for Microsoft Intune are up-to-date.

For the full list, go to Network endpoints for Microsoft Intune.

Filter app and group policy assignments using Windows 11 SE operating system SKUs

When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.

Two new Windows 11 SE operating system SKUs are available. You can use these SKUs in your assignment filters to include or exclude Windows 11 SE devices from applying group-targeted policies and applications.

For more information on filters and the device properties you can use, go to:

Applies to:

  • Windows 11 SE

New settings available in the iOS/iPadOS and macOS settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the settings catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Networking > Cellular:

  • Enable XLAT464

Applies to:

  • iOS/iPadOS

Privacy > Privacy Preferences Policy Control:

  • System Policy App Bundles

Applies to:

  • macOS

Restrictions:

  • Allow Rapid Security Response Installation
  • Allow Rapid Security Response Removal

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

New settings for Device Firmware Configuration Interface (DFCI) profiles on Windows devices

You can create a DFCI profile that enables the Windows OS to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface) (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface).

You can use this feature to control BIOS settings. There are new settings you can configure in the DFCI policy:

  • Cameras:
    • Front camera
    • Infrared camera
    • Rear camera
  • Radios:
    • WWAN
    • NFC
  • Ports:
    • SD Card

For more information on DFCI profiles, go to:

Applies to:

  • Windows 11 on supported UEFI
  • Windows 10 RS5 (1809) and later on supported UEFI

Device enrollment

iOS/iPadOS Setup Assistant with modern authentication supports Just in Time Registration (public preview)

Intune supports just in time (JIT) Registration for iOS/iPadOS enrollment scenarios that use Setup Assistant with modern authentication. JIT Registration reduces the number of authentication prompts shown to users throughout the provisioning experience, giving them a more seamless onboarding experience. It eliminates the need to have the Company Portal app for Microsoft Entra registration and compliance checks, and establishes single sign-on across the device. JIT Registration is available in public preview for devices enrolling through Apple automated device enrollment and running iOS/iPadOS 13.0 or later. For more information, see Authentication methods for automated device enrollment.

Device management

Connect Chrome OS devices in Intune (public preview)

View company or school-owned devices that run on Chrome OS in the Microsoft Intune admin center. Now in public preview, you can establish a connection between the Google Admin console and Microsoft Intune admin center. Device information about your Chrome OS endpoints is synced into Intune and viewable in your device inventory list. Basic remote actions, such as restart, wipe, and lost mode are also available in the admin center. For more information about how to set up a connection, see Configure Chrome Enterprise connector.

Manage macOS software updates with Intune

You can now use Intune policies to manage macOS software updates for devices that enrolled using Automated Device Enrollment (ADE). See Manage macOS software update policies in Intune.

Intune supports the following macOS update types:

  • Critical updates
  • Firmware updates
  • Configuration file updates
  • All other updates (OS, built-in apps)

In addition to scheduling when a device updates, you can manage behaviors, like:

  • Download and install: Download or install the update, depending on the current state.
  • Download only: Download the software update without installing it.
  • Install immediately: Download the software update and trigger the restart countdown notification.
  • Notify only: Download the software update and notify the user through the App Store.
  • Install later: Download the software update and install it at a later time.
  • Not configured: No action taken on the software update.

For information from Apple about managing macOS software updates, see Manage software updates for Apple devices - Apple Support in the Apple's Platform Deployment documentation. Apple maintains a list of security updates at Apple security updates - Apple Support.

Deprovision Jamf Pro from within the Microsoft Intune admin center

You can now deprovision your Jamf Pro to Intune integration from within the Microsoft Intune admin center. This feature can be useful should you no longer have access to the Jamf Pro console, through which you can also deprovision integration.

This capability functions similarly to disconnecting Jamf Pro from within the Jamf Pro console. So, after you remove the integration, your organization's Mac devices are removed from Intune after 90 days.

New hardware details available for individual devices running on iOS/iPadOS

Select Devices > All devices > select one of your listed devices and open its Hardware details. The following new details are available in the Hardware pane of individual devices:

  • Battery level: Shows the battery level of the device anywhere between 0 and 100, or defaults to null if the battery level can't be determined. This feature is available for devices running iOS/iPadOS 5.0 and later.
  • Resident users: Shows the number of users currently on the shared iPad device, or defaults to null if the number of users can't be determined. This feature is available for devices running iOS/iPadOS 13.4 and later.

For more information, go to View device details with Microsoft Intune.

Applies to:

  • iOS/iPadOS

Use the $null value in filters

When you assign apps and policies to groups, you can use filters to assign a policy based on rules you create (Tenant administration > Filters > Create). These rules use different device properties, such as category or the enrollment profile.

Now, you can use the $null value with the -Equals and -NotEquals operators.

For example, use the $null value in the following scenarios:

  • You want to target all devices that don't have a category assigned to the device.
  • You want to target devices that don't have an enrollment profile property assigned to the device.

For more information on filters and the rules you can create, go to:

Applies to:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 10/11

Device security

Reusable groups of settings for removable storage in Device Control profiles (preview)

In public preview, you can use reusable groups of settings with device control profiles in your attack surface reduction policies.

The reusable groups for device control profiles include a collection of settings that support managing read, write, and execute access for removable storage. Examples of common scenarios include:

  • Prevent write and execute access to all but allow specific approved USBs
  • Audit write and execute access to all but block specific unapproved USBs
  • Only allow specific user groups to access specific removable storage on a shared PC

Applies to:

  • Windows 10 or later

Reusable groups of settings for Microsoft Defender Firewall Rules (preview)

In public preview, you can use reusable groups of settings with profiles for Microsoft Defender Firewall Rules. The reusable groups are collections of remote IP addresses and FQDNs that you define one time and can then use with one or more firewall rule profiles, so you don't need to reconfigure the same group of IP addresses in each individual profile that might require them.

Features of the reusable settings groups include:

  • Add one or more remote IP addresses.

  • Add one or more FQDNs, which auto resolve to the remote IP address, or one or more simple keywords when auto resolve for the group is off.

  • Use each settings group with one or more firewall rule profiles and the different profiles can support different access configurations for the group.

    For example, you can create two firewall rule profiles that reference the same reusable settings group and assign each profile to a different group of devices. The first profile can block access to all the remote IP addresses in the reusable settings group, while the second profile can be configured to allow access.

  • Edits to a settings group that's in use are automatically applied to all Firewall Rules profiles that use that group.

Attack surface reduction rule exclusions on a per-rule basis

You can now configure per-rule exclusions for Attack surface reduction rules policies. Per-rule exclusions are enabled through a new per-rule setting ASR Only Per Rule Exclusions.

When you create or edit attack surface reduction rule policies and change a setting that supports exclusions from the default of Not configured to any of the other available options, the new per-setting exclusion option becomes available. Any configurations for that setting instance of ASR Only Per Rule Exclusions apply to only that setting.

You can continue to configure global exclusions that apply to all attack surface reduction rules on the device by using the setting Attack Surface Reduction Only Exclusions.

Applies to:

  • Windows 10/11

Note

ASR policies don't support merge functionality for ASR Only Per Rule Exclusions, so a policy conflict can result when multiple policies configure ASR Only Per Rule Exclusions for the same device. To avoid conflicts, combine the configurations for ASR Only Per Rule Exclusions into a single ASR policy. We are investigating adding policy merge for ASR Only Per Rule Exclusions in a future update.

Grant apps permission to silently use certificates on Android Enterprise devices

You can now configure silent use of certificates by apps on Android Enterprise devices that enrolled as Fully Managed, Dedicated, and Corporate-Owned work Profile.

This capability is available on a new Apps page in the certificate profile configuration workflow by setting Certificate access to Grant silently for specific apps (require user approval for other apps). With this configuration, the apps you then select silently use the certificate. All other apps continue to use the default behavior, which is to require user approval.

This capability supports the following certificate profiles, only for Android Enterprise Fully Managed, Dedicated, and Corporate-Owned work Profiles:

In-app notifications for Microsoft Intune app

Android Open Source Project (AOSP) device users can now receive compliance notifications in the Microsoft Intune app. This capability is only available on AOSP user-based devices. For more information, see AOSP compliance notifications.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • MyITOps for Intune by MyITOps, Ltd
  • MURAL - Visual Collaboration by Tactivos, Inc

For more information about protected apps, see Microsoft Intune protected apps.

Week of October 17, 2022

App management

Enhanced app picker for managed apps on Android devices

Android device users can select, view, and remove their default app selections in the Intune Company Portal app. Company Portal securely stores the device user's default choices for managed apps. Users can view and remove their selections in the Company Portal app by going to Settings > Default Apps > See defaults. This feature is an enhancement to the Android custom app picker for managed apps, which is a part of the Android MAM SDK. For more information about how to view default apps, see View and edit default apps.

Week of October 10, 2022

Device management

Microsoft Endpoint Manager branding change

As of October 12, 2022, the name Microsoft Endpoint Manager will no longer be used. Going forward, we refer to cloud-based unified endpoint management as Microsoft Intune and on-premises management as Microsoft Configuration Manager. With the launch of advanced management, Microsoft Intune is the name of our growing product family for endpoint management solutions at Microsoft. For details, see the official announcement on the endpoint management Tech Community blog. Documentation changes are ongoing to remove Microsoft Endpoint Manager.

For more information, see Intune documentation.

Grace period status visible in Windows Company Portal

Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see Configure compliance policies with actions for noncompliance and Check access from Device details page.

Linux device management available in Microsoft Intune

Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. Intune admins don't need to do anything to enable Linux enrollment in the Microsoft Intune admin center. Linux users can enroll supported Linux devices on their own and use the Microsoft Edge browser to access corporate resources online.

In the admin center, you can:

Week of October 03, 2022

Device Security

In Remote Help, a View device compliance information link has been added to the non-compliance warning notification. It allows a helper to learn more about why the device isn't compliant in Microsoft Intune.

For more information, go to:

Applies to: Windows 10/11

Week of September 26, 2022

Monitor and troubleshoot

Open Help and Support without losing your context in the Microsoft Intune admin center

You can now use the ? icon in the Microsoft Intune admin center to open a help and support session without losing your current node of focus in the admin center. The ? icon is always available in the upper right of the title bar of the admin center. This change adds another way to access Help and support.

When you select ?, the admin center opens the help and support view in a new and separate side-by-side pane. By opening this separate pane, you're free to navigate the support experience without affecting your original location and focus on the admin center.

Week of September 19, 2022 (Service release 2209)

App management

New app types for Microsoft Intune

As an admin, you can create and assign two new types of Intune apps:

  • iOS/iPadOS web clip
  • Windows web link

These new app types work in a similar way to the existing web link application type; however, they apply only to their specific platform, whereas web link applications apply across all platforms. With these new app types, you can assign to groups and also use assignment filters to limit the scope of assignment. This functionality is in the Microsoft Intune admin center > Apps > All Apps > Add.

Device management

Microsoft Intune is ending support for Windows 8.1

Microsoft Intune is ending support on October 21, 2022 for devices running Windows 8.1. After that date, technical assistance and automatic updates that help protect your devices running Windows 8.1 will no longer be available. Also, because the sideloading scenario for line-of-business apps is only applicable to Windows 8.1 devices, Intune no longer supports Windows 8.1 sideloading. Sideloading is installing, and then running or testing, an app that isn't certified by the Microsoft Store. In Windows 10/11, "sideloading" is simply setting a device config policy to include "Trusted app installation". For more information, see Plan for Change: Ending support for Windows 8.1.

Group member count visible in assignments

When assigning policies in the admin center, you can now see the number of users and devices in a group. Having both counts helps you pinpoint the right group and understand the impact the assignment has before you apply it.

Device configuration

New lock screen message when adding custom support information to Android Enterprise devices

On Android Enterprise devices, you can create a device restrictions configuration profile that shows a custom support message on the devices (Devices > Configuration > Create > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type > Custom support information).

There's a new setting you can configure:

  • Lock screen message: Add a message that's shown on the device lock screen.

When you configure the Lock screen message, you can also use the following device tokens to show device-specific information:

  • {{AADDeviceId}}: Microsoft Entra device ID
  • {{AccountId}}: Intune tenant ID or account ID
  • {{DeviceId}}: Intune device ID
  • {{DeviceName}}: Intune device name
  • {{domain}}: Domain name
  • {{EASID}}: Exchange Active Sync ID
  • {{IMEI}}: IMEI of the device
  • {{mail}}: Email address of the user
  • {{MEID}}: MEID of the device
  • {{partialUPN}}: UPN prefix before the @ symbol
  • {{SerialNumber}}: Device serial number
  • {{SerialNumberLast4Digits}}: Last four digits of the device serial number
  • {{UserId}}: Intune user ID
  • {{UserName}}: User name
  • {{userPrincipalName}}: UPN of the user

Note

Variables aren't validated in the UI and are case sensitive. As a result, you might see profiles saved with incorrect input. For example, if you enter {{DeviceID}}, instead of {{deviceid}} or {{DEVICEID}}, then the literal string is shown instead of the device's unique ID. Be sure to enter the correct information. All lowercase or all uppercase variables are supported, but not a mix.
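As an added example (not from the Intune documentation or product code), the following Python pre-flight check applies the case rule above to a draft lock screen message before the profile is saved, so a mixed-case token is caught instead of being shown literally on the device. The token list is the one above; the device record and message are constructed sample data, and leaving a known token literal when the sample record has no value for it is an assumption of this example.

```python
"""Pre-flight check for Intune Android Enterprise lock screen messages.

Added example, not part of the Intune documentation or product code.
It reproduces the documented rule that tokens are case sensitive and
must be typed exactly as listed, all lowercase, or all uppercase;
any other spelling is left as a literal string on the lock screen.
"""
import re

# Token names exactly as listed in the Intune admin center (canonical form).
LOCK_SCREEN_TOKENS = [
    "AADDeviceId", "AccountId", "DeviceId", "DeviceName", "domain", "EASID",
    "IMEI", "mail", "MEID", "partialUPN", "SerialNumber",
    "SerialNumberLast4Digits", "UserId", "UserName", "userPrincipalName",
]

# Accepted spellings (canonical, all lowercase, all uppercase) -> canonical name.
_ACCEPTED = {}
for _name in LOCK_SCREEN_TOKENS:
    for _variant in (_name, _name.lower(), _name.upper()):
        _ACCEPTED[_variant] = _name

_TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")


def check_lock_screen_message(message):
    """Return (valid_tokens, bad_tokens) for every {{...}} in message.

    valid_tokens are canonical names of tokens the device will resolve.
    bad_tokens would be shown verbatim: unknown names and mixed-case
    spellings of known names (for example {{DeviceID}}).
    """
    valid, bad = [], []
    for raw in _TOKEN_RE.findall(message):
        if raw in _ACCEPTED:
            valid.append(_ACCEPTED[raw])
        else:
            bad.append(raw)
    return valid, bad


def render_lock_screen_message(message, device):
    """Substitute tokens the way the note describes: only accepted spellings
    resolve; anything else stays literal. `device` maps canonical token
    names to values (constructed sample data, not an Intune object).
    Assumption of this example: a known token with no value in `device`
    is also left literal."""
    def _sub(match):
        raw = match.group(1)
        canonical = _ACCEPTED.get(raw)
        if canonical is None or canonical not in device:
            return match.group(0)  # left as the literal string
        return str(device[canonical])
    return _TOKEN_RE.sub(_sub, message)


if __name__ == "__main__":
    # Constructed sample device record for illustration only.
    sample_device = {
        "DeviceName": "FIELD-TABLET-07",
        "SerialNumberLast4Digits": "8A2F",
        "mail": "helpdesk@contoso.example",
    }
    # {{DeviceID}} is mixed case (canonical is DeviceId), so it will not resolve.
    draft = ("If found, contact {{mail}}. Device {{DEVICENAME}} "
             "S/N ...{{serialnumberlast4digits}} id {{DeviceID}}")
    valid, bad = check_lock_screen_message(draft)
    print("resolves:", valid)
    print("shown literally (fix before saving):", bad)
    print(render_lock_screen_message(draft, sample_device))
```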

For more information on this setting, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android 7.0 and newer
  • Android Enterprise corporate owned fully managed
  • Android Enterprise corporate owned dedicated devices
  • Android Enterprise corporate owned work profile

Filter on the user scope or device scope in the settings catalog for Windows devices

When you create a settings catalog policy, you can use Add settings > Add filter to filter settings based on the Windows OS edition (Devices > Configuration > Create > Windows 10 and later for platform > Settings catalog for profile type).

When you Add filter, you can also filter on the settings by user scope or device scope.

For more information on the settings catalog, go to Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Applies to:

  • Windows 10
  • Windows 11

Android Open Source Project (AOSP) platform is generally available

Microsoft Intune management of corporate-owned devices that run on the Android Open Source Project (AOSP) platform is now generally available (GA). This feature includes the full suite of capabilities that are available as part of the public preview.

Currently, Microsoft Intune only supports the new Android (AOSP) management option for RealWear devices.

Applies to:

  • Android Open Source Project (AOSP)

Device Firmware Configuration Interface (DFCI) now supports Acer devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

New Acer devices running Windows 10/11 will be enabled for DFCI later in 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Acer devices.

Contact your device vendor or device manufacturer to ensure you get eligible devices.

For more information about DFCI profiles in Intune, go to Use Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune.

Applies to:

  • Windows 10
  • Windows 11

New settings available in the iOS/iPadOS and macOS settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings available in the settings catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Accounts > LDAP:

  • LDAP Account Description
  • LDAP Account Host Name
  • LDAP Account Password
  • LDAP Account Use SSL
  • LDAP Account User Name
  • LDAP Search Settings

Applies to:

  • iOS/iPadOS
  • macOS

The following settings are also in settings catalog. Previously, they were only available in Templates:

Privacy > Privacy Preferences Policy Control:

  • Accessibility
  • Address Book
  • Apple Events
  • Calendar
  • Camera
  • File Provider Presence
  • Listen Event
  • Media Library
  • Microphone
  • Photos
  • Post Event
  • Reminders
  • Screen Capture
  • Speech Recognition
  • System Policy All Files
  • System Policy Desktop Folder
  • System Policy Documents Folder
  • System Policy Downloads Folder
  • System Policy Network Volumes
  • System Policy Removable Volumes
  • System Policy Sys Admin Files

Applies to:

  • macOS

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Device enrollment

Set up enrollment notifications (public preview)

Enrollment notifications inform device users, via email or push notification, when a new device has been enrolled in Microsoft Intune. You can use enrollment notifications for security purposes, to notify users and help them report devices enrolled in error, or to communicate with employees during the hiring or onboarding process. Enrollment notifications are available to try now in public preview for Windows, Apple, and Android devices. This feature is only supported with user-driven enrollment methods.

Device security

Assign compliance policies to the All devices group

The All devices option is now available for compliance policy assignments. With this option, you can assign a compliance policy to all enrolled devices in your organization that match the policy's platform. You don't need to create a Microsoft Entra group that contains all devices.

When you include the All devices group, you can then exclude individual groups of devices to further refine the assignment scope.

Trend Micro – New mobile threat defense partner

You can now use Trend Micro Mobile Security as a Service as an integrated mobile threat defense (MTD) partner with Intune. By configuring the Trend MTD connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment.

For more information, see:

Grace period status visible on Intune Company Portal website

The Intune Company Portal website now shows a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If they don't update their device by the given date, their status changes to noncompliant. For more information about setting grace periods, see Configure compliance policies with actions for noncompliance.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • RingCentral for Intune by RingCentral, Inc.
  • MangoApps, Work from Anywhere by MangoSpring, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of September 12, 2022

Device management

Intune now requires iOS/iPadOS 14 and higher

With Apple's release of iOS/iPadOS 16, Microsoft Intune and the Intune Company Portal will now require iOS/iPadOS 14 and higher. For more information, see Supported operating systems and browsers in Intune.

Intune now requires macOS 11.6 and higher

With Apple's release of macOS 13 Ventura, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 11.6 (Big Sur) and later. For more information, see Supported operating systems and browsers in Intune.

Week of September 05, 2022

Device management

Remote Help version: 4.0.1.13 release

With Remote Help 4.0.1.13, fixes were introduced to address an issue that prevented people from having multiple sessions open at the same time. The fixes also addressed an issue where the app was launching without focus, and prevented keyboard navigation and screen readers from working on launch.

For more information, go to Use Remote Help with Intune and Microsoft Intune.

Week of August 29, 2022

App management

Updated Microsoft Intune App SDK for Android

The developer guide for the Intune App SDK for Android has been updated. The updated guide provides the following stages:

  • Planning the integration
  • MSAL prerequisite
  • Getting started with MAM
  • MAM integration essentials
  • Multi-Identity
  • App configuration
  • App participation features

For more information, see Intune App SDK for Android.

Week of August 22, 2022

Device management

Use Intune role-based access control (RBAC) for tenant attached devices

You can now use Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Intune admin center. For example, when using Intune as the role-based access control authority, a user with Intune's Help Desk Operator role doesn't need an assigned security role or other permissions from Configuration Manager. For more information, see Intune role-based access control for tenant attached clients.

Week of August 15, 2022 (Service release 2208)

App management

Android strong biometric change detection

The Android Fingerprint instead of PIN for access setting in Intune, which allows the end-user to use fingerprint authentication instead of a PIN, is being modified. This change allows you to require end-users to set strong biometrics. And, if a change in strong biometrics is detected, you can require end-users to confirm their app protection policy (APP) PIN. You can find Android app protection policies in Microsoft Intune admin center by selecting Apps > App protection policies > Create policy > Android. For more information, see Android app protection policy settings in Microsoft Intune.

Noncompliance details available for Android (AOSP) in Microsoft Intune app

Android (AOSP) users can view noncompliance reasons in the Microsoft Intune app. These details describe why a device is marked noncompliant. This information is available on the Device details page for devices enrolled as user-associated Android (AOSP) devices.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Nexis Newsdesk Mobile by LexisNexis
  • My Portal by MangoApps (Android)
  • Re:Work Enterprise by 9Folders, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Device enrollment

Configure zero-touch enrollment from Microsoft Intune admin center

Now you can configure Android zero-touch enrollment from the Microsoft Intune admin center. This feature lets you link your zero-touch account to Intune, add support information, configure zero-touch enabled devices, and customize provisioning extras. For more information about how to enable zero-touch from the admin center, see Enroll by using Google Zero Touch.

Device management

Custom settings for Windows 10/11 device compliance is now generally available

Support for the following custom features is generally available:

Applies to:

  • Windows 10/11

View contents of macOS shell scripts and custom attributes

You can view the contents of macOS shell scripts and custom attributes after you upload the scripts to Intune. You can view Shell scripts and custom attributes in Microsoft Intune admin center by selecting Devices > macOS. For more information, see Use shell scripts on macOS devices in Intune.

Reset passcode remote action available for Android (AOSP) Corporate devices

You can use Reset passcode remote action from the Microsoft Intune admin center for Android Open Source Project (AOSP) Corporate devices.

For information on remote actions, see:

Applies to:

  • Android Open Source Project (AOSP)

Device configuration

Certificate profiles support for Android (AOSP) devices

You can now use Simple Certificate Enrollment Protocol (SCEP) certificate profiles with corporate-owned and userless devices that run the Android Open Source Project (AOSP) platform.

Import, create, and manage custom ADMX and ADML administrative templates

You can create a device configuration policy that uses built-in ADMX templates. In Microsoft Intune admin center, select Devices > Configuration > Create > Windows 10 and later for platform > Templates > Administrative templates.

You can also import custom and third party/partner ADMX and ADML templates into the Intune admin center. Once imported, you can create a device configuration policy, assign the policy to your devices, and manage the settings in the policy.

For information, go to:

Applies to:

  • Windows 11
  • Windows 10

Add an HTTP proxy to Wi-Fi device configuration profiles on Android Enterprise

On Android Enterprise devices, you can create a Wi-Fi device configuration profile with basic and enterprise settings. In Microsoft Intune admin center, select Devices > Configuration > Create > Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile for platform > Wi-Fi.

When you create the profile, you can configure an HTTP proxy using a PAC file or configure the settings manually. You can configure an HTTP proxy for each Wi-Fi network in your organization.

When the profile is ready, you can deploy this profile to your Fully Managed, Dedicated, and Corporate-Owned Work Profile devices.

For more information on the Wi-Fi settings you can configure, go to Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Applies to:

  • Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile

iOS/iPadOS settings catalog supports declarative device management (DDM)

On iOS/iPadOS 15+ devices enrolled using User Enrollment, the settings catalog automatically uses Apple's declarative device management (DDM) when configuring settings.

  • No action is required to use DDM. The feature is built into the settings catalog.
  • There's no impact to existing policies in the settings catalog.
  • iOS/iPadOS devices that aren't enabled for DDM continue to use Apple's standard MDM protocol.

For more information, go to:

Applies to:

  • iOS/iPadOS 15 or later devices enrolled using Apple User Enrollment

New macOS settings available in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. New settings are available in the settings catalog. In Microsoft Intune admin center, select Devices > Configuration > Create > macOS for platform > Settings catalog for profile type.

New settings include:

Microsoft Auto Update:

  • Current Channel
  • Number of minutes for the final countdown timer

Restrictions:

  • Allow Universal Control

The following settings are also in settings catalog. Previously, they were only available in Templates:

Authentication > Extensible Single Sign On:

  • Extension Data
  • Extension Identifier
  • Hosts
  • Realm
  • Screen Locked Behavior
  • Team Identifier
  • Type
  • URLs

Authentication > Extensible Single Sign On > Extensible Single Sign On Kerberos:

  • Extension Data
  • Allow Automatic Login
  • Allow Password Change
  • Credential Bundle ID ACL
  • Credential Use Mode
  • Custom Username Label
  • Delay User Setup
  • Domain Realm Mapping
  • Help Text
  • Include Kerberos Apps In Bundle ID ACL
  • Include Managed Apps In Bundle ID ACL
  • Is Default Realm
  • Monitor Credentials Cache
  • Perform Kerberos Only
  • Preferred KDCs
  • Principal Name
  • Password Change URL
  • Password Notification Days
  • Password Req Complexity
  • Password Req History
  • Password Req Length
  • Password Req Min Age
  • Password Req Text
  • Require TLS For LDAP
  • Require User Presence
  • Site Code
  • Sync Local Password
  • Use Site Auto Discovery
  • Extension Identifier
  • Hosts
  • Realm
  • Team Identifier
  • Type

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • macOS

New iOS/iPadOS settings in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. There are new iOS/iPadOS settings available in the settings catalog. In Microsoft Intune admin center, select Devices > Configuration > Create > iOS/iPadOS for platform > Settings catalog for profile type. Previously, these settings were only available in Templates:

Authentication > Extensible Single Sign On:

  • Extension Data
  • Extension Identifier
  • Hosts
  • Realm
  • Screen Locked Behavior
  • Team Identifier
  • Type
  • URLs

Authentication > Extensible Single Sign On > Extensible Single Sign On Kerberos:

  • Extension Data
  • Allow Automatic Login
  • Credential Bundle ID ACL
  • Domain Realm Mapping
  • Help Text
  • Include Managed Apps In Bundle ID ACL
  • Is Default Realm
  • Preferred KDCs
  • Principal Name
  • Require User Presence
  • Site Code
  • Use Site Auto Discovery
  • Extension Identifier
  • Hosts
  • Realm
  • Team Identifier
  • Type

System Configuration > Lock Screen Message:

  • Asset Tag Information
  • Lock Screen Footnote

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • iOS/iPadOS

Monitor and troubleshoot

New noncompliant devices and settings report

In Reports > Device Compliance > Reports, there's a new Noncompliant devices and settings organization report. This report:

  • Lists each noncompliant device.
  • For each noncompliant device, it shows the compliance policy settings that the device isn't compliant with.

For more information on this report, go to Noncompliant devices and settings report (Organizational).

Week of August 1, 2022

Device security

Disable use of UDP connections on your Microsoft Tunnel Gateway servers

You can now disable the use of UDP by your Microsoft Tunnel Servers. When you disable use of UDP, the VPN server supports only TCP connections from tunnel clients. To support use of only TCP connections, your devices must use the generally available version of Microsoft Defender for Endpoint as the tunnel client app.

To disable UDP, create or edit a Server configuration for Microsoft Tunnel Gateway and select the checkbox for the new option named Disable UDP Connections.

App management

Company Portal for Windows bulk app install

The Company Portal for Windows now allows users to select multiple apps and install in bulk. From the Apps tab of the Company Portal for Windows, select the multi-select view button on the top right corner of the page. Then, select the checkbox next to each app that you need to install. Next, select the Install Selected button to start installation. All selected apps install at the same time without requiring users to right-click each app or navigate to each app's page. For more information, see Install and share apps on your device and How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Week of July 25, 2022 (Service release 2207)

Device management

Initiate compliance checks for your AOSP devices from the Microsoft Intune app

You can now initiate a compliance check for your AOSP devices from the Microsoft Intune app. Go to Device details. This feature is available on devices that are enrolled via the Microsoft Intune app as user-associated (Android) AOSP devices.

Monitor bootstrap escrow status on a Mac

Monitor the bootstrap token escrow status for an enrolled Mac in the Microsoft Intune admin center. A new hardware property in Intune, called Bootstrap token escrowed, reports whether or not a bootstrap token has been escrowed in Intune. For more information about bootstrap token support for macOS, see Bootstrap tokens.

Enable Common Criteria mode for Android Enterprise devices

For Android Enterprise devices, you can use a new setting, Common Criteria mode, to enable an elevated set of security standards that are typically used by only highly sensitive organizations, such as government establishments.

Applies to:

  • Android 5.0 and newer
  • Android Enterprise corporate owned fully managed
  • Android Enterprise corporate owned dedicated devices
  • Android Enterprise corporate owned work profile

The new setting, Common Criteria mode, is found in the System security category when you configure a Device restrictions template for the Android Enterprise - Fully Managed, Dedicated, and Corporate-Owned Work Profile.

Devices that receive a policy with Common Criteria mode set to Require elevate security components that include, but are not limited to:

  • AES-GCM encryption of Bluetooth Long Term Keys
  • Wi-Fi configuration stores
  • Blocks bootloader download mode, the manual method for software updates
  • Mandates additional key zeroization on key deletion
  • Prevents non-authenticated Bluetooth connections
  • Requires that FOTA updates have 2048-bit RSA-PSS signature

Learn more about Common Criteria:

New hardware detail available for individual devices running on iOS/iPadOS and macOS

In Microsoft Intune admin center, select Devices > All devices > select one of your listed devices and open its Hardware details. The following new detail is available in the Hardware pane of individual devices:

  • Product name: Shows the product name of the device, such as iPad8,12. Available for iOS/iPadOS and macOS devices.

For more information, see View device details with Microsoft Intune.

Applies to:

  • iOS/iPadOS, macOS

Remote Help Version: 4.0.1.12 release

With Remote Help 4.0.1.12, various fixes were introduced to address the 'Try again later' message that appears when not authenticated. The fixes also include an improved auto-update capability.

For more information, see Use Remote Help with Intune.

Device enrollment

Intune supports sign-in from another device during iOS/iPadOS and macOS Setup Assistant with modern authentication

Users going through automated device enrollment (ADE) can now authenticate by signing in from another device. This option is available for iOS/iPadOS and macOS devices enrolling via Setup Assistant with modern authentication. The screen that prompts device users to sign in from another device is embedded into Setup Assistant and shown to them during enrollment. For more information about the sign-in process for users, see [Get the Intune Company Portal app](../user-help/sign-in-to-the-company-portal.md#sign-in-via-another-device).

Detect and manage hardware changes on Windows Autopilot devices

Microsoft Intune will now alert you when it detects a hardware change on an Autopilot-registered device. You can view and manage all affected devices in the admin center. Also, you can remove the affected device from Windows Autopilot and register it again so that the hardware change is accounted for.

Device configuration

New macOS Microsoft AutoUpdate (MAU) settings in the settings catalog

The settings catalog supports settings for Microsoft AutoUpdate (MAU) (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type).

The following settings are now available:

Microsoft Auto Update:

  • Automatically acknowledge data collection policy
  • Days before forced updates
  • Deferred updates
  • Disable Office Insider membership
  • Enable AutoUpdate
  • Enable check for updates
  • Enable extended logging
  • Register app on launch
  • Update cache server
  • Update channel
  • Update check frequency (mins)
  • Updater optimization technique

The settings can be used to configure preferences for the following applications:

  • Company Portal
  • Microsoft Auto Update
  • Microsoft Defender
  • Microsoft Defender ATP
  • Microsoft Edge
  • Microsoft Edge Beta
  • Microsoft Edge Canary
  • Microsoft Edge Dev
  • Microsoft Excel
  • Microsoft OneNote
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Remote Desktop
  • Microsoft Teams
  • Microsoft Word
  • OneDrive
  • Skype for Business

For more information about the settings catalog, go to:

For more information about Microsoft AutoUpdate settings you can configure, go to:

Applies to:

  • macOS

New iOS/iPadOS settings in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. There are new iOS/iPadOS settings available in the settings catalog (Devices > Configuration > Create > iOS/iPadOS for platform > Settings catalog for profile type).

New settings include:

Networking > Cellular:

  • Allowed Protocol Mask
  • Allowed Protocol Mask In Domestic Roaming
  • Allowed Protocol Mask In Roaming
  • Authentication Type
  • Name
  • Password
  • Proxy Port
  • Proxy Server
  • Username

The following settings are also in settings catalog. Previously, they were only available in Templates:

User experience > Notifications:

  • Grouping type
  • Preview type
  • Show In Car Play

Printing > Air Print:

  • Force TLS
  • Port

App Management > App Lock:

  • Disable Auto Lock
  • Disable Device Rotation
  • Disable Ringer Switch
  • Disable Sleep Wake Button
  • Disable Touch
  • Disable Volume Buttons
  • Enable Assistive Touch
  • Enable Invert Colors
  • Enable Mono Audio
  • Enable Speak Selection
  • Enable Voice Control
  • Enable Voice Over
  • Enable Zoom
  • Assistive Touch
  • Invert Colors
  • Voice Control
  • Voice Over
  • Zoom

Networking > Domains:

  • Safari Password Auto Fill Domain

Networking > Network Usage Rules:

  • Application Rules
  • Allow Cellular Data
  • Allow Roaming Cellular Data
  • App Identifier Matches

Restrictions:

  • Allow Account Modification
  • Allow Activity Continuation
  • Allow Adding Game Center Friends
  • Allow Air Drop
  • Allow Air Print
  • Allow Air Print Credentials Storage
  • Allow Air Print iBeacon Discovery
  • Allow App Cellular Data Modification
  • Allow App Clips
  • Allow App Installation
  • Allow App Removal
  • Allow Apple Personalized Advertising
  • Allow Assistant
  • Allow Assistant User Generated Content
  • Allow Assistant While Locked
  • Allow Auto Correction
  • Allow Auto Unlock
  • Allow Automatic App Downloads
  • Allow Bluetooth Modification
  • Allow Bookstore
  • Allow Bookstore Erotica
  • Allow Camera
  • Allow Cellular Plan Modification
  • Allow Chat
  • Allow Cloud Backup
  • Allow Cloud Document Sync
  • Allow Cloud Keychain Sync
  • Allow Cloud Photo Library
  • Allow Cloud Private Relay
  • Allow Continuous Path Keyboard
  • Allow Definition Lookup
  • Allow Device Name Modification
  • Allow Diagnostic Submission
  • Allow Diagnostic Submission Modification
  • Allow Dictation
  • Allow Enabling Restrictions
  • Allow Enterprise App Trust
  • Allow Enterprise Book Backup
  • Allow Enterprise Book Metadata Sync
  • Allow Erase Content And Settings
  • Allow ESIM Modification
  • Allow Explicit Content
  • Allow Files Network Drive Access
  • Allow Files USB Drive Access
  • Allow Find My Device
  • Allow Find My Friends
  • Allow Find My Friends Modification
  • Allow Fingerprint For Unlock
  • Allow Fingerprint Modification
  • Allow Game Center
  • Allow Global Background Fetch When Roaming
  • Allow Host Pairing
  • Allow In App Purchases
  • Allow iTunes
  • Allow Keyboard Shortcuts
  • Allow Listed App Bundle IDs
  • Allow Lock Screen Control Center
  • Allow Lock Screen Notifications View
  • Allow Lock Screen Today View
  • Allow Mail Privacy Protection
  • Allow Managed Apps Cloud Sync
  • Allow Managed To Write Unmanaged Contacts
  • Allow Multiplayer Gaming
  • Allow Music Service
  • Allow News
  • Allow NFC
  • Allow Notifications Modification
  • Allow Open From Managed To Unmanaged
  • Allow Open From Unmanaged To Managed
  • Allow OTAPKI Updates
  • Allow Paired Watch
  • Allow Passbook While Locked
  • Allow Passcode Modification
  • Allow Password Auto Fill
  • Allow Password Proximity Requests
  • Allow Password Sharing
  • Allow Personal Hotspot Modification
  • Allow Photo Stream
  • Allow Podcasts
  • Allow Predictive Keyboard
  • Allow Proximity Setup To New Device
  • Allow Radio Service
  • Allow Remote Screen Observation
  • Allow Safari
  • Allow Screenshot
  • Allow Shared Device Temporary Session
  • Allow Shared Stream
  • Allow Spell Check
  • Allow Spotlight Internet Results
  • Allow System App Removal
  • Allow UI App Installation
  • Allow UI Configuration Profile Installation
  • Allow Unmanaged To Read Managed Contacts
  • Allow Unpaired External Boot To Recovery
  • Allow Untrusted TLS Prompt
  • Allow USB Restricted Mode
  • Allow Video Conferencing
  • Allow Voice Dialing
  • Allow VPN Creation
  • Allow Wallpaper Modification
  • Autonomous Single App Mode Permitted App IDs
  • Blocked App Bundle IDs
  • Enforced Software Update Delay
  • Force Air Drop Unmanaged
  • Force Air Play Outgoing Requests Pairing Password
  • Force Air Print Trusted TLS Requirement
  • Force Assistant Profanity Filter
  • Force Authentication Before Auto Fill
  • Force Automatic Date And Time
  • Force Classroom Automatically Join Classes
  • Force Classroom Request Permission To Leave Classes
  • Force Classroom Unprompted App And Device Lock
  • Force Delayed Software Updates
  • Force Encrypted Backup
  • Force iTunes Store Password Entry
  • Force Limit Ad Tracking
  • Force On Device Only Dictation
  • Force On Device Only Translation
  • Force Watch Wrist Detection
  • Force WiFi Power On
  • Force WiFi To Allowed Networks Only
  • Require Managed Pasteboard
  • Safari Accept Cookies
  • Safari Allow Autofill
  • Safari Allow JavaScript
  • Safari Allow Popups
  • Safari Force Fraud Warning

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • iOS/iPadOS

New macOS settings available in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. New settings are available in the settings catalog (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type).

New settings include:

System configuration > System extensions:

  • Removable System Extensions

The following settings are also in settings catalog. Previously, they were only available in Templates:

System configuration > System extensions:

  • Allow User Overrides
  • Allowed System Extension Types
  • Allowed System Extensions
  • Allowed Team Identifiers

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • macOS

New search feature in Preview devices when creating a filter

In Microsoft Intune admin center, you can create filters, and then use these filters when assigning apps and policies (Devices > Filters > Create).

When you create a filter, you can select Preview devices to see a list of enrolled devices that match your filter criteria. In Preview devices, you can also search through the list using the device name, OS version, device model, device manufacturer, user principal name of the primary user, and device ID.

For more information on filters, go to Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Week of July 18, 2022

Device management

New event viewers to help debug WMI issues

Intune's remote action to collect diagnostics has been expanded to collect details about Windows Management Instrumentation (WMI) app issues.

The new event viewers include:

  • Microsoft-Windows-WMI-Activity/Operational
  • Microsoft-Windows-WinRM/Operational

For more information about Windows device diagnostics, see Collect diagnostics from a Windows device.

Week of July 4, 2022

Device management

Endpoint analytics scores per device model

Endpoint analytics now displays scores by device model. These scores help admins contextualize the user experience across device models in the environment. Scores per model and per device are available in all Endpoint analytics reports, including the Work from anywhere report.

Monitor and troubleshoot

Use Collect diagnostics to collect details about Windows expedited updates

Intune's remote action to Collect diagnostics now collects more details about Windows expedited updates that you deploy to devices. This information can be of use when troubleshooting problems with expedited updates.

The new details that are collected include:

  • Files: C:\Program Files\Microsoft Update Health Tools\Logs\*.etl
  • Registry Keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate

Week of June 27, 2022 (Service release 2206)

App management

Enterprise feedback policies for Web Company Portal

Feedback settings are now available to address Microsoft 365 enterprise feedback policies for the currently logged in user via the Microsoft 365 Apps admin center. The settings are used to determine whether feedback can be enabled or must be disabled for a user in the Web Company Portal. For more information, see Configure feedback settings for Company Portal and Microsoft Intune apps.

App Protection Policies with Android Enterprise dedicated devices and Android (AOSP) devices

Intune-managed Android Enterprise dedicated devices enrolled with Microsoft Entra ID shared mode and Android (AOSP) devices can now receive app protection policies and can be targeted separately from other Android device types. For more information, see Add Managed Google Play apps to Android Enterprise devices with Intune. For more information about Android Enterprise dedicated devices and Android (AOSP), see Android Enterprise dedicated devices.

Device security

Users assigned the Endpoint Security Manager admin role can modify Mobile Threat Defense connector settings

We've updated the permissions of the built-in Endpoint Security Manager admin role. The role now has the Modify permission for the Mobile Threat Defense category set to Yes. With this change, users assigned this role have permission to change the Mobile Threat Defense connector (MTD connector) settings for your Tenant. Previously, this permission was set to No.

If you missed the previous notice about this coming change, now is a good time to review the users that are assigned the Endpoint Security Manager role for your tenant. If any shouldn't have permissions to edit the MTD connector settings, update their role permissions or create a custom role that includes only Read permissions for Mobile Threat Defense.

View the full list of permissions for the built-in Endpoint Security Manager role.

Improved certificate profile support for Android Enterprise Fully Managed devices

We've improved our PKCS and SCEP certificate profile support for Android Enterprise Fully Managed (Device Owner) devices. You can now use the Intune device ID variable, CN={{DeviceID}}, as the subject alternative name (SAN) in your certificates for these devices.

Device configuration

Certificate profiles support for Android (AOSP) devices

You can now use the following certificate profiles with corporate-owned and userless devices that run the Android Open Source Project (AOSP) platform:

  • Trusted certificate profile
  • PKCS certificate profile

New settings for DFCI profiles on Windows 10/11 devices

On Windows 10/11 devices, you can create a Device Firmware Configuration Interface (DFCI) profile (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

DFCI profiles let Intune pass management commands to UEFI (Unified Extensible Firmware Interface) using the DFCI firmware layer. This firmware layer makes configuration more resilient to malicious attacks. DFCI also limits end users' control over the BIOS by graying out managed settings.

There are new settings you can configure:

  • Microphones and Speakers:
    • Microphones
  • Radios:
    • Bluetooth
    • Wi-Fi
  • Ports:
    • USB type A
  • Wake settings:
    • Wake on LAN
    • Wake on power

For more information, see the following resources:

Applies to:

  • Windows 10/11

Add custom support information to Android Enterprise devices

On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration > Create > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type > Custom support information).

There are some new settings you can configure:

  • Short support message: When users try to change a managed setting, you can add a short message that's shown to users in a system dialog window.
  • Long support message: You can add a long message that's shown in Settings > Security > Device admin apps > Device Policy.

By default, the OEM default messages are shown. When you deploy a custom message, the Intune default message is also deployed. If you don't enter a custom message for the device's default language, then the Intune default message is shown.

For example, you deploy a custom message for English and French. The user changes the device's default language to Spanish. Since you didn't deploy a custom message to the Spanish language, the Intune default message is shown.

The Intune default message is translated for all languages in the Endpoint Manager admin center (Settings > Language + Region). The Language setting value determines the default language used by Intune. By default, it's set to English.

In the policy, you can customize the messages for the following languages:

  • Czech
  • German
  • English (United States)
  • Spanish (Spain)
  • French (France)
  • Hungarian
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Dutch
  • Polish
  • Portuguese (Brazil)
  • Portuguese (Portugal)
  • Russian
  • Swedish
  • Turkish
  • Chinese (Simplified)
  • Chinese (Traditional)

For more information on these settings and the other settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android 7.0 and newer
  • Android Enterprise corporate owned fully managed (COBO)
  • Android Enterprise corporate owned dedicated devices (COSU)
  • Android Enterprise corporate owned work profile (COPE)

Create and deploy Wi-Fi profiles to Android AOSP devices

You can create, configure, and deploy a Wi-Fi profile to your Android AOSP devices.

For more information on these settings, go to Add Wi-Fi settings for Android (AOSP) devices in Microsoft Intune.

Applies to:

  • Android (AOSP)

Settings catalog is generally available (GA) for Windows and macOS devices

The settings catalog is generally available (GA). For more information, go to:

Applies to:

  • macOS
  • Windows 10/11

Migrate feature in Group policy analytics supports sovereign clouds

Using Group Policy analytics, you can import your on-premises GPOs, and create a settings catalog policy using these GPOs. Previously, this Migrate feature wasn't supported on Sovereign Clouds.

The Migrate feature is now supported on Sovereign Clouds.

For more information on these features, go to:

iOS/iPadOS platform is in settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. The iOS/iPadOS platform and some settings are now available in the settings catalog (Devices > Configuration > Create > iOS/iPadOS for platform > Settings catalog for profile type).

New settings include:

Accounts > Caldav:

  • Card DAV Account Description
  • Card DAV Host Name
  • Card DAV Password
  • Card DAV Port
  • Card DAV Principal URL
  • Card DAV Use SSL
  • Card DAV Username

Accounts > Carddav:

  • Card DAV Account Description
  • Card DAV Host Name
  • Card DAV Password
  • Card DAV Port
  • Card DAV Principal URL
  • Card DAV Use SSL
  • Card DAV Username

AirPlay:

  • Allow List
  • Password

Profile Removal Password:

  • Removal Password

Proxies > Global HTTP Proxy:

  • Proxy Captive Login Allowed
  • Proxy PAC Fallback Allowed
  • Proxy PAC URL
  • Proxy Password
  • Proxy Server
  • Proxy Server Port
  • Proxy Type
  • Proxy Username

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

Networking > Domains:

  • Email Domains

Printing > Air Print:

  • Printers
  • IP Address
  • Resource Path

Restrictions:

  • Allow Activity Continuation
  • Allow Adding Game Center Friends
  • Allow Air Drop
  • Allow Auto Unlock
  • Allow Camera
  • Allow Cloud Document Sync
  • Allow Cloud Keychain Sync
  • Allow Cloud Photo Library
  • Allow Cloud Private Relay
  • Allow Diagnostic Submission
  • Allow Dictation
  • Allow Erase Content And Settings
  • Allow Fingerprint For Unlock
  • Allow Game Center
  • Allow Multiplayer Gaming
  • Allow Music Service
  • Allow Passcode Modification
  • Allow Password Auto Fill
  • Allow Password Proximity Requests
  • Allow Password Sharing
  • Allow Remote Screen Observation
  • Allow Screenshot
  • Allow Spotlight Internet Results
  • Allow Wallpaper Modification
  • Enforced Software Update Delay
  • Force Classroom Automatically Join Classes
  • Force Classroom Request Permission To Leave Classes
  • Force Classroom Unprompted App And Device Lock
  • Force Delayed Software Updates
  • Safari Allow Autofill

Security > Passcode:

  • Allow Simple Passcode
  • Force PIN
  • Max Failed Attempts
  • Max Grace Period
  • Max Inactivity
  • Max PIN Age In Days
  • Min Complex Characters
  • Min Length
  • PIN History
  • Require Alphanumeric Passcode

User Experience > Notifications:

  • Alert Type
  • Badges Enabled
  • Bundle Identifier
  • Critical Alert Enabled
  • Notifications Enabled
  • Show In Lock Screen
  • Show In Notification Center
  • Sounds Enabled

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • iOS/iPadOS

Use TEAP authentication in wired networks device configuration profiles for Windows devices

On Windows devices, you can create a Wired Networks device configuration profile that supports the Extensible Authentication Protocol (EAP) (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Wired networks for profile type).

When you create the profile, you can use the Tunnel Extensible Authentication Protocol (TEAP).

For more information on wired networks, go to Add and use wired networks settings on your macOS and Windows devices in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10

Unlock the work profile on Android Enterprise corporate owned work profile (COPE) devices after a set time using password, PIN, or pattern

On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration > Create > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type).

On Android Enterprise COPE devices, you can configure the Work profile password > Required unlock frequency setting. Use this setting to select how long users have before they're required to unlock the work profile using a strong authentication method.

For more information on this setting, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android 8.0 and newer
  • Android Enterprise corporate owned work profile (COPE)

New macOS settings in Settings Catalog

The Settings Catalog has new macOS settings you can configure (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type):

Accounts > Caldav:

  • Cal DAV Account Description
  • Cal DAV Host Name
  • Cal DAV Password
  • Cal DAV Port
  • Cal DAV Principal URL
  • Cal DAV Use SSL
  • Cal DAV Username

Accounts > Carddav:

  • Card DAV Account Description
  • Card DAV Host Name
  • Card DAV Password
  • Card DAV Port
  • Card DAV Principal URL
  • Card DAV Use SSL
  • Card DAV Username

User Experience > Dock:

  • Allow Dock Fixup Override
  • Auto Hide
  • Auto Hide Immutable
  • Contents Immutable
  • Double Click Behavior
  • Double Click Behavior Immutable
  • Large Size
  • Launch Animation
  • Launch Animation Immutable
  • Magnification
  • Magnification Size Immutable
  • Magnify Immutable
  • MCX Dock Special Folders
  • Minimize Effect
  • Minimize Effect Immutable
  • Minimize Into Application Immutable
  • Minimize To Application
  • Orientation
  • Persistent Apps
  • Persistent Others
  • Position Immutable
  • Show Indicators Immutable
  • Show Process Indicators
  • Show Recents
  • Show Recents Immutable
  • Size Immutable
  • Static Apps
  • Static Only
  • Static Others
  • Tile Size
  • Window Tabbing
  • Window Tabbing Immutable

System Configuration > Energy Saver:

  • Desktop Power
  • Desktop Schedule
  • Destroy FV Key On Standby
  • Laptop Battery Power
  • Laptop Power
  • Sleep Disabled

System Configuration > System Logging:

  • Enable Private Data

System Configuration > Time Server:

  • Time Server
  • Time Zone

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

Security > Passcode:

  • Allow Simple Passcode
  • Change At Next Auth
  • Force PIN
  • Max Failed Attempts
  • Max Grace Period
  • Max Inactivity
  • Max PIN Age In Days
  • Min Complex Characters
  • Min Length
  • Minutes Until Failed Login Reset
  • PIN History
  • Require Alphanumeric Passcode

There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies.

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:

  • macOS

New Microsoft Office and Microsoft Outlook preference settings in the macOS Settings Catalog

The Settings Catalog supports preference settings for Microsoft Office and Microsoft Outlook (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type).

The following settings are available:

Microsoft Office > Microsoft Office:

  • Allow experiences and functionality that analyzes user content
  • Allow experiences and functionality that downloads user content
  • Allow macros to modify Visual Basic projects
  • Allow optional connected experiences
  • Allow Visual Basic macros to use system APIs
  • Background accessibility checking
  • Default to local files for open/save
  • Diagnostic data level
  • Disable cloud fonts
  • Disable third-party store add-in catalog
  • Disable user surveys
  • Enable automatic sign-in
  • Prevent all Visual Basic macros from executing
  • Prevent Visual Basic macros from using external dynamic libraries
  • Prevent Visual Basic macros from using legacy MacScript
  • Prevent Visual Basic macros from using pipes to communicate
  • Show Template Gallery on app launch
  • Show What's New dialog
  • Visual Basic macro policy

Microsoft Office > Microsoft Outlook:

  • Allow S/MIME certificates without a matching email address
  • Allowed Email Domains
  • Default domain name
  • Default weather location
  • Disable 'Do Not Forward' options
  • Disable automatic updating of weather location
  • Disable email signatures
  • Disable export to OLM files
  • Disable import from OLM and PST files
  • Disable Junk settings
  • Disable Microsoft 365 encryption options
  • Disable Microsoft Teams meeting support
  • Disable S/MIME
  • Disable Skype for Business meeting support
  • Download embedded images
  • Enable New Outlook
  • Hide On My Computer folders
  • Hide the 'Get started with Outlook' control in the task pane
  • Hide the 'Personalize the new Outlook' dialog
  • Set the order in which S/MIME certificates are considered
  • Set theme
  • Specify first day of the week
  • Trust Office 365 autodiscover redirects
  • Use domain-based autodiscover instead of Office 365

For more information about the Settings Catalog, go to:

For more information about Microsoft Office and Outlook settings you can configure, go to:

Applies to:

  • macOS

Device management

Remotely restart and shut down macOS device

You can remotely restart or shut down a macOS device using device actions. These device actions are available for devices running macOS 10.13 and later.

For more information, see Restart devices with Microsoft Intune.

More Remote actions for Android (AOSP) Corporate devices

For Android Open Source Project (AOSP) Corporate devices, you can soon use more remote actions from the Microsoft Intune admin center: Reboot and Remote lock.

For information about these features, see:

Applies to:

  • Android Open Source Project (AOSP)

User configuration support for Windows 11 multi-session VMs is in public preview

You can:

  • Configure user scope policies using Settings catalog and assign to groups of users
  • Configure user certificates and assign to users
  • Configure PowerShell scripts to install in the user context and assign to users

Applies to:

  • Windows 11

Note

User support for Windows 10 multi-session builds will be available later this year.

For more information, go to Using Azure Virtual Desktop multi-session with Microsoft Intune

View a managed device's group membership

In the monitor section of the Devices workload of Intune, you can view the group membership of all Microsoft Entra groups for a managed device. You can select Group Membership by signing in to Microsoft Endpoint Manager admin center and selecting Devices > All devices > select a device > Group Membership. For more information, see Device group membership report.

Improved certificate reporting details

We've changed what Intune displays when you view certificate details for devices and certificate profiles. To view the report, in the Microsoft Endpoint Manager admin center, go to Devices > Monitor > Certificates.

With the improved reporting view, Intune displays the following information:

  • Valid certificates
  • Certificates that were revoked within the last 30 days
  • Certificates that expired within the last 30 days

The report no longer displays details for certificates that are not valid or that are no longer on a device.

Device enrollment

Utilize bootstrap tokens on macOS devices

Bootstrap token support, previously in public preview, is now generally available to all Microsoft Intune customers, including GCC High and Microsoft Azure Government Cloud tenants. Intune supports the use of bootstrap tokens on enrolled devices running macOS, version 10.15 or later.

Bootstrap tokens allow for non-admin users to have increased MDM permissions, and perform specific software functions on behalf of the IT admin. Bootstrap tokens are supported on:

  • Supervised devices (in Intune, that's all user-approved enrollments)
  • Devices enrolled in Intune via Apple automated device enrollment

For more information about how bootstrap tokens work with Intune, see Set up enrollment for macOS devices.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Condeco by Condeco Limited
  • RICOH Spaces by Ricoh Digital Services

For more information about protected apps, see Microsoft Intune protected apps.

Week of June 13, 2022

Device security

Microsoft Tunnel support for Red Hat Enterprise Linux 8.6

You can now use Red Hat Enterprise Linux (RHEL) 8.6 with Microsoft Tunnel. There are no other requirements beyond the requirements needed for RHEL 8.5 support.

Like RHEL 8.5, you can use the readiness tool (mst-readiness) to check for the presence of the ip_tables module in the Linux kernel. By default, RHEL 8.6 doesn't load the ip_tables module.

For Linux servers that don't load the module, we've provided instructions to load it immediately, and to configure the Linux server to load it automatically at boot.
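As an added example (not from this page, and not Microsoft's mst-readiness tool), the following POSIX shell script reproduces the check and the two remediation steps the section describes: detect whether ip_tables is present in the running kernel, load it now, and persist it so it loads at boot. It assumes the standard RHEL mechanisms for each step, lsmod to inspect loaded modules, modprobe to load one, and a drop-in file under /etc/modules-load.d for boot-time loading; the file name, the function names and the sample lsmod text are constructed for the example.

```shell
#!/bin/sh
# Added example: ip_tables readiness check for a Microsoft Tunnel host on RHEL 8.6.
# Not the mst-readiness tool itself; it mirrors the check the page says that tool performs.
# Assumption: lsmod/modprobe and /etc/modules-load.d are the mechanisms used (standard on RHEL).

MODULE="ip_tables"

# module_loaded <lsmod output>: prints "loaded" if $MODULE appears as a module name
# in the given lsmod text, otherwise "missing". Takes the text as an argument so the
# check can be exercised on captured output without touching the live kernel.
module_loaded() {
    if printf '%s\n' "$1" | grep -Eq "^${MODULE}([[:space:]]|$)"; then
        echo loaded
    else
        echo missing
    fi
}

# persist_module <dir>: writes a systemd modules-load.d drop-in naming $MODULE into <dir>
# (normally /etc/modules-load.d) so the module is loaded on every boot; prints the path.
persist_module() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' "$MODULE" > "$dir/$MODULE.conf"
    echo "$dir/$MODULE.conf"
}

# Constructed sample lsmod output from a host on which ip_tables is not loaded
# (nftables-based hosts commonly look like this).
SAMPLE_LSMOD='Module                  Size  Used by
nft_compat             20480  0
nf_tables             180224  1 nft_compat
xfs                  1572864  2'

# remediate_live: the real procedure. Must run as root. Only runs when invoked with --live
# so that the functions above can be sourced and tested safely on any machine.
remediate_live() {
    state=$(module_loaded "$(lsmod)")
    echo "ip_tables: $state"
    if [ "$state" = missing ]; then
        modprobe "$MODULE" || { echo "modprobe $MODULE failed" >&2; return 1; }
        conf=$(persist_module /etc/modules-load.d)
        echo "loaded $MODULE now; boot-time load persisted in $conf"
    fi
}

if [ "${1:-}" = "--live" ]; then
    remediate_live
fi
```

Run it as root with `--live` on the Tunnel host; without the flag it only defines the functions, which is what the sample check against SAMPLE_LSMOD exercises. The grep anchors on the module column so that a module merely listed as a dependency in the "Used by" column (for example `iptable_filter`) is not mistaken for ip_tables itself.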

Week of June 6, 2022

App management

Photo library data transfer support via app protection policies

You can now select Photo Library as a supported application storage service. By selecting Photo Library in the Allow users to open data from selected services setting or the Allow users to save data to selected services setting within Intune, you can allow managed accounts to move data between the device's photo library and their managed apps, in either direction, on the iOS and Android platforms. In Microsoft Intune admin center, select Apps > App protection policies > Create Policy. Choose either iOS/iPadOS or Android. This setting is available as part of the Data protection step and specifically for Policy managed apps. For more information, see Data protection.

UI improvements show Android enrollment is available, not required

We updated the iconography in the Company Portal for Android app to make it easier for users to recognize when device enrollment is available to them but not required. The new iconography appears in scenarios where the device enrollment availability is set to Available, no prompts in the admin center (Tenant admin > Customization > Create or Edit a policy > Settings).

Changes include:

  • On the Devices screen, users will no longer see a red exclamation point next to a non-enrolled device.
  • On the Device Details screen, users will no longer see a red exclamation point next to the enrollment message. Instead, they'll see the info (i) icon.

To view screenshots of the changes, see UI updates for Intune end-user apps.

Device management

Windows Update compatibility reports for Apps and Drivers (public preview)

In public preview, two Windows Update compatibility reports are now available to help you prepare for a Windows upgrade or update. These reports fill a gap that is currently covered by Desktop Analytics, which is scheduled to be retired on November 30, 2022.

Use these reports to help you plan for an upgrade from Windows 10 to 11 or for installing the latest Windows feature update:

  • Windows feature update device readiness report (Preview) - This report provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows.
  • Windows feature update compatibility risks report (Preview) - This report provides a summary view of the top compatibility risks across your organization for a chosen version of Windows. You can use this report to understand which compatibility risks affect the greatest number of devices in your organization.

These reports are rolling out to tenants over the next week. If you don't see them yet, check back again in a day or so. To learn about prerequisites, licensing, and what information is available with these reports, see Windows Update compatibility reports.

Week of May 30, 2022 (Service release 2205)

App management

iOS Company Portal minimum required version

Starting June 1, 2022, the minimum supported version of the iOS Company Portal app will be v5.2205. If your users are running v5.2204 or earlier, they're prompted for an update at login. If you have enabled the Block installing apps using App Store device restriction setting, you will likely need to push an update to the related devices that use this setting. Otherwise, no action is needed. If you have a helpdesk, make them aware of the prompt to update the Company Portal app. In most cases, users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. For more information, see Intune Company Portal.

Push notifications are automatically sent when device ownership changes from Personal to Corporate

For iOS/iPad and Android devices, a push notification is now automatically sent when a device's ownership type is changed from Personal to Corporate. The notification is pushed through the Company Portal app on the device.

With this change, we've removed the Company Portal configuration setting that was previously used to manage this notification behavior.

iOS/iPadOS notifications require March Company Portal or newer

With Intune's May (2205) service release, we have made service side updates to iOS/iPadOS notifications that require users to have the March Company Portal app (version 5.2203.0) or newer. If you're using functionality that could generate iOS/iPadOS Company Portal push notifications, you must ensure your users update the iOS/iPadOS Company Portal to continue receiving push notifications. There's no other change in functionality. For more information, see Update the Company Portal app.

Deployment of macOS LOB apps by uploading PKG-type installer files is now generally available

You can now deploy macOS line-of-business (LOB) apps by uploading PKG-type installer files to Intune. This capability is out of public preview and is now generally available.

To add a macOS LOB app from Microsoft Intune admin center, select Apps > macOS > Add > Line-of-business app. Also, the App Wrapping Tool for macOS will no longer be required to deploy macOS LOB apps. For more information, see How to add macOS line-of-business (LOB) apps to Microsoft Intune.

Improved report experience on the Managed Apps pane

The Managed Apps pane has been updated to better display managed app details for a device. You can switch between displaying managed app details for the primary user and other users on a device, or display app details for the device without any user. The generated app details are displayed using the primary user of the device when the report is initially loaded, or displayed with no primary user if none exists. For more information, see Managed Apps report.

MSfB licenses and Apple VPP licenses

Removing an Intune license from a user will no longer revoke app licenses granted through the Microsoft Store for Business or through Apple VPP. For more information, see How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune, Revoking iOS app licenses, and Microsoft Intune licensing.

Reporting for unlicensed users

Intune will no longer remove users from all Intune reports when they're unlicensed. Until the user is deleted from Microsoft Entra ID, Intune will continue to report the user in most common scenarios. For related information about reporting, see Intune reports.

Device security

New Device Control profile for Intune's endpoint security Attack Surface Reduction policy

As part of the continuing rollout of new profiles for endpoint security policies, which began in April 2022, we've released a new Device Control profile template for Attack Surface Reduction policy for endpoint security in Intune. This profile replaces the previous profile of the same name for the Windows 10 and later platform.

With this replacement, only instances of the new profile can be created. However, any profiles you've previously created that use the old profile structure remain available to use, edit, and deploy.

The new Device Control profile:

  • Includes all the settings that were available in the original profile.
  • Introduces five new settings that are not available in the older profile.

The five new settings focus on removable devices, like USB devices:

Device configuration

Unlock Android Enterprise devices after a set time using password, PIN, or pattern

On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration > Create > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type).

In Device password and Work profile password, there's a new Required unlock frequency setting. Select how long users must unlock the device using a strong authentication method (password, PIN, or pattern). Your options:

  • 24 hours since last pin, password, or pattern unlock: The screen locks 24 hours after users last used a strong authentication method to unlock the device or work profile.
  • Device default (default): The screen locks using the device's default time.

For more information about the underlying Android behavior, see Advanced passcode management (opens Android's web site).

For a list of the settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android 8.0 and newer
  • Android Enterprise corporate owned fully managed (COBO)
  • Android Enterprise corporate owned dedicated devices (COSU)
  • Android Enterprise corporate owned work profile (COPE)

Use the Settings Catalog to create a Universal Print policy on Windows 11 devices

Many organizations are moving their printer infrastructure to the cloud using Universal Print.

In the Intune admin center, you can use the Settings Catalog to create a universal print policy (Devices > Configuration > Create > Windows 10 and later for platform > Settings catalog for profile type > Printer provisioning). When you deploy the policy, users select the printer from a list of registered Universal Print printers.

For more information, go to Create a Universal Print policy in Microsoft Intune.

Applies to:

  • Windows 11

New macOS settings in the Settings Catalog

The Settings Catalog has new macOS settings you can configure (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type):

Accounts > Accounts:

  • Disable Guest Account
  • Enable Guest Account

Networking > Firewall:

  • Allow Signed
  • Allow Signed App
  • Enable Logging
  • Logging Option

Parental Controls > Parental Controls Time Limits:

  • Family Controls Enabled
  • Time Limits

Proxies > Network Proxy Configuration:

  • Proxies
  • Exceptions List
  • Fall Back Allowed
  • FTP Enable
  • FTP Passive
  • FTP Port
  • FTP Proxy
  • Gopher Enable
  • Gopher Port
  • Gopher Proxy
  • HTTP Enable
  • HTTP Port
  • HTTP Proxy
  • HTTPS Enable
  • HTTPS Port
  • HTTPS Proxy
  • Proxy Auto Config Enable
  • Proxy Auto Config URL String
  • Proxy Captive Login Allowed
  • RTSP Enable
  • RTSP Port
  • RTSP Proxy
  • SOCKS Enable
  • SOCKS Port Integer
  • SOCKS Proxy

Security > Smart Card:

  • Allow Smart Card
  • Check Certificate Trust
  • Enforce Smart Card
  • One Card Per User
  • Token Removal Action
  • User Pairing

Software Update:

  • Allow Pre Release Installation
  • Automatic Check Enabled
  • Automatic Download
  • Automatically Install App Updates
  • Automatically Install Mac OS Updates
  • Config Data Install
  • Critical Update Install
  • Restrict Software Update Require Admin To Install

User Experience > Screensaver User:

  • Idle Time
  • Module Name
  • Module Path

There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies.

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:

  • macOS

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • F2 Manager Intune by cBrain A/S
  • F2 Touch Intune (Android) by cBrain A/S
  • Microsoft Lists (Android) by Microsoft
  • Microsoft Lens - PDF Scanner by Microsoft
  • Diligent Boards by Diligent Corporation
  • Secure Contacts by Provectus Technologies GmbH
  • My Portal by MangoApps by MangoSpring Inc

For more information about protected apps, see Microsoft Intune protected apps.

Device management

Software updates page for tenant attached devices

There's a new Software updates page for tenant attached devices. This page displays the status for software updates on a device. You can review which updates are successfully installed, failed, and are assigned but not yet installed. Using the timestamp for the update status assists with troubleshooting. For more information, see Tenant attach: Software updates in the admin center.

Microsoft Defender for Endpoint support for App Sync on iOS/iPadOS

Before you can use this capability, you must opt in to a Microsoft Defender for Endpoint Preview. To opt in, contact mdatpmobile@microsoft.com.

When you use Microsoft Defender for Endpoint as your Mobile Threat Defense application, you can configure Defender for Endpoint to request Application Inventory data from Intune from iOS/iPadOS devices. The following two settings are now available:

  • Enable App Sync for iOS Devices: Set to On to allow Microsoft Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and will provide updated app data during device check-in.

  • Send full application inventory data on personally owned iOS/iPadOS Devices: This setting controls the application inventory data. Intune shares this data with Microsoft Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list.

    When set to On, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune.

    When set to Off, data about unmanaged apps isn't provided. Intune does share data for the apps that were deployed through Intune.

Support for Retire on Android Enterprise corporate-owned work profile devices

You can now use the Retire admin action in the Microsoft Intune admin center to remove the work profile including all corporate apps, data, and policies from an Android Enterprise corporate-owned work profile device. Go to Intune admin center > Devices pane > All Devices > then select the name of the device you want to retire and select Retire.

When you select Retire, the device is unenrolled from Intune management. However, all the data and apps associated with your personal profile remain untouched on the device. For more information, see Retire or wipe devices using Microsoft Intune.

Device enrollment

Improvements for enrollment profiles for Apple Automated Device Enrollment

Two Setup Assistant skip panes, previously released in Intune for public preview, are now generally available to use in Intune. These screens typically appear in Setup Assistant during Apple Automated Device Enrollment (ADE). You can configure screen visibility while you're setting up an enrollment profile in Intune. Intune-supported screen settings are available in the device enrollment profile under the Setup Assistant tab. The new skip panes are:

  • Pane name: Get Started

    • Available for iOS/iPadOS 13 and later.
    • This pane is visible in Setup Assistant during ADE by default.
  • Pane name: Auto Unlock with Apple Watch

    • Available for macOS 12 and later.
    • This pane is visible in Setup Assistant during ADE by default.

There's no change to functionality from the public preview release.

Enroll to co-management from Windows Autopilot

You can configure device enrollment in Intune to enable co-management, which happens during the Windows Autopilot process. This behavior directs the workload authority in an orchestrated manner between Configuration Manager and Intune.

If the device is targeted with an Autopilot enrollment status page (ESP) policy, the device will wait for Configuration Manager. The Configuration Manager client installs, registers with the site, and applies the production co-management policy. Then the Autopilot ESP continues.

For more information, see How to enroll to co-management with Autopilot.

Week of May 9, 2022

Device security

Security Management with Defender for Endpoint is generally available

The Microsoft Intune and Microsoft Defender for Endpoint (MDE) teams are excited to announce the general availability of Defender for Endpoint security settings management. As part of this general availability, support for Antivirus, Endpoint Detection and Response, and Firewall rules is now generally available. This general availability applies to Windows Server 2012 R2 and later, and to Windows 10 and Windows 11 clients. In the future, there will be support for other platforms and profiles in a preview capacity.

For more information, see Manage Microsoft Defender for Endpoint on devices with Microsoft Intune.

Device management

Elevation enhancements to Remote Help

Elevation permissions will no longer be assigned when a session is started. Elevation permissions will now apply only when JIT (just in time) access is requested. The access is requested when you select a button on the toolbar. When elevation permissions are assigned, the sign out behavior for the sharer has been modified as follows:

  • If the admin (helper) ends the Remote Help session, the user (sharer) will not be logged off.
  • If the sharer tries to end the session, they're prompted that they will be logged off if they continue.
  • If the sharer is a local admin on their device, the access UAC prompt option will not be available to the helper, as they can guide the sharer to perform elevated actions under their own profile. For more information about Remote Help, see Use Remote Help.

Week of May 2, 2022

App management

Update priority of Managed Google Play apps

You can set the update priority of Managed Google Play apps on Android Enterprise devices that are dedicated, fully managed, or corporate-owned with a work profile. By selecting Postpone as the Update Priority app setting, the device will wait for 90 days after a new version of the app is detected before installing the app update. For more information, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Week of April 25, 2022 (Service release 2204)

App management

Updated app configuration policies list

The App configuration policies list has been modified in Intune. This list will no longer contain the Assigned column. To view whether an app configuration policy has been assigned, navigate to Microsoft Intune admin center > Apps > App configuration policies > select a policy > Properties.

Password complexity for Android devices

The Require device lock setting in Intune has been extended to include values (Low Complexity, Medium Complexity, and High Complexity). If the device lock doesn't meet the minimum password requirement, you can warn, wipe data, or block the end user from accessing a managed account in a managed app. This feature targets devices that operate on Android 11+. For devices operating on Android 11 and earlier, setting a complexity value of Low, Medium, or High will default to the expected behavior for Low Complexity. For more information, see Android app protection policy settings in Microsoft Intune.

Improvements to Win32 App Log collection

Win32 App Log collection via Intune Management Extension has moved to the Windows 10 device diagnostic platform, reducing the time to collect logs from 1-2 hours to 15 minutes. We've also increased the log size from 60 MB to 250 MB. Along with performance improvements, the app logs are available under the Device diagnostics monitor action for each device, and the managed app monitor. For information about how to collect diagnostics, see Collect diagnostics from a Windows device and Troubleshooting Win32 app installations with Intune.

Device management

Windows 10 and Windows 11 Enterprise multi-session is generally available

In addition to the existing functionality, you can now:

  • Configure profiles under Endpoint Security when you select Platform Windows 10, Windows 11, and Windows Server.
  • Manage Windows 10 and Windows 11 Enterprise multi-session VMs created in Azure Government Cloud in US Government Community (GCC) High and DoD.

For more information, see Windows 10/11 Enterprise multi-session remote desktops.

Device actions available to Android (AOSP) users in Microsoft Intune app

AOSP device users can now rename their enrolled devices in the Microsoft Intune app. This feature is available on devices enrolled in Intune as user-associated (Android) AOSP devices. For more information about Android (AOSP) management, see Set up Intune enrollment for Android (AOSP) corporate-owned user-associated devices.

Support for Audio Alert on Android corporate owned work profiles and fully managed (COBO and COPE) devices

You can now use the device action Play lost device sound to trigger an alarm sound on the device to help locate the lost or stolen Android Enterprise corporate owned work profile and fully managed devices. For more information, see Locate lost or stolen devices.

Device enrollment

New enrollment profile settings for Apple Automated Device Enrollment (public preview)

We've added two new Setup Assistant settings that you can use with Apple Automated Device Enrollment. Each setting controls the visibility of a Setup Assistant pane shown during enrollment. Setup Assistant panes are shown during enrollment by default, so you have to adjust the settings in Microsoft Intune if you want to hide them.

The new Setup Assistant settings are:

  • Get Started (preview): Show or hide the Get Started pane during enrollment. For devices running iOS/iPadOS 13 and later.
  • Auto Unlock with Apple Watch (preview): Show or hide the Unlock Your Mac with your Apple Watch pane during enrollment. For devices running macOS 12 and later.

To configure Setup Assistant settings for Automated Device Enrollment, create an iOS/iPadOS enrollment profile or macOS enrollment profile in Microsoft Intune.

Device security

Microsoft Defender for Endpoint as the Tunnel client app for iOS is now Generally Available

Use of Microsoft Defender for Endpoint that supports Microsoft Tunnel on iOS/iPadOS is now out of preview and is generally available. With general availability, a new version of the Defender for Endpoint app for iOS is available from the App store to download and deploy. If you've been using the preview version as your Tunnel client app for iOS, we recommend you upgrade to the latest Defender for Endpoint app for iOS soon to gain the benefits of the latest updates and fixes.

As of August 30, 2022, the connection type is named Microsoft Tunnel.

With this release, by the end of June, both the standalone Tunnel client app and the preview version of Defender for Endpoint as the Tunnel client app for iOS will be deprecated and be dropped from support. Soon after that deprecation, the standalone Tunnel client app will no longer function and will no longer support opening connections to Microsoft Tunnel.

If you're still using the standalone tunnel app for iOS, plan to migrate to the Microsoft Defender for Endpoint app. Migrate before support for the standalone app ends and its support to connect to Tunnel stops working.

Attack surface reduction rules profile

The Attack Surface Reduction Rules (ConfigMgr) profile for tenant attached devices is now in public preview. For more information, see Tenant attach: Create and deploy attack surface reduction policies.

Device configuration

Endpoint security profiles support filters

There are some new features when using filters:

  • When you create a device configuration profile for Windows devices, a per-policy report shows reporting information in the Device and user check-in status (Devices > Configuration > Select an existing policy).

    When you select View report, the report has an Assignment Filter column. Use this column to determine if a filter successfully applied to your policy.

  • Endpoint Security policies support filters. So, when you assign an endpoint security policy, you can use filters to assign the policy based on rules you create.

  • When you create a new endpoint security policy, it automatically uses the new device configuration profile reporting. When you look at the per-policy report, it also has an Assignment Filter column (Devices > Configuration > Select an existing endpoint security policy > View report). Use this column to determine if a filter successfully applied to your policy.

For more information on filters, see:

Applies to:

  • All platforms

Does not apply to:

  • Administrative Templates (Windows 10/11)
  • Device Firmware Configuration Interface (DFCI) (Windows 10/11)
  • OEMConfig (Android Enterprise)

Create a Settings Catalog policy using your imported GPOs with Group Policy analytics

Using Group Policy analytics, you can import your on-premises GPO, and see the settings that are supported in Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers.

When the analysis runs, you see the settings that are ready for migration. There's a Migrate option that creates a Settings Catalog profile using your imported settings. Then, you can assign this profile to your groups.

For more information, go to Create a Settings Catalog policy using your imported GPOs in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10

New wired networks device configuration profile for Windows devices

There's a new Wired Networks device configuration profile for Windows 10/11 devices (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Wired networks for profile type).

Use this profile to configure common wired network settings, including authentication, EAP type, server trust, and more. For more information on the settings you can configure, go to Add wired network settings for Windows devices in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10

"ADMX_" Policy CSP settings in Administrative Templates and Settings Catalog apply to Windows Professional editions

The Windows Policy CSP settings that begin with "ADMX_" apply to Windows devices running Windows Professional edition. Previously, these settings were shown as Not applicable on devices running Windows Professional edition.

You can use Administrative Templates and Settings Catalog to configure these "ADMX_" settings in a policy, and deploy the policy to your devices (Devices > Configuration > Create > Windows 10 and later for platform > Settings catalog or Templates > Administrative Templates for profile type).

To use this set of "ADMX_" settings, the following updates must be installed on your Windows 10/11 devices:

To learn more about these features, go to:

To see a list of all the ADMX settings that support Windows Professional edition, go to Windows Policy CSP settings. Any setting that begins with "ADMX_" supports Windows Professional edition.

Applies to:

  • Windows 11
  • Windows 10

New macOS settings in Setting Catalog

The Settings Catalog has new macOS settings you can configure (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type):

Accounts > Mobile Accounts:

  • Ask For Secure Token Auth Bypass
  • Create At Login
  • Expiry Delete Disused Seconds
  • Warn On Create
  • Warn On Create Allow Never

App Management > Autonomous Single App Mode:

  • Bundle Identifier
  • Team Identifier

App Management > NS Extension Management:

  • Allowed Extensions
  • Denied Extension Points
  • Denied Extensions

App Store:

  • Disable Software Update Notifications
  • Restrict Store Software Update Only
  • restrict-store-disable-app-adoption

Authentication > Directory Service:

  • AD Allow Multi Domain Auth
  • AD Allow Multi Domain Auth Flag
  • AD Create Mobile Account At Login
  • AD Create Mobile Account At Login Flag
  • AD Default User Shell
  • AD Default User Shell Flag
  • AD Domain Admin Group List
  • AD Domain Admin Group List Flag
  • AD Force Home Local
  • AD Force Home Local Flag
  • AD Map GGID Attribute
  • AD Map GGID Attribute Flag
  • AD Map GID Attribute
  • AD Map GID Attribute Flag
  • AD Map UID Attribute
  • AD Map UID Attribute Flag
  • AD Mount Style
  • AD Namespace
  • AD Namespace Flag
  • AD Organizational Unit
  • AD Packet Encrypt
  • AD Packet Encrypt Flag
  • AD Packet Sign
  • AD Packet Sign Flag
  • AD Preferred DC Server
  • AD Preferred DC Server Flag
  • AD Restrict DDNS
  • AD Restrict DDNS Flag
  • AD Trust Change Pass Interval Days
  • AD Trust Change Pass Interval Days Flag
  • AD Use Windows UNC Path
  • AD Use Windows UNC Path Flag
  • AD Warn User Before Creating MA Flag
  • Client ID
  • Description
  • Password
  • User Name

Authentication > Identification:

  • Prompt
  • Prompt Message

Login > Login Window Login Items:

  • Disable Login Items Suppression

Media Management Disc Burning:

  • Burn Support

Parental Controls > Parental Controls Application Restrictions:

  • Family Controls Enabled

Parental Controls > Parental Controls Content Filter:

  • Allowlist Enabled
  • Filter Allowlist
  • Filter Blocklist
  • Site Allowlist
  • Address
  • Page Title
  • Use Content Filter

Parental Controls > Parental Controls Dictionary:

  • Parental Control

Parental Controls > Parental Controls Game Center:

  • GK Feature Account Modification Allowed

System Configuration > File Provider:

  • Allow Managed File Providers To Request Attribution

System Configuration > Screensaver:

  • Ask For Password
  • Ask For Password Delay
  • Login Window Idle Time
  • Login Window Module Path

User Experience > Finder:

  • Prohibit Burn
  • Prohibit Connect To
  • Prohibit Eject
  • Prohibit Go To Folder
  • Show External Hard Drives On Desktop
  • Show Hard Drives On Desktop
  • Show Mounted Servers On Desktop
  • Show Removable Media On Desktop
  • Warn On Empty Trash

User Experience > Managed Menu Extras:

  • AirPort
  • Battery
  • Bluetooth
  • Clock
  • CPU
  • Delay Seconds
  • Displays
  • Eject
  • Fax
  • HomeSync
  • iChat
  • Ink
  • IrDA
  • Max Wait Seconds
  • PCCard
  • PPP
  • PPPoE
  • Remote Desktop
  • Script Menu
  • Spaces
  • Sync
  • Text Input
  • TimeMachine
  • Universal Access
  • User
  • Volume
  • VPN
  • WWAN

User Experience > Notifications:

  • Alert Type
  • Badges Enabled
  • Critical Alert Enabled
  • Notifications Enabled
  • Show In Lock Screen
  • Show In Notification Center
  • Sounds Enabled

User Experience > Time Machine:

  • Auto Backup
  • Back up All Volumes
  • Back up Size MB
  • Back up Skip System
  • Base Paths
  • Mobile Backups
  • Skip Paths

Xsan:

  • San Auth Method

Xsan > Xsan Preferences:

  • Deny DLC
  • Deny Mount
  • Only Mount
  • Prefer DLC
  • Use DLC

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

App Management > Associated Domains:

  • Enable Direct Downloads

Networking > Content Caching:

  • Allow Cache Delete
  • Allow Personal Caching
  • Allow Shared Caching
  • Auto Activation
  • Auto Enable Tethered Caching
  • Cache Limit
  • Data Path
  • Deny Tethered Caching
  • Display Alerts
  • Keep Awake
  • Listen Ranges
  • Listen Ranges Only
  • Listen With Peers And Parents
  • Local Subnets Only
  • Log Client Identity
  • Parent Selection Policy
  • Parents
  • Peer Filter Ranges
  • Peer Listen Ranges
  • Peer Local Subnets Only
  • Port
  • Public Range

Restrictions:

  • Allow Activity Continuation
  • Allow Adding Game Center Friends
  • Allow Air Drop
  • Allow Auto Unlock
  • Allow Camera
  • Allow Cloud Address Book
  • Allow Cloud Bookmarks
  • Allow Cloud Calendar
  • Allow Cloud Desktop And Documents
  • Allow Cloud Document Sync
  • Allow Cloud Keychain Sync
  • Allow Cloud Mail
  • Allow Cloud Notes
  • Allow Cloud Photo Library
  • Allow Cloud Private Relay
  • Allow Cloud Reminders
  • Allow Content Caching
  • Allow Diagnostic Submission
  • Allow Dictation
  • Allow Erase Content And Settings
  • Allow Fingerprint For Unlock
  • Allow Game Center
  • Allow iTunes File Sharing
  • Allow Multiplayer Gaming
  • Allow Music Service
  • Allow Passcode Modification
  • Allow Password Auto Fill
  • Allow Password Proximity Requests
  • Allow Password Sharing
  • Allow Remote Screen Observation
  • Allow Screenshot
  • Allow Spotlight Internet Results
  • Allow Wallpaper Modification
  • Enforced Fingerprint Timeout
  • Enforced Software Update Delay
  • Enforced Software Update Major OS Deferred Install Delay
  • Enforced Software Update Minor OS Deferred Install Delay
  • Enforced Software Update Non OS Deferred Install Delay
  • Force Classroom Automatically Join Classes
  • Force Classroom Request Permission To Leave Classes
  • Force Classroom Unprompted App And Device Lock
  • Force Delayed App Software Updates
  • Force Delayed Major Software Updates
  • Force Delayed Software Updates
  • Safari Allow Autofill

There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies.

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:

  • macOS

April 2022

App management

Uninstall DMG-type applications on managed macOS devices (Public preview)

You can use the Uninstall assignment type to remove DMG-type applications on managed macOS devices from Microsoft Intune. You can find macOS DMG apps in Microsoft Intune admin center by selecting Apps > macOS > macOS app (.DMG). For more information, see Add a macOS DMG app to Microsoft Intune.

Device Management

Updating the device diagnostics folder structure

Intune now exports Windows Device Diagnostic data in an updated format. With the updated format, the logs collected are named to match the data collected, and when multiple files are collected a folder is created. With the earlier format, the zip file used a flat structure of numbered folders that didn't identify their contents.

To take advantage of this diagnostic logging update, devices must install one of the following updates:

  • Windows 11 - KB5011563
  • Windows 10 - KB5011543

These updates are available through the Windows Updates on April 12, 2022.

Microsoft Intune premium add-ons

Microsoft Intune is introducing a new centralized experience to help IT admins identify premium add-on capabilities. These capabilities can be added to Microsoft Intune for an additional licensing cost. The first premium add-on is Remote Help.

You can find premium add-ons in Intune under Tenant administration > Premium add-ons. The Summary blade shows all premium add-ons that have been released, a short description, and the status of the add-on. You can view the status of each add-on as either Active or Available for trial or purchase. The premium add-ons capability can be used by Global and Billing administrators to start trials or purchase licenses for premium add-ons.

For more information about Premium add-ons, see Use Premium add-ons capabilities with Intune.

Device security

New profile templates and settings structure for endpoint security policies

We've begun to release new endpoint security profile templates that use the settings format as found in the Settings Catalog. Each new profile template includes the same settings as the older profile it replaces, while bringing the following improvements:

  • Setting names match the Windows CSP name: In most cases, each setting name in the new profiles matches the name of the CSP that the setting configures. In the Intune UI, we've added spaces to that name to make the setting name easier to read. For example, a setting in the Intune UI that's named Allow USB Connection configures the CSP named AllowUSBConnection.

  • Setting options align to those of the Windows CSP: Options for settings now align directly to the options described and supported by the Windows CSP, with one addition: Not configured. When a setting is set to Not configured, that Intune profile doesn't actively manage the setting. When a setting in a profile is changed from an active configuration to Not configured, Intune stops actively enforcing that setting on the device.

  • Setting guidance is taken from the Windows CSP: The information about the setting found in the Intune UI is taken directly from the Windows CSP content, with Learn more links opening the documentation for the relevant CSP, or the content page that includes that CSP. The CSP defines and manages the settings behavior.

When a new platform and profile template is available for a policy type, the older profile of the same name will no longer be available to create new profiles. Instead, new profiles must use the new profiles and settings format. Eventually, your old profiles will be supported for conversion to the new profile format. Until that conversion is available, you can still use, edit, and deploy your existing profiles.

The following profile templates are now available in the new settings format:

Policy type                     | Platform                                   | Profile (template) name
--------------------------------|--------------------------------------------|--------------------------------------
Antivirus                       | Windows 10, Windows 11, and Windows Server | Windows Security experience
Antivirus                       | Windows 10, Windows 11, and Windows Server | Windows Defender Antivirus
Antivirus                       | Windows 10, Windows 11, and Windows Server | Windows Defender Antivirus Exclusions
Firewall                        | Windows 10, Windows 11, and Windows Server | Microsoft Defender Firewall
Firewall                        | Windows 10, Windows 11, and Windows Server | Microsoft Defender Firewall Rules
Endpoint detection and response | Windows 10, Windows 11, and Windows Server | Endpoint detection and response
Attack surface reduction        | Windows 10 and later                       | Attack surface reduction rules
Attack surface reduction        | Windows 10 and later                       | Exploit protection

March 2022

App management

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • CAPTOR™ for Intune by Inkscreen LLC

For more information about protected apps, see Microsoft Intune protected apps.

iOS/iPadOS notifications will require March Company Portal update

If you're using a functionality that could generate iOS/iPadOS Company Portal push notifications, you will want to ensure your users update the iOS/iPadOS Company Portal in March or April 2022. There's no other change in functionality. We will be making service side updates to iOS/iPadOS notifications expected in Intune's May (2205) service release. The Company Portal update will be released prior to the service change, so most users will already have the updated app and won't be affected. However, you should notify users of this change to ensure all users continue to receive push notifications sent by your organization. For more information, see Update the Company Portal app.

Feedback settings for Company Portal and Microsoft Intune apps

Feedback settings are provided to address Microsoft 365 enterprise feedback policies for the currently logged in user via the Microsoft 365 Apps admin center. The settings are used to determine whether feedback can be enabled or must be disabled for a user. This feature is available for Intune Company Portal and Microsoft Intune apps. For more information, see Configure feedback settings for Company Portal and Microsoft Intune apps.

Deploy macOS LOB apps by uploading PKG-type installer files (Public preview)

You can now upload and deploy PKG-type installer files as macOS line-of-business apps. You can add a macOS LOB app from Microsoft Intune admin center by selecting Apps > macOS > Add > Line-of-business app. For more information about macOS LOB apps, see How to add macOS line-of-business apps to Microsoft Intune.

Apps UI when using Android 12L OS

The Android 12L OS contains new features designed to improve the Android 12 experience on large and folding dual-screen devices. Intune apps now support Android 12L OS on Android dual-screen devices.

Display Android Enterprise device serial number using Managed Home Screen app

On Android Enterprise dedicated devices using Managed Home Screen, customers can now use app configuration to configure the Managed Home Screen app to show the serial number for the device on all supported OS versions (8 and later). For information related to the Managed Home Screen app, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Device management

See the IPv4 address and Wi-Fi subnet ID on Android Enterprise devices

Customers can view the IPv4 address and Wi-Fi subnet ID reported for Android Enterprise corporate-owned fully managed, dedicated, and work profile devices.

Android (AOSP) users can view all devices in Intune app

AOSP device users can now view a list of their managed devices and device properties in the Microsoft Intune app. This feature is available on devices enrolled in Intune as user-associated (Android) AOSP devices.

Update eSim cellular data plan in bulk for iOS/iPadOS (public preview)

You can now perform a Bulk device action (Devices > Bulk device action > Update cellular data) to remotely activate or update the cellular data plan on iOS/iPadOS devices that support it. This feature is currently in public preview. For more information, see Use bulk device actions.

Preserve cellular data plan when bulk wiping iOS/iPadOS devices

When you perform a Bulk device action (Devices > Bulk device action > Wipe) to remotely wipe iOS/iPadOS devices from Intune, any cellular data plan on the device will be preserved. However, if you would like to have the devices' data plan removed, then you can select a checkbox and remove the cellular data plan when wiping the devices. For more information, see Use bulk device actions.

Freeze the install of system updates for Android Enterprise corporate-owned devices

For Android Enterprise corporate-owned devices that run version 9.0 and later, you can configure freeze periods during which no system or security updates can install.

To configure a freeze, use Intune device restriction profiles to set one or more blocks that can recur each year. Each block can be for up to 90 days, but you must have a minimum of 60 days between freeze periods, when system updates are allowed to install.

For information about configuring a freeze period, see Freeze periods for system updates in Android Enterprise device settings to allow or restrict features using Intune.

For information about Android requirements for implementing a freeze, see FreezePeriod in the Google developer documentation.
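The two limits above (each freeze period at most 90 days, at least 60 update-allowed days between periods, recurring every year) are easy to get wrong when a schedule wraps past 31 December. The following validator is an added example, not Intune or Google code: it checks a proposed schedule against those two rules before you configure it in a device restriction profile. Periods are pairs of (month, day) tuples, inclusive on both ends; the 365-day reference year that ignores 29 February, and the function names, are this example's own assumptions.

```python
"""Validate an Android Enterprise system-update freeze schedule.

Added example, not Intune or Google code. It encodes the two constraints
stated above: each freeze period is at most 90 days long, and consecutive
periods are separated by at least 60 days in which updates may install.
Because the schedule recurs every year, the gap between the last period and
the first period of the following year is checked too. A period is a pair of
(month, day) tuples, inclusive on both ends, and may wrap past 31 December
(for example 15 Dec to 15 Jan). Day arithmetic uses a fixed 365-day reference
year; ignoring 29 Feb is this example's own simplification.
"""
from datetime import date

MAX_FREEZE_DAYS = 90   # longest allowed freeze period
MIN_GAP_DAYS = 60      # shortest allowed gap between two freeze periods
_REF_YEAR = 2021       # any non-leap year; only used to map (month, day) to a day number


def _day_of_year(month, day):
    """1 for 1 January ... 365 for 31 December."""
    return date(_REF_YEAR, month, day).timetuple().tm_yday


def _normalize(period):
    """Return (start, end) day numbers with end >= start.

    A period that wraps past 31 December gets its end pushed into the next
    year (day numbers above 365) so that length and gap arithmetic stay linear.
    """
    (sm, sd), (em, ed) = period
    start, end = _day_of_year(sm, sd), _day_of_year(em, ed)
    if end < start:
        end += 365
    return start, end


def validate_freeze_periods(periods):
    """Return a list of human-readable problems; an empty list means valid."""
    problems = []
    spans = []
    for i, period in enumerate(periods):
        start, end = _normalize(period)
        length = end - start + 1
        if length > MAX_FREEZE_DAYS:
            problems.append(
                f"period {i} is {length} days long (maximum {MAX_FREEZE_DAYS})")
        spans.append((start, end, i))

    spans.sort()
    n = len(spans)
    for k in range(n):
        _, end, i = spans[k]
        next_start, _, j = spans[(k + 1) % n]
        if k + 1 == n:
            next_start += 365  # wrap around to next year's first period
        gap = next_start - end - 1  # days on which updates may install
        target = "its own next-year recurrence" if i == j else f"period {j}"
        if gap < 0:
            problems.append(f"period {i} overlaps {target}")
        elif gap < MIN_GAP_DAYS:
            problems.append(
                f"only {gap} days between period {i} and {target} "
                f"(minimum {MIN_GAP_DAYS})")
    return problems


if __name__ == "__main__":
    # Constructed schedule: a 60-day freeze from 1 Jan and a 45-day freeze from 1 Jun.
    schedule = [((1, 1), (3, 1)), ((6, 1), (7, 15))]
    print(validate_freeze_periods(schedule) or "schedule is valid")
    # Constructed schedule that violates the 60-day gap rule.
    print(validate_freeze_periods([((1, 1), (2, 28)), ((4, 1), (5, 1))]))
```

The wrap-around check matters in practice: a December-to-January freeze followed by one in early March passes both per-period checks but leaves fewer than 60 update-allowed days between them, which the device will reject.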

Device security

Tenant attach: Antivirus profile

The Endpoint Security Microsoft Defender Anti-virus profile is now generally available. For more information, see Tenant attach: Create and deploy Antivirus policies from the admin center.

Monitor and troubleshoot

AppxPackaging event viewer is part of collect diagnostics

Intune's remote action to Collect diagnostics will collect more details from Windows devices (Devices > Windows > select a Windows device > Collect diagnostics).

The new details include the Microsoft-Windows-AppxPackaging/Operational Event Viewer log and the following Office log files to help troubleshoot Office installation issues:

%windir%\temp\%computername%*.log
%windir%\temp\officeclicktorun*.log

Device configuration

New reporting experience for device configuration profiles

There's now a new reporting experience for device configuration profiles. This reporting experience excludes Windows administrative template (ADMX), Android Enterprise devices with OEMConfig, and Device Firmware Configuration Interface (DFCI) profile types.

We are continuing to update Intune's report experience to enhance consistency, accuracy, organization, and data representation, which gives an overall "facelift" of Intune's per policy reporting. The new experience updates the per policy overview page to shift away from donut charts to a sleeker overview chart that quickly updates as devices/users check-in.

There are three reports available from the per policy view:

  • Device and user check-in status - This report combines information that was previously split into separate device status and user status reports. This report shows the list of device and user check-ins for the device configuration profile, with the check-in status and last check-in time. When you open the report, the aggregate chart will remain at the top of the page, and the data will be consistent with the list data. Use the filter column to view assignment filter options.
  • Device assignment status - This report surfaces data on the latest status for assigned devices from the device configuration profile. Intune reporting will include pending state information.
  • Per setting status - This report surfaces the summary of device and user check-ins that are in Success, Conflict, Error states at the granular setting level within the device configuration profile. This report uses the same consistency and performance updates and navigation tools we've made available to other reports.

More drilldowns are available and more assignment filters are supported for each report. For more information about each of these reports, see Intune reports.

Google Chrome settings are in Settings Catalog and Administrative Templates

Google Chrome settings are included in the Settings Catalog and Administrative Templates (ADMX). Previously, to configure Google Chrome settings on Windows devices, you created a custom OMA-URI device configuration policy.

For more information on these policy types, see:

Applies to:

  • Windows 10/11

New macOS settings in the Settings Catalog

The Settings Catalog has new macOS settings you can configure (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type):

User Experience > Accessibility:

  • Close View Far Point
  • Close View Hotkeys Enabled
  • Close View Near Point
  • Close View Scroll Wheel Toggle
  • Close View Smooth Images
  • Contrast
  • Flash Screen
  • Mouse Driver
  • Mouse Driver Cursor Size
  • Mouse Driver Ignore Trackpad
  • Mouse Driver Initial Delay
  • Mouse Driver Max Speed
  • Slow Key
  • Slow Key Beep On
  • Slow Key Delay
  • Stereo as Mono
  • Sticky Key
  • Sticky Key Beep On Modifier
  • Sticky Key Show Window
  • Voice Over On Off Key
  • White On Black

Air Play:

  • Allow List
  • Password

User Experience > Desktop:

  • Override Picture Path

Preferences > Global Preferences:

  • Auto Log Out Delay
  • Multiple Session Enabled

Printing > Printing:

  • Require Admin To Print Locally

Security > Security Preferences:

  • Do Not Allow Firewall UI
  • Do Not Allow Lock Message UI
  • Do Not Allow Password Reset UI

Preferences > System Preferences:

  • Disabled Preference Panes
  • Enabled Preference Panes

Preferences > User Preferences:

  • Disable Using Cloud Password

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

Printing > Air Print:

  • IP Address
  • Resource Path

Networking > Firewall:

  • Allowed
  • Bundle ID
  • Block All Incoming
  • Enable Firewall
  • Enable Stealth Mode

Login > Login Items:

  • Hide

Login > Login Window Behavior:

  • Admin Host Info
  • Allow List
  • Deny List
  • Disable Console Access
  • Disable Screen Lock Immediate
  • Hide Admin Users
  • Hide Local Users
  • Include Network User
  • Log Out Disabled While Logged In
  • Login Window Text
  • Power Off Disabled While Logged In
  • Restart Disabled
  • Restart Disabled While Logged In
  • Show Full Name
  • Show Other Users Managed
  • Shut Down Disabled
  • Shut Down Disabled While Logged In
  • Sleep Disabled

System Policy > System Policy Control:

  • Allow Identified Developers
  • Enable Assessment

System Policy > System Policy Managed:

  • Disable Override

There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies.

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:

  • macOS

Device enrollment

Utilize bootstrap tokens on enrolled macOS devices (public preview)

Intune now supports the use of bootstrap tokens on enrolled devices running macOS, version 10.15 or later. Bootstrap tokens allow non-admin users to have increased MDM permissions, and to perform specific software functions on behalf of the IT admin. Tokens are supported on:

  • Supervised devices (in Intune, that's all user-approved enrollments)
  • Devices enrolled in Intune via Apple automated device enrollment

Bootstrap tokens will begin to function no sooner than March 26, 2022, and it could take longer before they begin to function in all tenants.

For more information about how bootstrap tokens work with Intune, see Set up enrollment for macOS devices.

Enroll macOS virtual machines running Apple silicon

Use the Company Portal app for macOS to enroll virtual machines running on Apple silicon. Intune supports using macOS virtual machines for testing purposes only. For more information about enrolling virtual machines in Intune, see Set up enrollment for macOS devices.

Role-based access control

Android (AOSP) will support scope tags and RBAC settings

When you create a policy for Android (AOSP), you can use role-based access control (RBAC) and scope tags.

For more information on these features, see:

Applies to:

  • Android Open Source Project (AOSP)

February 2022

App management

Advanced logging setting in Company Portal app

The Enable Advanced Logging setting is available in the Intune Company Portal app versions v5.2202 and higher for iOS/iPadOS and macOS. Device users can enable or disable advanced logging on a device. By turning on advanced logging, detailed log reports will be sent to Microsoft to troubleshoot issues. By default, the Enable Advanced Logging setting will be off. Device users should keep this setting off unless otherwise instructed by their organization's IT admin. For more information, see Share Company Portal usage data with Microsoft and Manage Company Portal preferences for macOS.

Device configuration

Cellular data plan for Apple's Automated Device Enrollment

As part of an iOS/iPadOS enrollment profile when configuring Automated Device Enrollment (ADE), you can now configure devices to activate cellular data. Configuring this option will send a command to activate cellular data plans for your organization's eSim-enabled cellular devices. Your carrier must provision activations for your devices before you can activate data plans using this command. This setting applies to devices running iOS/iPadOS 13.0 and later that are enrolling with ADE. For more information, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment.

Device management

Support for Audio Alert on Android Dedicated (COSU) devices

You can now use the Play lost device sound device action to trigger an alarm sound on the device to help locate the lost or stolen Android Enterprise dedicated device. For more information, see Locate lost or stolen devices.

UI updates when creating an on-demand VPN device configuration policy on iOS/iPadOS devices

You can create an on-demand VPN connection for your iOS/iPadOS devices (Devices > Configuration > Create > iOS/iPadOS for platform > VPN for profile type > Automatic VPN > On-demand VPN).

The UI is updated to closer match Apple's technical naming. To see the on-demand VPN settings you can configure, go to Automatic VPN settings on iOS and iPadOS devices.

Applies to:

  • iOS/iPadOS

On Android Enterprise, use the Connect Automatically setting on enterprise Wi-Fi profiles

On Android Enterprise devices, you can create Wi-Fi profiles that include common enterprise Wi-Fi settings (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned work profile > Wi-Fi for profile type > Enterprise for Wi-Fi type).

You can configure the Connect automatically setting that automatically connects to your Wi-Fi network when devices are in range.

To see the settings you can configure, go to Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices.

Applies to:

  • Android Enterprise corporate owned fully managed (COBO)
  • Android Enterprise corporate owned dedicated devices (COSU)

Deprecated status in Group Policy Analytics migration readiness report automatically reevaluates your GPOs

Using Group Policy Analytics, you can import your Group Policy Objects (GPOs) to see the settings that are supported in MDM providers, including Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers.

The Intune product team updates the mapping logic. When the updates happen, the deprecated settings are automatically reevaluated. Previously, you had to reimport your GPOs.

For more information on Group Policy Analytics and the reporting, see Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10

Create terms of use for Android (AOSP) user-associated devices

Require Android (AOSP) users to accept your terms and conditions in the Intune Company Portal app before they enroll their devices. This feature is available for corporate-owned, user-associated devices only. For more information about creating terms of use in Intune, see Terms and conditions for user access.

Enforce Microsoft Entra terms of use with Microsoft Intune or Microsoft Intune Enrollment cloud apps

Use the Microsoft Intune cloud app and/or the Microsoft Intune Enrollment cloud app to enforce a conditional access policy that requires acceptance of Microsoft Entra Terms of Use on iOS and iPadOS devices during automated device enrollment. This functionality is available when you select Setup Assistant with modern authentication as your authentication method. Both cloud apps now ensure that users accept the terms of use during enrollment and/or during Company Portal sign-in if required by your conditional access policy.

New macOS settings in the Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. When you create a Settings Catalog policy, there are new settings available for macOS devices (Devices > Configuration > Create > macOS for platform > Settings catalog for profile type).

New settings include:

  • Domains > Email Domains

  • Printing > Printing:

    • Allow Local Printers
    • Default Printer
      • Device URI
      • Display Name
    • Footer Font Name
    • Footer Font Size
    • Print Footer
    • Print MAC Address
    • Require Admin To Add Printers
    • Show Only Managed Printers
    • User Printer List
      • Device URI
      • Display Name
      • Location
      • Model
      • PPD URL
      • Printer Locked
  • Profile Removal Password > Removal Password

  • Global HTTP Proxy:

    • Proxy Captive Login Allowed
    • Proxy PAC Fallback Allowed
    • Proxy PAC URL
    • Proxy Password
    • Proxy Server
    • Proxy Server Port
    • Proxy Type
    • Proxy Username

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Device security

Microsoft Tunnel support for Red Hat Enterprise Linux 8.5

You can now use Red Hat Enterprise Linux (RHEL) 8.5 with Microsoft Tunnel.

To support RHEL 8.5, we've also updated the readiness tool (mst-readiness) with a new check for the presence of the ip_tables module in the Linux kernel. By default, RHEL 8.5 doesn't load the ip_tables module.

For Linux servers that don't load the module, we've provided instructions to load it immediately, and to configure the Linux server to automatically load it at boot.
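The readiness check described above comes down to three steps: confirm whether ip_tables is currently loaded, load it if not, and make the load persistent across reboots. The script below is an added example, not part of Microsoft Tunnel or its mst-readiness tool, showing one way to do that on a RHEL 8 host: it parses /proc/modules, calls modprobe when the module is missing, and writes a modules-load.d drop-in. /proc/modules and /etc/modules-load.d are standard on RHEL 8; the function names and the sample /proc/modules excerpt are this example's own.

```python
"""Check for the ip_tables kernel module and make it load at boot.

Added example, not part of Microsoft Tunnel or its mst-readiness tool. It
performs the same kind of check the text describes: read /proc/modules, load
ip_tables with modprobe if it is absent, and write a modules-load.d drop-in so
systemd loads it on every boot. /proc/modules and /etc/modules-load.d are
standard on RHEL 8; the function names and the sample text are this example's own.
"""
import os
import subprocess

MODULE = "ip_tables"
PROC_MODULES = "/proc/modules"
MODULES_LOAD_DIR = "/etc/modules-load.d"


def module_loaded(proc_modules_text, module=MODULE):
    """True if `module` is listed in text in /proc/modules format.

    Each line starts with the module name followed by its size and use count,
    so the first whitespace-separated field is compared exactly; a substring
    match would wrongly accept names such as ip_tables_extra.
    """
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == module:
            return True
    return False


def modules_load_conf(module=MODULE):
    """Content of the drop-in file that makes systemd load `module` at boot."""
    return f"# Load {module} for Microsoft Tunnel\n{module}\n"


def ensure_module(module=MODULE, proc_modules=PROC_MODULES,
                  conf_dir=MODULES_LOAD_DIR, run=subprocess.run):
    """Load `module` now if needed and persist it across reboots.

    Returns (was_already_loaded, conf_path). Needs root for the real paths;
    `run` is injectable so the logic can be exercised without calling modprobe.
    """
    with open(proc_modules) as f:
        already = module_loaded(f.read(), module)
    if not already:
        run(["modprobe", module], check=True)
    conf_path = os.path.join(conf_dir, f"{module}.conf")
    if not os.path.exists(conf_path):
        with open(conf_path, "w") as f:
            f.write(modules_load_conf(module))
    return already, conf_path


# Constructed /proc/modules excerpt for offline demonstration (not captured from a real host).
SAMPLE_PROC_MODULES = (
    "nf_tables 180224 0 - Live 0xffffffffc0a00000\n"
    "ip_tables 28672 0 - Live 0xffffffffc09f0000\n"
)

if __name__ == "__main__":
    print("sample lists ip_tables:", module_loaded(SAMPLE_PROC_MODULES))
    if os.geteuid() == 0:
        was_loaded, conf = ensure_module()
        print(f"ip_tables already loaded: {was_loaded}; persisted in {conf}")
    else:
        print("run as root to load ip_tables and write", MODULES_LOAD_DIR)
```

Run it as root on the Tunnel server to apply the change; run it unprivileged to see only the parse result. Checking the first field exactly, rather than grepping for the substring, avoids a false positive from similarly named modules.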

Mobile Threat Defense partner Zimperium is now available in GCC High tenants

Zimperium is now available as a Mobile Threat Defense (MTD) partner in US GCC High environments.

With this support, you'll find the Intune connector for Zimperium as available in the list of MTD connectors that you can enable in your GCC High tenant.

The GCC High environment is a more regulated environment, and only connectors for those MTD partners that are supported for the GCC High environment are available in it. For more information about support in GCC High tenants, see Microsoft Intune for US Government GCC High and DoD service description.

Manage the app inventory data for iOS/iPadOS devices that Intune sends to third-party MTD partners

You can now configure the type of application inventory data for personally owned iOS/iPadOS devices that Intune sends to your chosen third-party Mobile Threat Defense (MTD) partner.

To control the app inventory data, configure the following setting as part of the MDM Compliance Policy Settings on the Mobile Threat Defense connector for your partner:

  • Send full application inventory data on personally owned iOS/iPadOS Devices

    Options for this setting include:

    • On - If your MTD partner syncs app data and requests a list of the iOS/iPadOS applications from Intune, then that list includes unmanaged apps (apps not deployed through Intune) and apps deployed through Intune. This behavior is the current behavior.
    • Off - Data about unmanaged apps won't be provided, and the MTD partner only receives details about apps that were deployed through Intune.

For corporate devices, data about managed and unmanaged apps continues to be included with requests for app data by your MTD vendor.

Monitor and troubleshoot

Remote Help is moving in the Microsoft Intune admin center

The Remote Help page in the Microsoft Intune admin center has moved and it's now available directly under Tenant administration instead of Connectors and tokens. For more information about Remote Help, see Use Remote Help.

January 2022

App management

Deploy DMG-type applications to managed macOS devices

You can upload and deploy DMG-type applications to managed Macs from Microsoft Intune using the required assignment type. DMG is the file extension for Apple disk image files. DMG-type apps are deployed using the Microsoft Intune MDM agent for macOS. You can add a DMG app from Microsoft Intune admin center by selecting Apps > macOS > Add > macOS app (DMG). For more information, see Add a macOS DMG app to Microsoft Intune.

Device management

Choose either user or device scope when creating Windows VPN profiles

You can create a VPN profile for Windows devices that configures VPN settings (Devices > Configuration > Create > Windows 10 and later for platform > Templates > VPN for profile).

When you create a profile, use the Use this VPN profile with a user/device scope setting to apply the profile to the user scope or the device scope:

  • User scope: The VPN profile is installed within the user's account on the device.
  • Device scope: The VPN profile is installed in the device context and applies to all users on the device.

Existing VPN profiles will apply to their existing scope, and aren't affected by this change. All VPN profiles are installed in the user scope except for profiles with device tunnel enabled, which require device scope.

For more information on VPN settings you can currently configure, see Windows device settings to add VPN connections using Intune.

Applies to:

  • Windows 11
  • Windows 10

Filters are Generally Available (GA)

You can use filters to include or exclude devices in workload assignments (like policies and apps) based on different device properties. Filters are now generally available (GA).

For more information on filters, see Use filters when assigning your apps, policies, and profiles.

Automatic device clean-up rules support for Android Enterprise devices

Intune supports the creation of rules to automatically remove devices that appear to be inactive, stale, or unresponsive. You can now use these clean-up rules with Android Enterprise devices that previously didn't support them. These rules are now supported for:

  • Android Enterprise Fully Managed
  • Android Enterprise Dedicated
  • Android Enterprise Corporate-Owned with Work Profile

To learn more about clean-up rules, see Automatically delete devices with cleanup rules.

Use Collect diagnostics to collect more details from Windows 365 devices through Intune remote actions

Intune's remote action to Collect diagnostics now collects more details from Windows 365 (Cloud PC) devices. The new details for Windows 365 devices include the following registry data:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC Redirector
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams\

For information about remote actions supported for Windows 365 devices, see Remotely manage Windows 365 devices.

Tenant attach features are Generally Available (GA)

The following tenant attach features are now generally available:

  • Client details
  • Applications
  • Device timeline
  • Resource explorer
  • CMPivot
  • Scripts
  • BitLocker Recovery Keys
  • Collections

Preview filtered device list before deployment

Now as you create or edit a filter in Microsoft Intune, you can preview the list of filtered devices. The new view eliminates the need to apply test filters, because you can immediately preview the impact a filter has on devices and adjust filter rules to achieve your desired outcome. For more information about using filters in Microsoft Intune, see Create a filter.

Device security

Public preview of Tunnel client functionality in Microsoft Defender for Endpoint app for iOS/iPadOS

Microsoft Tunnel client functionality for iOS/iPadOS is migrating into the Microsoft Defender for Endpoint app. With this preview, you can start to use a preview version of Microsoft Defender for Endpoint as the Tunnel app for supported devices. The existing Tunnel client remains available, but will eventually be phased out in favor of the Defender for Endpoint app.

This public preview applies to:

  • iOS/iPadOS

For this preview, you download a preview version of Microsoft Defender for Endpoint from the Apple app store, and then migrate supported devices from the standalone Tunnel client app to the preview app. For details, see Migrate to the Microsoft Defender for Endpoint app.

New Account protection policy to configure users in local groups on devices in public preview

In public preview, you can use a new profile for Intune Account protection policies to manage the membership of the built-in local groups on Windows 10 and 11 devices.

Each Windows device comes with a set of built-in local groups. Each local group contains a set of users that have rights within that group. With the new Local user group membership (preview) profile for endpoint security Account protection policies, you can manage which users are members of those local groups.

To configure local group memberships, you select the built-in local group to modify and then choose the users to add, remove, or replace in the group with other users. Each device that receives the policy then updates the membership of those local groups. Modification of the group membership on each device is done by using the Policy CSP - LocalUsersAndGroups.

To learn more, see Manage local groups on Windows devices.
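The profile described above is delivered to the device through the LocalUsersAndGroups CSP, which takes an XML payload. As an added example (not Intune's own code or a documented script), the following PowerShell function builds that payload so you can see what the policy produces under the hood. The group name, the Contoso\HelpdeskTier1 principal and the SID-shaped values are placeholders chosen for this example.

```powershell
# Added example, not Intune's own code: builds the XML that the
# LocalUsersAndGroups CSP consumes, to show what the Account protection profile
# described above produces for a device. The group, the Contoso\HelpdeskTier1
# principal and the S-1-5-21-...-500 style SID are placeholders for this example.
function New-LocalGroupConfigurationXml {
    param(
        [Parameter(Mandatory)][string]$GroupName,      # local group name or its SID (e.g. Administrators)
        [ValidateSet('U', 'R')][string]$Action = 'U',  # U = update (apply add/remove), R = restrict to the add list
        [string[]]$Add = @(),                           # members as DOMAIN\name, AzureAD\upn or SID
        [string[]]$Remove = @()
    )
    if ($Action -eq 'R' -and $Remove.Count -gt 0) {
        Write-Warning "With action 'R' the group is replaced by the 'add' list; 'remove' entries are ignored here."
        $Remove = @()
    }
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('GroupConfiguration'))
    $grp  = $root.AppendChild($doc.CreateElement('accessgroup'))
    $grp.SetAttribute('desc', $GroupName)
    $grp.AppendChild($doc.CreateElement('group')).SetAttribute('action', $Action)
    foreach ($m in $Add)    { $grp.AppendChild($doc.CreateElement('add')).SetAttribute('member', $m) }
    foreach ($m in $Remove) { $grp.AppendChild($doc.CreateElement('remove')).SetAttribute('member', $m) }
    # XmlDocument escapes attribute values, so member names containing '&' or '<' stay well-formed.
    return $doc.OuterXml
}

# Example 1: add a helpdesk group to local Administrators without touching other members.
New-LocalGroupConfigurationXml -GroupName 'Administrators' -Action 'U' -Add @('Contoso\HelpdeskTier1')

# Example 2: restrict Administrators to exactly these principals. Keep a break-glass
# account (here a placeholder SID) in the list, because 'R' removes every member not named.
New-LocalGroupConfigurationXml -GroupName 'Administrators' -Action 'R' -Add @('S-1-5-21-PLACEHOLDER-500', 'Contoso\HelpdeskTier1')
```

The resulting XML is what a custom OMA-URI profile would carry at ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure. The practical caveat is the 'R' (restrict) action: it replaces the whole membership, so a typo in the list or a missing break-glass account locks administrators out of the device until a corrected policy arrives; prefer 'U' unless you need to purge unknown members, and test against a pilot group first.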

Scripts/Developer

Intune Data Warehouse updates

The applicationInventory entity has been removed from the Intune Data Warehouse. A new dataset is now available in the UI and via Intune's export API. For more information, see Export Intune reports using Graph APIs.

December 2021

App management

More Session PIN restrictions available for the Microsoft Managed Home Screen app

The Managed Home Screen app for Android Enterprise can now enforce more restrictions on users' Session PINs. Specifically, Managed Home Screen now offers:

  • The ability to define a minimum length for Session PIN.
  • The ability to define a maximum number of tries a user has to successfully enter their Session PIN before getting logged out from Managed Home Screen.
  • The ability to define complexity values that restrict users from creating PINs with repeating (444) or ordered (123, 321, 246) patterns.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings to allow or restrict features using Intune.
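To make the three restrictions concrete, here is an added example (not code from Managed Home Screen or the Intune documentation) that checks a candidate PIN against a minimum length and the two pattern classes. It generalizes the listed patterns: any PIN made of a single repeated digit counts as repeating, and any PIN whose digits form an arithmetic sequence with a non-zero step (123, 321, 246, 9753) counts as ordered. The minimum length used in the sample run is an assumption for this example, not a Managed Home Screen default.

```powershell
# Added example, not code from Managed Home Screen or the Intune documentation.
# Repeating = one digit repeated; ordered = constant non-zero step between digits.
function Test-SessionPinComplexity {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [int]$MinimumLength = 4   # assumed default for this example
    )
    $reasons = @()
    if ($Pin -notmatch '^\d+$') {
        $reasons += 'PIN must contain digits only'
    }
    elseif ($Pin.Length -lt $MinimumLength) {
        $reasons += "PIN is shorter than $MinimumLength digits"
    }
    else {
        $digits = [int[]]($Pin.ToCharArray() | ForEach-Object { [int]::Parse([string]$_) })
        if (@($digits | Select-Object -Unique).Count -eq 1) {
            # Repeating: every digit is the same (444, 0000)
            $reasons += 'repeating pattern'
        }
        else {
            # Ordered: the difference between neighbouring digits never changes (123, 321, 246)
            $step = $digits[1] - $digits[0]
            $ordered = $true
            for ($i = 2; $i -lt $digits.Count; $i++) {
                if (($digits[$i] - $digits[$i - 1]) -ne $step) { $ordered = $false; break }
            }
            if ($ordered) { $reasons += 'ordered pattern' }
        }
    }
    [pscustomobject]@{
        Pin        = $Pin
        Acceptable = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample PINs: 12 fails on length, 444 on repetition, 123/321/246 on
# ordering; 2580 and 7391 pass this rule.
'12', '444', '123', '321', '246', '2580', '7391' |
    ForEach-Object { Test-SessionPinComplexity -Pin $_ -MinimumLength 3 } |
    Format-Table -AutoSize
```

Note what the numeric rule does not catch: 2580 passes even though it is the middle column of a phone keypad. Complexity checks based on digit arithmetic alone leave keypad-geometry patterns to the minimum-length and retry-limit settings, which is why all three restrictions are worth enabling together.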

Device configuration

New option to see the number of profiles with an error or conflict in device configuration profiles

In the Intune admin center, there's a new "X policies with error or conflict" option. When you select this option, you automatically go to the Devices > Monitor > Assignment Failures report. This report helps you troubleshoot errors and conflicts.

This new option is available in the following locations in the Intune admin center:

  • Home page
  • Dashboard

For more information, see Monitor device profiles in Microsoft Intune and Assignment failures report.

Applies to:

  • Windows 11
  • Windows 10

New Timeout and Block iCloud Private Relay settings for iOS/iPadOS and macOS devices

On iOS/iPadOS and macOS devices, you can create a device restrictions policy that manages features on the device (Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Device restrictions).

There are new settings:

  • iOS/iPadOS:
    • Block iCloud Private Relay: On supervised devices, this setting prevents users from using the iCloud Private Relay (opens Apple's web site).
  • macOS
    • Block iCloud Private Relay: On supervised devices, this setting prevents users from using the iCloud Private Relay (opens Apple's web site).
    • Timeout: Users can unlock their devices using a Touch ID, such as a fingerprint. Use this setting to require users to enter their password after a period of inactivity. The default inactivity period is 48 hours. After 48 hours of inactivity, the device prompts for the password, instead of Touch ID.

Applies to:

  • iOS/iPadOS 15 and newer
  • macOS 12 and newer

New device restrictions settings for Android Enterprise corporate-owned devices with a work profile

On Android Enterprise devices, you can configure settings that control features on devices (Devices > Configuration > Create > Android Enterprise for platform > Device restrictions for profile type > General).

For Android Enterprise corporate-owned devices with a work profile, there are new settings:

  • Search work contacts and display work contact caller-id in personal profile
  • Copy and paste between work and personal profiles
  • Data sharing between work and personal profiles

For more information on the settings you can currently configure, see Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise corporate-owned work profile (COPE)

Settings Catalog is supported on U.S. Government GCC High and DoD

Settings Catalog is available and supported on U.S. Government GCC High and DoD.

For more information on Settings Catalog, and what it is, see Use the settings catalog to configure settings on Windows and macOS devices.

Applies to:

  • macOS
  • Windows 11
  • Windows 10

Enter the certificate common name in Wi-Fi profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile devices

On Android Enterprise devices, you can create a Wi-Fi profile that configures enterprise Wi-Fi settings (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Wi-Fi for profile type).

When you select Enterprise, there's a new Radius server name setting. This setting is the DNS name used in the certificate presented by the Radius Server during client authentication to the Wi-Fi access point. For example, enter Contoso.com, uk.contoso.com, or jp.contoso.com.

If you have multiple Radius servers with the same DNS suffix in their fully qualified domain name, then you can enter only the suffix. For example, you can enter contoso.com.

When you enter this value, user devices can bypass the dynamic trust dialog that's sometimes shown when connecting to the Wi-Fi network.

What you need to know:

  • New Wi-Fi profiles targeting Android 11 or later might require this setting to be configured. Otherwise, the devices might not connect to your Wi-Fi network.

For more information on the settings you can currently configure, see Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile Wi-Fi settings.
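To see what entering a full name versus only the shared suffix accepts, here is an added example (not from the Intune documentation) that compares a configured Radius server name value against the DNS names in a server certificate. The matching rule it implements (exact name, or a parent domain matched on a label boundary) and the host names are assumptions made for this example.

```powershell
# Added example, not from the Intune documentation. Shows which certificate DNS
# names a Radius server name value accepts; the rule and host names are assumed.
function Test-RadiusServerNameMatch {
    param(
        [Parameter(Mandatory)][string]$ConfiguredName,        # value entered in the Wi-Fi profile
        [Parameter(Mandatory)][string[]]$CertificateDnsNames  # DNS names from the server certificate
    )
    $cfg = $ConfiguredName.Trim().TrimStart('.').ToLowerInvariant()
    foreach ($name in $CertificateDnsNames) {
        $n = $name.Trim().ToLowerInvariant()
        # 'contoso.com' accepts 'contoso.com' and 'uk.contoso.com', but not
        # 'notcontoso.com' or 'contoso.com.example', because the boundary is a dot.
        if ($n -eq $cfg -or $n.EndsWith('.' + $cfg)) {
            return [pscustomobject]@{ Configured = $ConfiguredName; Matched = $true; MatchedName = $name }
        }
    }
    [pscustomobject]@{ Configured = $ConfiguredName; Matched = $false; MatchedName = $null }
}

# Constructed certificate names for two regional RADIUS servers:
$certNames = @('radius1.uk.contoso.com', 'radius1.jp.contoso.com')
'contoso.com', 'uk.contoso.com', 'radius1.uk.contoso.com', 'notcontoso.com' |
    ForEach-Object { Test-RadiusServerNameMatch -ConfiguredName $_ -CertificateDnsNames $certNames } |
    Format-Table -AutoSize
```

A value that matches none of the certificate's names is the case the "What you need to know" note warns about: the device has no basis to trust the server and the connection can fail. Keep the profile value aligned with the DNS names actually present in the RADIUS certificate, and use the shortest common suffix only when every server shares it.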

Applies to:

  • Android Enterprise corporate-owned work profile (COPE)
  • Android Enterprise corporate owned fully managed (COBO)
  • Android Enterprise dedicated devices (COSU)

New Administrative Templates settings for Microsoft Edge 96, 97, and Microsoft Edge updater on Windows devices

In Intune, you can use Administrative Templates to configure Microsoft Edge settings (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Administrative Templates for profile type).

There are new Administrative Templates settings for Microsoft Edge 96, 97, and the Microsoft Edge updater, including Target Channel override support. Use Target Channel override so users get the Extended Stable release cycle option, which can be set using Group Policy or through Intune.

For more information, see:

Applies to:

  • Windows 11
  • Windows 10
  • Microsoft Edge

Device enrollment

Apply device type filters to Windows and Apple enrollment restriction policies (preview)

Use the new assignment filters in Enrollment Restrictions to include or exclude devices based on device type. For example, you can allow personal devices, while also blocking devices running Windows 10 Home, by applying the operatingsystemSKU assignment filter. Filters can be applied to Windows, macOS, and iOS enrollment policies, with Android support coming at a later date. Filters also enable a new setup experience for enrollment restrictions. For more information about how to create filters, see Create a filter. For more information about using filters with enrollment restrictions, see Set enrollment restrictions.

Use filters on Windows Enrollment Status Page profile assignments

Filters allow you to include or exclude devices in policy or app assignments based on different device properties. When you create an Enrollment Status Page (ESP) profile, you can use filters when assigning the profile. The All users and All devices assignment options will also be available. In Microsoft Intune admin center, select Devices > Enroll devices > Enrollment Status Page > Create. For more information about filters, see Use filters when assigning your apps, policies, and profiles. For more information about ESP profiles, see Set up the Enrollment Status Page.

Device management

Launch Remote Help from within the admin center

You can now launch Remote Help from within the Microsoft Intune admin center. To do so, in the admin center go to All devices and select the device on which assistance is needed. Then select New Remote Help session, which is available from the remote actions bar across the top of the devices view.

Endpoint analytics filtering

You can now add filters to the tables in Endpoint analytics reports. Using filters enables you to discover trends in your environment or spot potential issues.

Use filters to assign Endpoint analytics proactive remediations scripts in admin center - public preview

In the Intune admin center, you can create filters, and then use these filters when assigning apps and policies. You can use filters to assign the following policy:

For more information on filters, see Use filters when assigning your apps, policies, and profiles.

Applies to:

  • Windows 11
  • Windows 10

Intune apps

Newly available protected apps for Intune

The following protected app is now available for Microsoft Intune:

  • Groupdolists by Centrallo LLC

For more information about protected apps, see Microsoft Intune protected apps.

BlackBerry – New mobile threat defense partner

You can now use BlackBerry Protect Mobile (powered by Cylance AI) as an integrated mobile threat defense (MTD) partner with Intune. By connecting the BlackBerry Protect Mobile MTD connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment.

For more information, see:

Monitor and troubleshoot

New event viewer for Windows 10 diagnostics

We've added a new event viewer to Windows device diagnostics called Microsoft-Windows-Windows Firewall with Advanced Security/Firewall. The event viewer can assist you in troubleshooting issues with the firewall. For more information about Windows device diagnostics, see Collect diagnostics from a Windows device.

Device compliance status in Company Portal website

End users can more easily see the compliance status of their devices from the Company Portal website. End users can navigate to the Company Portal website and select the Devices page to see device status. Devices will be listed with a status of Can access company resources, Checking access, or Can't access company resources. For more information, see Manage apps from the Company Portal website and How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

November 2021

App management

Enable app update priority for Managed Google Play apps

You can set the update priority of Managed Google Play apps on dedicated, fully managed, and corporate-owned with a work profile Android Enterprise devices. Select High Priority to update an app as soon as the developer has published the update, regardless of charge status, Wi-Fi capability, or end user activity on the device. For more information, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Clear app data between sessions for Android Enterprise dedicated devices enrolled with shared device mode (public preview)

Using Intune, you can choose to clear app data for applications that have not integrated with Shared device mode to ensure user privacy between sign-in sessions. Users will be required to initiate a sign out from an application that has integrated with Microsoft Entra shared device mode in order for IT-specified apps to have their data cleared. This functionality will be available for Android Enterprise dedicated devices enrolled with shared device mode on Android 9 or later.

Export underlying discovered apps list data

In addition to exporting the summarized discovered apps list data, you can export the more extensive underlying data. The current summarized export experience provides summarized aggregate data, however the new experience also provides the raw data. The raw data export will give you the entire dataset, which is used to create the summarized aggregate report. The raw data is a list of every device and each app discovered for that device. This functionality has been added to the Intune console to replace the Intune Data Warehouse Application Inventories dataset. In the Microsoft Intune admin center, select Apps > Monitor > Discovered apps > Export to display the export options. For more information, see Intune discovered apps and Export Intune reports using Graph APIs.

Filter improvements when displaying platform-specific app lists

Filters have been improved when displaying platform-specific app lists in the Microsoft Intune admin center. Previously, when navigating to a platform-specific app list, you could not use the App type filter on the list. With this change, you can apply filters (including the App Type and Assignment status filters) on the platform-specific list of apps. For more information, see Intune reports.

Newly available protected apps for Intune

The following protected app is now available for Microsoft Intune:

  • PenPoint by Pen-Link, Ltd.

For more information about protected apps, see Microsoft Intune protected apps.

New RBAC permission for Win32 app supersedence and dependency relationships

A new Microsoft Intune permission has been added to create and edit Win32 app supersedence and dependency relationships with other apps. The permission is available under the Mobile apps category by selecting Relate. Starting in the 2202 service release, Intune admins will need this permission to add supersedence and dependency apps when creating or editing a Win32 app in Microsoft Intune admin center. To find this permission in Microsoft Intune admin center, choose Tenant administration > Roles > All roles > Create. This permission has been added to the following built-in roles:

  • Application Manager
  • School administrator

For more information, see Create a custom role in Intune.

Non-applicable status entries are no longer shown in the Device Install Status report

Based on a selected app, the Device Install Status report provides a list of devices and status information for the selected app. App installation details related to the device include UPN, Platform, Version, Status, Status details, and Last check-in. If the device's platform differs from the application's platform, rather than showing Not Applicable for the Status details of the entry, the entry will no longer be provided. For example, if an Android app has been selected and the app is targeted to an iOS device, rather than providing a Not Applicable device status value, the device status for that entry will not be shown in the Device Install Status report. To find this report, in Microsoft Intune admin center, select Apps > All Apps > Select an app > Device Install status. For more information, see Device Install Status report for apps (Operational).

New ADMX settings for Edge 95 and Edge updater

New ADMX settings for Edge 95 and Edge updater have been added to Administrative Templates. These settings include support for "Target Channel override", which allows customers to opt into the Extended Stable release cycle option at any point using Group Policy or through Intune. In Microsoft Intune admin center, select Devices > Configuration > Create. Then, select Platform > Windows 10 and later and Profile > Templates > Administrative Templates. For more information, see Overview of the Microsoft Edge channels, Microsoft Edge Browser Policy Documentation, and Configure Microsoft Edge policy settings in Microsoft Intune.

We've added a new privacy consent screen to Company Portal for Android to meet privacy requirements for certain app stores, such as those in China. People installing Company Portal for the first time from those stores see the new screen during installation. The screen explains what information Microsoft collects and how it's used. A person must agree to the terms before they can use the app. Users who installed Company Portal prior to this release will not see the new screen.

Update Android Company Portal and Intune apps for custom notifications

We have made service side updates to custom notifications for Intune's November (2111) service release. For the best user experience, custom notifications require users to update to recent versions of the Android Company Portal (version 5.0.5291.0, released in October 2021) or Android Intune app (version 2021.09.04, released in September 2021). If users don't update prior to Intune's November (2111) service release and they are sent a custom notification, they will receive a notification to update their app to view the notification. Once they update their app, they see the message sent by your organization in the Notifications section in the app. For more information, see Send custom notifications in Intune.

Device management

Endpoint analytics per device scoring

Per device scores in Endpoint analytics are now out of preview and generally available. Per device scores help you identify devices that could be affecting user experience. Reviewing scores per device might help you find and resolve end-user issues before a call is made to the help desk.

Safeguard holds are now visible in the Feature update failures report

When a device is blocked from installing a Windows update due to a safeguard hold, you can view details about that hold in the Microsoft Intune admin center > Feature update failures report.

A device with a safeguard hold appears as a device with an error in the report. When you view details for such a device, the Alert Message column displays Safeguard Hold, and the Deployment Error Code column displays the ID of the safeguard hold.

Microsoft occasionally places safeguard holds to block installation of an update on a device when something detected on that device is known to result in a poor post-update experience. For example, software or drivers are common reasons to place a safeguard hold. The hold remains in place until the underlying issue is resolved, and the update is safe to install.

To learn more about active safeguard holds and expectations for their resolution, go to the Windows release health dashboard at https://aka.ms/WindowsReleaseHealth.

Improvements for managing Windows Updates for pre-release builds

We've improved the experience of using Update rings for Windows 10 and later to manage Windows updates for pre-release builds. The improvements include:

  • Enable pre-release builds is a new control on the Update ring settings page for update rings. Use this setting to configure assigned devices to update to a pre-release build. You can select from the following list of pre-release builds:

    • Beta Channel
    • Dev Channel
    • Windows Insider - Release Preview

    For more information about pre-release builds, see the Windows Insider website.

  • Devices assigned Update rings for Windows 10 and later policies will no longer have the ManagePreviewBuilds setting changed during Autopilot. When this setting changed during Autopilot, it forced another device reboot.

Use Update Rings for Windows 10 and later to upgrade to Windows 11

There's a new setting in Update Rings for Windows 10 and later. This setting can upgrade eligible devices from Windows 10 to Windows 11:

  • Upgrade Windows 10 devices to Latest Windows 11 release: By default, this setting is set to No. When set to Yes, eligible Windows 10 devices that receive this policy update to the latest build of Windows 11.

    When set to Yes, Intune displays an information box that confirms that by deploying this setting, you're accepting the Microsoft License Terms for devices that upgrade. The information box also contains a link to the Microsoft License Terms.

For more information about update rings, see Update Rings for Windows 10 and later.

Disable Activation Lock remote device action for iOS/iPadOS has been removed from UI

The remote device action to Disable Activation Lock is no longer available in Intune. You can bypass Activation Lock as detailed at Disable Activation Lock on Supervised iOS/iPadOS devices with Intune.

This remote action is removed because the action to disable the iOS/iPadOS Activation Lock feature did not function as intended.

Updates for security baselines

We have a pair of updates for security baselines, which add the following settings:

  • Security baseline for Windows 10 and later (applies to Windows 10 and Windows 11): The new baseline version is November 2021 and adds Scan scripts that are used in Microsoft browsers to the Microsoft Defender category. This baseline has no other changes.

  • Windows 365 Security Baseline (Preview): The new baseline version is Version 2110 and adds the following two settings, with no other changes:

    • Scan scripts that are used in Microsoft browsers is added to the Microsoft Defender category.
    • Enable tamper protection to prevent Microsoft Defender being disabled is added to Windows Security, which is a new category added with this baseline version.

Plan to update your baselines to the latest version. To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.

Use custom settings for Device Compliance for Windows 10/11 devices (public preview)

As a public preview, device compliance policy for Windows 10 and Windows 11 devices supports the addition of custom settings to a device compliance policy. Results from custom settings appear in the Microsoft Intune admin center along with other compliance policy details.

To use custom settings, you create the following two items and add them to the admin center; together they power custom compliance settings:

  • JSON file – The JSON file details the custom settings and their compliance values. The JSON also includes information you provide to your users on how to remediate the settings when noncompliant.
  • PowerShell script – The PowerShell script will deploy to devices where it runs to determine the state of the settings defined in your JSON file, and reports them back to Intune.

With the JSON and script ready, you can then create a standard compliance policy that includes your custom settings. The option to include custom settings is found in a new compliance settings category named Custom Compliance.

To learn more, including examples for the .JSON and PowerShell script, see Custom compliance settings.
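The following is an added example, not the sample files from the Intune documentation or any Microsoft script. Part 1 is a discovery script of the kind you upload; part 2 is a rules JSON in the documented shape (Rules array with SettingName, Operator, DataType, Operand, MoreInfoUrl and RemediationStrings); part 3 is a local dry-run that evaluates those rules against the script's output so you can catch mismatched setting names or data types before anything reaches a device. The setting names, the HKLM:\SOFTWARE\Contoso\Agent registry path and the MoreInfoUrl values are placeholders invented for this example.

```powershell
# Added example (not from the Intune documentation or Microsoft's sample files).
# Assumptions: the setting names, the HKLM:\SOFTWARE\Contoso\Agent registry
# path and the MoreInfoUrl values are placeholders invented for this example.

# ---- Part 1: discovery script (returns one compressed JSON object) ----------
# Keys must match the SettingName values in the rules JSON.
function Get-CustomComplianceState {
    # Check 1: is the Windows Defender Firewall service (MpsSvc) running?
    $fw = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
    $fwRunning = [bool]($fw -and $fw.Status -eq 'Running')
    # Check 2: version string written by a hypothetical line-of-business agent
    $agent = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Contoso\Agent' -Name 'Version' -ErrorAction SilentlyContinue
    $agentVersion = if ($agent) { [string]$agent.Version } else { '0.0' }
    $state = @{ FirewallServiceRunning = $fwRunning; AgentVersion = $agentVersion }
    return ($state | ConvertTo-Json -Compress)
}

# ---- Part 2: rules JSON, the same shape as the file you upload --------------
$RulesJson = @'
{ "Rules": [
  { "SettingName": "FirewallServiceRunning", "Operator": "IsEquals", "DataType": "Boolean", "Operand": "true",
    "MoreInfoUrl": "https://example.invalid/firewall",
    "RemediationStrings": [ { "Language": "en_US",
        "Title": "The Windows Defender Firewall service must be running.",
        "Description": "Start the MpsSvc service, then re-check compliance." } ] },
  { "SettingName": "AgentVersion", "Operator": "GreaterEquals", "DataType": "Version", "Operand": "2.3",
    "MoreInfoUrl": "https://example.invalid/agent",
    "RemediationStrings": [ { "Language": "en_US",
        "Title": "Agent version {ActualValue} is below the required 2.3.",
        "Description": "Install agent 2.3 or later from the company portal." } ] }
] }
'@

# ---- Part 3: local dry-run of the rules against discovered values ----------
function Test-CustomComplianceRules {
    param(
        [Parameter(Mandatory)][string]$RulesJson,
        [Parameter(Mandatory)][string]$DiscoveredJson
    )
    $rules  = (ConvertFrom-Json -InputObject $RulesJson).Rules
    $actual = ConvertFrom-Json -InputObject $DiscoveredJson
    foreach ($r in $rules) {
        $value = $actual.($r.SettingName)
        if ($null -eq $value) {
            # A setting the script did not report can never be compliant.
            [pscustomobject]@{ Setting = $r.SettingName; Compliant = $false; Actual = $null; Reason = 'not reported by the script' }
            continue
        }
        # Cast both sides to the declared DataType before comparing.
        switch ($r.DataType) {
            'Version' { $a = [version]$value; $o = [version]$r.Operand }
            'Int64'   { $a = [int64]$value;   $o = [int64]$r.Operand }
            'Double'  { $a = [double]$value;  $o = [double]$r.Operand }
            'Boolean' { $a = [bool]::Parse([string]$value); $o = [bool]::Parse([string]$r.Operand) }
            default   { $a = [string]$value;  $o = [string]$r.Operand }
        }
        $ok = switch ($r.Operator) {
            'IsEquals'      { $a -eq $o }
            'NotEquals'     { $a -ne $o }
            'GreaterThan'   { $a -gt $o }
            'GreaterEquals' { $a -ge $o }
            'LessThan'      { $a -lt $o }
            'LessEquals'    { $a -le $o }
            default         { $false }
        }
        $reason = if ($ok) { '' } else { $r.RemediationStrings[0].Title -replace '\{ActualValue\}', "$value" }
        [pscustomobject]@{ Setting = $r.SettingName; Compliant = [bool]$ok; Actual = $value; Reason = $reason }
    }
}

# Dry-run with constructed output representing a device whose agent is too old:
$sample = '{"FirewallServiceRunning":true,"AgentVersion":"2.1"}'
Test-CustomComplianceRules -RulesJson $RulesJson -DiscoveredJson $sample | Format-Table -AutoSize
# On a real device, evaluate the live script output instead:
# Test-CustomComplianceRules -RulesJson $RulesJson -DiscoveredJson (Get-CustomComplianceState)
```

Two details matter in practice. The script must emit exactly one JSON object and nothing else (stray Write-Output lines corrupt the result), and every SettingName in the rules must be present in that object with a value that parses as the declared DataType; the dry-run above reports a missing key as non-compliant for the same reason the service would.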

New scheduling options for Feature updates for Windows 10 and later

We've added a trio of Rollout options to support improved scheduling of when the updates from a policy for Feature updates for Windows 10 and later are made available for your devices to install. These new options include:

  • Make update available as soon as possible - There is no delay in making the update available, which has been the previous behavior.
  • Make update available on a specific date - With this option you then select the first day that this update will be offered by Windows Update to the devices that receive this policy.
  • Make update available gradually - With this option, Windows Update divides the devices that receive this policy into different groups that are calculated based on a start group time, end group time, and days to wait between groups. Windows update then offers the update to those groups one at a time, until the last group is offered the update. This process helps distribute the availability of the update across the time you've configured. It can reduce the impact to your network when compared to offering the update to all devices at the same time.

For more information including details for gradual availability, see Rollout options for Windows Updates.

New details for Windows devices available in the Microsoft Intune admin center

The following details for Windows 10 and Windows 11 devices are now collected and can be viewed on a device's details pane of the Microsoft Intune admin center:

  • System Management BIOS version
  • TPM Manufacturer version
  • TPM Manufacturer ID

These details are also included when you export the details from the All devices pane.

Settings for Shared iPad now generally available

Four Shared iPad settings are now out of preview and generally available to use when creating an Apple enrollment profile. These settings are applied during automated device enrollment (ADE).

For iPadOS 14.5 and later in Shared iPad mode:

  • Require Shared iPad temporary setting only: Configures the device so that users only see the guest version of the sign-in experience, and must sign in as guest users. They can't sign in with a Managed Apple ID.
  • Maximum seconds of inactivity until temporary session logs out: If there isn't any activity after the specified time, the temporary session automatically signs out.
  • Maximum seconds of inactivity until user session logs out: If there isn't any activity after the specified time, the user session automatically signs out.

For iPadOS 13.0 and later in Shared iPad mode:

  • Maximum seconds after screen lock before password is required for Shared iPad: If the screen lock exceeds this amount of time, a device password will be required to unlock the device.

For more information about setting up devices in Shared iPad mode, see Create an Apple enrollment profile.

Duplicate a settings catalog profile

Settings catalog profiles now support duplication. To create a copy of an existing profile, select Duplicate. The copy contains the same setting configurations and scope tags as the original profile, but doesn't have any assignments attached to it. For more information about the settings catalog, see Use the settings catalog to configure settings on Windows and macOS devices.

Work from anywhere report

The Work from anywhere report has replaced the Recommended software report in Endpoint analytics. The Work from anywhere report contains metrics for Windows, cloud management, cloud identity, and cloud provisioning. For more information, see the Work from anywhere report article.

Locations deprecated for Android device administrator

In October 2021, support for using locations in device compliance policy for devices enrolled as Android device administrator was deprecated. Use of locations is often referred to as network fencing.

For Android device administrator, the policies and dependencies that relied on network fence capabilities no longer function. As previously announced, we are re-envisioning support for network fencing. More information will be shared when it's available.

Device security

View BitLocker recovery keys for tenant attached devices

You can now view the BitLocker recovery key for tenant-attached devices in the Microsoft Intune admin center. The recovery keys continue to be stored on-premises for tenant-attached devices, but the visibility in the admin center is intended to assist your Helpdesk scenarios from within the admin center.

To view the keys, your Intune account must have the Intune RBAC permissions to view BitLocker keys, and must be associated with an on-premises user that has the related on-premises permissions in Configuration Manager: the Collection role with the Read BitLocker Recovery Key permission.

Users with the correct permissions can view keys by going to Devices > Windows devices > select a device > Recovery keys.

Configuration Manager sites that run version 2107 or later support this feature. For sites that run version 2107, you need to install an update rollup to support Microsoft Entra joined devices. For more information, see KB11121541.

BitLocker settings added to settings catalog

We have added 9 BitLocker settings that were previously only available in Group Policy (GP) to the Microsoft Intune settings catalog. To access the settings, go to Devices > Configuration and create a settings catalog profile for devices running Windows 10 and later. Then search BitLocker in the settings catalog to view all settings related to BitLocker. For more information about the settings catalog, see Create a policy using settings catalog. The added settings include:

  • Provide the unique identifiers for your organization
  • Enforce drive encryption type on fixed data drives
  • Allow devices compliant with InstantGo or HSTI to opt out of preboot PIN
  • Allow enhanced PINs for startup
  • Disallow standard users from changing the PIN or password
  • Enable use of BitLocker authentication requiring preboot keyboard input on slates
  • Enforce drive encryption type on operating system drives
  • Control use of BitLocker on removable drives
  • Enforce drive encryption type on removable data drives

Security Management with Defender for Endpoint (public preview)

This feature is in public preview and will roll out to tenants gradually over the next few weeks. You can confirm your tenant has received this capability when the relevant toggles show in both the Microsoft Intune admin center and Microsoft Defender for Endpoint.

Security Management with Microsoft Defender for Endpoint is a new configuration channel. Use this channel to manage the security configuration for Microsoft Defender for Endpoint (MDE) on devices that don't enroll into Microsoft Intune. With this scenario, it's Defender for Endpoint on a device that retrieves, enforces, and reports on the policies for Defender for Endpoint that you deploy from Microsoft Intune. The devices are joined to your Microsoft Entra ID and are also visible in the Microsoft Intune admin center alongside other devices you manage with Intune and Configuration Manager.

For more information, see Manage Microsoft Defender for Endpoint on devices with Microsoft Intune.

Monitor and troubleshoot

Remote Help app is available as a public preview

As a public preview, you can use the Remote Help app with your Intune tenant. With Remote Help, users who authenticate to your Azure Active Directory can remotely assist others by connecting a Remote Help session between devices.

With permissions in Remote Help managed by Intune role-based access controls, you control:

  • Who has permissions to help others
  • The actions they can take while helping others

The capabilities of Remote Help include:

  • Enable Remote Help for your tenant - If you choose to turn on Remote Help, its use is enabled tenant-wide.
  • Requires organization login - To use Remote Help, both the helper and the sharer must sign in with a Microsoft Entra account from your organization.
  • Use Remote Help with unenrolled devices - You can choose to allow help to devices that aren't enrolled with Intune.
  • Compliance warnings - Before connecting to a device, a helper sees a non-compliance warning about that device if it's not compliant with its assigned policies. This warning doesn't block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
  • Role-based access control - Admins can set RBAC rules that determine the scope of a helper's access and what actions they can take while providing assistance.
  • Elevation of privilege - When needed, a helper with the correct RBAC permissions can interact with the UAC prompt on the sharer's machine to enter credentials.
  • Monitor active Remote Help sessions, and view details about past sessions - In the Microsoft Intune admin center you can view reports that include details about who helped whom, on what device, and for how long. You'll also find details about active sessions.

This feature is rolling out over the next week and should soon be available for your tenant. For more information, see Use Remote Help.

MDM support data to refresh automatically in Group Policy analytics tool

Now whenever Microsoft makes changes to the mappings in Intune, the MDM Support column in the GP analytics tool automatically updates to reflect the changes. The automation is an improvement over the previous behavior, which required you to reimport your Group Policy object (GPO) to refresh the data. For more information about Group Policy analytics, see Use Group Policy analytics.

October 2021

App management

You can configure both Managed Universal Links and Universal Link Exemptions for iOS/iPadOS apps via Application Protection Policy (APP) settings. Managed Universal Links allows http/s links to open in the registered APP-protected application instead of the protected browser. Universal Link Exemptions allows http/s links to open in the registered unprotected application instead of the protected browser. For more information, see Data Transfer and Universal Links.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Appian for Intune by Appian Corporation
  • Space Connect by SpaceConnect Pty Ltd
  • AssetScan For Intune by Align

For more information about protected apps, see Microsoft Intune protected apps.

Connected app support for Android personally owned and corporate-owned work profiles

You can now allow users to turn on Connected apps experiences for supported apps. This app configuration setting enables users to connect the app information across the work and personal app instances. In Microsoft Intune admin center, choose Apps > App configuration policies > Add > Managed devices. For more information, see Add app configuration policies for managed Android Enterprise devices.

Improved flow when saving logs in Android Company Portal app

In the Android Company Portal app, when users download a copy of the Android Company Portal logs, they can now choose the folder the logs are saved in. To save Android Company Portal logs, users can select Settings > Diagnostic logs > SAVE LOGS.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • iAnnotate for Intune/O365 by Branchfire, Inc.
  • Dashflow for Intune by Intellect Automation International Pty Limited
  • HowNow by Wonderush Limited

For more information about protected apps, see Microsoft Intune protected apps.

Device enrollment

User Assignment

Last week we made a change to the authentication experience during user enrollment for Autopilot. This change affects all Autopilot deployments where a user is assigned to a specific device prior to going through enrollment.

One-time self-deployment and pre-provisioning

We made a change to the Windows Autopilot self-deployment mode and pre-provisioning mode experience, adding in a step to delete the device record as part of the device re-use process. This change affects all Windows Autopilot deployments where the Autopilot profile is set to self-deployment or pre-provisioning mode. This change will only affect a device when it's re-used or when it's reset and attempts to redeploy. For more information, see Updates to the Windows Autopilot sign-in and deployment experience.

Device management

Removal of Wi-Fi MAC address on specific Android Enterprise devices

Intune will no longer display a Wi-Fi MAC address for newly enrolled personally owned work profile devices and devices managed with device administrator running Android 9 and later. Google is requiring all app updates to target API 30 by November 2021. With this change, Android prevents apps from collecting the MAC address used by the device. For more information, see Hardware device details.

Use Feature Updates to upgrade devices to Windows 11

You can use Feature updates for Windows 10 and later policy to upgrade devices that meet the Windows 11 minimum requirements to Windows 11. It's as easy as configuring a new feature updates policy that specifies the available Windows 11 version as the feature update you want to deploy.

For more information, see Upgrade devices to Windows 11.

Windows 11 hardware readiness insights

The Work from anywhere report in Endpoint analytics now provides Windows 11 hardware readiness insights. You can quickly determine how many of your enrolled devices meet the minimum system requirements for Windows 11 and which requirements are the top blockers within your organization. Drill in for a device-level view for Windows 11 hardware readiness status. For more information, see Windows 11 hardware readiness.

Introducing Microsoft Surface Management Portal in Microsoft Intune

In light of our continued commitment to bring commercial customers the best possible experience, we partnered with teams across Microsoft to streamline Surface management into a single view within Microsoft Intune.

If you lead a large organization with thousands of devices or manage IT for a small-medium business, you can gain insights into the health of all your Surface devices. In this portal, you can also monitor device warranty and support requests. Microsoft Surface management portal is available to U.S. customers now and will be rolling out globally later. For the latest information about Microsoft Surface and the new management portal, follow the Surface IT Pro Blog.

Block or allow personal apps for Android Enterprise corporate-owned work profile devices

In device configuration, you can create a list of personal apps that will be blocked or allowed on the device. You can choose to leave the setting as not configured, or create a list of blocked or allowed apps in the personal profile. This setting is available in Microsoft Intune admin center by selecting Devices > Android > Configuration profiles > Create > New policy. For information about Android Enterprise corporate-owned work profile device settings, see Android Enterprise device settings to allow or restrict features using Intune.

New settings when configuring Kerberos single sign-on extension on iOS/iPadOS and macOS

There are new device feature settings available when configuring the Kerberos SSO extension on iOS/iPadOS and macOS devices. In Microsoft Intune admin center, choose Devices > iOS/iPadOS or macOS > Configuration profiles > Create > New policy > select Device features for profile > Single sign-on app extension > Kerberos for SSO app extension type. For more information, see iOS/iPadOS device feature settings and macOS device feature settings in Intune.

Four new shared iPad enrollment settings in public preview

Four new shared iPad settings are available in Intune for public preview. These settings are applied at the time of automated device enrollment.

For iPadOS 14.5 and later in Shared iPad mode:

  • Require Shared iPad temporary setting only: Configures the device so that users only see the guest version of the sign-in experience, and must sign in as guest users. They can't sign in with a Managed Apple ID.
  • Maximum seconds of inactivity until temporary session logs out: If there isn't any activity after the specified time, the temporary session automatically signs out.
  • Maximum seconds of inactivity until user session logs out: If there isn't any activity after the specified time, the user session automatically signs out.

For iPadOS 13.0 and later in Shared iPad mode:

  • Maximum seconds after screen lock before password is required for Shared iPad: If the screen lock exceeds this amount of time, a device password will be required to unlock the device.

Introducing Android (AOSP) management for corporate devices

You can use Microsoft Intune to manage corporate-owned devices that run on the Android Open Source Project (AOSP) platform. Microsoft Intune currently supports the new Android (AOSP) management option for RealWear devices only. Management capabilities include:

  • Provision devices as user-associated devices or shared devices.
  • Deploy device configuration and compliance profiles.

For more information about how to set up Android (AOSP) management, see Enroll Android devices.

Device security

MFA changes to Windows Autopilot enrollment flow

To improve the baseline security for Microsoft Entra ID, we changed Microsoft Entra behavior for multifactor authentication (MFA) during device registration. Previously, if a user completed MFA as part of their device registration, the MFA claim was carried over to the user state after registration was complete. Going forward, the MFA claim isn't preserved after registration and users will be prompted to redo MFA for any apps that require MFA by policy. For more information, see Windows Autopilot MFA changes to enrollment flow.

Manage Windows 10 security updates for Windows 10 Enterprise multi-session VMs

You can now use the settings catalog to manage Windows Update settings for quality (security) updates for Windows Enterprise multi-session VMs. To find the settings you can use with multi-session VMs in the settings catalog:

  1. Create a device configuration policy for Windows 10 that uses the settings catalog, and configure Settings filter for Enterprise multi-session.

  2. Next, expand the Windows Update for Business category to select from the update settings that are available for multi-session VMs.

The settings include:

September 2021

App management

New app categories available to better target app protection policies

We have improved the UX of Microsoft Intune by creating categories of apps that you can use to more easily and quickly target app protection policies. These categories are All public apps, Microsoft apps, and Core Microsoft apps. After you have created the targeted app protection policy, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy. As new apps are supported, we will dynamically update these categories to include those apps as appropriate, and your policies will be automatically applied to all apps in your selected category. If needed, you can continue to target policies for individual apps as well. For more information, see How to create and assign app protection policies and Create and deploy Windows Information Protection (WIP) policy with Intune.

Syncing the iOS/iPadOS/macOS Company Portal version

The versions of the iOS/iPadOS Company Portal and the macOS Company Portal are syncing to version 5.2019 for the next release. Going forward, the iOS/iPadOS and macOS Company Portal apps will have the same version number. For more information, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Device configuration

New iOS device restriction settings for built-in apps, doc viewing

There are two new device restriction settings you can configure on iOS devices (Devices > iOS/iPadOS > Configuration profiles > Create > New policy and select Device restrictions for profile) in Intune.

  • Block Siri for translation (Built-in Apps): Disables the connection to Siri servers so that users can't use Siri to translate text. Applies to iOS and iPadOS versions 15 and later.
  • Allow copy/paste to be affected by managed open-in (App Store, Doc Viewing, Gaming): Enforces copy/paste restrictions based on how you configured Block viewing corporate documents in unmanaged apps and Block viewing non-corporate documents in corporate apps.

For more information about iOS device restriction profiles in Intune, see iOS and iPadOS device settings to allow or restrict features using Intune.

New macOS device restriction setting blocks users from erasing all content and settings on device

There's a new macOS device restriction setting available (Devices > macOS > Configuration profiles > Create > New policy > and then select Templates > Device restrictions for profile) in Intune.

Block users from erasing all content and settings on device (General): Disables the reset option on supervised devices so that users can't reset their device to factory settings.

For more information about macOS device restriction profiles in Intune, see macOS device settings to allow or restrict features using Intune.

Applies to:

  • macOS version 12 and later

New software update restriction settings for macOS

There are five new software update settings available when configuring a macOS device restriction profile (Devices > macOS > Configuration profiles > Create > New policy > and then select Templates > Device restrictions for profile) in Intune.

  • Defer software updates (General): Prevents users from seeing certain types of newly released updates until after a deferral period. Deferring software updates doesn't stop or change scheduled updates. Types of software updates you can defer include: Major OS software updates, Minor OS software updates, Non-OS software updates, or any combination of the three.
  • Delay default visibility of software updates (General): Defers the default visibility of all software updates for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 10.13.4 and later.
  • Delay visibility of major OS software updates (General): Delays visibility of major OS software updates for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 11.3 and later.
  • Delay visibility of minor OS software updates (General): Delays visibility of minor OS software updates for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 11.3 and later.
  • Delay visibility of non OS software updates (General): Delays visibility of non-OS software updates (such as Safari updates) for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 11.0 and later.

For more information about macOS device restriction profiles in Intune, see macOS device settings to allow or restrict features using Intune.

New device restriction setting for Android Enterprise: Developer settings

There is a new device restriction setting for Android Enterprise devices (Devices > Android Enterprise > Configuration profiles > Create > New policy and select Device restrictions for profile) in Intune.

  • Developer settings: When set to Allow, users can access the developer settings on their devices. By default, it's set to Not configured. Applies to fully managed, dedicated, and corporate-owned work profile devices.

For more information about Android Enterprise device restriction profiles, see Android Enterprise device settings to allow or restrict features using Intune.

New device restrictions setting prevents sharing work profile contacts with paired Bluetooth devices

A new device restriction setting for corporate-owned work profile devices prevents users from sharing their work profile contacts with paired Bluetooth devices, such as cars or mobile devices. To configure the setting, go to Devices > Configuration > Create > Android Enterprise for platform > Device restrictions for profile.

  • Setting name: Contact sharing via Bluetooth (work profile-level)
  • Setting toggles:
      • Block: Blocks users from sharing work profile contacts via Bluetooth.
      • Not configured: Doesn't enforce any restrictions on the device, so users might be able to share their work profile contacts via Bluetooth.

Device management

Intune now supports iOS/iPadOS 13 and higher

Microsoft Intune, including the Intune Company Portal and Intune app protection policies, now requires iOS/iPadOS 13 and higher.

Intune now supports macOS 10.15 and later

Intune enrollment and the Company Portal now support macOS 10.15 and later. Older versions are not supported.

New Android device filtering options

You can now choose the following Android enrollment types when filtering by OS in the All devices list in Intune:

  • Android (personally owned work profile)
  • Android (corporate-owned work profile)
  • Android (fully managed)
  • Android (dedicated)
  • Android (device administrator)

In Microsoft Intune admin center, select Devices > All devices and view the OS column for specific Android enrollment types. For more information about Android enrollment types, see Intune reports.

Settings catalog policies for policy sets

In addition to profiles based on templates, you can add a profile based on the Settings catalog to your policy sets. The Settings catalog is a list of all the settings you can configure. To create a policy set in Microsoft Intune admin center, select Devices > Policy sets > Policy sets > Create. For more information, see Use policy sets to group collections of management objects and Use the settings catalog to configure settings on Windows and macOS devices.

Configure Managed Home Screen sign-in settings for Android Enterprise dedicated devices

You can now configure Managed Home Screen sign-in settings in device configuration when using Android Enterprise dedicated devices enrolled using Microsoft Entra shared device mode. You no longer need to use app configuration for these settings. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Use Feature Updates to upgrade devices to Windows 11

You can use Feature updates for Windows 10 and later policy to upgrade devices that meet the Windows 11 minimum requirements to Windows 11. It's as easy as configuring a new feature updates policy that specifies the available Windows 11 version as the feature update you want to deploy.

Use the Collect diagnostics remote action as a bulk device action for Windows devices

We've added the Collect diagnostics remote action as a Bulk device action that you can run for Windows devices. As a bulk device action for Windows devices, use Collect diagnostics to collect Windows device logs from up to 25 devices at a time without interrupting device users.

Support for Locate device remote action on Android Enterprise dedicated devices

You can use the Locate device remote action to get the current location of a lost or stolen Android Enterprise dedicated device that is online. If you try to locate a device that's currently offline, you see its last known location instead, but only if that device was able to check in with Intune in the last seven days.

For more information, see Locate lost or stolen devices.

Android Enterprise dedicated devices support the Rename remote action

You can now use the Rename remote action on Android Enterprise dedicated devices. You can rename devices individually and in bulk. When you use bulk Rename actions, the device name must include a variable that adds either a random number or the device's serial number.

For more information, see Rename a device in Intune.

New Microsoft Entra device ID and Intune device ID search parameters added

When searching devices in Devices > All devices, you can now search by Microsoft Entra device ID or Intune Device ID. For a list of available device details available in Intune, see View device details with Microsoft Intune.

Device security

Tenant attach: Device status for endpoint security policies

You can review the status of endpoint security policies for tenant attached devices. The Device Status page can be accessed for all endpoint security policy types for tenant-attached clients. For more information, see Device status for the endpoint security policy types.

Attack surface reduction profiles for Configuration Manager tenant attach

We've added two endpoint security profiles for attack surface reduction policy that you can use with devices you manage with Configuration Manager tenant attach. These profiles are in preview and manage the same settings as the similarly named profiles you use for devices managed by Intune. You'll find these new profiles when you configure attack surface reduction policy for the Windows 10 and later (ConfigMgr) platform.

The new profiles for tenant attach:

  • Exploit Protection (ConfigMgr) (preview) - Exploit protection helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of many mitigations that can be applied to either the operating system or individual apps.
  • Web Protection (ConfigMgr) (preview) - Web protection in Microsoft Defender for Endpoint uses network protection to secure your machines against web threats. Web protection stops web threats without a web proxy and can protect machines whether they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you have blocked in your custom indicator list.

Expanded support for Windows Defender Security Center for tenant attach devices

We've updated the Windows Security experience (preview) profile in endpoint security Antivirus policy to support more settings for devices you manage with Configuration Manager tenant attach.

Previously, this profile was limited to Tamper Protection for your tenant attached devices. The updated profile now includes settings for the Windows Defender Security Center. You can use these new settings to manage the same details for tenant attached devices that you already manage with the similarly named profile for Intune managed devices.

For more information about this profile, see Endpoint security Antivirus policy.

Intune apps

Notifications from the iOS/iPadOS Company Portal app

Notifications from the iOS/iPadOS Company Portal app are now delivered to devices using the default Apple sound, rather than being delivered silently. To turn the notification sound off from the iOS/iPadOS Company Portal app, select Settings > Notifications > Comp Portal and select the Sound toggle. For more information, see Company Portal app notifications.

Monitor and troubleshoot

Organizational report focused on device configuration

We have released a new Device configuration organizational report. This report replaces the existing Assignment status report found in the Microsoft Intune admin center under Devices > Monitor. The Device configuration report allows you to generate a list of profiles in the tenant that have devices in a state of success, error, conflict, or not applicable. You can use filters for the profile type, OS, and state. The returned results will provide search, sort, filter, pagination, and export capabilities. In addition to device configuration details, this report provides resource access details, and new settings catalog profile details. For more information, see Intune Reports.

Updated support experience in Microsoft Intune admin center

Available for Intune and co-management support flows, we've introduced an improved support experience in the Microsoft Intune admin center. The new experience guides you to issue-specific troubleshooting insights and web-based solutions, to get you a resolution faster.

To learn more about this change, see the support blog post.

Safeguard holds are now visible in the Feature update failures report

When a device is blocked from installing a Windows update due to a safeguard hold, you can view details about that hold in the Microsoft Intune admin center > Feature update failures report.

A device with a safeguard hold appears as a device with an error in the report. When you view details for such a device, the Alert Message column displays Safeguard Hold, and the Deployment Error Code column displays the ID of the safeguard hold.

Microsoft occasionally places safeguard holds to block installation of an update on a device when something detected on that device is known to result in a poor post-update experience. For example, software or drivers are common reasons to place a safeguard hold. The hold remains in place until the underlying issue is resolved, and the update is safe to install.

To learn more about active safeguard holds and expectations for their resolution, go to the Windows release health dashboard at https://aka.ms/WindowsReleaseHealth.

Update to the Assignment failures operational report

Security baselines and endpoint security profiles have been added to the existing Assignment failures report. The profile types are differentiated using the Policy type column with the ability to filter. Role-based access control (RBAC) permissions have been applied to the report to filter on the set of policies that an admin can see. Those RBAC permissions include the Security Baseline permission, the Device Configuration permission, and the Device Compliance Policies permission. The report shows the number of devices in a state of error and conflict for a given profile. You can drill down into a detailed list of those devices or users and into the setting details. You can find the Assignment failures report in Microsoft Intune admin center by selecting Devices > Monitor, or by selecting Endpoint Security > Monitor. For more information, see Assignment failures report (Operational).

August 2021

Windows 365 now generally available

Windows 365 is a new service from Microsoft that automatically creates Cloud PCs for your end users. Cloud PCs are a new hybrid personal computing category that uses the power of the cloud and the accessing device to provide a full and personalized Windows virtual machine. Admins can use Microsoft Intune to define the configurations and applications that are provisioned for each user's Cloud PC. End users can access their Cloud PC from any device and any location. Windows 365 stores the end user's Cloud PC and data in the cloud, not on the device, providing a secure experience.

For more information about Windows 365, see Windows 365.

For documentation on how to manage Windows 365 in your organization, see the Windows 365 documentation.

App management

Device filter evaluation reports now include filter results for assigned apps

If you're using filters for assigning apps as available, you can now use the filter evaluation report on a device to determine if an app has been made available for install. You can see this report per device, under Devices > All Devices > select a device > Filter evaluation (preview).

Applies to:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10

Another Android SafetyNet evaluation type support for conditional launch policies

Conditional launch now supports a sub-setting of SafetyNet device attestation. If you select SafetyNet device attestation as required for conditional launch, you can specify that a specific SafetyNet evaluation type is used. This evaluation type is a hardware-backed key. The presence of a hardware-backed key as the evaluation type will indicate greater integrity of a device. Devices that don't support hardware-backed keys will be blocked by the MAM policy if they are targeted with this setting. For more information about SafetyNet evaluation and hardware-backed key support, see Evaluation types in the Android developer documentation. For more information about Android conditional launch settings, see Conditional launch.

Update to Outlook S/MIME settings for iOS and Android devices

You can now enable Outlook S/MIME settings to always sign and/or always encrypt on iOS and Android devices when using the managed apps option. You can find this setting in Microsoft Intune admin center when using managed apps by selecting Apps > App configuration policies. In addition, you can add an LDAP (Lightweight Directory Access Protocol) URL for Outlook S/MIME on iOS and Android devices for both managed apps and managed devices. For more information, see App configuration policies for Microsoft Intune.

Scope tags for Managed Google Play apps

Scope tags determine which objects an admin with specific rights can view in Intune. Most newly created items in Intune take on the scope tags of the creator. This scenario doesn't apply to Managed Google Play Store apps. You can now optionally assign a scope tag to apply to all newly synced Managed Google Play apps on the Managed Google Play connector pane. The chosen scope tag will only apply to new Managed Google Play apps, not Managed Google Play apps that have already been approved in the tenant. For more information, see Add Managed Google Play apps to Android Enterprise devices with Intune and Use role-based access control (RBAC) and scope tags for distributed IT.

Content of macOS LOB apps will be displayed in Intune

Intune can now display the contents of macOS LOB apps (.intunemac files) in the console. You can review and edit the app detection details in the Intune console that are captured from the .intunemac file when adding a macOS LOB app. When uploading a PKG file, detection rules will be auto-created. In the Microsoft Intune admin center, select Apps > All apps > Add. Continue by selecting the Line-of-business app type and the App package file containing the .intunemac file. For more information, see How to add macOS line-of-business (LOB) apps to Microsoft Intune.

App management

Intune Company Portal for macOS devices is now a universal app

When you download Intune Company Portal for macOS devices version 2.18.2107 and later, it installs the new universal version of the app that runs natively on Apple Silicon Macs. The same app installs the x64 version of the app on Intel Mac machines. For more information, see Add the Company Portal for macOS app.

Device configuration

New version of the Certificate Connector for Microsoft Intune

We've released a new version of the Certificate Connector for Microsoft Intune, version 6.2108.18.0. This update includes:

  • A fix to correctly display the current connector status in Microsoft Intune admin center.
  • A fix to correctly report on failures to deliver SCEP certificates.

For more information about the certificate connector, including a list of connector releases and updates, see Certificate Connector for Microsoft Intune.

Use filters on DFCI configuration profiles on Windows 10/11 devices

In Intune, you can create filters to target devices based on different properties. When you create a Device Firmware Configuration Interface (DFCI) profile, you can use filters when assigning the profile.

Applies to:

  • Windows 11 on supported UEFI
  • Windows 10 RS5 (1809) and newer on supported UEFI

New Deployment Channel setting for custom device configuration profiles on macOS devices

When creating a custom device restriction policy for macOS devices, there is a new deployment channel setting available (Devices > Configuration > Create > macOS for platform > Templates > Custom for profile).

Use the Deployment channel setting to deploy the configuration profile to the user channel or the device channel. If you send the profile to the wrong channel, then deployment can fail. For more information on using a payload in a device profile or a user profile, see Profile-Specific Payload Keys (opens Apple developer website).

For more information about custom macOS profiles in Intune, see Use custom settings for macOS devices.

Applies to:

  • macOS

Use Wi-Fi networks set up using configuration profiles setting for iOS/iPadOS 14.5 devices and newer

When creating a device restrictions policy for iOS/iPadOS devices, there's a new setting available (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile):

  • Require devices to use Wi-Fi networks set up via configuration profiles: Set to Yes to require devices to only use Wi-Fi networks set up through configuration profiles.

To see the settings you can currently configure, go to iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS/iPadOS 14.5 and newer

New macOS device configuration profile settings, and change to iOS/iPadOS setting name

There are new settings you can configure on macOS 10.13 devices and newer (Devices > Configuration > Create > macOS for platform > Templates > Device restrictions for profile type):

  • Block adding Game Center friends (App Store, Doc Viewing, Gaming): Prevents users from adding friends to the Game Center.
  • Block Game Center (App Store, Doc Viewing, Gaming): Disables the Game Center, and the Game Center icon is removed from the Home screen.
  • Block multiplayer gaming in the Game Center (App Store, Doc Viewing, Gaming): Prevents multiplayer gaming when using the Game Center.
  • Block modification of wallpaper (General): Prevents the wallpaper from being changed.

To see the settings you can currently configure, go to macOS device settings to allow or restrict features.

Also, the iOS/iPadOS Block Multiplayer Gaming setting name is changing to Block multiplayer gaming in the Game Center (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile type).

For more information about this setting, go to iOS and iPadOS device settings to allow or restrict features.

Applies to:

  • iOS/iPadOS
  • macOS 10.13 and newer

More iOS/iPadOS home screen layout grid size options

On iOS/iPadOS devices, you can configure the grid size on the home screen (Devices > Configuration > Create > iOS/iPadOS for platform > Device features for profile > Home screen layout). For example, you can set the grid size to 4 columns x 5 rows.

The grid size will have more options:

  • 4 columns x 5 rows
  • 4 columns x 6 rows
  • 5 columns x 6 rows

To see the home screen layout settings you can currently configure, go to device settings to use common iOS/iPadOS features in Intune.

Applies to:

  • iOS/iPadOS

Add certificate server names to enterprise Wi-Fi profiles on Android Enterprise personally owned devices with a work profile

On Android devices, you can use certificate-based authentication for Wi-Fi networks on personal devices with a work profile (Devices > Configuration > Create > Android Enterprise for platform > Personally owned work profile > Wi-Fi).

When you use the Enterprise Wi-Fi type, and select the EAP type, there's a new Certificate server names setting. Use this setting to add a list of the certificate server domain names used by your certificate. For example, enter srv.contoso.com.

On Android 11 and newer devices, if you use the Enterprise Wi-Fi type, then you must add the certificate server names. If you don't add the certificate server names, users will have connection issues.

For more information on the Wi-Fi settings you can configure on Android Enterprise devices, see Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Applies to:

  • Android Enterprise personally owned devices with work profile

Device enrollment

Modern authentication method with Apple Setup Assistant is out of preview for automated device enrollment

The modern authentication method with Apple Setup Assistant is now out of preview and generally available for use for automated device enrollment.

For information on how to use this authentication method on iOS/iPadOS devices, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment.

For information on how to use this authentication method on macOS devices, see Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager.

Device management

Endpoint analytics per device scoring

To help you identify devices that could be affecting user experience, Endpoint analytics shows some scores per device. Reviewing scores per device might help you find and resolve end-user issues before a call is made to the help desk. You can display and sort by the Endpoint analytics, startup performance, and application reliability scores for each device. For more information, see Per device scores.

Adding Windows Hello for Business to Windows 10 Diagnostics

We've added the information from the Operational Event Viewer for Windows Hello for Business to the data that's collected for Windows 10 device diagnostics. See Data collected.

Device security

Changes to settings in the settings catalog for Microsoft Defender for Endpoint on macOS

We've added eight new settings to manage Microsoft Defender for Endpoint on macOS to the Intune settings catalog.

The new settings are found under the following four categories in the settings catalog. For information about these settings, see Set preferences for Microsoft Defender for Endpoint on macOS in the Microsoft Defender for Endpoint on Mac documentation.

  • Microsoft Defender - Antivirus engine:
    • Disallowed threat actions
    • Exclusions merge
    • Scan history size
    • Scan Results Retention
    • Threat type settings merge
  • Microsoft Defender - Cloud delivered protection preferences:
    • Automatic security intelligence updates
  • Microsoft Defender - User interface preferences:
    • User initiated feedback
  • Microsoft Defender - Network protection - This category is a new category for Microsoft Defender for Endpoint in the catalog:
    • Enforcement level

Confirm Tunnel Gateway servers can access your internal network from within the Microsoft Intune admin center

We've added the capability to the Microsoft Intune admin center to confirm that your Tunnel Gateway servers can access your internal network, without someone having to access the servers directly. To enable this feature, you'll configure a new option called URL for internal network access check in the properties of each Tunnel Gateway site.

After adding a URL from your internal network to a Tunnel Gateway site, each server in that site periodically attempts to access it, and then reports on the result.

The status for this internal network access check is reported as Internal network accessibility on a server's Health check tab. Status values for this check include:

  • Healthy - The server can access the URL specified in the site properties.
  • Unhealthy - The server can't access the URL specified in the site properties.
  • Unknown - This status appears when you haven't set a URL in the site properties, and doesn't affect the overall status of the site.

Your servers will need to upgrade to the latest version of the Tunnel Gateway server software for this feature to work.

Compliance setting for SafetyNet hardware-backed key attestation for Android Enterprise personally owned work profile

We've added a new device compliance setting for Android Enterprise personally owned work profile devices, Required SafetyNet evaluation type. This new setting becomes available after you configure SafetyNet device attestation to either Check basic integrity or Check basic integrity & certified devices. The new setting has the following options:

Required SafetyNet evaluation type:

  • Not configured (defaults to basic evaluation) – This is the default.
  • Hardware-backed key – Require that hardware-backed key attestation is used for SafetyNet evaluation. Devices that don't support hardware-backed key attestation are marked as not compliant.

For more information about SafetyNet and which devices support hardware-backed key attestation, see Evaluation types in the SafetyNet documentation for Android.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • F2 Touch Intune by cBrain A/S

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Export GPO XML file size increased to 4 MB when using group policy analytics on Windows client devices

In Microsoft Intune, you can use group policy analytics to analyze your on-premises GPOs, and determine how your GPOs translate in the cloud. To use this feature, you export your GPO as an XML file. The XML file size has increased from 750 KB to 4 MB.

For more information on using group policy analytics, see Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10

Device configuration reporting has been updated

All device configuration and endpoint security profiles are now merged into one report. You can view all the policies applied to your device in the new single report that contains improved data. For instance, you can see the distinction of profile types in the new Policy type field. Also, selecting a policy will provide more details about settings applied to the device and status of the device. Role-based access control (RBAC) permissions have been applied to filter the list of profiles based on your permissions. In the Intune admin center, you will select Devices > All devices > select a device > Device configuration to see this report when it's available. For more information, see Microsoft Intune reports.

New details for the Intune antivirus reports

We've added two new columns of detail to both the Windows 10 unhealthy endpoints report and the Antivirus agent status report.

The new details include:

  • MDE Onboarding status - (HealthState/OnboardingState) Identifies the presence of the Microsoft Defender for Endpoint agent on the device.
  • MDE Sense running state - (HealthState/SenseIsRunning) Reports on the operational status of the Microsoft Defender for Endpoint health sensor on a device.

For more information about these settings, see WindowsAdvancedThreatProtection CSP.

Customize health status thresholds for Microsoft Tunnel Gateway servers

You can now customize the thresholds that determine the health status for several metrics of Microsoft Tunnel Gateway.

Health status metrics have default values that determine whether the status reports as healthy, warning, or unhealthy. When you customize a metric, you change the performance requirements for the metrics status. You can customize the following metrics:

  • CPU usage
  • Memory usage
  • Disk space usage
  • Latency

When you change a threshold value, the change applies to all Tunnel servers in your tenant. You can also select an option to reset all the metrics to their default values.

After you update the thresholds, the values in the Health check tab automatically update to reflect status based on the updated thresholds.

You can view health status trends for several Microsoft Tunnel Gateway health metrics in the form of a chart. The health status trend charts are available for individual servers you select from the Health status page.

The metrics that support trend charts include:

  • Connections
  • CPU usage
  • Disk space usage
  • Memory usage
  • Average latency
  • Throughput

July 2021

Device configuration

Improved policy support for iPadOS devices enrolled as Shared iPads for Business (public preview)

We've added support for user-assigned device configuration policies for Shared iPads for Business.

With this change, settings like the home screen layout and most device restrictions assigned to user groups apply to Shared iPad devices while a user from the assigned user groups is active on the device.

Certificate Connector for Microsoft Intune combines separate certificate connectors

We've released the Certificate Connector for Microsoft Intune. This new connector replaces the use of separate certificate connectors for SCEP and PKCS, and includes the following features:

  • Configure each instance of the connector to support one or more of the following capabilities:
    • SCEP
    • PKCS
    • PFX imported certificates
    • Certificate revocation
  • Use a normal Active Directory account or the system account for the connector service.
  • Based on your tenant location, select government vs. commercial environments.
  • Removes the need to select a client certificate for SCEP integration with NDES.
  • Auto-updates to the latest version of the connector. Manual update of this connector is also supported.
  • Improved logging.

The previous connectors remain in support but are no longer available for download. If you need to install or reinstall a connector, install the new Certificate Connector for Microsoft Intune.

Windows Autopilot diagnostics page (public preview)

Available settings on the Enrollment Status Page are updated from Allow users to collect logs about installation errors to Turn on log collection and diagnostics page for end users to support the Windows Autopilot diagnostics page, available in Windows 11. For more information, see What's new in Windows Autopilot.

Device management

Use filters to assign Windows client update rings in Intune admin center - public preview

In the Intune admin center, you can create filters, and then use these filters when assigning apps and policies.

When assigning Windows client update ring policies, you can use filters (Devices > Windows > Windows 10 Update Rings). You can filter the devices that get the update rings policy based on a device property, such as the OS version, device manufacturer, and more. After you create the filter, use the filter when you assign the update rings policy.

Applies to:

  • Windows 11
  • Windows 10

Collect diagnostics remote action moved to general availability

The Collect diagnostics remote action lets you collect diagnostics from corporate devices without interrupting or waiting for the end user. Collected diagnostics include MDM, Autopilot, event viewers, registry key, Configuration Manager client, networking, and other critical troubleshooting diagnostics. For more information, see Collect diagnostics from a Windows device.

Autopilot support for Microsoft HoloLens is now generally available

For more information, see Windows Autopilot for HoloLens 2.

Device security

Work from anywhere report

Endpoint analytics has a new report named Work from anywhere. The Work from anywhere report is an evolution of the Recommended software report. The new report contains metrics for Windows 10, cloud management, cloud identity, and cloud provisioning. For more information, see the Work from anywhere report article.

Settings catalog support for Microsoft Defender for Endpoint on macOS

We've added settings to manage Microsoft Defender for Endpoint on macOS to the Intune settings catalog.

The new settings are found under the following four categories in the settings catalog. For information about these settings, see Set preferences for Microsoft Defender for Endpoint on macOS in the Microsoft Defender for Endpoint on Mac documentation.

Microsoft Defender - Antivirus engine:

  • Allowed threats
  • Enable passive mode
  • Enable real-time protection
  • Scan exclusions
  • Threat type settings

Microsoft Defender - Cloud delivered protection preferences:

  • Diagnostic collection level
  • Enable - disable automatic sample submissions
  • Enable - disable cloud delivered protection

Microsoft Defender - EDR preferences:

  • Device tags
  • Enable - disable early preview

Microsoft Defender - User interface preferences:

  • Show - hide status menu icon

Intune apps

Improvements to SSO app extension screen for Company Portal for macOS

We've improved the Intune Company Portal authentication screen that prompts macOS users to sign in to their account using single sign-on (SSO). Users can now:

  • See the app that's requesting SSO.
  • Select Don't ask me again to opt out of future SSO requests.
  • Opt back in to SSO requests by going to Company Portal > Preferences and deselecting Don't ask me to sign in with single sign-on for this account.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Webex for Intune by Cisco Systems, Inc.
  • LumApps for Intune by LumApps
  • ArchXtract (MDM) by CEGB CO., Ltd.

For more information about protected apps, see Microsoft Intune protected apps.

June 2021

App management

Android Company Portal app and Intune app now include Portugal Portuguese support

The Android Company Portal app and the Android Intune app now support Portuguese from Portugal (language code pt-PT). Intune already supports Portuguese from Brazil.

Improvements for viewing managed apps status

We've added some improvements to how Intune displays status information about the managed apps that have deployed to users or devices.

Intune now displays only the apps that are specific to the platform of the device you're viewing. We've also introduced performance enhancements and more support for the Android and Windows platforms.

Updated default license type for Apple VPP apps

When you create a new assignment for an Apple Volume Purchase Program (VPP) app, the default license type is now device. Existing assignments remain unchanged. For more information about Apple VPP apps, see How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Confidential File Viewer by Hitachi Solutions, Ltd.
  • AventX Mobile Work Orders by STR Software
  • Slack for Intune by Slack Technologies, Inc.
  • Dynamics 365 Sales by Microsoft
  • Leap Work for Intune by LeapXpert Limited
  • iManage Work 10 For Intune by iManage, LLC
  • Microsoft Whiteboard by Microsoft (Android version)

For more information about protected apps, see Microsoft Intune protected apps.

Device configuration

Manage cookies and cross site tracking in Safari on iOS/iPadOS devices

When creating a device restriction policy for iOS/iPadOS devices, you can manage cookies in the Safari app (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile > Built-in Apps).

The Safari cookies setting is updated to help manage cookies and cross site tracking. For more information on this setting, see Built-in Apps for iOS/iPadOS devices.

Applies to:

  • iOS/iPadOS versions 4 and newer

Device enrollment

Browser access automatically enabled during corporate Android enrollment

Browser access is now automatically turned on during new enrollments of the following devices:

  • Android Enterprise dedicated devices enrolled with Microsoft Entra shared device mode
  • Android Enterprise fully managed devices
  • Android Enterprise corporate-owned work profile devices

Compliant devices can use the browser to access resources protected by conditional access.

This change has no effect on devices that are already enrolled.

Intune support for Android Enterprise corporate-owned devices with a work profile

Intune support for Android Enterprise corporate-owned devices with a work profile is now generally available. For more information, see Announcing general availability of Android Enterprise corporate-owned devices with a work profile.

Device management

Use filters on Settings Catalog configuration profiles, and Risk Score and Threat Level compliance policy settings

When you use filters to assign your policies, you can:

  • Use filters on compliance policies that use the Risk Score and Threat Level settings.
  • Use filters on configuration profiles that use the Settings Catalog profile type.

For more information on what you can do, see List of platforms, policies, and app types supported by filters.

Applies to:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10

Use the EnrollmentProfileName property when creating a filter for Android Enterprise

In Intune, you can create filters to target devices based on different properties, including device name, manufacturer, and more. On iOS/iPadOS and Windows 10/11 devices, you can already create a filter using the enrollment profile name. The enrollment profile name property is now also available for Android Enterprise devices.

To see the filter properties you can configure, go to Device properties, operators, and rule editing when creating filters.

Applies to:

  • Android Enterprise

New iOS/iPadOS remote action lets you update the eSIM cellular plan (public preview)

The new Update cellular data plan (preview) action lets you remotely activate the eSIM cellular plan on iOS/iPadOS devices that support it. This feature is currently in public preview. For more information, see Update cellular data plan.

Tenant attach: Offboarding

While we know customers get enormous value by enabling tenant attach, there are rare cases where you might need to offboard a hierarchy. For example, you might need to offboard following a disaster recovery scenario where the on-premises environment was removed. To remove your Configuration Manager hierarchy from the Microsoft Intune admin center, select Tenant administration, Connectors and tokens then Microsoft Endpoint Configuration Manager. Choose the name of the site you would like to offboard, then select Delete. For more information, see Enable tenant attach.

Device security

Microsoft Defender for Endpoint for Microsoft Tunnel on Android is out of preview

The Microsoft Defender for Endpoint app that supports Microsoft Tunnel functionality on Android is now out of preview and generally available for use. With this change:

  • You no longer need to opt in to use Defender for Endpoint as the tunnel app on Android.
  • The standalone app for Android is now deprecated and will be removed from the Google app store when support ends on January 31, 2022.

Plan to download and use the updated Microsoft Defender for Endpoint app for Microsoft Tunnel on Android. If you participated in the preview, update your devices with the new version of Defender for Endpoint from the Google Play store. If you still use the standalone tunnel app, plan to migrate to the Microsoft Defender for Endpoint app before support for the standalone app ends.

The standalone tunnel app for iOS remains in preview.

Monitor and troubleshoot

Export option for Proactive remediations

Proactive remediations are script packages that can detect and fix common support issues on a user's device before they even realize there's a problem. To help you easily analyze returned outputs, an Export option was added that allows you to save the output as a .csv file. For more information, see Proactive remediations.

Updated certificates report

The Certificates report, which shows the current device certificates in use, has been updated to include better capabilities to search, page, sort, and export the report. In the Microsoft Intune admin center, select Devices > Monitor > Certificates. For more information about reports in Intune, see Intune reports.

May 2021

App management

Improved Conditional Access messaging for Android and iOS/iPadOS users

Microsoft Entra ID has updated the wording on a Conditional Access screen to better explain access and setup requirements to users. Android and iOS/iPadOS users see this screen when they try to access corporate resources from a device that's not enrolled in Intune management. For more information about this change, see What's new in Microsoft Entra ID.

New tiles provide app install failure count

The Home, Dashboard, and Apps Overview panes now provide updated tiles to show the number of app installation failures for the tenant. In the Microsoft Intune admin center, select Home to view the Home pane, or Dashboard to view the Dashboard pane. Select Apps > Overview to view the Apps Overview pane. For more information, see Intune reports.

Device configuration

Per setting status report in Settings Catalog

When you create a Settings Catalog profile, you can see how many devices are in each state, including success, conflict, and error (Devices > Configuration > select the policy). This report includes a Per setting status that:

  • Shows the total number of devices affected by a specific setting.
  • Has controls to search, sort, filter, export, and go to the next/previous pages.

For more information on the settings catalog, see Use the settings catalog to configure settings on Windows and macOS devices.

New settings for iOS/iPadOS 14.5 devices and newer

When creating a device restrictions policy for iOS/iPadOS devices, there are new settings available (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile):

  • Block Apple Watch auto unlock: Set to Yes to block users from unlocking their device with Apple Watch.
  • Allow users to boot devices into recovery mode with unpaired devices: Set to Yes to allow users to boot their device into recovery with an unpaired device.
  • Block Siri for dictation: Set to Yes to disable connections to Siri servers so that users can't use Siri to dictate text.

To see these settings, go to iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS/iPadOS 14.5 and newer

Device management

Support has ended for Restart remote action on Android Enterprise corporate-owned devices with a work profile

Support has ended for the Restart remote action on corporate-owned devices with a work profile. The Restart button has been removed from the Device page for corporate-owned devices with a work profile. If you try to restart devices using bulk device actions, the corporate-owned work profile devices won't restart, and those device actions will be reported as Not supported. Other device types that are included in the bulk device action will restart as normal for that action.

Windows 10/11 Enterprise multi-session support (public preview)

Windows 10/11 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Azure Virtual Desktop on Azure, which allows multiple concurrent user sessions. This feature gives users a familiar Windows client experience while IT can benefit from the cost advantages of multi-session and use existing per-user Microsoft 365 licensing.

Microsoft Intune lets you manage multi-session remote desktops with device-based configurations like a shared, user-less Windows client. You can now enroll Microsoft Entra hybrid joined VMs in Intune automatically and target them with OS scope policies and apps.

You can:

  • Host multiple concurrent user sessions using the Windows 10/11 Enterprise multi-session SKU exclusive to Azure Virtual Desktop on Azure.
  • Manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10/11 Enterprise client.
  • Automatically enroll Microsoft Entra hybrid joined virtual machines in Intune and target them with device scope policies and apps.

For more information, see Windows 10/11 Enterprise multi-session remote desktops.

Use filters to assign policies in Intune admin center

There's a new Filters option that can be used when assigning apps or policies to groups. To create a filter, go to:

  • Devices > Filters > Create
  • Apps > Filters > Create
  • Tenant administration > Filters > Create

You can filter the scope of affected devices using device properties. For example, you can filter on the OS version, device manufacturer, and more. After you create the filter, you can use the filter when you assign a policy or profile.

For more information, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Applies to:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10

Use Intune policy to expedite installation of Windows 10/11 security updates

In public preview, you can use Intune's Windows 10 quality updates policy to expedite the install of the most recent Windows 10/11 security updates to devices you manage with Intune.

When you expedite an update, devices can start the download and install of the update as soon as possible, without having to wait for the device to check in for updates. Other than expediting the install of the update, use of this policy leaves your existing update deployment policies and processes untouched.

To help monitor expedited updates, you can use the following options:

Device security

Windows Security experience profiles support tri-state settings

For Windows 10 devices, we've updated the bi-state settings to be tri-state settings in the Windows Security experience profile for Endpoint security Antivirus policy.

Most settings in the profile previously supported only two options of Yes and Not configured. Moving forward, those same settings now include Yes, Not configured, and a new option of No.

  • For existing profiles, settings that are set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now choose to explicitly specify No.

Also, the following information applies to configuration of the Hide the Virus and threat protection area in the Windows Security app setting and its child Hide the Ransomware data recovery option in the Windows Security app setting:

  • If the parent setting (Hide the Virus and threat protection area) was set to Not configured and the child setting was set to Yes, then the parent and child settings are set to Not configured.

New Microsoft Tunnel Gateway version

We've released a new version of the Microsoft Tunnel Gateway. It includes the following changes:

  • Minor bug fixes.
  • Image updates with security updates for all dependencies.

For sites that are configured to update automatically, the Tunnel Gateway server will automatically update to the new version. For sites that are configured to update manually, you'll need to approve the update.

Conditional access on Jamf-managed macOS devices for Government Cloud now available

You can now use Intune's compliance engine to evaluate Jamf-managed macOS devices in the Government Cloud. To do so, activate the compliance connector for Jamf. For more information, see Integrate Jamf Pro with Intune for compliance.

Changes for the Microsoft Tunnel Gateway

We have a pair of updates to announce for the Microsoft Tunnel Gateway this month:

  • Microsoft Tunnel Gateway is now generally available
    With this service release, Microsoft Tunnel Gateway is now out of preview, and generally available. While the Microsoft Tunnel Gateway server component is out of preview, the following Microsoft Tunnel client apps remain in preview:

    • Microsoft Tunnel standalone app for Android
    • Microsoft Tunnel standalone app for iOS
    • Microsoft Defender for Endpoint with support for Microsoft Tunnel for Android
  • Custom setting support in VPN profiles for Microsoft Tunnel for Microsoft Defender for Endpoint for Android

    When you use Microsoft Defender for Endpoint as your Microsoft Tunnel client app for Android and as a mobile threat defense (MTD) app, you can now use custom settings in the VPN profile for Microsoft Tunnel to configure Microsoft Defender for Endpoint.

    In this scenario, using custom settings to configure Microsoft Defender for Endpoint in the VPN profile removes the need to deploy a separate app configuration profile for Microsoft Defender for Endpoint.

    For the following platforms, you can choose to use either the custom settings in the VPN profile or to use a separate app configuration profile for Microsoft Defender for Endpoint:

    • Android Enterprise Fully Managed
    • Android Enterprise Corporate-Owned Work Profile

    However, for an Android Enterprise Personally Owned Work profile, use only the VPN profile with custom settings. Personally Owned Work Profile devices that receive a separate app configuration profile for Microsoft Defender for Endpoint and a Microsoft Tunnel VPN profile might be unable to connect to the Microsoft Tunnel.

Monitor and troubleshoot

New operational report providing app install status

The new App Install Status report provides a list of apps with versions and installation details. App installation details are included as separate columns in the list. Also, the installation details provide the app install and failure totals for devices and users. You have the ability to sort and search this report as well. In the Microsoft Intune admin center, select Apps > Monitor > App Install Status. For more information about reports in Intune, see Intune reports.

New operational report providing app install status based on device

Based on a selected app, the new Device Install Status report provides a list of devices and status information related to the specific app. App installation details related to the device include UPN, Platform, Version, Status, Status details, and Last check-in. You have the ability to sort, filter, and search this report as well. In the Microsoft Intune admin center, select Apps > All Apps > Select an app > Device Install status. For more information about reports in Intune, see Intune reports.

New operational report providing app install status based on user

Based on a selected app, the new User Install Status report provides a list of users and status information related to the specific app. App installation details related to the user include Name, UPN, Failures, Installs, Pending, Not Installed, and Not Applicable. You have the ability to sort, filter, and search this report as well. In the Microsoft Intune admin center, select Apps > All apps > Select an app > User Install Status. For more information about reports in Intune, see Intune reports.

Export Intune reports using Graph API v1.0 or beta

Intune reporting export API now is available in Graph v1.0, and continues to be available in Graph beta. For more information, see Intune reports and Export Intune reports using Graph APIs.
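The export API is asynchronous: you create an export job, poll it until its status is completed (or failed), then download the archive from the URL the finished job returns. The following is an added example of that exchange; it is not code from the Intune documentation or from Microsoft. It assumes you already hold a Graph bearer token (token acquisition is out of scope), and the report name and column names in demo() are assumptions chosen for illustration. The HTTP transport is injected so the same flow runs offline against the constructed FakeGraph class; graph_http is the real urllib transport.

```python
"""Drive an Intune report export through Microsoft Graph: create the job,
poll until it finishes, then fetch the archive from the returned URL.
Added example; report/column names in demo() are assumptions."""
import json
import time
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
JOBS = f"{GRAPH}/deviceManagement/reports/exportJobs"
TERMINAL = {"completed", "failed"}


def build_export_request(report_name, select=None, filter_expr=None, fmt="csv"):
    """Body for POST /deviceManagement/reports/exportJobs."""
    body = {"reportName": report_name, "format": fmt}
    if select:
        body["select"] = list(select)
    if filter_expr:
        body["filter"] = filter_expr
    return body


def graph_http(method, url, body, token):
    """Real transport (urllib). Sends Authorization only when a token is given."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        raw = resp.read()
        is_json = "json" in resp.headers.get("Content-Type", "")
        return resp.status, (json.loads(raw) if is_json else raw)


def create_job(http, token, body):
    status, payload = http("POST", JOBS, body, token)
    if status != 201:
        raise RuntimeError(f"export job not created: HTTP {status} {payload}")
    return payload["id"]


def wait_for_job(http, token, job_id, poll_seconds=5.0, max_polls=60):
    """Poll GET /exportJobs('{id}') until status is completed or failed."""
    url = f"{JOBS}('{job_id}')"
    for _ in range(max_polls):
        status, job = http("GET", url, None, token)
        if status != 200:
            raise RuntimeError(f"poll failed: HTTP {status} {job}")
        if job["status"] in TERMINAL:
            return job
        time.sleep(poll_seconds)
    raise TimeoutError(f"export job {job_id} still running after {max_polls} polls")


def export_report(http, token, report_name, poll_seconds=5.0, **request_kw):
    """Returns the raw archive bytes of a finished export, or raises."""
    job_id = create_job(http, token, build_export_request(report_name, **request_kw))
    job = wait_for_job(http, token, job_id, poll_seconds=poll_seconds)
    if job["status"] != "completed":
        raise RuntimeError(f"export job {job_id} failed: {job}")
    # The download URL is pre-authenticated storage: do not send the Graph token to it.
    status, archive = http("GET", job["url"], None, None)
    if status != 200:
        raise RuntimeError(f"download failed: HTTP {status}")
    return archive


class FakeGraph:
    """Constructed offline stand-in: two inProgress polls, then completed."""

    def __init__(self, polls_before_done=2):
        self.polls = 0
        self.remaining = polls_before_done
        self.blob_url = "https://example.invalid/DeviceCompliance_1.zip?sig=constructed"

    def __call__(self, method, url, body, token):
        if method == "POST" and url == JOBS and token:
            return 201, {"id": "DeviceCompliance_1", "status": "notStarted", "url": None}
        if method == "GET" and url.startswith(JOBS) and token:
            self.polls += 1
            done = self.polls > self.remaining
            return 200, {"id": "DeviceCompliance_1",
                         "status": "completed" if done else "inProgress",
                         "url": self.blob_url if done else None}
        if method == "GET" and url == self.blob_url and token is None:
            return 200, b"PK\x03\x04constructed-zip-bytes"
        return 400, {"error": f"unexpected {method} {url} token={bool(token)}"}


def demo():
    """Offline run against FakeGraph; returns (archive bytes, number of polls)."""
    fake = FakeGraph()
    archive = export_report(fake, "constructed-token", "DeviceCompliance",
                            poll_seconds=0,
                            select=["DeviceId", "DeviceName", "ComplianceState", "OS"],
                            filter_expr="(ComplianceState eq 'NonCompliant')")
    return archive, fake.polls
```

To run against a tenant, call export_report(graph_http, token, "DeviceCompliance", ...) with a real token; the returned bytes are a zip containing the CSV. The transport deliberately passes no token when fetching the job's download URL, because that URL is already signed and the Graph bearer token has no business reaching a storage endpoint.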

Scripts

New property value supported for Android Open Source Project devices

The IntuneAosp property value is now supported in the managementAgentType enum. The ManagementAgentTypeID value for this property is 2048. It represents the device type that is managed by Intune's MDM for AOSP (Android Open Source Project) devices. For more information, see managementAgentType in the beta section of the Intune Data Warehouse API.

April 2021

App management

Updated privacy screen in Company Portal for iOS

We added more text to the Company Portal privacy screen to clarify how Company Portal uses collected data. It assures users that the collected data is only used to verify that devices are compliant with their organization's policies.

Installation status for device-assigned required apps

From the Installed apps page of the Windows Company Portal or the Company Portal website, end users can view the installation status and details for device-assigned required apps. This functionality is provided in addition to the installation status and details of user-assigned required apps. For more information about the Company Portal, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Win32 app version displayed in console

The version of your Win32 app is now displayed in the Microsoft Intune admin center. The app version is provided in the All apps list, where you can filter by Win32 apps and select the optional version column. In the Microsoft Intune admin center, select Apps > All apps > Columns > Version to display the app version in the app list. For more information, see Win32 app management in Microsoft Intune.

Maximum OS version setting for app conditional launch on iOS devices

Using Intune app protection policies, you can add a new conditional launch setting to ensure end users are not using any pre-release or beta OS build to access work or school account data on iOS devices. This setting ensures that you can vet all OS releases before end users are actively using new OS functionality on iOS devices. In Microsoft Intune admin center, select Apps > App protection policies. For more information, see How to create and assign app protection policies.

Device configuration

New modern authentication method with Apple Setup Assistant (public preview)

When creating an Automated Device Enrollment profile, you can now choose a new authentication method: Setup Assistant with modern authentication. This method provides all the security of Setup Assistant but avoids leaving end users stuck on a device they can't use while the Company Portal installs. The user authenticates with Microsoft Entra ID during the Setup Assistant screens, including multifactor authentication if your policies require it. To gain access to corporate resources protected by Conditional Access, this feature requires another Microsoft Entra sign-in post-enrollment in the Company Portal app. For iOS/iPadOS, the correct Company Portal version is automatically sent down to the device as a required app. For macOS, see Add the Company Portal for macOS app for the options to get the Company Portal on the device.

Enrollment is completed once the user lands on the home screen, and users can freely use the device for resources not protected by Conditional Access. User affinity is established when the user lands on the home screen after the setup screens. However, the device isn't fully registered with Microsoft Entra ID until the Company Portal sign-in, and it doesn't show up in the user's device list in the Microsoft Entra admin center until then. If the tenant has multifactor authentication turned on for these devices or users, users are asked to complete multifactor authentication during Setup Assistant enrollment. Multifactor authentication isn't required, but it's available for this authentication method within Conditional Access if needed.

This method has the following options for installing the Company Portal:

  • For iOS/iPadOS: The Install Company Portal setting isn't shown when you choose this flow for iOS/iPadOS. The Company Portal app is a required app on the device, with the correct app configuration policy, by the time the end user reaches the home screen. To gain access to resources protected by Conditional Access and be fully Microsoft Entra registered, after enrollment, users must sign in to the Company Portal app with Microsoft Entra credentials.
  • For macOS: Users must sign into the Company Portal to complete Microsoft Entra registration and gain access to resources protected by Conditional Access. The end user will not be locked to the Company Portal app after landing on the home page. But, another sign-in into the Company Portal app is required to access corporate resources and be compliant. For more information, see Add the macOS Company Portal app.

For information on how to use this authentication method on iOS/iPadOS devices, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment.

For information on how to use this authentication method on macOS devices, see Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager.

Updated OEMConfig policy reporting for Android Enterprise devices

On Android Enterprise devices, you can create an OEMConfig policy to add, create, and customize OEM-specific settings. Now, the policy reporting is updated to also show success on a user, a device, and for each setting in the policy.

For more information, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise

Disable NFC pairing on iOS/iPadOS devices running 14.2 and newer

On supervised iOS/iPadOS devices, you can create a device restrictions profile that disables NFC (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile > Connected devices > Disable near field communication (NFC)). When you disable this feature, it prevents devices from pairing with other NFC-enabled devices, and disables NFC.

To see this setting, go to iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS/iPadOS 14.2 and newer

Device management

Locate device remote action for Windows client devices

You can now use a new locate device remote action to get the geographical location of a device. Supported devices include:

  • Windows 11
  • Windows 10 version 20H2 (10.0.19042.789) or later
  • Windows 10 version 2004 (10.0.19041.789) or later
  • Windows 10 version 1909 (10.0.18363.1350) or later
  • Windows 10 version 1809 (10.0.17763.1728) or later

To see the new action, sign in to the Microsoft Intune admin center and choose Devices > Windows > choose a device > Locate device.

This action works similarly to the existing Locate device action for Apple devices, but doesn't include any lost mode functionality.

Location services must be enabled on devices for this remote action to work. If Intune is unable to fetch the device's location and the user has set a default location in device settings, it will display the default location.

Microsoft Intune ending support for Android 5.x

Microsoft Intune no longer supports Android 5.x devices.

Support to display phone numbers for corporate Android Enterprise devices

For corporate Android Enterprise devices (Dedicated, Fully Managed, and Fully managed with work profile), the associated device phone numbers are now displayed in the Microsoft Intune admin center. If multiple numbers are associated with the device, only one number will be displayed.

EID property support for iOS/iPadOS devices

The eSIM identifier (EID) is a unique identifier for the embedded SIM (eSIM). The EID property now appears on the hardware details page for iOS/iPadOS devices.

Intune support for provisioning Microsoft Entra shared devices

The ability to provision Android Enterprise dedicated devices with Microsoft Authenticator automatically configured into Microsoft Entra shared device mode is now Generally Available. For more info on how to use this enrollment type, see Set up Intune enrollment of Android Enterprise dedicated devices.

View end of support details for your feature update profiles

To help you plan for end-of-service for Windows 10 feature updates you deploy with Intune, there are new columns of information for Feature Updates profiles in the Microsoft Intune admin center.

The first new column displays a status. This status identifies when the update in the profile is near or has reached its end of service. The second column displays that end of service date. When an update reaches its end of service, it's no longer deployed to devices, and the policy can be removed from Intune.

The new columns and details include:

  • Support – This column displays the status of the feature update:

    • Supported – The update is supported for distribution.
    • Support ending – The update is within two months of its end of service date.
    • Not supported – The update is no longer supported, having reached its end of service date.
  • Support End Date – This column displays the end-of-service date for the feature update in the profile.

For information about end of service dates for Windows 10 releases, see Windows 10 release information in the Windows release health documentation.

Device security

Use Antivirus profiles to prevent or allow merger of Antivirus exclusion lists on devices

You can now configure Defender local admin merge as a setting in a Microsoft Defender Antivirus profile to block merger of local exclusion lists for Microsoft Defender Antivirus on Windows 10 devices.

Exclusion lists for Microsoft Defender Antivirus can be configured locally on a device, and specified by Intune Antivirus policy:

  • When exclusion lists are merged, locally defined exclusions are merged with exclusions from Intune.
  • When merge is blocked, only exclusions from policy will be effective on the device.

For more information about this and related settings, see Microsoft Defender Antivirus Exclusions.

Improved flow for conditional access on Surface Duo devices

We've streamlined the conditional access flow on Surface Duo devices. These changes happen automatically and don't require any configuration updates by administrators. (Endpoint security > Conditional access)

On a Duo device:

  • When access to a resource is blocked by conditional access, users are now redirected to the Company Portal app that was preinstalled on the device. Previously, they were sent to the Google Play store listing of the Company Portal app.
  • For devices that are enrolled as a personally owned work profile, when a user tries to sign in to a personal version of an app using their work credentials they are now sent to the work version of the Company Portal where guidance messaging is shown. Previously, users were sent to the Google Play store listing of the personal version of the Company Portal app. They would have to reenable the personal Company Portal app to see the guidance messaging.

Configure options that apply to Tunnel Gateway server upgrades

We've added options to help you manage the upgrade of your Microsoft Tunnel Gateway servers. The new options apply to the Sites configuration and include:

  • Set a maintenance window for each tunnel site. The window defines when the tunnel servers that are assigned to that site can start to upgrade.

  • Configure the server upgrade type, which determines how all servers at the site proceed with upgrades. You can choose between:

    • Automatic - All servers at the site will upgrade as soon as possible after a new server version becomes available.
    • Manual - Servers at the site will upgrade only after an admin explicitly chooses to allow the upgrade.
  • The Health check tab now displays status for the server's software version to help you understand when your tunnel server software is out of date. Status includes:

    • Healthy - up to date with the most recent software version.
    • Warning - one version behind
    • Unhealthy - two or more versions behind

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Omnipresence Go by Omnipresence Technologies, Inc.
  • Comfy by Building Robotics, Inc.
  • M-Files for Intune by M-Files Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

New UI to filter data for new operational reports

New operational reports will now support a new UI to add data filters. The new filter pill offers an improved experience to help slice, refine, and view report data. For more information about reports in Intune, see Intune reports.

Windows restart frequency report in Endpoint analytics is generally available

Endpoint analytics startup performance currently provides IT with insights to measure and optimize PC boot times. However, restart frequency can be as impactful to the user experience since a device that reboots daily because of blue screens will have a poor user experience even if the boot times are fast. We have now included a report on restart frequencies within your organization to help you identify problematic devices. For more information, see Restart frequency in endpoint analytics.

March 2021

App management

Intune management agent for macOS devices is now a universal app

When you deploy shell scripts or custom attributes for macOS devices from Microsoft Intune, it deploys the new universal version of the Intune management agent app that runs natively on Apple Silicon Mac machines. The same deployment installs the x64 version of the app on Intel Mac machines. Rosetta 2 is required to run the x64 (Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script in Intune. For more information, see Microsoft Intune management agent for macOS.

Microsoft 365 Apps for macOS devices are now universal apps

When you deploy Microsoft 365 Apps for macOS devices from Microsoft Intune, it now deploys the new universal versions of the apps that run natively on Apple Silicon Macs. The same deployment installs the x64 versions of the apps on Intel Macs running macOS 10.14 and higher. To add Microsoft 365 Apps for macOS, in the Microsoft Intune admin center > Apps > All apps > Add. Select macOS in the App type list under Microsoft 365 Apps. For more information, see Assign Microsoft 365 to macOS devices with Microsoft Intune.

More configuration keys for the Microsoft Launcher app

You can now set folder configuration settings for Microsoft Launcher on Android Enterprise corporate owned fully managed devices. By using an app configuration policy and configuration key values, you can set values for folder shape, folder opened to full screen, and folder scroll direction. Also, you can position the folder on the home screen in addition to positioning apps and weblinks. Also, you can choose to allow end users to modify the folder style values within the app. For more information about Microsoft Launcher, see Configure Microsoft Launcher for Android Enterprise with Intune.

Support for Win32 app supersedence in Intune

We've enabled a public preview of app supersedence in Intune. You can now create supersedence relationships between apps, which allows you to update and replace existing Win32 apps with newer versions of the same app, or entirely different Win32 apps. For more information, see Win32 app supersedence.

Maximum OS version setting for app conditional launch on Android devices

Using Intune app protection policies, you can add a new conditional launch setting to ensure end users are not using any pre-release or beta OS build to access work or school account data on Android devices. This setting ensures that you can vet all OS releases before end users are actively using new OS functionality on Android devices. In Microsoft Intune admin center, this setting is in Apps > App protection policies. For more information, see How to create and assign app protection policies.

Device configuration

New version of the PFX Certificate Connector

We've released a new version of the PFX Certificate Connector, version 6.2101.16.0. This update adds improvements to the PFX Create flow to prevent duplication of Certificate Request files on on-premises servers that host the connector.

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Use Cisco AnyConnect as a VPN connection type for Windows 10/11 and Windows Holographic for Business

You can create VPN profiles using Cisco AnyConnect as a connection type (Devices > Configuration > Create > Windows 10 and later for platform > VPN for profile > Cisco AnyConnect for connection type) without needing to use custom profiles.

This policy uses the Cisco AnyConnect app available in the Microsoft store. It doesn't use the Cisco AnyConnect desktop application.

For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.

Applies to:

  • Windows 11
  • Windows 10
  • Windows Holographic for Business

Run Microsoft Edge version 87 and newer in single app kiosk mode on Windows 10/11 devices

On Windows client devices, you configure a device to run as a kiosk that runs one app, or runs many apps (Devices > Configuration > Create > Windows 10 and later for platform > Templates > Kiosk). When you select single app mode, you can:

  • Run Microsoft Edge version 87 and newer.
  • Select Add Microsoft Edge legacy browser to run Microsoft Edge version 77 and older.

For more information on the settings you can configure in kiosk mode, see Kiosk settings for Windows client devices.

Applies to:

  • Windows 11 in single-app kiosk mode
  • Windows 10 in single-app kiosk mode
  • Microsoft Edge version 87 and newer
  • Microsoft Edge version 77 and older

Administrative Templates is available in Settings Catalog, and has more settings

In Intune, you can use Administrative Templates to create policies (Devices > Configuration > Create > Windows 10 and later for platform > Administrative Templates for profile).

In the Settings Catalog, Administrative Templates are also available, and have more settings (Devices > Configuration > Create > Windows 10 and later for platform > Settings Catalog for profile).

With this release, admins can configure other settings that only existed in on-premises group policy, and weren't available in cloud-based MDM. These settings are available for Windows Insider client endpoint builds, and might be backported to in-market Windows versions, such as 1909, 2004, or 2010.

If you want to create Administrative Templates, and use all the available settings exposed by Windows, then use the Settings Catalog.

For more information, see:

Applies to:

  • Windows 11
  • Windows 10

More Microsoft Edge settings, and setting categories are removed in Settings Catalog for macOS

On macOS devices, you can use the Settings Catalog to configure Microsoft Edge version 77 and newer (Devices > Configuration > Create > macOS for platform > Settings Catalog).

In this release:

  • More Microsoft Edge settings are added.
  • Temporarily, the setting categories are removed. To find a specific setting, use the Microsoft Edge - All category, or search for the setting name. For a list of settings, see Microsoft Edge - Policies.

For more information on the Settings Catalog, see Use the settings catalog to configure settings.

Applies to:

  • macOS
  • Microsoft Edge

Windows 10/11 in cloud configuration is available as a Guided Scenario

Windows 10/11 in cloud configuration is a Microsoft-recommended device configuration for Windows 10/11. Windows 10/11 in cloud configuration is optimized for the cloud and designed for users with focused workflow needs.

There's a guided scenario that automatically adds the apps, and creates the policies that configure your Windows 10/11 devices in a cloud configuration.

For more information, see Guided scenario for Windows 10/11 in cloud configuration.

Applies to:

  • Windows 11
  • Windows 10

Device enrollment

Sync status of enrollment program tokens

The sync status for automated device enrollment tokens listed on the Enrollment program tokens pane has been removed to minimize confusion. The per-token information continues to be displayed. Enrollment program tokens are used to manage automated device enrollment with Apple Business Manager and Apple School Manager. In the Microsoft Intune admin center, you can find the token list for iOS/iPadOS devices by selecting Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens. To find the token list for macOS devices, select Devices > macOS > macOS enrollment > Enrollment program tokens. For more information, see Automatically enroll iOS/iPadOS devices and Automatically enroll macOS devices.

Device management

Previously, we recommended that you don't exceed 60,000 iOS/iPadOS or macOS devices per Automated Device Enrollment (ADE) token. This recommended limit is now increased to 200,000 devices per token. For more information about ADE tokens, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment.

Update of column names in All devices view and Export report

To accurately reflect the data in the columns, we've updated the column names in the All devices view and the Export report to be Primary User UPN, Primary User email address, and Primary User display name.

End of support for Internet Explorer 11

Intune will end support for Internet Explorer 11 admin access to the Admin Portal web app UI on March 31, 2021. Move to Edge or another supported browser before that time to administer any of your Microsoft services built on Azure.

Collect diagnostics remote action

A new remote action, Collect diagnostics, lets you collect the logs from corporate devices without interrupting or waiting for the end user. Collected logs include MDM, Autopilot, event viewers, key, Configuration Manager client, networking, and other critical troubleshooting logs. For more information, see Collect diagnostics from a Windows device.

New options for export device data

The following new options are available when exporting device data:

  • Only include selected columns in the exported file.
  • Include all inventory data in the exported file.

To see these options, go to Microsoft Intune admin center > Devices > All devices > Export.

Device security

Use the variable CN={{UserPrincipalName}} in the subject and SAN of SCEP and PKCS certificate profiles for Android Enterprise devices

You can now use the User attribute CN={{UserPrincipalName}} variable in the subject or SAN of a PKCS certificate profile or SCEP certificate profile for Android devices. This support requires that the device has an associated user, such as devices enrolled as:

  • Android Enterprise fully managed
  • Android Enterprise personally owned work profile

User attributes are not supported for devices that don't have user associations, such as devices that are enrolled as Android Enterprise dedicated. For example, when there isn't a user on the device, a profile that uses CN={{UserPrincipalName}} in the subject or SAN can't get the user principal name.
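To make the user-affinity requirement concrete, here is an added example (not Intune's implementation) of how a subject or SAN template with {{Variable}} placeholders is resolved against a device record, and how it fails for a dedicated device that has no user. The placeholder names follow the ones Intune documents ({{UserPrincipalName}}, {{EmailAddress}}, {{DeviceName}}, {{AAD_Device_ID}}); the device records, the profile layout, and the choice to RFC 4514-escape subject values are mine. The escaping is there because a subject value that arrives with a comma or equals sign in it could otherwise add its own RDNs to the issued certificate.

```python
"""Resolve Intune-style {{Variable}} placeholders in certificate subject/SAN
templates and fail clearly when the device has no user to supply them.
Added example; device records and profile layout are constructed."""
import re

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_]+)\s*\}\}")
# Variables that only exist when a user is associated with the device.
USER_VARIABLES = {"UserPrincipalName", "UserName", "EmailAddress",
                  "OnPrem_Distinguished_Name"}


class MissingAttributeError(ValueError):
    """A template references a variable this device cannot supply."""


def rdn_escape(value):
    """RFC 4514 escaping so an attribute value cannot inject extra RDNs."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def unresolved_variables(template, device):
    """Placeholder names in the template that the device record cannot fill."""
    return sorted({m.group(1) for m in PLACEHOLDER.finditer(template)
                   if not device.get(m.group(1))})


def render(template, device, escape=None):
    """Substitute placeholders, applying `escape` (if given) to each value."""
    missing = unresolved_variables(template, device)
    if missing:
        hint = ""
        if any(v in USER_VARIABLES for v in missing) and not device.get("UserPrincipalName"):
            hint = " (no user is associated with this device)"
        raise MissingAttributeError(f"cannot resolve {missing}{hint}")
    fn = escape or (lambda s: s)
    return PLACEHOLDER.sub(lambda m: fn(device[m.group(1)]), template)


def profile_applies(profile, device):
    """True when every template in the profile resolves for this device."""
    templates = [profile["subject"], *profile["san"].values()]
    return not any(unresolved_variables(t, device) for t in templates)


def evaluate_profile(profile, device):
    """Subject is DN-escaped; SAN entries are plain values keyed by SAN type."""
    return {
        "subject": render(profile["subject"], device, escape=rdn_escape),
        "san": {kind: render(tmpl, device) for kind, tmpl in profile["san"].items()},
    }


# Constructed device records (not real tenant data).
FULLY_MANAGED = {"EnrollmentType": "Android Enterprise fully managed",
                 "DeviceName": "AE-FM-0042",
                 "AAD_Device_ID": "11111111-2222-3333-4444-555555555555",
                 "UserPrincipalName": "alice@contoso.com",
                 "EmailAddress": "alice@contoso.com"}
DEDICATED = {"EnrollmentType": "Android Enterprise dedicated",
             "DeviceName": "KIOSK-17",
             "AAD_Device_ID": "66666666-7777-8888-9999-000000000000"}

# Constructed profiles: one user-based, one device-based.
USER_PROFILE = {"subject": "CN={{UserPrincipalName}},O=Contoso",
                "san": {"UPN": "{{UserPrincipalName}}", "Email": "{{EmailAddress}}"}}
DEVICE_PROFILE = {"subject": "CN={{DeviceName}},O=Contoso",
                  "san": {"URI": "urn:constructed:device:{{AAD_Device_ID}}"}}
```

Running evaluate_profile(USER_PROFILE, FULLY_MANAGED) yields CN=alice@contoso.com,O=Contoso with matching UPN and Email SANs; the same profile against DEDICATED raises MissingAttributeError naming UserPrincipalName, which is the case the paragraph above describes. For dedicated devices, use a device-attribute template such as DEVICE_PROFILE instead.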

Use app protection policies for Defender for Endpoint on Android and iOS

You can now use Microsoft Defender for Endpoint in app protection policies for devices that run Android or iOS.

  • Configure your MAM conditional launch policy to include Max allowed threat level signals from Microsoft Defender for Endpoint on iOS devices and Android devices.
  • Choose to Block Access or Wipe Data based on whether or not the device meets the expected threat level.

When configured, end users are prompted to install and set up the Microsoft Defender for Endpoint app from the applicable app store. As a prerequisite, you must set up your Microsoft Defender for Endpoint connector and switch on the toggle to send risk data to your app protection policies. For more information, see App protection policies overview, and Use Microsoft Defender for Endpoint in Microsoft Intune.

Configure Attack surface reduction rules to block malware from gaining persistence through WMI

You can now configure the rule named Block persistence through WMI event subscription as part of an Attack surface reduction rules profile in Endpoint security.

This rule prevents malware from abusing WMI to attain persistence on a device. Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.

When configured as a setting in an Attack surface reduction policy for Endpoint security, the following options are available:

  • Not configured (default) – The setting returns to the Windows default, which is off and persistence isn't blocked.
  • Block – Persistence through WMI is blocked.
  • Audit – Evaluate how this rule affects your organization if it's enabled (set to Block).
  • Disable - Turn this rule off. Persistence isn't blocked.

This rule doesn't support the Warn option, and is also available as a Device configuration setting from the Settings catalog.
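The persistence this rule targets is a WMI permanent event subscription: an __EventFilter (the trigger, often a timer or uptime query), an event consumer that runs a command or script, and a __FilterToConsumerBinding tying them together. Before turning the rule to Block, it is worth knowing which subscriptions already exist in your estate. The following added example (not part of the Intune docs or a vendor detection rule) correlates Sysmon-style WmiEvent records for filter creation, consumer creation and binding into pairs and flags the pairs that look like persistence. The event records are constructed to resemble Sysmon event IDs 19, 20 and 21; the field names and indicator patterns are my choices.

```python
"""Flag WMI permanent event subscriptions that look like persistence by
correlating Sysmon-style WmiEvent records (filter, consumer, binding).
Added example; sample events are constructed, indicator patterns are mine."""
import re

# Consumer classes whose "destination" is executed when the filter fires.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32)", re.I)
ENCODED_OR_DOWNLOAD = re.compile(r"(-enc\b|encodedcommand|downloadstring|frombase64string)", re.I)
# Filters that fire on a clock/uptime trigger rather than a specific event.
TIMER_TRIGGER = re.compile(r"(Win32_LocalTime|Win32_PerfFormattedData_PerfOS_System|SystemUpTime)", re.I)
OBJECT_REF = re.compile(r'^(\w+)\.Name="(.*)"$')


def parse_ref(ref):
    """'CommandLineEventConsumer.Name="Updater"' -> ('CommandLineEventConsumer', 'Updater')."""
    m = OBJECT_REF.match(ref)
    if not m:
        raise ValueError(f"unrecognised WMI object reference: {ref!r}")
    return m.group(1), m.group(2)


def correlate_bindings(events):
    """Join each EventID 21 binding to the EventID 19 filter and EventID 20 consumer it names."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    for e in events:
        if e["EventID"] != 21:
            continue
        ctype, cname = parse_ref(e["Consumer"])
        _, fname = parse_ref(e["Filter"])
        yield {"consumer_type": ctype,
               "consumer": consumers.get(cname, {"Name": cname}),
               "filter": filters.get(fname, {"Name": fname}),
               "binding": e}


def assess(pair):
    """Reasons this filter/consumer pair looks like persistence (empty list = nothing seen)."""
    reasons = []
    dest = pair["consumer"].get("Destination", "")
    query = pair["filter"].get("Query", "")
    if pair["consumer_type"] in EXECUTING_CONSUMERS:
        reasons.append(f"{pair['consumer_type']} runs code when the filter fires")
    if SCRIPT_HOST.search(dest):
        reasons.append("consumer launches a script host")
    if ENCODED_OR_DOWNLOAD.search(dest):
        reasons.append("consumer command is encoded or downloads content")
    if TIMER_TRIGGER.search(query):
        reasons.append("filter fires on a timer/uptime trigger")
    return reasons


def find_persistence(events):
    """Return one finding per suspicious binding, with the reasons it was flagged."""
    findings = []
    for pair in correlate_bindings(events):
        reasons = assess(pair)
        if reasons:
            findings.append({"filter": pair["filter"]["Name"],
                             "consumer": pair["consumer"]["Name"],
                             "user": pair["binding"].get("User", ""),
                             "reasons": reasons})
    return findings


# Constructed sample: a stock Windows binding plus a typical malicious one.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Filter", "Namespace": "root\\subscription",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "NT Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 19, "Operation": "Created", "User": "CONTOSO\\jdoe",
     "Name": "Updater", "Namespace": "root\\subscription",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Operation": "Created", "User": "CONTOSO\\jdoe",
     "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 21, "Operation": "Created", "User": "CONTOSO\\jdoe",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
]
```

On the sample, find_persistence flags only the Updater binding, for four reasons: it uses CommandLineEventConsumer, it launches powershell.exe, the command is base64-encoded, and the filter fires on an uptime trigger. The stock SCM Event Log binding is left alone. Running the rule in Audit first and comparing what it reports against an inventory like this one is a sensible way to confirm that nothing legitimate (monitoring agents sometimes use WMI subscriptions) gets blocked once you switch to Block.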

Update for Microsoft Tunnel

We've released a new version of the Microsoft Tunnel Gateway, which includes the following changes:

  • Various bug fixes and enhancements.

The Tunnel Gateway server will automatically update to the new release.

Health status details for Microsoft Tunnel Gateway servers

We've added the ability to see detailed health status information for Tunnel Gateway servers within the Microsoft Intune admin center.

On the new Health check tab, you see the following information:

  • Last check-in - When the server last checked in with Intune.
  • Number of current connections - The number of active connections at last check-in.
  • Throughput - The megabits per second that traverse the server's NIC at last check-in.
  • CPU usage - The average CPU use.
  • Memory usage - The average memory use.
  • Latency - The average time for IP packets to traverse the NIC.
  • TLS certificate expiration status and days before expiration - How long the TLS certificate that secures client-to-server communication for the tunnel remains valid.

Public preview of Tunnel client functionality in Microsoft Defender for Endpoint app for Android

As announced at Ignite, Microsoft Tunnel client functionality is migrating into the Microsoft Defender for Endpoint app. With this preview, you can start to use a preview version of Microsoft Defender for Endpoint as the Tunnel app for supported devices. The existing Tunnel client remains available, but will eventually be phased out in favor of the Defender for Endpoint app.

This public preview applies to:

  • Android Enterprise
    • Fully managed
    • Corporate-owned work profile
    • Personally owned work profile

For this preview, you must opt in to gain access to the preview version of Microsoft Defender for Endpoint, and then migrate supported devices from the standalone Tunnel client app to the preview app. For details, see Migrate to the Microsoft Defender for Endpoint app.

Intune apps

Microsoft Launcher configuration keys

For Android Enterprise fully managed devices, the Microsoft Launcher for Intune app now provides more customization. In Launcher, you can configure the set of displayed apps and weblinks, and the order of these apps and weblinks. The displayed app list and position (order) of app configurations have been merged together to simplify home screen customization. For more information, see Configure Microsoft Launcher.

Microsoft Edge for macOS devices will be a universal app

When you deploy the Microsoft Edge app for macOS devices from Microsoft Intune, it now deploys the new universal version of the app that runs natively on Apple Silicon Macs. The same deployment installs the x64 version of the app on Intel Macs. To add Microsoft Edge for macOS, in the Microsoft Intune admin center go to Apps > All apps > Add, and select macOS in the App type list under Microsoft Edge, version 77 and later. For more information, see Add Microsoft Edge to macOS devices using Microsoft Intune.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • FleetSafer by Cogosense Technology Inc.
  • Senses by Mazrica Inc.
  • Fuze Mobile for Intune by Fuze, Inc.
  • MultiLine for Intune by Movius Interactive Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Improved notification experience in the iOS/iPadOS Company Portal app

The Company Portal app can now store, and display, push notifications sent to your users' iOS/iPadOS devices from the Microsoft Intune admin center. Users who have opted in to receive Company Portal push notifications can view and manage the customized stored messages that you send to their devices in the Notifications tab of the Company Portal. For more information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Company Portal website improved load performance

To improve page load performance, app icons will now load in batches. End users might see a placeholder icon for some of their applications when visiting the Company Portal website. The related icons will load shortly after. For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app and Manage apps from the Company Portal website.

Monitor and troubleshoot

Endpoint analytics in Microsoft Adoption Score

There's a new Endpoint Analytics page in Microsoft Adoption Score that shares organizational level insights with the other roles outside of Microsoft Intune. Understanding how your devices contribute to your end-users' experience is critical to enabling users to reach their goals. For more information, see Endpoint analytics in Microsoft Adoption Score.

Endpoint analytics Application Reliability report

A new Application Reliability report is available in Endpoint analytics. This report provides insight into potential issues for desktop applications on managed PCs. You can quickly identify the top applications that are affecting end user productivity, and see aggregate app usage and app failure metrics for these applications. You can troubleshoot by drilling into a specific device and viewing a timeline of app reliability events. This report is expected to be available in public preview during March 2021. For more information, see Endpoint analytics application reliability.

Restart frequency (preview) in Endpoint analytics

Endpoint analytics startup performance currently provides IT with insights to measure and optimize PC boot times. However, restart frequency can be as impactful to the user experience since a device that reboots daily because of blue screens will have a poor user experience even if the boot times are fast. We have now included a preview report on restart frequencies within your organization to help you identify problematic devices. For more information, see Restart frequency (preview) in endpoint analytics.

Role-based access control

Role-based access permissions update for Microsoft Tunnel Gateway

To help control who has rights to manage the Microsoft Tunnel, we've added Microsoft Tunnel Gateway as a new permissions group to Intune role-based access control. This new group includes the following permissions:

  • Create - Configure Microsoft Tunnel Gateway servers, server configurations, and sites.
  • Update (modify) - Update Microsoft Tunnel Gateway servers, server configurations, and sites.
  • Delete - Delete Microsoft Tunnel Gateway servers, server configurations, and sites.
  • Read - View Microsoft Tunnel Gateway servers, server configurations, and sites.

By default, Intune Administrators and Microsoft Entra administrators have these permissions. You can also add these permissions to custom roles you create for your Intune tenant.

Scope tag support for customization policies for Intune for Government and 21Vianet

You can now assign scope tags to Customization policies for Intune for Government and Intune operated by 21Vianet. To do so, go to Microsoft Intune admin center > Tenant administration > Customization where you see Scope tags configuration options.

Scripting

Export localized Intune report data using Graph APIs

You can now specify that the report data that you export using the Microsoft Intune reporting export API can contain localized columns only, or localized and non-localized columns. The localized and non-localized columns option is selected by default for most reports, which will prevent breaking changes. For related information about reports, see Export Intune reports using Graph APIs and Intune reports and properties available using Graph API.

February 2021

App management

End users can restart an app install from the Windows Company Portal

Using the Windows Company Portal, end users can restart an app installation if the progress seems to have stalled or is frozen. This functionality is allowed if the app installation progress has not changed in two hours. For more information, see Add apps to Microsoft Intune.

Configure whether a required iOS/iPadOS app is removable

You can now configure whether a required iOS/iPadOS app is installed as a removable app by end users. This new setting applies to iOS store, LOB and built-in apps. You can find this setting in the Microsoft Intune admin center by selecting Apps > iOS/iPadOS > Add. When setting the app assignments, you can select Install as removable. The default value is Yes, which means the app is removable. Existing required installs on iOS 14 have been updated to the default (removable) setting value. For more information about iOS/iPadOS apps, see Microsoft Intune app management.

Line-of-business apps supported on Shared iPad devices

You can now deploy line-of-business (LOB) apps to Shared iPad devices. The line-of-business app must be assigned as required to a device group containing Shared iPad devices from the Microsoft Intune admin center. In the Microsoft Intune admin center, select Apps > All apps > Add. For more information, see Add an iOS/iPadOS line-of-business app to Microsoft Intune.

Microsoft Endpoint Configuration Manager connector

The connector for Microsoft Configuration Manager now displays in the admin center. To review the connector, go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager. Select a Configuration Manager hierarchy running version 2006 or later to display more information.

Device configuration

Google's compliance screens are automatically shown on Android Enterprise 9.0+ dedicated devices running in kiosk mode

In Intune, you can create a device configuration password policy and a device compliance password policy on Android Enterprise devices.

When you create the policies, Android Enterprise dedicated devices running in kiosk mode automatically use Google's compliance screens. These screens guide and force users to set a password that meets your policy rules.

For more information on creating password and kiosk policies, see:

Applies to:

  • Android Enterprise 9 and newer in kiosk mode

New version of the PFX Certificate Connector

We've released a new version of the PFX Certificate Connector, version 6.2101.13.0. This new connector version adds improvements for logging to the PFX Connector:

  • New location for Event Logs, with logs broken down into Admin, Operational & Debug
  • Admin & Operational logs default to 50 MB - with auto archiving enabled.
  • EventIDs for PKCS Import, PKCS Create and Revocation.

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

New version of the PFX Certificate Connector

We've released a new version of the PFX Certificate Connector, version 6.2009.2.0. This new connector version:

  • Improves upgrade of the Connector to persist accounts that run Connector Services.

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Use device configuration to create folders and set the grid size on the Managed Home Screen

On Android Enterprise dedicated devices, you can configure the Managed Home Screen settings (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device restrictions for profile > Device experience).

When using the Managed Home Screen in multi-app kiosk mode, there's a Custom app layout setting. With this setting, you can:

  • Create folders, add apps to these folders, and put the folder on the Managed Home Screen. You don't have to order the folders.

  • Choose whether or not to order apps and folders on the Managed Home Screen. If you order, you can also:

    • Set the grid size.
    • Add apps and folders to different places on the grid.

Previously, you had to use an app configuration policy.

For more information, see Android Enterprise dedicated devices device experience settings.

Applies to:

  • Android Enterprise dedicated devices

Use the settings catalog to configure Microsoft Edge browser on macOS devices

Currently on macOS devices, you configure the Microsoft Edge browser using a .plist preference file (Devices > Configuration > Create > macOS for platform > Preference file for profile).

There's an updated UI to configure the Microsoft Edge browser: Devices > Configuration > Create > macOS for platform > Settings catalog for profile. Select the Microsoft Edge settings you want, and then configure them. In your profile, you can also add settings, or remove existing settings.

To see a list of the settings you can configure, go to Microsoft Edge - Policies. Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the preference file only.

For more information, see:

To see the policies you have configured, open Microsoft Edge, and go to edge://policy.

Applies to:

  • Microsoft Edge browser version 77 and newer on macOS

Use NetMotion Mobility as a VPN connection type for Android Enterprise devices

When you create a VPN profile, NetMotion Mobility is available as a VPN connection type for Android Enterprise:

  • Devices > Configuration > Create > Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile > VPN for profile > NetMotion Mobility for connection type
  • Devices > Configuration > Create > Android Enterprise > Personally Owned Work Profile > VPN for profile > NetMotion Mobility for connection type

For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.

Applies to:

  • Android Enterprise Personally Owned Work Profile
  • Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile

Settings catalog and Templates when creating device configuration profiles for macOS and Windows client devices

There are UI updates when creating device configuration profiles for macOS and Windows 10/11 devices (Devices > Configuration > Create > macOS or Windows 10 and later for platform).

The profile shows Settings catalog and Templates:

  • Settings catalog: Use this option to start from scratch and select settings you want from the library of available settings. For macOS, the settings catalog includes settings to configure the Microsoft Edge version 77 and newer. Settings catalog for Windows client includes many existing settings, and new settings, all in one place.
  • Templates: Use this option to configure all the existing profiles, such as device restrictions, device features, VPN, Wi-Fi, and more.

This change is only a UI change, and doesn't affect existing profiles.

For more information, see Settings catalog.

Applies to:

  • macOS
  • Windows 11
  • Windows 10

Home screen layout updates on supervised iOS/iPadOS devices

On iOS/iPadOS devices, you can configure the Home Screen layout (Devices > Configuration > Create > iOS/iPadOS for platform > Device features for profile > Home screen layout). In Intune, the Home Screen Layout feature is updated:

  • The home screen layout has a new design. This feature allows admins to see in real time how the apps and app icons look on pages, the dock, and within folders. When adding apps in this new designer, you can't add separate pages. But, when you add nine or more apps to a folder, then those apps automatically go on the next page. Existing policies are not affected, and don't need to be changed. The setting values are transferred to the new UI without any negative effects. The setting behavior on devices is the same.
  • Add a web link (web app) to a page, or to the dock. Be sure you add a specific URL of the web link only once. Existing policies are not affected, and don't need to be changed.

For more information on the settings you can configure, including the home screen layout, see iOS/iPadOS device settings to use common iOS/iPadOS features in Intune.

Applies to:

  • iOS/iPadOS supervised devices

Limit Apple's personalized advertising on iOS/iPadOS devices

On iOS/iPadOS devices, you can configure Apple's personalized advertising. When enabled, personalized ads are limited in the App Store, Apple News, and Stocks apps (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile > General > Limit Apple personalized advertising).

This setting only affects personalized ads. Configuring this setting sets Settings > Privacy > Apple Advertising to off. It doesn't affect non-personalized ads in the App Store, Apple News, and Stocks apps. For more information on Apple's advertising policy, see Apple Advertising & Privacy (opens Apple's web site).

To see the current settings you can configure in Intune, go to iOS and iPadOS device settings to allow or restrict features.

Applies to:

  • iOS/iPadOS 14.0 and newer, devices enrolled with device enrollment or automated device enrollment

Administrative templates includes new policies for Microsoft Edge version 88

You can configure and deploy new ADMX settings that apply to Microsoft Edge version 88. To see the new policies, go to Microsoft Edge release notes.

For more information on this feature in Intune, see Configure Microsoft Edge policy settings.

Applies to:

  • Windows 11
  • Windows 10

Locale support in email notifications for non-compliance

Compliance policies now support Notification message templates that include separate messages for different locales. Support for multiple languages no longer requires you to create separate templates and policies for each locale.

When you configure locale-specific messages in a template, noncompliant end users receive the appropriate localized email notification message based on their Microsoft 365 preferred language. You also designate one localized message in the template as the default message. The default message is sent to users that haven't set a preferred language or when the template doesn't include a specific message for their locale.

Device enrollment

Hide more screens for the Apple Automated Device Enrollment Setup Assistant

You can now set Automated Device Enrollment (ADE) profiles to hide these Setup Assistant Screens for iOS/iPadOS 14.0+ and macOS 11+ devices:

  • Restore Completed, for iOS/iPadOS 14.0+.
  • Software Update Completed, for iOS/iPadOS 14.0+.
  • Accessibility, for macOS 11+ (the Mac must be connected to Ethernet).

Device management

Migrate device security policies from Basic Mobility and Security to Intune

The policy migration tool lets you permanently move Mobile Device Management (MDM) device security policies deployed by Basic Mobility and Security (formerly MDM for Office 365 or Office MDM) to standard Intune MDM configuration profiles and compliance policies. Using this tool will disable all future policy creation and edits in Basic Mobility and Security device security policies.

To use the tool, you must:

  • Already have purchased (but not yet assigned) Intune licenses for all the users of devices managed by Basic Mobility and Security.
  • Contact support to check eligibility if you have purchased an Intune for Education subscription.

For more information, see Migrate your mobile device management from Basic Mobility and Security to Intune.

Subnet ID and IP addresses on Properties page for corporate-owned Windows devices

Subnet ID and IP addresses are now displayed on the Properties page for corporate-owned Windows devices. To see them, go to Intune admin center > Devices > All devices > choose a corporate-owned Windows device > Properties.

Device security

Intune support for Microsoft Defender Application Guard now includes isolated Windows environments

When you configure Turn on Application Guard in an Intune App and browser isolation profile in Endpoint security Attack surface reduction policy, you can choose from the following options when you enable Application Guard:

  • Microsoft Edge - Previously available
  • Isolated Windows environments - New with this update
  • Microsoft Edge and isolated Windows environments - New with this update

Before this release, the setting was named Turn on Application Guard for Edge (Options).

The new options for this setting expand Application Guard support beyond just URLs for Edge. You can now enable Application Guard to help protect devices by opening potential threats in a hardware isolated Windows VM environment (container). For example, with support for isolated Windows environments, Application Guard can open untrusted Office documents in an isolated Windows VM.

With this change:

New Application Guard settings in Attack surface reduction policy

We've added two new settings to the App and browser isolation profile of Intune's Endpoint security Attack surface reduction policy:

  • Application Guard allow camera and microphone access – Manage access by Application Guard apps to a device's camera and microphone.
  • Application Guard allow use of Root Certificate Authorities from the user's device – When you specify one or more root certificate thumbprints, the matching certificates are transferred to the Microsoft Defender Application Guard container.

For more information, see the settings for App and browser isolation.

Updates for security baselines

We have new versions available for the following security baselines:

Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations recommended by the respective product teams.

To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.

Endpoint Security Firewall reports

We've added two new reports that are dedicated to Firewall policies in Endpoint Security:

  • Windows 10 MDM devices with firewall off is found in the Endpoint security node and displays the list of Windows 10 devices with the Firewall turned off. This report identifies each device by device name, device ID, user information, and the Firewall status.
  • Windows 10 MDM Firewall status is an organizational report found in the Reports node, which lists the firewall status for your Windows 10 devices. This report displays status information that includes if the firewall is enabled, disabled, limited, or temporarily disabled.

Summary view for Defender Antivirus reports

We've updated the view for the Microsoft Defender Antivirus reports found in the Reports node of the Microsoft Intune admin center. Now, when you select Microsoft Defender Antivirus in the Reports node, you see the default view of the Summary tab, and a second tab for Reports. The Reports tab is where you'll find the previously available Antivirus agent status and Detected malware organizational reports.

The new Summary tab displays the following information:

  • Displays aggregate details for the Antivirus reports.
  • Includes a Refresh option that updates the counts of devices in each antivirus state.
  • Reflects the same data as found in the Antivirus agent status organizational report, which is now accessed from the Reports tab.

App protection policy support on Android and iOS/iPadOS for more Mobile Threat Defense partners

In October of 2019, Intune app protection policy added the capability to use data from our Mobile Threat Defense partners.

With this update, we're expanding this support to the following partner for using an app protection policy to block or selectively wipe a user's corporate data based on the health of the device:

  • McAfee MVision Mobile on Android, iOS and iPadOS

For more information, see Create Mobile Threat Defense app protection policy with Intune.

Increased certificate validity period for SCEP and PKCS profiles

Intune now supports a Certificate validity period of up to 24 months in certificate profiles for Simple Certificate Enrollment Protocol (SCEP) and Public Key Cryptography Standards (PKCS). This change is an increase from the previous support period of up to 12 months.

This support applies to Windows and Android. Certificate validity periods are ignored by iOS/iPadOS and macOS.

Monitor and troubleshoot

New co-management eligibility organizational report

The Co-management eligibility report provides an eligibility evaluation for devices that can be co-managed. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. You can view a summary for this report in the Microsoft Intune admin center by selecting Reports > Cloud attached devices > Reports tab > Co-management eligibility. For related report information, see Intune reports.

New co-managed workloads organizational report

The Co-Managed Workloads report provides a report of devices that are currently co-managed. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. You can view this report in the Microsoft Intune admin center by selecting Reports > Cloud attached devices > Reports tab > Co-Managed Workloads. For more information, see Intune reports.

Log Analytics includes device details log

Intune device detail logs are now available. In Microsoft Intune admin center, select Reports > Log analytics. You can correlate a set of device details to build custom queries and Azure workbooks. For more information, see Azure Monitor integration reports (Specialist).

Role-based access control

Scope tag support for the Enrollment Status Page

You can now assign scope tags to the Enrollment Status Page so only the roles you define can see it. For more information, see Create Enrollment Status Page profile and assign to a group.

Scripts

More Data Warehouse beta properties

More properties are now available using the Intune Data Warehouse beta API. The following properties are exposed via the devices entity in the beta API:

  • SubnetAddressV4Wifi - The subnet address for the IPv4 Wi-Fi connection.
  • IpAddressV4Wifi - The IP address for the IPv4 Wi-Fi connection.

For more information, see Microsoft Intune Data Warehouse API.

January 2021

App management

Application icon update for iOS, macOS, and web Company Portal

We've updated the app icon for the Company Portal for iOS, macOS, and web. This icon is also used by the Company Portal for Windows. End users see the new icon in their device's application launcher and home screen, in Apple's App Store, and in experiences within the Company Portal apps.

Android Enterprise system app support in personally owned work profiles

You can now deploy Android Enterprise system apps to Android Enterprise personally owned work profile devices. System apps are apps that don't appear in the Managed Google Play Store and often come pre-installed on the device. Once a system app is deployed, you will be unable to uninstall, hide, or otherwise remove the system app. For related information about system apps, see Add Android Enterprise system apps to Microsoft Intune.

Deleting Win32 apps in a dependency relationship

Win32 apps added to Intune cannot be removed if they are in a dependency relationship. These apps can only be deleted after the dependency relationship is removed. This requirement is applied to both parent and child apps in a dependency relationship. Also, this requirement ensures that dependencies are enforced properly and that dependency behavior is more predictable. For more information, see Win32 app management in Microsoft Intune.

Scope tag support for customization policies

You can now assign scope tags to Customization policies. To do so, go to Microsoft Intune admin center > Tenant administration > Customization where you see Scope tags configuration options. This feature is now available for Intune for Government or Intune operated by 21Vianet.

Browser access enabled automatically during Android work profile enrollment

During new Android Enterprise personally owned work profile enrollments, browser access is now automatically enabled on the device. With this change, compliant devices can use the browser to access resources that are protected by conditional access without needing to take other actions. Before this change, users had to launch the Company Portal and select Settings > Enable Browser Access > Enable.

This change has no effect on devices that are already enrolled.

Win32 app download progress bar

End users will now see a progress bar in the Windows Company Portal while a Win32 app is being downloaded. This feature will help customers better understand the app installation progress.

Update to Company Portal for Android app icon

We've updated the Company Portal for Android app icon to create a more modern look and feel for device users. To see what the new icon looks like, go to the Intune Company Portal listing on Google Play.

Device configuration

Microsoft Tunnel now supports Red Hat Enterprise Linux 8

You can now use Red Hat Enterprise Linux (RHEL) 8 with the Microsoft Tunnel. To use RHEL 8, you won't need to take any actions. Support has been added to the Docker containers, which update automatically. In addition, this update also suppresses some extraneous logging.

New version of the PFX Certificate Connector

We've released a new version of the PFX Certificate Connector, version 6.2009.1.9. This new connector version:

  • Improves the renewal of the connector certificate.

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Monitor and troubleshoot

Update when exporting Intune reports using the Graph API

When you use the exportJobs Graph API to export Intune reports without selecting any columns for the devices report, you will receive the default column set. To reduce confusion, we have removed columns from the default column set. The removed columns are PhoneNumberE164Format, _ComputedComplianceState, _OS, and OSDescription. These columns are still available for selection if you need them, but only explicitly, and not by default. If you have built automation around the default columns of the device export, and that automation uses any of these columns, you need to refactor your processes to explicitly select these and any other relevant columns. For more information, see Export Intune reports using Graph APIs.
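As an added example that is not part of these release notes, the following PowerShell requests a Devices export with an explicit select list (including the columns removed from the default set above), sets the localization option described under Export localized Intune report data using Graph APIs, waits for the job, downloads the result, and fails fast if the CSV lacks an expected column. It assumes the Microsoft.Graph.Authentication module, an existing Connect-MgGraph session, and the localizationType value names as given in the Graph reporting API reference rather than on this page.

```powershell
# Added example, not from the Intune release notes. Requests a Devices report export
# with an explicit column list so automation never relies on the default column set,
# waits for the job, downloads it, and verifies the CSV header carries those columns.
# Assumes the Microsoft.Graph.Authentication module and an existing Connect-MgGraph
# session (for example: Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All).
$ExportJobsUri = 'https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs'

function Start-IntuneDeviceExport {
    param(
        # The last four columns were dropped from the default set; select them explicitly.
        [string[]]$Columns = @('DeviceId', 'DeviceName', 'PhoneNumberE164Format',
                               '_ComputedComplianceState', '_OS', 'OSDescription'),
        # Assumption: value names as documented for the reporting API's localizationType.
        # 'localizedValuesAsAdditionalColumn' keeps both localized and non-localized
        # columns; 'replaceLocalizableValues' returns localized columns only.
        [ValidateSet('localizedValuesAsAdditionalColumn', 'replaceLocalizableValues')]
        [string]$LocalizationType = 'localizedValuesAsAdditionalColumn'
    )
    $body = @{
        reportName       = 'Devices'
        select           = $Columns
        format           = 'csv'
        localizationType = $LocalizationType
    }
    # Returns the job object; its id is used to poll for completion.
    Invoke-MgGraphRequest -Method POST -Uri $ExportJobsUri -Body $body
}

function Wait-IntuneExportJob {
    param(
        [Parameter(Mandatory)][string]$JobId,
        [int]$TimeoutSeconds = 600
    )
    $uri = "$ExportJobsUri('$JobId')"
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $job = Invoke-MgGraphRequest -Method GET -Uri $uri
        switch ($job.status) {
            'completed' { return $job }
            'failed'    { throw "Export job $JobId failed" }
        }
    } while ((Get-Date) -lt $deadline)
    throw "Export job $JobId did not reach 'completed' within $TimeoutSeconds seconds"
}

function Test-ExportColumns {
    # Guards the breaking change described above: fail fast if an expected column
    # is missing from the exported CSV instead of silently processing partial data.
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string[]]$Required
    )
    $header  = (Get-Content -Path $CsvPath -TotalCount 1) -split ',' |
        ForEach-Object { $_.Trim('"') }
    $missing = @($Required | Where-Object { $_ -notin $header })
    if ($missing.Count -gt 0) {
        throw "Export is missing expected columns: $($missing -join ', ')"
    }
    return $true
}

$columns = 'DeviceId', 'DeviceName', 'PhoneNumberE164Format',
           '_ComputedComplianceState', '_OS', 'OSDescription'
$job = Start-IntuneDeviceExport -Columns $columns
$job = Wait-IntuneExportJob -JobId $job.id

# The completed job's url is a short-lived, pre-authenticated download of a zip
# containing one CSV, so no Graph token is sent with this request.
$zip = Join-Path $env:TEMP "intune-devices-$($job.id).zip"
Invoke-WebRequest -Uri $job.url -OutFile $zip
$dir = Join-Path $env:TEMP "intune-devices-$($job.id)"
Expand-Archive -Path $zip -DestinationPath $dir -Force
$csv = Get-ChildItem -Path $dir -Filter *.csv | Select-Object -First 1

Test-ExportColumns -CsvPath $csv.FullName -Required $columns
Import-Csv -Path $csv.FullName | Select-Object -First 5
```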

December 2020

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Dynamics 365 Remote Assist
  • Box - Cloud Content Management
  • STid Mobile ID
  • FactSet 3.0
  • Notate for Intune
  • Field Service (Dynamics 365)

For more information about protected apps, see Microsoft Intune protected apps.

November 2020

App management

Improvements to work profile messaging in Company Portal for Android

We've updated messaging in Company Portal for Android to better introduce and explain how work profile works. The new messaging appears:

  • After the work profile setup flow: Users see a new informational screen explaining where to find work apps, with links to help documentation.
  • When a user accidentally re-enables the Company Portal app in the personal profile: We redesigned a screen (Your device now has a profile just for work) with clearer explanations and new illustrations to guide users to their work apps, with links to help documentation.
  • On the Help page: In the Frequently Asked Questions section, there's a new link to help documentation about how to set up work profile and find apps.

PowerShell scripts execute before apps, and timeout reduced

There are some updates to PowerShell scripts:

  • Microsoft Intune management extension execution flow is reverted back to processing PowerShell scripts first, and then running Win32 apps.
  • To resolve an Enrollment Status Page (ESP) timeout issue, PowerShell scripts now time out after 30 minutes. Previously, they timed out after 60 minutes.

For more information, see Use PowerShell scripts on Windows 10 devices in Intune.

Device configuration

Power menu, status bar notifications, and more restrictive settings available for Android Enterprise dedicated devices

On Intune enrolled Android Enterprise dedicated devices running single or multi-app kiosk mode, you can:

  • Restrict the power menu, system error warnings, and access to the Settings app.
  • Choose if users can see the home and overview buttons, and notifications.

To configure these settings, create a device restrictions configuration profile: Devices > Configuration > Create > Android Enterprise for platform > Fully managed, dedicated, and Corporate-owned work profile > Device restrictions > General.

For more information on these settings, and the other settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise dedicated devices

New show previews setting for app notifications on iOS/iPadOS devices

On iOS/iPadOS devices, there's a Show Previews setting (Devices > Configuration > Create > iOS/iPadOS for platform > Device features for profile > App Notifications). Use this setting to choose when recent app notification previews are shown on devices.

For more information on app notification settings, and other settings you can configure, see device settings to use common iOS/iPadOS features.

On-demand rules with Microsoft Tunnel for iOS

The Microsoft Tunnel now supports on-demand rules for iOS/iPadOS devices. With on-demand rules, you can specify the use of the VPN when conditions are met for specific FQDNs or IP addresses.

To configure on-demand rules for iOS/iPadOS with Microsoft Tunnel, configure a VPN profile for iOS/iPadOS as part of a device configuration policy. On the profile's Configuration settings page, select Microsoft Tunnel as the Connection type, and you'll then have access to configure On-Demand VPN Rules.

For information about the on-demand VPN rules you can configure, see Automatic VPN settings.

Applies to:

  • iOS/iPadOS

More authentication settings for Wi-Fi profiles on Windows 10 and newer devices

New settings and features for Wi-Fi profiles on devices running Windows 10 and newer (Devices > Configuration > Create > Windows 10 and later for platform > Wi-Fi for profile > Enterprise):

  • Authentication mode: Authenticate the user, device, either, or use guest authentication.

  • Remember credentials at each logon: Force users to enter credentials whenever they connect to the VPN. Or, cache the credentials so users only enter their credentials once.

  • More granular control over authentication behavior, including:

    • Authentication period
    • Authentication retry delay period
    • Start period
    • Maximum EAPOL-Start messages
    • Maximum authentication failures

  • Use separate VLANs for device and user authentication: When using single sign-on, the Wi-Fi profile can use a different virtual LAN based on the user's credentials. Your Wi-Fi server must support this feature.

To see these settings, and all the settings you can configure, go to Add Wi-Fi settings for Windows 10 and later devices in Intune.

Applies to:

  • Windows 10 and newer

Device management

Personally owned work profile terminology

To avoid confusion, the term for the work profile Android Enterprise management scenario will be changed to "personally owned devices with a work profile" or personally owned work profile throughout the Intune documentation and user interface. This change differentiates it from the "corporate-owned work profile" (COPE) management scenario.

Windows Autopilot for HoloLens 2 (preview)

Windows Autopilot for HoloLens 2 devices is now in public preview. Admins no longer have to register their tenants for flighting. For more information on using Autopilot for HoloLens, see Windows Autopilot for HoloLens 2.

Ending support for iOS 11

Intune enrollment and the Company Portal now support iOS versions 12 and later. Older versions aren't supported but will continue to receive policies.

Ending support for macOS 10.12

Since macOS Big Sur has been released, Intune enrollment and the Company Portal now support macOS versions 10.13 and later. Older versions aren't supported.

Device security

New setting for Device Control profile for endpoint security

We've added a new setting, Block write access to removable storage, to the Device control profile for Attack surface reduction policy in endpoint security. When set to Yes, write access to removable storage is blocked.

Improvements to settings in Attack surface reduction rule profiles

We've updated the options for applicable settings in the Attack surface reduction rule profile, which is part of endpoint security's Attack surface reduction policy.

We've brought consistency across settings to existing options, like Disable and Enable, and added a new option, Warn:

  • Warn - On devices that run Windows 10 version 1809 or later, the device user receives a message that they can bypass the setting. For example, on the setting Block Adobe Reader from creating child processes, the option of Warn presents users with the option to bypass that block and allow Adobe Reader to create a child process. On devices that run earlier versions of Windows 10, the rule enforces the behavior without the option to bypass it.

Policy merge support for USB device IDs in Device control profiles for endpoint security Attack surface reduction policy

We've added support for policy merge of USB device IDs to the Device control profile for the endpoint security Attack surface reduction policy. The following settings from device control profiles are evaluated for policy merge:

  • Allow hardware device installation by device identifiers
  • Block hardware device installation by device identifiers
  • Allow hardware device installation by setup classes
  • Block hardware device installation by setup classes
  • Allow hardware device installation by device instance identifiers
  • Block hardware device installation by device instance identifiers

Policy merge applies to the configuration of each setting across the different profiles that apply to a device. It doesn't include evaluation between different settings, even when two settings are closely related.

For a more detailed example of what merges, and of how the allowlists and blocklists for each supported setting get merged and applied on a device, see Policy merge for settings for device control profiles.

Improved Antivirus status operations report for endpoint security

We've added new details to the Antivirus status operations report for Windows Defender Antivirus, which is an endpoint security policy report.

The following new columns of information will be available for each device:

  • Product status – The status of Windows Defender on the device.
  • Tamper protection – Whether tamper protection is enabled or disabled.
  • Virtual machine – Whether the device is a virtual machine or a physical device.

Improved rule merge for Attack surface reduction rules

Attack surface reduction rules now support new behavior for merging settings from different policies to create a superset of policy for each device. Only the settings that aren't in conflict are merged, while settings that are in conflict aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed.

Attack surface reduction rule merge behavior is as follows:

  • Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
  • Settings that don't have conflicts are added to a superset of policy for the device.
  • When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy. Settings that don't conflict are added to the superset policy that applies to a device.
  • Only the configurations for conflicting settings are held back.
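
The merge behavior described in this section, modelled in Python as an added example (this is not Microsoft's code and not how the service is implemented): settings whose configured values agree across profiles go into the per-device superset, settings with disagreeing values are held back and reported, and a second function reproduces the previous behavior for comparison, where one conflict blocked deployment of both profiles. The rule names and profile contents are constructed sample data; the option values are the labels from the release note. A setting left out of a profile stands in for "Not configured", which is an assumption, since the note doesn't say how that option is treated.

```python
"""Model of how attack surface reduction (ASR) rule settings from several
profiles are now merged into one superset per device, and of the previous
all-or-nothing behavior.

Added example, not Microsoft's code. Profiles and rule names are constructed
sample data; values are the option labels from the release note ("Enable",
"Disable", "Warn"). "Not configured" is modelled by omitting the setting from
a profile (an assumption; the note does not say how it is treated).
"""
from collections import defaultdict


def merge_asr_profiles(profiles):
    """Return (superset, conflicts).

    superset  -> {setting: value} for every setting whose configured values agree
    conflicts -> {setting: {profile_name: value}} for settings held back
    """
    values_by_setting = defaultdict(dict)
    for profile_name, settings in profiles.items():
        for setting, value in settings.items():
            values_by_setting[setting][profile_name] = value

    superset, conflicts = {}, {}
    for setting, by_profile in values_by_setting.items():
        distinct = set(by_profile.values())
        if len(distinct) == 1:
            # every profile that configures this setting agrees: deploy it
            superset[setting] = distinct.pop()
        else:
            # conflicting values: only this setting is held back
            conflicts[setting] = dict(by_profile)
    return superset, conflicts


def legacy_merge_asr_profiles(profiles):
    """Previous behavior from the note: a single conflict flagged the profiles
    involved and nothing from them was deployed.

    Returns (superset, flagged_profile_names).
    """
    superset, conflicts = merge_asr_profiles(profiles)
    if conflicts:
        flagged = sorted({name for by_profile in conflicts.values() for name in by_profile})
        return {}, flagged
    return superset, []


# Constructed sample data: two profiles that apply to the same device and
# disagree on one rule only.
SAMPLE_PROFILES = {
    "Baseline": {
        "Block Adobe Reader from creating child processes": "Enable",
        "Block Office applications from creating child processes": "Enable",
    },
    "Developer exceptions": {
        "Block Adobe Reader from creating child processes": "Warn",
        "Block credential stealing from LSASS": "Enable",
    },
}

if __name__ == "__main__":
    superset, conflicts = merge_asr_profiles(SAMPLE_PROFILES)
    print("deployed superset:", superset)
    print("held back:", conflicts)
    print("legacy result:", legacy_merge_asr_profiles(SAMPLE_PROFILES))
```

The `conflicts` dictionary is the part worth surfacing in reporting: with the new behavior, two non-conflicting rules still reach the device, but the Adobe Reader rule is silently absent until the two profiles are reconciled.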

MVISION Mobile – New Mobile Threat Defense partner

You can control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by MVISION Mobile, a Mobile Threat Defense solution from McAfee that integrates with Microsoft Intune.

Monitor and troubleshoot

New Intune operational report to help troubleshoot configuration profile issues

A new Assignment failures operational report is available in public preview to help troubleshoot errors and conflicts for configuration profiles that have been targeted to devices. This report shows a list of configuration profiles for the tenant and the number of devices in a state of error or conflict. Using this information, you can drill down to a profile to see a list of devices and users in a failure state related to the profile. You can drill down even further to view a list of settings and setting details related to the cause of the failure. You can filter, sort, and search across all of the records throughout the report. In the Microsoft Intune admin center, you can find this report by selecting Devices > Monitor > Assignment failures (preview). For more information about reports in Intune, see Intune reports.

Reporting updates for Azure Virtual Desktop VMs

The following settings are marked as Not applicable in the Policy reports:

  • BitLocker settings
  • Device encryption
  • Defender Application Guard settings
  • Defender Tamper Protection
  • Wi-Fi profiles

Noncompliant policies report helps troubleshoot devices in error or that are noncompliant

In preview, the new Noncompliant policies report is an operational report you can use to help troubleshoot errors and conflicts for compliance policies targeting devices. The Noncompliant policies report displays a list of compliance policies that have one or more devices with errors or that are in a state of noncompliance to the policy.

Use this report to:

  • View the device compliance policies with devices in a noncompliant or error state, and then drill in to view the list of devices and users in a failed state.
  • Drill down further to see the list of settings and setting information causing a failure.
  • Filter, sort, and search across all records in the report. We've added paging controls and improved export capability to a csv file.
  • Identify when issues are occurring, and streamline troubleshooting.

For more information on monitoring device compliance, see Monitor Intune Device compliance policies.

October 2020

App management

Apps that require enrollment are hidden when enrollment is set to unavailable

Apps assigned with the Available for enrolled devices and Required intents won't be displayed in the Company Portal for users where the device enrollment setting is set to Unavailable. This change is only applicable when viewing the Company Portal app or website from an unenrolled device, including unenrolled devices with MAM managed applications. The apps will still be visible for users viewing the Company Portal from an enrolled device, regardless of the value of the Device enrollment setting. For more information, see Device enrollment setting options.

Improvements to iOS Company Portal privacy message customization

You now have greater ability to customize the privacy messaging in the iOS Company Portal. In addition to the previous support for being able to customize what your organization can't see, you can customize what your organization can see in the privacy message displayed to end users in the iOS Company Portal. To support this feature, devices will need to be running at least Company Portal version 4.11 to see the customized messaging about what can be seen. This feature will be available in the Microsoft Intune admin center by selecting Tenant administration > Customization. For more information, see the Company Portal Privacy message.

Android app protection policies (MAM) on COPE devices

Newly added Mobile Application Management (MAM) support enables Android app protection policies on Android Enterprise corporate-owned devices with a work profile (COPE). For more information about app protection policies, see App protection policies overview.

Max Company Portal version age for Android devices

You can set an age limit as the maximum number of days for the Company Portal app version for Android devices. This setting ensures that end users are within a certain range of Company Portal app releases (in days). When the setting for the devices isn't met, the selected action for this setting is triggered. Actions include Block access, Wipe data, or Warn. You can find this setting in the Microsoft Intune admin center by selecting Apps > App protection policies > Create policy. The Max Company Portal version age (days) setting will be available in the Device conditions section of the Conditional launch step. For more information, see Android app protection policy settings - Conditional launch.

Mac LOB apps will be supported as managed apps on macOS 11 and higher

Intune supports the Install as managed app property that can be configured for Mac line-of-business (LOB) apps deployed to macOS 11 and higher. When this setting is on, the Mac LOB app will be installed as a managed app on supported devices (macOS 11 and higher). Managed line-of-business apps can be removed using the uninstall assignment type on supported devices (macOS 11 and higher). In addition, removing the MDM profile removes all managed apps from the device. In the Microsoft Intune admin center, select Apps > macOS > Add. For more information about adding apps, see Add apps to Microsoft Intune.

Enable Outlook S/MIME emails to be always signed or encrypted

You can enable Outlook S/MIME emails to be always signed or encrypted when you create an Outlook email profile under app configuration for iOS/iPadOS and Android Enterprise devices. The setting is available when you choose Managed devices when creating an Outlook app configuration policy. You can find this setting in Microsoft Intune admin center by selecting Apps > App configuration policies > Add > Managed devices. For more information, see App configuration policies for Microsoft Intune.

Win32 app support for Workplace join (WPJ) devices

Existing Win32 apps are supported for Workplace join (WPJ) devices. PowerShell scripts, which weren't previously supported on WPJ devices, can now be deployed to WPJ devices. Specifically, device context PowerShell scripts work on WPJ devices, but user context PowerShell scripts are ignored, which is by design. Ignored user context scripts aren't reported to the Microsoft Intune console. For more information about PowerShell, see Use PowerShell scripts on Windows 10 devices in Intune.

Device configuration

Device Firmware Configuration Interface (DFCI) is generally available

DFCI is an open-source Unified Extensible Firmware Interface (UEFI) framework. It allows you to securely manage the UEFI (BIOS) settings of your Windows Autopilot devices using Microsoft Intune. It also limits end-user control over firmware configurations.

Unlike traditional UEFI management, DFCI removes the need for managing third-party solutions. It also provides zero-touch firmware management by using Microsoft Intune for cloud management. DFCI also accesses the existing Windows Autopilot device information for authorization.

For more information on this feature, see Use DFCI profiles on Windows devices in Intune.

Important

DFCI policy reporting in the Intune admin center wasn't working as expected. All policies reported a "Pending" status. This behavior is fixed.

Use the Connect Automatically setting on Android Enterprise basic Wi-Fi profiles

On Android Enterprise devices, you can create basic Wi-Fi profiles that include common Wi-Fi settings, such as the connection name. You can configure the Connect automatically setting that automatically connects to your Wi-Fi network when devices are in range.

To see these settings, go to Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices.

Applies to:

  • Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile

New user experience and new Enable direct download setting on macOS devices using associated domains

When you create an Associated Domain configuration profile on macOS devices, the user experience is updated (Devices > Configuration > Create > macOS for platform > Device features for profile > Associated domains). You still enter your App ID and Domains.

On macOS 11+ supervised devices enrolled with user approved device enrollment or automated device enrollment, you can use the Enable direct download setting. Enabling direct downloads allows domain data to be downloaded directly from the devices, instead of downloading through a content delivery network (CDN).

For more information, see Associated domains on macOS devices.

Applies to:

  • macOS 11+ (supervised)

New lockout password settings on macOS devices

New settings are available when you create a macOS password profile (Devices > Configuration > Create > macOS for platform > Device restrictions for profile > Password):

  • Maximum allowed sign-in attempts: The maximum number of times users can consecutively try to sign in before the device locks them out, from 2-11. Set this value to a higher number. Setting this value to 2 or 3 isn't recommended, as mistakes are common.

    Applies to all enrollment types.

  • Lockout duration: Choose how long the lockout lasts, in minutes. During a device lockout, the sign-in screen is inactive, and users can't sign in. When the lockout duration ends, users can sign in again. To use this setting, configure the Maximum allowed sign-in attempts setting.

    Applies to macOS 10.10 and newer, and all enrollment types.

To see these settings, go to macOS password device restrictions.

Applies to:

  • macOS

Required password type default setting is changing on Android Enterprise devices

On Android Enterprise devices, you can create a device password profile that sets the Required password type (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device restrictions > Device password).

The Required password type setting default is changing from Numeric to Device default.

Existing profiles aren't affected. New profiles will automatically use Device default.

Most devices don't require a password when Device default is selected. If you want to require your users to set up a passcode on their devices, configure the Required password type setting to something more secure than Device default.

To see the settings you can restrict, go to Android Enterprise device settings to allow or restrict features.

Applies to:

  • Android Enterprise

Configure the macOS Microsoft Enterprise SSO plug-in

Important

On macOS, the Microsoft Entra SSO extension is listed in the Intune user interface, but wasn't working as expected. This feature is now working, and is available to use in public preview.

The Microsoft Entra team created a redirect single sign-on (SSO) app extension. This app extension allows macOS 10.15+ users to access Microsoft apps, organization apps, and websites that support Apple's SSO feature. It authenticates using Microsoft Entra ID, with one sign-on.

With the Microsoft Enterprise SSO plug-in release, you can configure the SSO extension with the new Microsoft Entra app extension type in Intune (Devices > Configuration > Create > macOS for platform > Device features for profile > Single sign-on app extension > SSO app extension type > Microsoft Entra ID).

To get SSO with the Microsoft Entra SSO app extension type, users need to install and sign in to the Company Portal app on their macOS devices.

For more information about macOS SSO app extensions, see Single sign-on app extension.

Applies to:

  • macOS 10.15 and newer

Changes for Password settings in Device restriction profiles for Android device administrator

Recently we added Password complexity as a new setting for Device compliance policy and Device restriction for Android device administrator. We've now added more changes to the UI for settings in both policy types to help Intune accommodate the password changes in Android version 10 and later. These changes help ensure settings for passwords continue to apply to devices as expected.

You'll find the following changes to the Intune UI for passwords settings for the two policy types, which won't affect existing profiles:

  • Settings are reorganized into sections that are based on which device versions the setting applies to, like Android 9 and earlier, or Android 10 and later.
  • Updates to labels and example text in the UI.
  • Clarifications for references to PINs as numerical or alphabetical, or alphanumeric.

Applies to:

  • Android device administrator

New version of the PFX Certificate Connector

We've released a new version of the PFX Certificate Connector, version 6.2008.60.612. This new connector version:

  • Fixes an issue with PKCS certificate delivery to Android Enterprise Fully Managed devices. The issue required that the cryptography Key Storage Provider (KSP) be a legacy provider. You can now use a Cryptographic Next Generation (CNG) Key Storage Provider as well.
  • Changes to the CA Account tab of the PFX Certificate Connector: The username and password (credentials) that you specify are now used to issue certificates and to revoke certificates. Previously, these credentials were used only for certificate revocation.

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Device enrollment

Intune support for provisioning Microsoft Entra shared devices

With Intune, you can now provision Android Enterprise dedicated devices with Microsoft Authenticator automatically configured into Microsoft Entra shared device mode. For more information on how to use this enrollment type, see Set up Intune enrollment of Android Enterprise dedicated devices.

New and updated planning, setup, and enrollment deployment guides

The existing planning and migration guides are rewritten and updated with new guidance. There are also new deployment guides that focus on Intune setup and on enrollment for Android, iOS/iPadOS, macOS, and Windows devices.

For more information, go to Microsoft Intune planning guide, Deployment guide: Setup or move to Microsoft Intune, and Deployment guidance: Enroll devices in Microsoft Intune.

Device security

Update for Microsoft Tunnel

We've released a new version of the Microsoft Tunnel Gateway, which includes the following changes:

The Tunnel Gateway server will automatically update to the new release.

App protection policy support on Android and iOS/iPadOS for more partners

In October of 2019, Intune app protection policy added the capability to use data from our Microsoft Threat Defense partners.

With this update, we're expanding this support to the following two partners for using an app protection policy to block or selectively wipe a user's corporate data based on the health of the device:

  • Check Point Sandblast on Android, iOS and iPadOS
  • Symantec Endpoint Security on Android, iOS and iPadOS

For more information, see Create Mobile Threat Defense app protection policy with Intune.

Intune Security tasks include details about misconfigured settings from Microsoft Defender for Endpoint TVM

Microsoft Intune Security tasks now report on and provide remediation details for misconfigurations discovered by Threat Vulnerability Management (TVM). The misconfigurations that are reported to Intune are limited to issues for which remediation guidance can be provided.

TVM is part of Microsoft Defender for Endpoint. Prior to this update, details from TVM only included details and remediation steps for Applications.

When you view Security tasks, you'll find a new column named Remediation Type that identifies the type of issue:

  • Application – Vulnerable applications and remediation steps. This issue type has been available in Security tasks prior to this update.
  • Configuration – A new category of details from TVM that identifies misconfigurations and provides steps to help you remediate them.

For more information on security tasks, see Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint.

Endpoint security Firewall policies for tenant attached devices

As a public preview, you can deploy endpoint security policy for Firewalls to devices you manage with Configuration Manager. This scenario requires you to configure a tenant attach between a supported version of Configuration Manager and your Intune subscription.

Firewall policy for tenant attached devices is supported for devices that run Windows 10 and later, and requires your environment to run Configuration Manager current branch 2006 with the in-console hotfix KB4578605.

For more information, see the requirements for Intune endpoint security policies to support Tenant Attach.

Expanded settings to manage hardware device installation through block and allowlist

In Device control profiles, which are part of endpoint security Attack surface reduction policy, we've revised and expanded our settings for managing hardware device installation. You'll now find settings to define blocklists and separate allowlists using device IDs, setup classes, and instance identifiers. The following six settings are now available:

  • Allow hardware device installation by device identifiers
  • Block hardware device installation by device identifiers
  • Allow hardware device installation by setup class
  • Block hardware device installation by setup class
  • Allow hardware device installation by device instance identifiers
  • Block hardware device installation by device instance identifiers

Each of these settings supports the options of Yes, No, and Not configured. When you configure Yes, you can then define the block or allowlist for that setting. On a device, hardware that is specified in an allowlist can install or update. However, if that same hardware is specified on a blocklist, the block overrides the allowlist and installation or update of the hardware is prevented.
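
The two rules stated on this page for these six settings, policy merge per setting (described under "Policy merge support for USB device IDs" in the November 2020 notes) and block-overrides-allow evaluation on the device (described just above), modelled together in Python as an added example rather than Microsoft's code. Lists are unioned per setting only, so device-identifier lists never mix with setup-class or instance-identifier lists, and a device that appears in any blocklist is blocked regardless of allowlist membership. The profiles, hardware identifiers and setup-class placeholders are constructed sample data. Windows' handling of hardware that matches neither list isn't covered by the page, so `evaluate` reports "no match" for it rather than assuming a default.

```python
"""Model of policy merge for the six hardware device installation settings in
the Device control profile, and of block-overrides-allow evaluation on a device.

Added example, not Microsoft's code. Profiles and identifiers are constructed
sample data; the six setting names are the ones from the release note.
Hardware matching neither list is reported as "no match" because the note
does not state the default behavior for it.
"""

# Identifier kind -> setting name, for the allow and block halves of each pair.
ALLOW_SETTINGS = {
    "device_identifiers": "Allow hardware device installation by device identifiers",
    "setup_classes": "Allow hardware device installation by setup classes",
    "device_instance_identifiers": "Allow hardware device installation by device instance identifiers",
}
BLOCK_SETTINGS = {
    "device_identifiers": "Block hardware device installation by device identifiers",
    "setup_classes": "Block hardware device installation by setup classes",
    "device_instance_identifiers": "Block hardware device installation by device instance identifiers",
}
ALL_SETTINGS = (*ALLOW_SETTINGS.values(), *BLOCK_SETTINGS.values())


def merge_device_control_profiles(profiles):
    """Union each setting's list across every profile that applies to a device.

    Merge is per setting only: an ID on a device-identifier list is never
    compared with, or copied into, a setup-class or instance-identifier list.
    """
    merged = {setting: set() for setting in ALL_SETTINGS}
    for settings in profiles.values():
        for setting, identifiers in settings.items():
            if setting not in merged:
                raise KeyError(f"unknown device control setting: {setting}")
            merged[setting].update(identifiers)
    return merged


def evaluate(merged, hardware):
    """Decide whether a piece of hardware may install or update.

    hardware maps an identifier kind (see ALLOW_SETTINGS keys) to the IDs the
    device presents for that kind. Returns ("blocked", setting),
    ("allowed", setting) or ("no match", None). Blocklists are checked first
    because a block overrides any allowlist entry for the same hardware.
    """
    for kind, setting in BLOCK_SETTINGS.items():
        if merged[setting] & set(hardware.get(kind, ())):
            return "blocked", setting
    for kind, setting in ALLOW_SETTINGS.items():
        if merged[setting] & set(hardware.get(kind, ())):
            return "allowed", setting
    return "no match", None


# Constructed sample data: three profiles assigned to the same device, with one
# hardware ID that is both allowed and blocked.
SAMPLE_PROFILES = {
    "Corporate peripherals": {
        ALLOW_SETTINGS["device_identifiers"]: ["USB\\VID_EXAMPLE&PID_0001"],
        ALLOW_SETTINGS["setup_classes"]: ["{SETUP-CLASS-SAMPLE-1}"],
    },
    "Lab devices": {
        ALLOW_SETTINGS["device_identifiers"]: ["USB\\VID_EXAMPLE&PID_0002"],
    },
    "Storage restrictions": {
        BLOCK_SETTINGS["device_identifiers"]: ["USB\\VID_EXAMPLE&PID_0001"],
        BLOCK_SETTINGS["setup_classes"]: ["{SETUP-CLASS-SAMPLE-2}"],
    },
}

# Constructed sample hardware as a device would present it.
SAMPLE_HARDWARE = {
    "allowed and blocked": {"device_identifiers": ["USB\\VID_EXAMPLE&PID_0001"],
                            "setup_classes": ["{SETUP-CLASS-SAMPLE-1}"]},
    "allowed by class": {"device_identifiers": ["USB\\VID_EXAMPLE&PID_0009"],
                         "setup_classes": ["{SETUP-CLASS-SAMPLE-1}"]},
    "unmatched": {"device_identifiers": ["USB\\VID_EXAMPLE&PID_0009"],
                  "setup_classes": ["{SETUP-CLASS-SAMPLE-3}"]},
}

if __name__ == "__main__":
    merged = merge_device_control_profiles(SAMPLE_PROFILES)
    for label, hardware in SAMPLE_HARDWARE.items():
        print(f"{label}: {evaluate(merged, hardware)}")
```

The first sample shows the interaction the text warns about: the corporate peripheral is on an allowlist in one profile and a blocklist in another, and after the per-setting merge the block wins, even though the allow came from a different profile.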

Improvements to endpoint security Firewall rules

We've made several changes to improve the experience of configuring firewall rules in the Microsoft Defender Firewall rules profile for endpoint security Firewall policy.

Improvements include:

  • Improved layout in the UI, including section headers to organize the view.
  • Increasing the character limit for the description field.
  • Validation of IP address entries.
  • Sorting of IP address lists.
  • Option to select all addresses when you clear entries from an IP address list.

Use Microsoft Defender for Endpoint in compliance policies for iOS

As a public preview, you can now use Intune device compliance policy to onboard iOS devices to Microsoft Defender for Endpoint.

After you onboard your enrolled iOS/iPadOS devices, your compliance policies for iOS can use the threat level signals from Microsoft Defender. These signals are the same signals that you can use for Android and Windows 10 devices.

The Defender for iOS app should move from public preview to general availability by the end of the year.

Security Experience profiles for Endpoint Security Antivirus policy now have tri-state options

We've added a third state of configuration for settings in the Windows Security experience profile for Endpoint security Antivirus policies. This update applies to the Windows Security experience for Windows 10 and later.

For example, where a setting previously offered Not configured and Yes, if supported by the platform, you now can select No.

Updated version of the Edge security baseline

We've added a new security baseline for Edge to Intune: September 2020 (Edge version 85 and later).

Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations recommended by the respective product teams.

To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.

New Microsoft Tunnel version

We've released a new version of the Microsoft Tunnel Gateway. The following changes are included in the new version:

  • Microsoft Tunnel now logs operational and monitoring details to Linux server logs in the syslog format. You can view the Microsoft Tunnel system logs when you run the journalctl -t command line on the tunnel server.
  • Various bug fixes.

Monitor and troubleshoot

New Windows 10 feature update failures report

The Feature update failures operational report provides failure details for devices that are targeted with a Windows 10 feature updates policy and have attempted an update. In the Microsoft Intune admin center, select Devices > Monitor > Feature update failures to view this report. For more information, see Feature update failures report.

Updates to Antivirus reports

Both the Antivirus agent status report and the Detected malware report have been updated. These reports now show data visualizations and provide more columns of information (SignatureUpdateOverdue, MalwareID, displayName, and InitialDetectionDateTime). In addition, remote actions are included in the Antivirus agent status report. For more information, see the Antivirus agent status report and the Detected malware report.

Updated Help and Support for Microsoft Intune

The Help and Support experience uses machine learning to display solutions, diagnostics, and insights that will help you resolve your issues. We've updated the help and support page in the Microsoft Intune admin center with a new, easier to navigate, consistent user experience. The new experience has now been rolled out in all blades in the console and will help us get you more relevant help.

You'll now find an updated and consolidated support experience for the following cloud-based offerings from within the admin center:

  • Intune
  • Configuration Manager
  • Co-management
  • Microsoft Managed Desktop

Scripts

View PowerShell scripts in the Intune Troubleshooting pane

You can now view your assigned PowerShell scripts in the Troubleshooting pane. PowerShell scripts provide Windows 10 client communication with Intune to run enterprise management tasks, such as advanced device configuration and troubleshooting. For more information, see Use PowerShell scripts on Windows 10 devices in Intune.

Collect custom device or user properties using shell scripts on managed Macs

You can create a custom attribute profile that enables you to collect custom properties from a managed macOS device using shell scripts. You can find this feature in the Microsoft Intune admin center by selecting Devices > macOS > Custom attributes. For more information, see Use shell scripts on macOS devices in Intune.

September 2020

App management

Improved work profile messaging in Company Portal for Android

The Company Portal screen previously titled "You're Halfway There!" has been updated to better explain how work profile management works. Users see this screen if they re-enable Company Portal in the personal profile after they've already gone through work profile enrollment. They might also see this screen during work profile enrollment on some Android OS versions, as shown in the help doc, Enroll with Android work profile.

Unified delivery of Microsoft Entra Enterprise and Office Online applications in the Windows Company Portal

In the 2006 release, we announced Unified delivery of Microsoft Entra Enterprise and Office Online applications in the Company Portal website. The Windows Company Portal supports this feature. On the Customization pane of Intune, select to Hide or Show both Microsoft Entra Enterprise applications and Office Online applications in the Windows Company Portal. Each end user sees their entire application catalog from the chosen Microsoft service. By default, each app source will be set to Hide. In the Microsoft Intune admin center, select Tenant administration > Customization to find this configuration setting. For more information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Windows Company Portal app descriptions with rich text

Using markdown, you can now display app descriptions using rich text in the Windows Company Portal. For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

App protection policies allow administrators to configure incoming Org data locations

You can now control which trusted data sources are allowed to open into organization documents. Similar to the existing Save copies of org data app protection policy option, you can define which incoming data locations are trusted. This functionality relates to the following app protection policy settings:

  • Save copies of org data
  • Open data into org documents
  • Allow users to open data from selected services

In the Microsoft Intune admin center, select Apps > App protection policies > Create policy. To use this functionality, Intune policy-managed applications must implement support for this control. For more information, see iOS app protection policy settings and Android app protection policy settings.

Device configuration

COPE preview update: New settings to create requirements for the work profile password for Android Enterprise corporate-owned devices with a work profile

New settings now give admins the ability to set requirements for the work profile password for Android Enterprise corporate-owned devices with a work profile:

  • Required password type
  • Minimum password length
  • Number of days until password expires
  • Number of passwords required before user can reuse a password
  • Number of sign-in failures before wiping device

For more information, see Android Enterprise device settings to allow or restrict features using Intune.

COPE preview update: New settings to configure the personal profile for Android Enterprise corporate-owned devices with a work profile

For Android Enterprise corporate-owned devices with a work profile, there are new settings you can configure that only apply to the personal profile (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work profile > Device restrictions for profile > Personal profile):

  • Camera: Use this setting to block access to the camera during personal usage.
  • Screen capture: Use this setting to block screen captures during personal usage.
  • Allow users to enable app installation from unknown sources in the personal profile: Use this setting to allow users to install apps from unknown sources in the personal profile.

Applies to:

  • Android Enterprise corporate-owned devices with a work profile (corporate-owned, personally enabled devices).

To see all the settings you can configure, go to Android Enterprise device settings to allow or restrict features.

Analyze your on-premises GPOs using Group Policy analytics

In Devices > Group Policy analytics, you can import your group policy objects (GPOs) in the Intune admin center. When you import, Intune automatically analyzes the GPO, and shows the policies that have equivalent settings in Intune. It also shows GPOs that are deprecated, or aren't supported anymore. For deeper information, go to Reports > Group policy analytics > Migration readiness report.

For more information on this feature, see Group Policy analytics.

Applies to:

  • Windows 10 and newer

Block App Clips on iOS/iPadOS, and Defer non-OS software updates on macOS devices

When you create a Device Restrictions profile on iOS/iPadOS and macOS devices, there are some new settings:

iOS/iPadOS 14.0+ Block App Clips

  • Applies to iOS/iPadOS 14.0 and newer.
  • Devices must be enrolled with device enrollment or automated device enrollment (supervised devices).
  • The Block App Clips setting blocks App Clips on managed devices (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile > General). When blocked, users can't add any App Clips, and existing App Clips are removed.

macOS 11+ Defer software updates

  • Applies to macOS 11 and newer. On supervised macOS devices, the device must be enrolled with user-approved device enrollment or through automated device enrollment.
  • The existing Defer software updates setting can now delay OS and non-OS updates (Devices > Configuration > Create > macOS for platform > Device restrictions for profile > General). The existing Delay visibility of software updates setting applies to OS and non-OS updates. Deferring non-OS software updates doesn't affect scheduled updates.
  • The behavior of existing policies isn't changed, affected, or deleted. Existing policies will automatically migrate to the new setting with your same configuration.

To see the device restrictions settings you can configure, see iOS/iPadOS and macOS.

New settings using per-app VPN or on-demand VPN on iOS/iPadOS and macOS devices

You can configure automatic VPN profiles in Devices > Configuration > Create > iOS/iPadOS or macOS for platform > VPN for profile > Automatic VPN. There are new per-app VPN settings you can configure:

  • Prevent users from disabling automatic VPN: When creating an automatic Per-app VPN or On-demand VPN connection, you can force users to keep the automatic VPN enabled and running.
  • Associated domains: When creating an automatic Per-app VPN connection, you can add associated domains in the VPN profile that automatically start the VPN connection. For more information on associated domains, see Associated domains.
  • Excluded domains: When creating an automatic Per-app VPN connection, you can add domains that can bypass the VPN connection when per-app VPN is connected.

To see these settings, and other settings you can configure, go to iOS/iPadOS VPN settings and macOS VPN settings.

For more information, see Set up per-app Virtual Private Network (VPN) for iOS/iPadOS devices.

Applies to:

  • iOS/iPadOS 14 and newer
  • macOS Big Sur (macOS 11)

Set maximum transmission unit for IKEv2 VPN connections on iOS/iPadOS devices

Starting with iOS/iPadOS 14 and newer devices, you can configure a custom maximum transmission unit (MTU) when using IKEv2 VPN connections (Devices > Configuration > Create > iOS/iPadOS for platform > VPN for profile > IKEv2 for connection type).

For more information on this setting, and the others you can configure, see IKEv2 settings.

Applies to:

  • iOS/iPadOS 14 and newer

Per-account VPN connection for email profiles on iOS/iPadOS devices

Starting with iOS/iPadOS 14, email traffic for the native Mail app can be routed through a VPN based on the account the user is using. In Intune, you can configure the VPN profile for per-account VPN setting (Devices > Configuration > Create > iOS/iPadOS for platform > Email for profile > Exchange ActiveSync email settings).

This feature lets you select a per-app VPN profile to use for an account-based VPN connection. The per-app VPN connection automatically turns on when users use their organization account in the Mail app.

To see this setting and the others you can configure, go to Add e-mail settings for iOS and iPadOS devices.

Applies to:

  • iOS/iPadOS 14 and newer

Disable MAC address randomization on Wi-Fi networks on iOS/iPadOS devices

Starting with iOS/iPadOS 14, by default, devices present a randomized MAC address instead of the physical MAC address when connecting to a network. This behavior is recommended for privacy, as it's harder to track a device by its MAC address. This feature also breaks functionality that relies on a static MAC address, including network access control (NAC).

You can disable MAC address randomization on a per-network basis in Wi-Fi profiles (Devices > Configuration > Create > iOS/iPadOS for platform > Wi-Fi for profile > Basic or Enterprise for Wi-Fi type).

To see this setting, and the others you can configure, go to Add Wi-Fi settings for iOS and iPadOS devices.

Applies to:

  • iOS/iPadOS 14 and newer

New settings for Device control profiles

We've added a pair of settings to the Device control profile for the Attack surface reduction policy for devices that run Windows 10 or later:

  • Removable storage
  • USB connections (HoloLens only)

Attack surface reduction policy is part of Endpoint security in Intune.

Device enrollment

Enrollment Status Page shows critical kiosk policies

You'll now be able to see the following policies tracked on the Enrollment Status Page:

  • Assigned access
  • Kiosk browser settings
  • Edge browser settings

All other kiosk policies aren't currently tracked.

Device management

Support for PowerPrecision and PowerPrecision+ Batteries for Zebra devices

On a device's hardware details page, you can now see the following information about Zebra devices using PowerPrecision and PowerPrecision+ batteries:

  • State-of-Health rating as determined by Zebra (PowerPrecision+ batteries only)
  • Number of full charge cycles consumed
  • Date of last check-in for battery last found in the device
  • Serial number of the battery pack last found in the device

COPE preview update: Reset work profile password for Android Enterprise corporate-owned devices with a work profile

You can now reset the work profile password on Android Enterprise corporate-owned devices with a work profile. For more information, see Reset a passcode.

Rename a co-managed device that is Microsoft Entra joined

You can now rename a co-managed device that is Microsoft Entra joined. For more information, see Rename a device in Intune.

Tenant attach: Device timeline in the admin center

When Configuration Manager synchronizes a device to Microsoft Intune through tenant attach, you can see a timeline of events. This timeline shows past activity on the device that can help you troubleshoot problems. For more information, see Tenant attach: Device timeline in the admin center.

Tenant attach: Resource explorer in the admin center

From the Microsoft Intune admin center, you can view hardware inventory for uploaded Configuration Manager devices by using resource explorer. For more information, see Tenant attach: Resource explorer in the admin center.

Tenant attach: CMPivot from the admin center

Bring the power of CMPivot to the Microsoft Intune admin center. Allow other personas, like Helpdesk, to initiate real-time queries from the cloud against an individual ConfigMgr managed device and return the results back to the admin center. This feature gives the traditional benefits of CMPivot. It allows IT Admins and other designated personas the ability to quickly assess the state of devices in their environment and take action.

For more information about CMPivot from the admin center, see CMPivot prerequisites, CMPivot overview, and CMPivot sample scripts.

Tenant attach: Run scripts from the admin center

Bring the power of the Configuration Manager on-premises Run scripts feature to the Microsoft Intune admin center. Allow other personas, like Helpdesk, to run PowerShell scripts from the cloud against an individual Configuration Manager managed device in real time. This feature gives all the traditional benefits of PowerShell scripts that are already defined and approved by the Configuration Manager admin to this new environment. For more information, see Tenant attach: Run Scripts from the admin center.

Tamper Protection policy for Tenant Attached devices in preview

In preview, we've added a new profile to Intune endpoint security Antivirus policy that you can use to manage Tamper Protection on tenant attached devices: Windows Security experience (preview).

The new profile is found under the Windows 10 and Windows Server (ConfigMgr) platform when you create a new Antivirus policy.

Before you can use Intune endpoint security policies with tenant attached devices, you need to configure Configuration Manager tenant attach, and synchronize devices with Intune.

Also be aware of the specific prerequisites that are required to use and support tamper protection with Intune policy.

Device security

Microsoft Tunnel Gateway VPN solution in preview

You can now deploy Microsoft Tunnel Gateway to provide remote access to on-premises resources on iOS and Android Enterprise (Fully managed, Corporate-Owned Work Profile, Work profile) devices.

Microsoft Tunnel supports per-app and full device VPN, split tunneling, and conditional access capabilities using modern authentication. Tunnel can support multiple gateway servers for high availability for production readiness.

Biometric authentication support for Android devices

New Android devices are making use of a more diverse set of biometrics beyond fingerprints. When OEMs implement support for non-fingerprint biometrics, end users have the potential to use this capability for secure access and a better experience. With the 2009 release of Intune, you can allow your end users to use fingerprint or Face Unlock, depending on what the Android device supports. You can configure whether all biometric types beyond fingerprint can be used to authenticate. For more information, see App protection experience for Android devices.

New details in the Endpoint security configuration for a device

You can now view more details for devices as part of a device's Endpoint security configuration. When you drill in to view status details about policies you've deployed to devices, you'll now find the following setting:

  • UPN (User Principal Name): The UPN identifies which endpoint security profile is assigned to a given user on the device. This information is useful to help differentiate between multiple users on a device and multiple entries of a profile or baseline that's assigned to the device.

For more information, see Resolve conflicts for security baselines.

Expanded RBAC permissions for the Endpoint Security role

The Endpoint Security Manager role for Intune has more role-based access control (RBAC) permissions for remote tasks.

This role grants access to the Microsoft Intune admin center. It can be used by individuals who manage security and compliance features, including security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.

New permissions for remote tasks include:

  • Reboot now
  • Remote lock
  • Rotate BitLockerKeys (Preview)
  • Rotate FileVault key
  • Sync devices
  • Microsoft Defender
  • Initiate Configuration Manager action

To view the full set of permissions for any Intune RBAC role, go to Tenant admin > Intune roles > select a role > Permissions.

Updates for Security Baselines

We have new versions available for the following security baselines:

Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations recommended by the respective product teams.

To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.

Use Endpoint security configuration details to identify the source of policy conflicts for devices

To aid in conflict resolution, now you can drill in through a security baseline profile to view the Endpoint security configuration for a selected device. Then, you can select settings that show a Conflict or Error. Continue to drill in further to view a list of details that includes the profiles and policies that are part of the conflict.

If you then select a policy that is a source of a conflict, Intune opens that policy's Overview pane, where you can review or modify the policy's configuration.

The following policy types can be identified as a source of conflict when you drill in through a security baseline:

  • Device configuration policy
  • Endpoint security policies

For more information, see Resolve conflicts for security baselines.

Support for certificates with a key size of 4096 on iOS and macOS devices

When you configure a SCEP certificate profile for iOS/iPadOS or macOS devices, you can now specify a Key size (bits) of 4096 bits.

Intune supports 4096-bit keys for the following platforms:

  • iOS 14 and later
  • macOS 11 and later

To configure SCEP certificate profiles, see Create a SCEP certificate profile.

Android 11 deprecates deployment of trusted root certificates to device administrator enrolled devices

Beginning with Android 11, trusted certificate profiles can no longer install the trusted root certificate on devices that enroll as Android device administrator. This limitation doesn't affect Samsung Knox devices. For non-Samsung devices, users must manually install the trusted root certificate on the device.

After the trusted root certificate is manually installed on a device, you can use SCEP to provision certificates to the device. You must still create and deploy a trusted certificate policy to the device, and link that policy to the SCEP certificate profile.

  • If the trusted root certificate is on the device, the SCEP certificate profile can install successfully.
  • If the trusted certificate can't be found on the device, the SCEP certificate profile will fail.

For more information, see Trusted certificate profiles for Android device administrator.

Tri-state options for more settings in Endpoint Security Firewall policy

We've added a third state of configuration to a few more settings in Endpoint security Firewall policies for Windows 10.

The following settings are updated:

  • Stateful File Transfer Protocol (FTP) now supports Not configured, Allow, and Disabled.
  • Require keying modules to only ignore the authentication suites they don't support now supports Not configured, Enabled, and Disabled.

Improved certificate deployment for Android Enterprise

We've improved our support for using S/MIME certificates for Outlook for encryption and signing on Android Enterprise devices that enroll as Fully Managed, Dedicated, and Corporate-Owned Work Profiles. Previously, use of S/MIME required the device user to allow access. Now, the S/MIME certificates can be used without user interaction.

To deploy S/MIME certificates to supported Android devices, use a PKCS imported certificate profile or SCEP certificate profile for Device configuration. Create a profile for Android Enterprise and then select PKCS imported certificate from the category for Fully Managed, Dedicated, and Corporate-Owned Work Profile.

Improved status details in security baseline reports

We've begun improving many of the status details for Security baseline. You'll now see more meaningful and detailed status when viewing information about the baseline Versions you've deployed.

Specifically, when you select a baseline, select Version, and then select an instance of that baseline, the initial Overview displays the following information:

  • Security baseline posture chart - This chart now displays the following status details:
    • Matches default baseline – This status replaces Matches baseline and identifies when a device's configuration matches the default (unmodified) baseline configuration.
    • Matches custom settings – This status identifies when a device's configuration matches the baseline that you've configured (customized) and deployed.
    • Misconfigured – This status is a rollup that represents three status conditions from a device: Error, Pending, or Conflict. These separate states are available from other views, as detailed below.
    • Not applicable - This status represents a device that can't receive the policy. For example, the policy updates a setting specific to the latest version of Windows, but the device runs an older (earlier) version that doesn't support that setting.
  • Security baseline posture by category - This view is a list view that displays device status by category. The available columns mirror much of the Security baseline posture chart, but in place of Misconfigured, you see three columns for the status that make up Misconfigured:
    • Error: The policy failed to apply. The message typically displays with an error code that links to an explanation.
    • Conflict: Two settings are applied to the same device, and Intune can't sort out the conflict. An administrator should review.
    • Pending: The device hasn't checked in with Intune to receive the policy yet.

New setting for Password complexity for Android 10 and later for device administrator enrolled devices

To support new options for Android 10 and later on devices enrolled as Android device administrator, we've added a new setting called Password complexity to both Device compliance policy and Device restriction policy. You use this new setting to manage a measure of the password strength that factors in the password type, length, and quality.

Password Complexity doesn't apply to Samsung Knox devices. On these devices, password length and type settings override Password complexity.

Password complexity supports the following options:

  • None - No password
  • Low - The password satisfies one of the following:
    • Pattern
    • PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
  • Medium - The password satisfies one of the following:
    • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
    • Alphabetic, length at least 4
    • Alphanumeric, length at least 4
  • High - The Password satisfies one of the following:
    • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
    • Alphabetic, length at least 6
    • Alphanumeric, length at least 6

This new setting remains a work in progress. In late October 2020, Password complexity will take effect on devices.

If you set Password complexity to something other than None, then you must also configure another setting. The other setting ensures that end users who use a password that doesn't meet your complexity requirements receive a warning to update their password.

  • Device compliance: Set Require a password to unlock mobile devices to Require.
  • Device restriction: Set Password to Require.

If you don't set the other setting to Require, users with weak passwords won't receive the warning.
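As an added illustration (not Intune's or Android's own code), the following Python classifier sorts a credential into the four Password complexity buckets listed above and applies the caveat that the update warning only fires when the companion Require setting is also on. Two points are assumptions rather than rules stated on the page: a PIN counts as "repeating or ordered" when it contains a run of more than three digits with a constant step (which covers 4444, 1234, 4321 and 2468), and any credential that is set but meets no higher bucket falls back to Low.

```python
"""Classify Android credentials into the Password complexity buckets
(None / Low / Medium / High) described above.

Added illustration, not Intune or Android code. The digit-sequence
heuristic and the Low fallback are assumptions, labelled inline.
"""
from enum import IntEnum

# ASSUMPTION: a digit run longer than this with a constant step counts as a
# "repeating or ordered" sequence (covers 4444, 1234, 4321, 2468).
MAX_ALLOWED_SEQUENCE = 3


class Complexity(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def longest_sequence_run(pin: str) -> int:
    """Length of the longest run of digits with a constant step.

    Step 0 is a repeating run (4444); any other constant step is an
    ordered run (1234 has step 1, 4321 step -1, 2468 step 2).
    """
    best = run = min(len(pin), 1)
    step = None
    for prev, cur in zip(pin, pin[1:]):
        diff = int(cur) - int(prev)
        if diff == step:
            run += 1
        else:
            step, run = diff, 2
        best = max(best, run)
    return best


def credential_kind(secret: str) -> str:
    """pin (digits only), alphabetic (letters, no digits), alphanumeric
    (at least one letter and one digit) or other (no letters or digits)."""
    has_alpha = any(c.isalpha() for c in secret)
    has_digit = any(c.isdigit() for c in secret)
    if secret.isdigit():
        return "pin"
    if has_alpha and has_digit:
        return "alphanumeric"
    if has_alpha:
        return "alphabetic"
    return "other"


def classify(secret: str, is_pattern: bool = False) -> Complexity:
    """Return the highest bucket the credential satisfies."""
    if is_pattern:
        return Complexity.LOW          # a pattern never rises above Low
    if not secret:
        return Complexity.NONE         # no credential set
    kind = credential_kind(secret)
    if kind == "pin":
        if longest_sequence_run(secret) > MAX_ALLOWED_SEQUENCE:
            return Complexity.LOW      # repeating or ordered PIN stays Low
        high_len, medium_len = 8, 4    # PIN: >= 8 is High, >= 4 is Medium
    elif kind in ("alphabetic", "alphanumeric"):
        high_len, medium_len = 6, 4    # letters: >= 6 is High, >= 4 is Medium
    else:
        return Complexity.LOW          # ASSUMPTION: symbols-only meets no higher bucket
    if len(secret) >= high_len:
        return Complexity.HIGH
    if len(secret) >= medium_len:
        return Complexity.MEDIUM
    return Complexity.LOW              # ASSUMPTION: set but weaker than Medium is Low


def needs_update_warning(secret: str, required: Complexity,
                         password_required: bool, is_pattern: bool = False) -> bool:
    """Would the user be warned to update their password?

    Mirrors the caveat above: complexity is only enforced when the companion
    setting (Require a password to unlock / Password = Require) is also set.
    """
    if required == Complexity.NONE or not password_required:
        return False
    return classify(secret, is_pattern) < required


if __name__ == "__main__":
    # Constructed sample credentials, not real user data.
    for s in ["4444", "2468", "1379", "13794620", "abc", "abcdef", "ab12cd"]:
        warn = needs_update_warning(s, Complexity.HIGH, password_required=True)
        print(f"{s:>10}: {classify(s).name:<6} warn={warn}")
```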

Monitor and troubleshoot

Endpoint analytics is generally available

Endpoint analytics aims to improve user productivity and reduce IT support costs by providing insights into the user experience. These insights enable IT to optimize the end-user experience with proactive support and to detect regressions to the user experience by assessing user impact of configuration changes. For more information, see Endpoint analytics.

Bulk actions for devices listed in operational report

As part of the new antivirus reports coming out under Microsoft Intune security, the Windows 10 detected malware operational report provides bulk actions that are applicable to the devices selected within the report. Actions include Restart, Quick scan, and Full scan. For more information, see Windows 10 detected malware report.

Export Intune reports using Graph APIs

All reports that have been migrated to the Intune reporting infrastructure will be available for export from a single top-level export API. For more information, see Export Intune reports using Graph APIs.

New and improved Microsoft Defender Antivirus reporting for Windows 10 and newer

We're adding four new reports for Microsoft Defender Antivirus on Windows 10 in Microsoft Intune. These reports include:

  • Two operational reports, Windows 10 unhealthy endpoints and Windows 10 detected malware. In Microsoft Intune admin center, select Endpoint security > Antivirus.
  • Two organizational reports, Antivirus agent status and Detected malware. In Microsoft Intune admin center, select Reports > Microsoft Defender Antivirus.

For more information, see Intune reports and Manage endpoint security in Microsoft Intune.

New Windows 10 feature update report

The Windows 10 feature update report provides an overall view of compliance for devices that are targeted with a Windows 10 feature updates policy. In the Microsoft Intune admin center, select Reports > Windows updates to view the summary for this report. To see reports for specific policies, from the Windows updates workload, select the Reports tab and open the Windows Feature Update Report. For more information, see Windows 10 feature updates.

August 2020

App management

Associated licenses revoked before deletion of Apple VPP token

When you delete an Apple VPP token in Microsoft Intune, all Intune-assigned licenses associated with that token are automatically revoked before the deletion.

Improvement to Update device settings page in Company Portal app for Android to show descriptions

In the Company Portal app on Android devices, the Update device settings page lists the settings that need to be updated to be compliant. Users expand the issue to see more information and the Resolve button.

This user experience is improved. The listed settings are expanded by default to show the description, and show the Resolve button, when applicable. Previously, the issues were collapsed by default. This new default behavior reduces the number of clicks, so users can resolve issues more quickly.

The Company Portal adds Configuration Manager application support

The Company Portal now supports Configuration Manager applications. This feature allows end users to see both Configuration Manager and Intune deployed applications in the Company Portal for co-managed customers. This new version of the Company Portal will display Configuration Manager deployed apps for all co-managed customers. This support will help administrators consolidate their different end-user portal experiences. For more information, see Use the Company Portal app on co-managed devices.

Device configuration

Use NetMotion as a VPN connection type for iOS/iPadOS and macOS devices

When you create a VPN profile, NetMotion is available as a VPN connection type (Devices > Configuration > Create > iOS/iPadOS or macOS for platform > VPN for profile > NetMotion for connection type).

For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.

Applies to:

  • iOS/iPadOS
  • macOS

More Protected Extensible Authentication Protocol (PEAP) options for Windows 10 Wi-Fi profiles

On Windows 10 devices, you can create Wi-Fi profiles using the Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections (Devices > Configuration > Create > Windows 10 and later for platform > Wi-Fi for profile > Enterprise).

When you select Protected EAP (PEAP), there are new settings available:

  • Perform server validation in PEAP phase 1: In PEAP negotiation phase 1, the server is verified by certificate validation.
    • Disable user prompts for server validation in PEAP phase 1: In PEAP negotiation phase 1, user prompts asking to authorize new PEAP servers for trusted certification authorities aren't shown.
  • Require cryptographic binding: Prevents connections to PEAP servers that don't use cryptobinding during the PEAP negotiation.

To see the settings you can configure, go to Add Wi-Fi settings for Windows 10 and later devices.

Applies to:

  • Windows 10 and newer

Prevent users from unlocking Android Enterprise work profile devices using face and iris scanning

You can now prevent users from using face or iris scanning to unlock their work profile-managed devices, either at the device level or the work profile level. This feature can be set in Devices > Configuration > Create > Android Enterprise for platform > Work profile > Device restrictions for profile > Work profile settings and Password sections.

For more information, see Android Enterprise device settings to allow or restrict features on personally owned devices using Intune.

Applies to:

  • Android Enterprise work profile

Use SSO app extensions on more iOS/iPadOS apps with the Microsoft Enterprise SSO plug-in

The Microsoft Enterprise SSO plug-in for Apple devices can be used with all apps that support SSO app extensions. In Intune, this feature means the plug-in works with mobile iOS/iPadOS apps that don't use the Microsoft Authentication Library (MSAL) for Apple devices. The apps don't need to use MSAL, but they do need to authenticate with Microsoft Entra endpoints.

To configure your iOS/iPadOS apps to use SSO with the plug-in, add the app bundle identifiers in an iOS/iPadOS configuration profile (Devices > Configuration > Create > iOS/iPadOS for platform > Device features for profile > Single sign-on app extension > Microsoft Entra ID for SSO app extension type > App bundle IDs).

To see the current SSO app extension settings you can configure, go to Single sign-on app extension.

Applies to:

  • iOS/iPadOS

New version of the PFX Certificate Connector and changes for PKCS certificate profile support

We've released a new version of the PFX Certificate Connector, version 6.2008.60.607. This new connector version:

  • Supports PKCS certificate profiles on all supported platforms except Windows 8.1

    We've consolidated all of the PKCS support in the PFX Certificate Connector. So if you don't use SCEP in your environment, and don't use NDES for other intents, then you can remove the Microsoft Certificate Connector and uninstall NDES from your environment.

  • Because the Microsoft Certificate Connector hasn't had functionality removed, you can continue to use it to support PKCS certificate profiles.

  • Supports certificate revocation for Outlook S/MIME

  • Requires .NET Framework 4.7.2

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Device management

Tenant attach: Install an application from the admin center

You can now initiate an application install in real time for a tenant attached device from the Microsoft Intune admin center. For more information, see Tenant attach: Install an application from the admin center.

Device security

Deploy endpoint security Antivirus policy to tenant attached devices (preview)

As a preview, you can deploy endpoint security policy for Antivirus to devices you manage with Configuration Manager. This scenario requires you to configure a tenant attach between a supported version of Configuration Manager and your Intune subscription. The following versions of Configuration Manager are supported:

  • Configuration Manager current branch 2006

For more information, see the requirements for Intune endpoint security policies to support Tenant Attach.

Changes for Endpoint security Antivirus policy exclusions

We've introduced two changes for managing the Microsoft Defender Antivirus exclusion lists you configure as part of an Endpoint Security Antivirus policy. The changes help you to prevent conflicts between different policies and resolve exclusion list conflicts that might exist in your previously deployed policies.

Both of the changes apply to policy settings for the following Microsoft Defender Antivirus Configuration Service Providers (CSPs):

  • Defender/ExcludedPaths
  • Defender/ExcludedExtensions
  • Defender/ExcludedProcesses

The changes are:

  • New profile type: Microsoft Defender Antivirus exclusions - Use this new profile type for Windows 10 and later to define a policy that is focused only on Antivirus exclusions. This profile helps simplify management of your exclusion lists by separating them from other policy configurations.

    The exclusions you can configure include Defender processes, file extensions, and files and folders that you don't want Microsoft Defender to scan.

  • Policy merge – Intune now merges the lists of exclusions you've defined in separate profiles into a single list of exclusions to apply to each device or user. For example, if you target a user with three separate policies, the exclusion lists from those three policies merge into a single superset of Microsoft Defender Antivirus exclusions that then applies to that user.

Import and export lists of address ranges for Windows Firewall rules

We've added support to Import or Export a list of address ranges using .csv files to the Microsoft Defender Firewall rules profile in the Firewall policy for Endpoint security. The following Windows Firewall rule settings now support import and export:

  • Local address ranges
  • Remote address ranges

We've also improved validation of both local and remote address range entry to help prevent duplicate or invalid entries.

For more information about these settings, see the settings for Microsoft Defender Firewall rules.
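When the address-range list comes from a .csv produced elsewhere, it helps to run the same kind of duplicate and validity checks before the import rather than discovering rejected rows in the console. The added example below (not Intune's or the Firewall CSP's own code) does that. It assumes a single column named `Address` with one entry per row, which may not match the exact import layout, and it accepts the token forms I understand the Windows Firewall CSP to allow for address ranges: `*`, keywords such as `LocalSubnet`, a single IPv4 or IPv6 address, a CIDR subnet, or a `start-end` range; treat that grammar as an assumption and check it against the settings documentation for the tenant's firewall profile.

```python
"""Pre-import validator for a .csv of Windows Firewall rule address ranges.

Added example, not Intune's code. Assumptions: one column named 'Address' with
one entry per row, and a token grammar of '*', keywords, single IPv4/IPv6
addresses, CIDR subnets and 'start-end' ranges."""
import csv
import io
import ipaddress

# Keyword tokens accepted alongside literal addresses (assumed set; compared
# case-insensitively).
KEYWORDS = {"*", "defaultgateway", "dhcp", "dns", "wins", "localsubnet",
            "intranet", "rmtintranet", "internet", "ply2renders"}


def normalize_entry(entry: str) -> str:
    """Return a canonical form for one entry, or raise ValueError if it is invalid.
    Canonical forms let '10.0.0.0/8' and '10.0.0.0/8 ' (or 'LocalSubnet' and
    'localsubnet') be recognized as the same entry."""
    e = entry.strip()
    if not e:
        raise ValueError("empty entry")
    if e.lower() in KEYWORDS:
        return e.lower()
    if "-" in e:                                   # start-end range
        lo_s, hi_s = e.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if lo > hi:
            raise ValueError("range start is after range end")
        return f"{lo}-{hi}"
    if "/" in e:                                   # CIDR subnet; strict rejects host bits
        return str(ipaddress.ip_network(e, strict=True))
    return str(ipaddress.ip_address(e))            # single address


def validate_address_csv(text: str) -> dict:
    """Parse the CSV, canonicalize each entry, and report invalid and duplicate rows.
    Row numbers count data rows from 1, excluding the header."""
    accepted, errors, seen = [], [], set()
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        raw = row.get("Address") or ""
        try:
            canon = normalize_entry(raw)
        except ValueError as exc:
            errors.append((row_no, raw, f"invalid: {exc}"))
            continue
        if canon in seen:
            errors.append((row_no, raw, f"duplicate of {canon}"))
            continue
        seen.add(canon)
        accepted.append(canon)
    return {"accepted": accepted, "errors": errors}


# Constructed sample file: contains a duplicate, a bad octet and a reversed range.
SAMPLE_CSV = """Address
10.0.0.0/8
10.0.0.0/8
10.0.0.1-10.0.0.50
LocalSubnet
192.168.1.256
2001:db8::/32
10.0.0.9-10.0.0.1
192.168.1.0/24
"""

if __name__ == "__main__":
    result = validate_address_csv(SAMPLE_CSV)
    print("accepted:", result["accepted"])
    for row_no, raw, reason in result["errors"]:
        print(f"row {row_no}: {raw!r} -> {reason}")
```

On the constructed sample the validator accepts five canonical entries and reports rows 2 (duplicate subnet), 5 (octet out of range) and 7 (range start after end). Using `strict=True` for subnets is a deliberate choice: a subnet written with host bits set is usually a typo, and silently masking it would change which addresses the rule covers.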

Set device compliance state from third-party MDM providers

Intune now supports third-party MDM solutions as a source of device compliance details. This third-party compliance data can be used to enforce Conditional Access policies for Microsoft 365 apps on iOS and Android through integration with Microsoft Intune. Intune evaluates the compliance details from the third-party provider to determine if a device is trusted, and then sets the conditional access attributes in Microsoft Entra ID. You'll continue to create your Microsoft Entra Conditional Access policies from within the Microsoft Intune admin center or the Microsoft Entra admin center.

The following third-party MDM providers are supported with this release, as a public preview:

  • VMware Workspace ONE UEM (previously known as AirWatch)

This update is rolling out to customers globally. You should see this capability within the next week.

Intune apps

Custom brand image now displayed in the Windows Company Portal profile page

As a Microsoft Intune administrator, you can upload a custom brand image to Intune. This image is displayed as a background image on the user's profile page in the Windows Company Portal app. For more information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

July 2020

App management

Update to device icons in Company Portal and Intune apps on Android

We have updated the device icons in the Company Portal and Intune apps on Android devices to create a more modern look and feel and to align with the Microsoft Fluent Design System. For more information, see Update to icons in Company Portal app for iOS/iPadOS and macOS.

Exchange On-Premises Connector support

Intune is removing support for the Exchange On-Premises Connector feature from the Intune service beginning in the 2007 (July) release. Existing customers with an active connector can continue with the current functionality at this time. New customers and existing customers that don't have an active connector will no longer be able to create new connectors or manage Exchange ActiveSync (EAS) devices from Intune. For those customers, Microsoft recommends the use of Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook Mobile for Exchange on-premises.

S/MIME for Outlook on iOS and Android devices without enrollment

You can now enable S/MIME for Outlook on iOS and Android devices using an app configuration policy for managed apps. This feature allows for policy delivery regardless of device enrollment state. In Microsoft Intune admin center, select Apps > App configuration policies > Add > Managed apps. Also, you can choose whether or not to allow users to change this setting in Outlook. However, to automatically deploy S/MIME certificates to Outlook for iOS and Android, the device must be enrolled. For general information about S/MIME, see S/MIME overview to sign and encrypt email in Intune. For more information about Outlook configuration settings, see Microsoft Outlook configuration settings and Add app configuration policies for managed apps without device enrollment. For Outlook for iOS and Android S/MIME information, see S/MIME scenarios and Configuration keys - S/MIME settings.

Device configuration

New VPN settings for Windows 10 and newer devices

When you create a VPN profile using the IKEv2 connection type, there are new settings you can configure (Devices > Configuration > Create > Windows 10 and later for platform > VPN for profile > Base VPN):

  • Device Tunnel: Allows devices to automatically connect to VPN without requiring any user interaction, including user sign-in. This feature requires you to enable Always On, and use Machine certificates as the authentication method.
  • Cryptography suite settings: Configure the algorithms used to secure IKE and child security associations, which allow you to match client and server settings.

To see the settings you can configure, go to Windows device settings to add VPN connections using Intune.

Applies to:

  • Windows 10 and newer

Configure more Microsoft Launcher settings in a device restrictions profile on Android Enterprise devices (COBO)

On Android Enterprise Fully Managed devices, you can configure more Microsoft Launcher settings using a device restrictions profile (Devices > Configuration > Create > Android Enterprise for platform > Device Owner only > Device restrictions > Device experience > Fully managed).

To see these settings, go to Android Enterprise device settings to allow or restrict features.

You can also configure the Microsoft Launcher settings using an app configuration profile.

Applies to:

  • Android Enterprise device owner fully managed devices (COBO)

New features for Managed Home Screen on Android Enterprise device owner dedicated devices (COSU)

On Android Enterprise devices, administrators can use device configuration profiles to customize the Managed Home Screen on dedicated devices using multi-app kiosk mode (Devices > Configuration > Create > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile > Device experience > Dedicated device > Multi-app).

Specifically, you can:

  • Customize icons, change the screen orientation, and show app notifications on badge icons
  • Hide the Managed Settings shortcut
  • Easier access to the debug menu
  • Create an allowed list of Wi-Fi networks
  • Easier access to the device information

For more information, see Android Enterprise device settings to allow or restrict features and this blog.

Applies to:

  • Android Enterprise device owner, dedicated devices (COSU)

Administrative templates updated for Microsoft Edge 84

The ADMX settings available for Microsoft Edge have been updated. End users can now configure and deploy new ADMX settings added in Edge 84. For more information, see the Edge 84 release notes.

Device enrollment

iOS Company Portal will support Apple's Automated Device Enrollment without user affinity

The iOS Company Portal is now supported on devices enrolled using Apple's Automated Device Enrollment without requiring an assigned user. An end user can sign in to the iOS Company Portal to establish themselves as the primary user on an iOS/iPadOS device enrolled without device affinity. For more information about Automated Device Enrollment, see Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrollment.

Corporate-owned, personally enabled devices (preview)

Intune now supports Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and later. Corporate-owned devices with a work profile are one of the corporate management scenarios in the Android Enterprise solution set. This scenario is for single user devices intended for corporate and personal use. This corporate-owned, personally enabled (COPE) scenario offers:

  • work and personal profile containerization
  • device-level control for admins
  • a guarantee for end users that their personal data and applications will remain private

The first public preview release will include a subset of the features that will be included in the generally available release. More features will be added on a rolling basis. The features that will be available in the first preview include:

  • Enrollment: Admins can create multiple enrollment profiles with unique tokens that don't expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
  • Device configuration: A subset of the existing fully managed and dedicated device settings.
  • Device compliance: The compliance policies that are currently available for fully managed devices.
  • Device Actions: Delete device (factory reset), reboot device, and lock device.
  • App management: App assignments, app configuration, and the associated reporting capabilities
  • Conditional Access

For more information about corporate-owned with work profile preview, see the support blog.

Device management

Tenant attach: ConfigMgr client details in the admin center (preview)

You can now see ConfigMgr client details including collections, boundary group membership, and real-time client information for a specific device in the Microsoft Intune admin center. For more information, see Tenant attach: ConfigMgr client details in the admin center (preview).

Updates to the remote lock action for macOS devices

Changes to the remote lock action for macOS devices include:

  • The recovery pin is displayed for 30 days before deletion (instead of seven days).
  • If an admin has a second browser open and tries to trigger the command again from a different tab or browser, Intune lets the command go through. But the reporting status is set to failed rather than generating a new pin.
  • The admin isn't allowed to issue another remote lock command if the previous command is still pending or if the device hasn't checked back in. These changes are designed to prevent the correct pin from being overwritten after multiple remote lock commands.

Device actions report differentiates between wipe and protected wipe

The Device actions report now differentiates between the wipe and protected wipe actions. To see the report, go to Microsoft Intune admin center > Devices > Monitor > Device Actions (under Other).

Device security

Microsoft Defender Firewall rule migration tool preview

As a public preview, we're working on a PowerShell-based tool that will migrate Microsoft Defender Firewall rules. When you install and run the tool, it automatically creates endpoint security firewall rule policies for Intune. The rules are based on the current configuration of a Windows 10 client. For more information, see Endpoint security firewall rule migration tool overview.

Endpoint detection and response policy for onboarding Tenant Attached devices to Microsoft Defender for Endpoint is Generally Available

As part of endpoint security in Intune, the Endpoint detection and response (EDR) policies for use with devices managed by Configuration Manager are Generally Available.

To use EDR policy with devices from a supported version of Configuration Manager, configure Tenant attach for Configuration Manager. After you complete the tenant attach configuration, you can deploy EDR policies to onboard devices managed by Configuration Manager to Microsoft Defender for Endpoint.

Bluetooth settings are available in Device Control profiles for Endpoint security Attack surface reduction policy

We've added settings to manage Bluetooth on Windows 10 devices to the Device control profile for Endpoint security Attack surface reduction policy. These settings are the same settings that have been available in Device restriction profiles for Device configuration.

Manage source locations for definition updates with endpoint security antivirus policy for Windows 10 devices

There are new settings in the Updates category of endpoint security antivirus policy for Windows 10 devices. These settings can help you manage how devices get definition updates:

  • Define file shares for downloading definition updates
  • Define the order of sources for downloading definition updates

With the new settings, you can add UNC file shares as download source locations for definition updates, and define the order in which different source locations are contacted.

Improved security baselines node

We've made some changes to improve the usability of the security baseline node in the Microsoft Intune admin center. Now when you drill in to Endpoint security > Security baselines and then select a security baseline type like the MDM Security Baseline, you're presented with the Profiles pane. On the Profiles pane, you view the profiles you've created for that Baseline type. Previously the console presented an Overview pane, which included an aggregate data roll up that didn't always match the details found in the reports for individual profiles.

As before, from the Profiles pane you can select a profile to drill in and view that profile's properties and the various reports available under Monitor. Similarly, at the same level as Profiles you can still select Versions to view the various versions of that profile type that you've deployed. When you drill in to a version, you also gain access to reports, similar to the profile reports.

Derived credentials support for Windows

You can now use derived credentials with your Windows devices. This feature expands existing support for iOS/iPadOS and Android, and will be available for the same derived credential providers:

  • Entrust
  • Intercede
  • DISA Purebred

Support for Windows includes use of a derived credential to authenticate to Wi-Fi or VPN profiles. For Windows devices, the derived credential is issued from the client app that's provided by the derived credential provider that you use.

Manage FileVault encryption for devices that were encrypted by the device user and not by Intune

Intune can now assume management of FileVault disk encryption on a macOS device that was encrypted by the device user, and not by Intune policy. This scenario requires:

  • The device to receive disk encryption policy from Intune that enables FileVault.
  • The device user to use the Company Portal website to upload their personal recovery key for the encrypted device to Intune. To upload the key, they select the Store recovery key option for their encrypted macOS device.

After the user uploads their recovery key, Intune rotates the key to confirm the key is valid. Intune can now manage the key and encryption as if it used policy to encrypt the device directly. Should a user need to recover their device, they can access the recovery key using any device from the following locations:

  • Company Portal website
  • Company Portal app for iOS/iPadOS
  • Company Portal app for Android
  • Intune app

Hide the personal recovery key from a device user during macOS FileVault disk encryption

When you use endpoint security policy to configure macOS FileVault disk encryption, use the Hide recovery key setting to prevent display of the personal recovery key to the device user, while the device is being encrypted. By hiding the key during encryption, you can help keep it secure as users won't be able to write it down while waiting for the device to encrypt.

Later, if recovery is needed, a user can use any device to view their personal recovery key through the options:

  • Intune Company Portal website
  • The iOS/iPadOS Company Portal app
  • The Android Company Portal app
  • The Intune app

Improved view of security baseline details for devices

Now you can drill in to the details for a device to view the settings details for security baselines that apply to the device. The settings appear in a simple, flat list, which includes the setting category, setting name, and status. For more information, see View Endpoint security configurations per device.

Monitor and troubleshoot

Device compliance logs now in English

The Intune DeviceComplianceOrg logs previously only had enumerations for ComplianceState, OwnerType, and DeviceHealthThreatLevel. Now, these logs have English information in the columns.

Power BI compliance report template V2.0

Power BI template apps enable Power BI partners to build Power BI apps with little or no coding, and deploy them to any Power BI customer. Admins can update the version of the Power BI compliance report template from V1.0 to V2.0. V2.0 includes an improved design, and changes to the calculations and data that are surfaced as part of the template. For more information, see Connect to the Data Warehouse with Power BI and Update a template app. Also, see the blog post Announcing a New Version of the Power BI Compliance Report with Intune Data Warehouse.

Role-based access control

Assign profile and Update profile permission changes

Role-based access control permissions have changed for Assign profile and Update profile for the Automated Device Enrollment flow:

Assign profile: Admins with this permission can also assign the profiles to tokens and assign a default profile to a token for Automated Device Enrollment.

Update profile: Admins with this permission can update existing profiles only for Automated Device Enrollment.

To see these roles, go to Microsoft Intune admin center > Tenant administration > Roles > All roles > Create > Permissions > Roles.

Scripting

Data Warehouse v1.0 properties

More properties are available using the Intune Data Warehouse v1.0. The following properties are now exposed via the devices entity:

  • ethernetMacAddress - The unique network identifier of this device.
  • office365Version - The version of Microsoft 365 that is installed on the device.

The following properties are now exposed via the devicePropertyHistories entity:

  • physicalMemoryInBytes - The physical memory in bytes.
  • totalStorageSpaceInBytes - Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API.

June 2020

App management

Telecommunications data transfer protection for managed apps

When a hyperlinked phone number is detected in a protected app, Intune checks whether an assigned app protection policy allows the number to be transferred to a dialer app. You can choose how to handle this type of content transfer when it's initiated from a policy managed app. When creating an app protection policy in Microsoft Intune, select a managed app option from Send org data to other apps, then select an option from Transfer telecommunications data to. For more information about this data protection setting, see Android app protection policy settings in Microsoft Intune and iOS app protection policy settings.

Unified delivery of Microsoft Entra Enterprise and Office Online applications in the Windows Company Portal

On the Customization pane of Intune, you can select to Hide or Show both Microsoft Entra Enterprise applications and Office Online applications in the Company Portal. Each end-user sees their entire application catalog from the chosen Microsoft service. By default, each app source will be set to Hide. This feature will first take effect in the Company Portal website, with support in the Windows Company Portal expected to follow. In the Microsoft Intune admin center, select Tenant administration > Customization to find this configuration setting. For more information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Improvements to the Company Portal for macOS enrollment experience

The Company Portal for macOS enrollment experience has a simpler enrollment process that aligns more closely with the Company Portal for iOS enrollment experience. Device users will see:

  • A sleeker user interface.
  • An improved enrollment checklist.
  • Clearer instructions about how to enroll their devices.
  • Improved troubleshooting options.

For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Improvements to Devices page of iOS/iPadOS and macOS Company Portals

We've made changes to the Company Portal Devices page to improve the app experience for iOS/iPadOS and Mac users. In addition to creating a more modern look and feel, we reorganized the device details under a single column with defined section headers so that it's easier for users to see their device status. We also added clearer messaging and troubleshooting steps for users whose devices fall out of compliance. For more information about Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app. To manually sync a device, see Sync your iOS device manually.

Cloud setting for iOS/iPadOS Company Portal app

A new Cloud setting for the iOS/iPadOS Company Portal allows users to redirect their authentication towards the appropriate cloud for your organization. By default, the setting is configured to Automatic, which directs authentication towards the cloud automatically detected by the user's device. If authentication for your organization must be redirected towards a cloud other than the cloud that is automatically detected (such as Public or Government), your users can manually select the appropriate cloud by selecting the Settings app > Company Portal > Cloud. Your users should only change the Cloud setting from Automatic if they sign in from another device and the appropriate cloud isn't automatically detected by their device.

Duplicate Apple VPP tokens

Apple VPP tokens with the same Token Location are now marked as Duplicate and can be synced again when the duplicate token has been removed. You can still assign and revoke licenses for tokens that are marked as duplicate. However, licenses for new apps and books purchased might not be reflected once a token is marked as duplicate. To find Apple VPP tokens for your tenant, from Microsoft Intune admin center, select Tenant administration > Connectors and tokens > Apple VPP Tokens. For more information about VPP tokens, see How to manage iOS and macOS apps purchased through Apple Volume Purchase Program with Microsoft Intune.

Updates to informational screen in Company Portal for iOS/iPadOS

An informational screen in Company Portal for iOS/iPadOS has been updated to better explain what an admin can see and do on devices. These clarifications are only about corporate-owned devices. Only the text has been updated, no actual modifications have been made to what the admin can see or do on user devices. To see the updated screens, go to UI updates for Intune end-user apps.

Updated Android APP Conditional Launch end-user experience

The 2006 release of the Android Company Portal has changes that build on the updates from the 2005 release. In 2005, we rolled out an update where end users of Android devices that are issued a warning, block, or wipe by an app protection policy see a full page message describing the reason for the warn, block, or wipe and the steps to remediate the issues. In 2006, first-time users of Android apps assigned an app protection policy will be taken through a guided flow to remediate issues that cause their app access to be blocked.

Newly available protected apps for Intune

The following protected apps are now available:

  • BlueJeans Video Conferencing
  • Cisco Jabber for Intune
  • Tableau Mobile for Intune
  • ZERO for Intune

For more information about protected apps, see Microsoft Intune protected apps.

Device configuration

Add multiple root certificates for EAP-TLS authentication in Wi-Fi profiles on macOS devices

On macOS devices, you can create a Wi-Fi profile, and select the Extensible Authentication Protocol (EAP) authentication type (Devices > Configuration > Create > macOS for platform > Wi-Fi for profile > Wi-Fi type set to Enterprise).

When you set the EAP Type to EAP-TLS, EAP-TTLS, or PEAP authentication, you can add multiple root certificates. Previously, you could only add one root certificate.

For more information on the settings you can configure, see Add Wi-Fi settings for macOS devices in Microsoft Intune.

Applies to:

  • macOS

Use PKCS certificates with Wi-Fi profiles on Windows 10 and newer devices

You can authenticate Windows Wi-Fi profiles with SCEP certificates (Devices > Configuration > Create > Windows 10 and later for platform > Wi-Fi for profile type > Enterprise > EAP type). Now, you can use PKCS certificates with your Windows Wi-Fi profiles. This feature allows users to authenticate Wi-Fi profiles using new or existing PKCS certificate profiles in your tenant.

For more information on the Wi-Fi settings you can configure, see Add Wi-Fi settings for Windows 10 and later devices in Intune.

Applies to:

  • Windows 10 and newer

Wired network device configuration profiles for macOS devices

A new macOS device configuration profile is available that configures wired networks (Devices > Configuration > Create > macOS for platform > Wired Network for profile). Use this feature to create 802.1x profiles to manage wired networks, and deploy these wired networks to your macOS devices.

For more information on this feature, see Wired networks on macOS devices.

Applies to:

  • macOS

Use Microsoft Launcher as the default launcher for fully managed Android Enterprise devices

On Android Enterprise device owner devices, you can set Microsoft Launcher as the default launcher for fully managed devices (Devices > Configuration > Create > Android Enterprise for platform > Device owner > Device restrictions for profile > Device experience). To configure all other Microsoft Launcher settings, use app configuration policies.

Also, there are some other UI updates, including Dedicated devices being renamed to Device experience.

To see all the settings you can restrict, see Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise device owner fully managed devices (COBO)

Use Autonomous Single App Mode settings to configure the iOS Company Portal app to be a sign in/sign out app

On iOS/iPadOS devices, you can configure apps to run in autonomous single app mode (ASAM). Now, the Company Portal app supports ASAM, and can be configured to be a "sign in/sign out" app. In this mode, users must sign in to the Company Portal app to use other apps and the Home screen button on the device. When they sign out of the Company Portal app, the device returns to single app mode, and locks on the Company Portal app.

To configure the Company Portal to be in ASAM, go to Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile > Autonomous Single App Mode.

For more information, see Autonomous single app mode (ASAM) and single app mode (opens Apple's web site).

Applies to:

  • iOS/iPadOS

Configure content caching on macOS devices

On macOS devices, you can create a configuration profile that configures content caching (Devices > Configuration > Create > macOS for platform > Device features for profile). Use these settings to delete cache, allow shared cache, set a cache limit on the disk, and more.

For more information on content caching, see ContentCaching (opens Apple's web site).

To see the settings you can configure, go to macOS device feature settings in Intune.

Applies to:

  • macOS

Add new schema settings, and search for existing schema settings using OEMConfig on Android Enterprise

In Intune, you can use OEMConfig to manage settings on Android Enterprise devices (Devices > Configuration > Create > Android Enterprise for platform > OEMConfig for profile). When you use the Configuration designer, the properties in the app schema are shown. Now, in the Configuration designer, you can:

  • Add new settings to the app schema.
  • Search for new and existing settings in the app schema.

For more information on OEMConfig profiles in Intune, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise

Block Shared iPad temporary sessions on Shared iPad devices

In Intune, there's a new Block Shared iPad temporary sessions setting that blocks temporary sessions on Shared iPad devices (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile type > Shared iPad). When enabled, end users can't use the Guest account. They must sign in to the device with their Managed Apple ID and password.

For more information, see iOS and iPadOS device settings to allow or restrict features.

Applies to:

  • Shared iPad devices running iOS/iPadOS 13.4 and newer

Device enrollment

Bring-your-own-devices can use VPN to deploy

The new Autopilot profile Skip Domain Connectivity Check toggle lets you deploy Microsoft Entra hybrid join devices without access to your corporate network using your own third party/partner Win32 VPN client. To see the new toggle, go to Microsoft Intune admin center > Devices > Windows > Windows enrollment > Deployment profiles > Create profile > Out-of-box experience (OOBE).

Enrollment Status Page profiles can be set to device groups

Previously, Enrollment Status Page (ESP) profiles could only be targeted to user groups. Now you can also set them to target device groups. For more information, see Set up an Enrollment Status Page.

Automated Device Enrollment sync errors

New errors will be reported for iOS/iPadOS and macOS devices, including:

  • Invalid characters in the phone number or if that field is empty.
  • Invalid or empty configuration name for the profile.
  • Invalid/expired cursor value or if no cursor is found.
  • Rejected or expired token.
  • The department field is empty or the length is too long.
  • Profile is not found by Apple and a new one needs to be created.
  • A count of removed Apple Business Manager devices will be added to the overview page where you see the status of your devices.

Shared iPads for Business

You can use Intune and Apple Business Manager to easily and securely set up Shared iPad so that multiple employees can share devices. Apple's Shared iPad provides a personalized experience for multiple users while preserving user data. Using a Managed Apple ID, users can access their apps, data, and settings after signing into any Shared iPad in their organization. Shared iPad works with federated identities.

To see this feature, go to Microsoft Intune admin center > Devices > iOS > iOS enrollment > Enrollment program tokens > choose a token > Profiles > Create profile > iOS. On the Management Settings page, select Enroll without User Affinity and you see the Shared iPad option.

Requires: iPadOS 13.4 and later. This release added support for temporary sessions with Shared iPad so that users can access a device without a Managed Apple ID. Upon sign out, the device erases all user data so that the device is immediately ready for use, eliminating the need for a device wipe.

Updated user interface for Apple's Automated Device Enrollment

The user interface has been updated to replace Apple's Device Enrollment Program with Automated Device Enrollment to reflect Apple terminology.

Device management

Device remote lock pin available for macOS

The availability for macOS device remote lock pins has been increased from 7 days to 30 days.

Change primary user on co-managed devices

You can change a device's primary user for co-managed Windows devices. For more information on how to find and change it, see Find the primary user of an Intune device. This feature will be rolling out gradually over the next few weeks.

Setting the Intune primary user also sets the Microsoft Entra owner property

This new feature automatically sets the owner property on newly enrolled Microsoft Entra hybrid joined devices at the same time that the Intune primary user is set. For more information on the primary user, see Find the primary user of an Intune device.

This behavior is a change to the enrollment process and only applies to newly enrolled devices. For existing Microsoft Entra hybrid joined devices, you must manually update the Microsoft Entra Owner property. To update, you can use the Change primary user feature or a script.

When Windows 10 devices become Microsoft Entra hybrid joined, the first user of the device becomes the primary user in Intune. Currently, the user isn't set on the corresponding Microsoft Entra device object. This behavior causes an inconsistency when comparing the owner property from a Microsoft Entra admin center with the primary user property in Microsoft Intune admin center. The Microsoft Entra owner property is used for securing access to BitLocker recovery keys. The property isn't populated on Microsoft Entra hybrid joined devices. This limitation prevents setup of self-service of BitLocker recovery from Microsoft Entra ID. This upcoming feature solves this limitation.

Device security

Hide the recovery key from users during FileVault 2 encryption for macOS devices

We've added a new setting to the FileVault category within the macOS Endpoint Protection template: Hide recovery key. This setting hides the personal key from the end user during FileVault 2 encryption.

To view the personal recovery key of an encrypted macOS device, the device user can go to any of the following locations and select get recovery key for the macOS device:

  • The iOS/iPadOS company portal app
  • The Intune app
  • The company portal website
  • The Android company portal app

Support for S/MIME signing and encryption certificates with Outlook on Android Fully Managed

You can now use certificates for S/MIME signing and encryption with Outlook on devices that run Android Enterprise Fully Managed.

This feature expands on the support added last month for other Android versions (Support for S/MIME signing and encryption certificates with Outlook on Android). You can provision these certificates by using SCEP and PKCS imported certificate profiles.

For more information about this support, see Sensitivity labeling and protection in Outlook for iOS and Android in the Exchange documentation.

When you configure a notification message template for sending email notifications for noncompliance, use the new setting Company Portal Website Link to automatically include a link to your Company Portal website. When set to Enable, users with noncompliant devices who receive email based on this template can use the link to open a website to learn more about why their device isn't compliant.

Use Microsoft Defender for Endpoint in compliance policies for Android

You can now use Intune to onboard Android devices to Microsoft Defender for Endpoint. After your enrolled devices are onboarded, your compliance policies for Android can use the threat level signals from Microsoft Defender for Endpoint. These signals are the same signals that you could previously use for Windows 10 devices.

Configure Defender for Endpoint web protection for Android devices

When you use Microsoft Defender for Endpoint for Android devices, you can configure Microsoft Defender for Endpoint web protection to disable the phishing scan feature, or prevent the scan from using VPN.

Depending on how your Android device enrolls with Intune, the following options are available:

  • Android device administrator - Use custom OMA-URI settings to disable the web protection feature, or disable only the use of VPNs during scans.
  • Android Enterprise work profile - Use an app configuration profile and the configuration designer to disable all web protection capabilities.

Licensing

Admins no longer require an Intune license to access Microsoft Intune admin center

You can now set a tenant-wide toggle that removes the Intune license requirement for admins to access the Intune admin center and query graph APIs. Once you remove the license requirement, you can never reinstate it.

Note

Some actions, including the TeamViewer Connector flow, still require an Intune license to complete.

Monitor and troubleshoot

Use Endpoint analytics to improve user productivity and reduce IT support costs

During the next week, this feature will be rolled out. Endpoint analytics aims to improve user productivity and reduce IT support costs by providing insights into the user experience. The insights enable IT to optimize the end-user experience with proactive support and to detect regressions to the user experience by assessing user impact of configuration changes. For more information, see Endpoint analytics preview.

Proactively remediate end user device issues using script packages

You can create and run script packages on end user devices to proactively find and fix the top support issues in your organization. Deploying script packages will help you reduce support calls. Choose to create your own script packages or deploy one of the script packages we've written and used in our environment to reduce support tickets. Intune allows you to see the status of your deployed script packages and to monitor the detection and remediation results. In Microsoft Intune admin center, select Reports > Endpoint analytics > Proactive remediations. For more information, see Proactive remediations.
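As an added illustration of the contract a script package follows (example scripts written for this page, not one of the packages Microsoft has published): a detection script signals "no issue" with exit code 0 and "issue found" with a non-zero exit code, and Intune runs the remediation script only on devices where detection returned non-zero. The detection output written to stdout appears in the report. The check below is a constructed example that verifies Microsoft Defender real-time protection is on; it uses the `Get-MpComputerStatus` and `Set-MpPreference` cmdlets from the Defender module, which need to run with administrative rights, as the scripts do when left at the default of running as SYSTEM.

```powershell
# ===== Detection script (upload as the detection script file) =====
# Added example: exit 0 = compliant, exit 1 = remediation needed.
# The Write-Output text is what the Proactive remediations report shows.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    if ($status.RealTimeProtectionEnabled) {
        Write-Output "Compliant: real-time protection enabled (engine $($status.AMEngineVersion))"
        exit 0
    }
    Write-Output "Non-compliant: real-time protection disabled"
    exit 1
}
catch {
    # Defender cmdlets unavailable (for example, a third-party AV is active):
    # report the error and request remediation so the condition is visible.
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

# ===== Remediation script (upload as the remediation script file) =====
# Added example: runs only where detection exited non-zero. It re-checks the
# setting after acting so the report reflects whether the fix actually held.
try {
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Stop
    Start-Sleep -Seconds 5
    $after = Get-MpComputerStatus -ErrorAction Stop
    if ($after.RealTimeProtectionEnabled) {
        Write-Output "Remediated: real-time protection re-enabled"
        exit 0
    }
    # Tamper Protection, a conflicting policy, or a registered third-party AV
    # can silently block the change; report that rather than claiming success.
    Write-Output "Remediation failed: setting did not take effect (Tamper Protection or conflicting policy?)"
    exit 1
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```

Keep detection scripts read-only and idempotent: the detection script runs on every device on the schedule you pick, so it must never change state, and the remediation script must be safe to run more than once on the same device.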

Scripts

Availability of Shell scripts on macOS devices

Shell scripts for macOS devices are now available for Government Cloud and China customers. For more information about shell scripts, see Use shell scripts on macOS devices in Intune.

May 2020

App management

Windows 32-bit (x86) apps on ARM64 devices

Windows 32-bit (x86) apps that are deployed as available to ARM64 devices will now be displayed in the Company Portal. For more information about Windows 32-bit apps, see Win32 app management.

Windows Company Portal app icon

The icon for the Windows Company Portal app has been updated. For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Update to icons in Company Portal app for iOS/iPadOS and macOS

We've updated the icons in Company Portal to create a more modern look and feel that's supported on dual screen devices and aligns with the Microsoft Fluent Design System. To see the updated icons, go to UI updates for Intune end-user apps.

Customize self-service device actions in the Company Portal

You can customize the available self-service device actions that are shown to end-users in the Company Portal app and website. To help prevent unintended device actions, you can configure these settings for the Company Portal app by selecting Tenant Administration > Customization. The following actions are available:

Auto update VPP available apps

Apps that are published as Volume Purchase Program (VPP) available apps will be automatically updated when Automatic App Updates is enabled for the VPP token. Previously, VPP available apps did not automatically update. Instead, end-users had to go to the Company Portal and reinstall the app if a newer version was available. Required apps continue to support automatic updates.

Android Company Portal user experience

In the 2005 release of Android Company Portal, end-users of Android devices that are issued a warning, block, or wipe by an app protection policy will see a new user experience. Instead of the current dialog experience, end-users will see a full page message describing the reason for the warn, block, or wipe and the steps to remediate the issue. For more information, see App protection experience for Android devices and Android app protection policy settings in Microsoft Intune.

Support for multiple accounts in Company Portal for macOS

The Company Portal on macOS devices now caches user accounts, making sign-in easier. Users no longer need to sign into the Company Portal every time they launch the application. Also, the Company Portal will display an account picker if multiple user accounts are cached, so that users don't have to enter their user name.

Newly available protected apps

The following protected apps are now available:

  • Board Papers
  • Breezy for Intune
  • Hearsay Relate for Intune
  • ISEC7 Mobile Exchange Delegate for Intune
  • Lexmark for Intune
  • Meetio Enterprise
  • Microsoft Whiteboard
  • Now® Mobile - Intune
  • Qlik Sense Mobile
  • ServiceNow® Agent - Intune
  • ServiceNow® Onboarding - Intune
  • Smartcrypt for Intune
  • Tact for Intune
  • Zero - email for attorneys

For more information about protected apps, see Microsoft Intune protected apps.

Search the Intune docs from the Company Portal

You can now search the Intune documentation directly from the Company Portal for macOS app. In the menu bar, select Help > Search and enter the key words of your search to quickly find answers to your questions.

Company Portal for Android guides users to get apps after work profile enrollment

We've improved the in-app guidance in Company Portal to make it easier for users to find and install apps. After they enroll in work profile management, users will get a message explaining how to find suggested apps in the badged version of Google Play. The last step in Enroll device with Android profile has been updated to show the new message. Users will also see a new Get Apps link in the Company Portal drawer on the left. To make way for these new and improved experiences, the APPS tab was removed. To see the updated screens, go to UI updates for Intune end-user apps.

Device configuration

Improvements to OEMConfig support for Zebra Technologies devices

Intune fully supports all features provided by Zebra OEMConfig. Customers managing Zebra Technologies devices with Android Enterprise and OEMConfig can deploy multiple OEMConfig profiles to one device. Customers can also view rich reporting about the status of their Zebra OEMConfig profiles.

For more information, see Deploy multiple OEMConfig profiles to Zebra devices in Microsoft Intune.

There is no change in OEMConfig behavior for other OEMs.

Applies to:

  • Android Enterprise
  • Zebra Technologies devices that support OEMConfig. For specific details on support, contact Zebra.

Configure system extensions on macOS devices

On macOS devices, you can create a kernel extensions profile to configure settings at the kernel-level (Devices > Configuration > macOS for platform > Kernel extensions for profile). Apple is eventually deprecating kernel extensions, and replacing them with system extensions in a future release.

System extensions run in the user space, and don't have access to the kernel. The goal is to increase security and provide more end user control, while limiting attacks at the kernel level. Both kernel extensions and system extensions allow users to install app extensions that extend the native capabilities of the operating system.

In Intune, you can configure both kernel extensions and system extensions (Devices > Configuration > macOS for platform > System extensions for profile). Kernel extensions apply to 10.13.2 and newer. System extensions apply to 10.15 and newer. From macOS 10.15 to macOS 10.15.4, kernel extensions and system extensions can run side-by-side.

To learn about these extensions on macOS devices, see Add macOS extensions.

Applies to:

  • macOS 10.15 and newer

Configure app and process privacy preferences on macOS devices

With the release of macOS Catalina 10.15, Apple added new security and privacy enhancements. By default, applications and processes are unable to access specific data without user consent. If users don't provide consent, the applications and processes might fail to function. Intune is adding support for settings that enable IT administrators to allow or disallow data access consent on behalf of end-users on devices running macOS 10.14 and later. These settings will ensure that applications and processes continue to function properly, and reduce the number of prompts.

For more information on the settings you can manage, see macOS privacy preferences.

Applies to:

  • macOS 10.14 and newer

Device enrollment

Enrollment restrictions support scope tags

You can now assign scope tags to enrollment restrictions. To do so, go to Microsoft Intune admin center > Devices > Enrollment restrictions > Create restriction. Create either type of restriction and you see the Scope tags page. For more information, see Set enrollment restrictions.

Autopilot support for HoloLens 2 devices

Windows Autopilot now supports HoloLens 2 devices. For more information on using Autopilot for HoloLens, see Windows Autopilot for HoloLens 2.

Device management

Use sync remote action in bulk for iOS

You can now use the sync remote action on up to 100 iOS devices at a time. To see this feature, go to Microsoft Intune admin center > Devices > All devices > Bulk device actions.

Automated device sync interval down to 12 hours

For Apple's Automated Device Enrollment, the automated device sync interval between Intune and Apple Business Manager has been reduced from 24 hours to 12 hours. For more information on sync, see Sync managed devices.

Device security

Derived credentials support for DISA Purebred on Android devices

You can now use DISA Purebred as a derived credentials provider on Android Enterprise fully managed devices. Support includes retrieving a derived credential for DISA Purebred. You can use a derived credential for app authentication, Wi-Fi, VPN, or S/MIME signing and/or encryption with apps that support it.

Send push notifications as an action for noncompliance

You can now configure an action for noncompliance that sends a push notification to a user when their device fails to meet conditions of a compliance policy. The new action is Send push notification to end user, and supports Android and iOS devices.

When users select the push notification on their device, the Company Portal or Intune app opens to display details about why they are noncompliant.

Endpoint security content and new features

The documentation for Intune Endpoint Security is now available. In the endpoint security node of the Microsoft Intune admin center, you can:

  • Create and deploy focused security policies to your managed devices
  • Configure integration with Microsoft Defender for Endpoint, and manage security tasks that help remediate risks for at-risk devices as identified by your Defender for Endpoint team
  • Configure security baselines
  • Manage device compliance and conditional access policies
  • View compliance status for all your devices from both Intune and Configuration Manager when Configuration Manager is configured for client attach.

In addition to the availability of content, the following are new for Endpoint Security this month:

  • Endpoint security policies are out of preview and are now ready to use in production environments, as generally available, with two exceptions:

    • In a new public preview, you can use the Microsoft Defender Firewall rules profile for Windows 10 Firewall policy. With each instance of this profile, you can configure up to 150 firewall rules to complement your Microsoft Defender Firewall profiles.
    • Account protection security policy remains in preview.
  • You can now create a duplicate of endpoint security policies. Duplicates keep the settings configuration of the original policy, but get a new name. The new policy instance doesn't include any assignments to groups until you edit the new policy instance to add them. You can duplicate the following policies:

    • Antivirus
    • Disk encryption
    • Firewall
    • Endpoint detection and response
    • Attack surface reduction
    • Account protection
  • You can now create a duplicate of a security baseline. Duplicates keep the settings configuration of the original baseline, but get a new name. The new baseline instance doesn't include any assignments to groups until you edit the new baseline instance to add them.

  • A new report for endpoint security antivirus policy is available: Windows 10 unhealthy endpoints. This report is a new page you can select when you're viewing your endpoint security antivirus policy. The report displays the antivirus status of your MDM-managed Windows 10 devices.

Support for S/MIME signing and encryption certificates with Outlook on Android

You can now use certificates for S/MIME signing and encryption with Outlook on Android. With this support, you can provision these certificates by using SCEP, PKCS, and PKCS imported certificate profiles. The following Android platforms are supported:

  • Android Enterprise Work Profile
  • Android Device Administrator

Support for Android Enterprise Fully Managed devices is coming soon.

For more information about this support, see Sensitivity labeling and protection in Outlook for iOS and Android in the Exchange documentation.

Use Endpoint detection and response policy to onboard devices to Defender for Endpoint

Use endpoint security policy for Endpoint detection and response (EDR) to onboard and configure devices for your deployment of Microsoft Defender for Endpoint. EDR supports policy for Windows devices managed by Intune (MDM), and a separate policy for Windows devices managed by Configuration Manager.

To use the policy for Configuration Manager devices, you must set up Configuration Manager to support the EDR policy. Set up includes:

  • Configure your Configuration Manager hierarchy for tenant attach.
  • Install an in-console update for Configuration Manager to enable support for the EDR policies. This update applies only to hierarchies that have enabled tenant attach.
  • Synchronize your device collections from your hierarchy to the Microsoft Intune admin center.

Monitor and troubleshoot

Device reports UI update

The reports overview pane will now provide a Summary and a Reports tab. In the Microsoft Intune admin center, select Reports, then select the Reports tab to see the available report types. For more information, see Intune reports.

Scripting

macOS script support

Script support for macOS is now generally available. In addition, we have added support for both user assigned scripts and macOS devices that have been enrolled with Apple's Automated Device Enrollment (formerly Device Enrollment Program). For more information, see Use shell scripts on macOS devices in Intune.

App management

Microsoft Office 365 ProPlus rename

Microsoft Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. To learn more, see Name change for Office 365 ProPlus. In our documentation, we'll commonly refer to it as Microsoft 365 Apps. In the Microsoft Intune admin center, you can find the apps suite by selecting Apps > Windows > Add. For information about adding apps, see Add apps to Microsoft Intune.

Manage S/MIME settings for Outlook on Android Enterprise devices

You can use app configuration policies to manage the S/MIME setting for Outlook on devices that run Android Enterprise. You can also choose whether or not to allow the device users to enable or disable S/MIME in Outlook settings. To use app configuration policies for Android, in the Microsoft Intune admin center go to Apps > App configuration policies > Add > Managed devices. For more information about configuring settings for Outlook, see Microsoft Outlook configuration settings.

Pre-release testing for Managed Google Play apps

Organizations that are using Google Play's closed test tracks for app pre-release testing can manage these tracks with Intune. You can selectively assign apps that are published to Google Play's pre-production tracks to pilot groups in order to perform testing. In Intune, you can see whether an app has a pre-production build test track published to it, and be able to assign that track to Microsoft Entra user or device groups. This feature is available for all of our currently supported Android Enterprise scenarios (work profile, fully managed, and dedicated). In the Microsoft Intune admin center, you can add a Managed Google Play app by selecting Apps > Android > Add. For more information, see Working with Managed Google Play Closed Testing Tracks.

Microsoft Teams is now included in Microsoft 365 for macOS

Users who are assigned Microsoft 365 for macOS in Microsoft Intune will now receive Microsoft Teams in addition to the existing Microsoft 365 apps (Word, Excel, PowerPoint, Outlook, and OneNote). Intune will recognize the existing Mac devices that have the other Office for macOS apps installed. Then, it will attempt to install Microsoft Teams the next time the device checks in with Intune. In the Microsoft Intune admin center, you can find the Office 365 Suite for macOS by selecting Apps > macOS > Add. For more information, see Assign Office 365 to macOS devices with Microsoft Intune.

Update to Android app configuration policies

Android app configuration policies have been updated to allow admins to select the device enrollment type before creating an app config profile. The functionality is being added to account for certificate profiles that are based on enrollment type (Work profile or Device Owner).

With this update:

  1. If a new profile is created and Work Profile and Device Owner Profile are selected for device enrollment type, then you can't associate a certificate profile with the app config policy.
  2. If a new profile is created and Work Profile only is selected, then Work Profile certificate policies created under Device Configuration can be utilized.
  3. If a new profile is created and Device Owner only is selected, then Device Owner certificate policies created under Device Configuration can be utilized.

Important

Existing policies created prior to the release of this feature (April 2020 release - 2004) that don't have any certificate profiles associated with the policy will default to Work Profile and Device Owner Profile for device enrollment type. Also, existing policies created prior to the release of this feature that have certificate profiles associated with them will default to Work Profile only.

Also, we are adding Gmail and Nine email configuration profiles that will work for both Work Profile and Device Owner enrollment types, including the use of certificate profiles on both email configuration types. Any Gmail or Nine policies that you have created under Device Configuration for Work Profiles will continue to apply to the device. You don't need to move them to app configuration policies.

In the Microsoft Intune admin center, you can find app configuration policies by selecting Apps > App configuration policies. For more information about app configuration policies, see App configuration policies for Microsoft Intune.

Push notification when device ownership type is changed

You can configure a push notification to send to both your Android and iOS Company Portal users when their device ownership type has been changed from Personal to Corporate as a privacy courtesy. This push notification is set to off by default. The setting can be found in the Microsoft Intune admin center by selecting Tenant administration > Customization. To learn more about how device ownership affects your end-users, see Change device ownership.

Group targeting support for Customization pane

You can target the settings in the Customization pane to user groups. To find these settings in Intune, navigate to the Microsoft Intune admin center, select Tenant administration > Customization. For more information about customization, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Device configuration

Multiple "Evaluate each connection attempt" on-demand VPN rules supported on iOS, iPadOS, and macOS

The Intune user experience allows multiple on-demand VPN rules in the same VPN profile with the Evaluate each connection attempt action (Devices > Configuration > Create > iOS/iPadOS or macOS for platform > VPN for profile > Automatic VPN > On-demand).

Previously, only the first rule in the list was honored. This behavior is fixed, and Intune now evaluates all rules in the list. Each rule is evaluated in the order it appears in the on-demand rules list.

Note

If you have existing VPN profiles that use these on-demand VPN rules, the fix applies the next time you change the VPN profile. For example, make a minor change, such as changing the connection name, and then save the profile.

If you're using SCEP certificates for authentication, this change causes the certificates for this VPN profile to be re-issued.

Applies to:

  • iOS/iPadOS
  • macOS

For more information on VPN profiles, see Create VPN profiles.

More options in SSO and SSO app extension profiles on iOS/iPadOS devices

On iOS/iPadOS devices, you can:

  • In SSO profiles (Devices > Configuration > Create > iOS/iPadOS for platform > Device features for profile > Single sign-on), set the Kerberos principal name to be the Security Account Manager (SAM) account name in SSO profiles.
  • In SSO app extension profiles (Devices > Configuration > Create > iOS/iPadOS for platform > Device features for profile > Single sign-on app extension), configure the iOS/iPadOS Microsoft Entra extension with fewer clicks by using a new SSO app extension type. You can enable the Microsoft Entra extension for devices in shared device mode and send extension-specific data to the extension.

Applies to:

  • iOS/iPadOS 13.0+

For more information on using single sign-on on iOS/iPadOS devices, see Single sign-on app extension overview and Single sign-on settings list.

New shell script settings for macOS devices

When configuring shell scripts for macOS devices, you can now configure the following new settings:

  • Hide script notifications on devices
  • Script frequency
  • Maximum number of times to retry if script fails

For more information, see Use shell scripts on macOS devices in Intune.

Device enrollment

Delete Apple Automated Device Enrollment token when default profile is present

Previously, you couldn't delete a default profile, which meant that you couldn't delete the Automated Device Enrollment token associated with it. Now, you can delete the token when:

  • no devices are assigned to the token
  • a default profile is present

To do so, delete the default profile, and then delete the associated token. For more information, see Delete an ADE token from Intune.

Scaled up support for Apple Automated Device Enrollment and Apple Configurator 2 devices, profiles, and tokens

To help distributed IT departments and organizations, Intune now supports up to 1000 enrollment profiles per token, 2000 Automated Device Enrollment (formerly known as DEP) tokens per Intune account, and 75,000 devices per token. There is no specific limit for devices per enrollment profile, below the maximum number of devices per token.

Intune now supports up to 1000 Apple Configurator 2 profiles.

For more information, see Limits.

All devices page column entry changes

On the All devices page, the entries for the Managed by column have changed:

  • Intune is now displayed instead of MDM
  • Co-managed is now displayed instead of MDM/ConfigMgr Agent

The export values are unchanged.

Device management

Trusted Platform Module (TPM) version information now on Device Hardware page

You can now see the TPM version number on a device's hardware page (Microsoft Intune admin center > Devices > choose a device > Hardware > look under System enclosure).

Microsoft Intune tenant attach: Device sync and device actions

Microsoft Intune is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Microsoft Intune tenant attach: Device sync and device actions.

Monitor and troubleshoot

Collect logs to better troubleshoot scripts assigned to macOS devices

You can now collect logs for improved troubleshooting of scripts assigned to macOS devices. You can collect logs up to 60 MB (compressed) or 25 files, whichever occurs first. For more information, see Troubleshoot macOS shell script policies using log collection.

Security

Derived credentials to provision Android Enterprise Fully Managed devices with certificates

Intune now supports use of derived credentials as an authentication method for Android devices. Derived credentials are an implementation of the National Institute of Standards and Technology (NIST) 800-157 standard for deploying certificates to devices. Our support for Android expands on our support for devices that run iOS/iPadOS.

Derived credentials rely on the use of a Personal Identity Verification (PIV) or Common Access Card (CAC) card, like a smart card. To get a derived credential for their mobile device, users start in the Microsoft Intune app and follow an enrollment workflow that is unique to the provider you use. Common to all providers is the requirement to use a smart card on a computer to authenticate to the derived credential provider. That provider then issues a certificate to the device that's derived from the user's smart card.

You can use derived credentials as the authentication method for device configuration profiles for VPN and Wi-Fi. You can also use them for app authentication, and for S/MIME signing and encryption in applications that support it.

Intune now supports the following derived credential providers with Android:

  • Entrust
  • Intercede

A third provider, DISA Purebred, will be available for Android in a future release.

Microsoft Edge security baseline is now Generally Available

A new version of the Microsoft Edge security baseline is now available, and is released as generally available (GA). The previous Microsoft Edge baseline was in Preview. The new baseline version is April 2020 (Microsoft Edge version 80 and later).

With the release of this new baseline, you'll no longer be able to create profiles based on the previous baseline versions, but you can continue to use profiles you created with those versions. You can also choose to update your existing profiles to use the latest baseline version.

March 2020

App management

Improved sign-in experience in Company Portal for Android

We've updated the layout of several sign-in screens in the Company Portal app for Android to make the experience more modern, simple, and clean for users. For a look at the improvements, see What's New in the app UI.

Configure Delivery Optimization agent when downloading Win32 app content

You can configure the Delivery Optimization agent to download Win32 app content either in background or foreground mode based on assignment. For existing Win32 apps, content will continue to download in background mode. In the Microsoft Intune admin center, select Apps > All apps > select the Win32 app > Properties. Select Edit next to Assignments. Edit the assignment by selecting Include under Mode in the Required section. You will find the new setting in the App settings section. For more information about Delivery Optimization, see Win32 app management - Delivery Optimization.

Company Portal for iOS supports landscape mode

Users can now enroll their devices, find apps, and get IT support using the screen orientation of their choice. The app will automatically detect and adjust screens to fit portrait or landscape mode, unless users lock the screen in portrait mode.

Script support for macOS devices (Public Preview)

You can add and deploy scripts to macOS devices. This support extends your ability to configure macOS devices beyond what is possible using native MDM capabilities on macOS devices. For more information, see Use shell scripts on macOS devices in Intune.

macOS and iOS Company Portal updates

The Profile pane of the macOS and iOS Company Portal has been updated to include the sign-out button. Also, UI improvements have been made to the Profile pane in the macOS Company Portal. For more information about the Company Portal, see How to configure the Microsoft Intune Company Portal app.

Retarget web clips to Microsoft Edge on iOS devices

Newly deployed web clips (pinned web apps) on iOS devices that are required to open in a protected browser, will open in Microsoft Edge rather than the Intune Managed Browser. You must retarget pre-existing web clips to ensure they open in Microsoft Edge rather than the Managed Browser. For more information, see Manage web access by using Microsoft Edge with Microsoft Intune and Add web apps to Microsoft Intune.

Use the Intune diagnostic tool with Microsoft Edge for Android

Microsoft Edge for Android is now integrated with the Intune diagnostic tool. Similarly to the experience on Microsoft Edge for iOS, entering "about:intunehelp" into the URL bar (the address box) of Microsoft Edge on the device will start the Intune diagnostic tool. This tool will provide detailed logs. Users can be guided to collect and send these logs to their IT department, or view MAM logs for specific apps.

Updates to Intune branding and customization

We have updated the Intune pane that was named "Branding and customization" with improvements, including:

  • Renaming the pane to Customization.
  • Improving the organization and design of the settings.
  • Improving the settings text and tooltips.

To find these settings in Intune, navigate to the Microsoft Intune admin center, select Tenant administration > Customization. For information about existing customization, see How to configure the Microsoft Intune Company Portal app.

User's personal encrypted recovery key

A new Intune feature is available that enables users to retrieve their personal encrypted FileVault recovery key for Mac devices through the Android Company Portal application or through the Android Intune application. There is a link in both the Company Portal application and Intune application that will open a Chrome browser to the Web Company Portal where the user can see the FileVault recovery key needed to access their Mac devices. For more information about encryption, see Use device Encryption with Intune.

Optimized dedicated device enrollment

We're optimizing the enrollment for Android Enterprise dedicated devices and making it easier for SCEP certificates associated with Wi-Fi to apply to dedicated devices enrolled prior to November 22, 2019. For new enrollments, the Intune app will continue to install, but end users will no longer need to perform the Enable Intune Agent step during enrollment. Installation happens automatically in the background, and SCEP certificates associated with Wi-Fi can be deployed and set without end-user interaction.

These changes roll out in phases throughout the month of March as the Intune service backend deploys. All tenants will have this new behavior by the end of March. For more information, see Support for SCEP certificates in Android Enterprise dedicated devices.

Device configuration

New user experience when creating administrative templates on Windows devices

Based on customer feedback, and our move to the new Azure full screen experience, we've rebuilt the Administrative Templates profile experience with a folder view. We haven't made changes to any settings or existing profiles. So, your existing profiles will stay the same, and will be usable in the new view. You can still navigate all settings options by selecting All Settings, and using search. The tree view is split by Computer and User configurations. You will find Windows, Office, and Microsoft Edge settings in their associated folders.

Applies to:

  • Windows 10 and newer

VPN profiles with IKEv2 VPN connections can use always-on with iOS/iPadOS devices

On iOS/iPadOS devices, you can create a VPN profile that uses an IKEv2 connection (Devices > Configuration > Create > iOS/iPadOS for platform > VPN for profile type). Now, you can configure always-on with IKEv2. When configured, IKEv2 VPN profiles connect automatically, and stay connected (or quickly reconnect) to the VPN. It stays connected even when moving between networks or restarting devices.

On iOS/iPadOS, always-on VPN is limited to IKEv2 profiles.

To see the IKEv2 settings you can configure, go to Add VPN settings on iOS devices in Microsoft Intune.

Applies to:

  • iOS/iPadOS

Delete bundles and bundle arrays in OEMConfig device configuration profiles on Android Enterprise devices

On Android Enterprise devices, you create and update OEMConfig profiles (Devices > Configuration > Create > Android Enterprise for platform > OEMConfig for profile type). Users can now delete bundles and bundle arrays using the Configuration designer in Intune.

For more information on OEMConfig profiles, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise

Configure the iOS/iPadOS Microsoft Entra SSO app extension

The Microsoft Entra team created a redirect single sign-on (SSO) app extension to allow iOS/iPadOS 13.0+ users to gain access to Microsoft apps and websites with one sign-on. All apps that previously had brokered authentication with the Microsoft Authenticator app will continue to get SSO with the new SSO extension. With the Microsoft Entra SSO app extension release, you can configure the SSO extension with the redirect SSO app extension type (Devices > Configuration > Create > iOS/iPadOS for platform > Device features for profile type > Single sign-on app extension).

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer

For more information about iOS SSO app extensions, see Single sign-on app extension.

Enterprise app trust settings modification setting is removed from iOS/iPadOS device restriction profiles

On iOS/iPadOS devices, you create a device restrictions profile (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile type). The Enterprise app trust settings modification setting is removed by Apple, and is removed from Intune. If you currently use this setting in a profile, it has no impact, and is removed from existing profiles. This setting is also removed from any reporting in Intune.

Applies to:

  • iOS/iPadOS

To see the settings you can restrict, go to iOS and iPadOS device settings to allow or restrict features.

Troubleshooting: Pending MAM policy notification changed to informational icon

The notification icon for a pending MAM policy on the Troubleshooting blade has been changed to an informational icon.

UI update when configuring compliance policy

We've updated the UI for creating compliance policies in the Microsoft Intune admin center (Devices > Compliance policies > Policies > Create Policy). The new user experience includes the same settings and details you've used previously, but follows a wizard-like process to create the compliance policy. It includes a page where you can add Assignments for the policy, and a Review + Create page where you can review your configuration before creating the policy.

Retire noncompliant devices

We've added a new action for noncompliant devices that you can add to any policy: retire the noncompliant device. The new action, Retire the noncompliant device, removes all company data from the device and also removes the device from Intune management. This action runs when the configured number of days is reached; at that point the device becomes eligible to be retired. The minimum value is 30 days. Explicit IT admin approval is required to retire the devices, using the Retire Non-compliant devices section, where admins can retire all eligible devices.

Support for WPA and WPA2 in iOS Enterprise Wi-Fi profiles

Enterprise Wi-Fi profiles for iOS now support the Security type field. For Security type, you can select either WPA Enterprise or WPA/WPA2 Enterprise, and then specify a selection for the EAP type (Devices > Configuration > Create, select iOS/iPadOS for Platform, and then Wi-Fi for Profile).

The new Enterprise options are like those that have been available for a Basic Wi-Fi profile for iOS.

New user experience for certificate, email, VPN, and Wi-Fi profiles

We've updated the user experience in the Intune admin center (Devices > Configuration > Create) for creating and modifying the following profile types. The new experience presents the same settings as before, but uses a wizard-like experience that doesn't require as much horizontal scrolling. You won't need to modify existing configurations with the new experience.

  • Derived credential
  • Email
  • PKCS certificate
  • PKCS imported certificate
  • SCEP certificate
  • Trusted certificate
  • VPN
  • Wi-Fi

Improved user interface experience when creating device restrictions profiles on Android and Android Enterprise devices

When you create a profile for Android or Android Enterprise devices, the experience in the Intune admin center is updated. This change affects the following device configuration profiles (Devices > Configuration > Create > Android device administrator or Android Enterprise for platform):

  • Device restrictions: Android device administrator
  • Device restrictions: Android Enterprise device owner
  • Device restrictions: Android Enterprise work profile

For more information on the device restrictions you can configure, see Android device administrator and Android Enterprise.

Improved user interface experience when creating configuration profiles on iOS/iPadOS and macOS devices

When you create a profile for iOS or macOS devices, the experience in the Intune admin center is updated. This change affects the following device configuration profiles (Devices > Configuration > Create > iOS/iPadOS or macOS for platform):

  • Custom: iOS/iPadOS, macOS
  • Device features: iOS/iPadOS, macOS
  • Device restrictions: iOS/iPadOS, macOS
  • Endpoint protection: macOS
  • Extensions: macOS
  • Preference file: macOS

Hide from user configuration setting in device features on macOS devices

When you create a device features configuration profile on macOS devices, there's a new Hide from user configuration setting (Devices > Configuration > Create > macOS for platform > Device features for profile > Login items).

This feature sets an app's hide checkmark in the Users & Groups login items apps list on macOS devices. Existing profiles show this setting within the list as unconfigured. To configure this setting, administrators can update existing profiles.

When set to Hide, the hide checkbox is checked for the app, and users can't change it. It also hides the app from users after users sign in to their devices.


For more information on the setting you can configure, see macOS device feature settings.

This feature applies to:

  • macOS

Device enrollment

Configure if enrollment is available in Company Portal for Android and iOS

You can configure whether device enrollment in the Company Portal on Android and iOS devices is available with prompts, available without prompts, or unavailable to users. To find these settings in Intune, navigate to the Microsoft Intune admin center and select Tenant administration > Customization > Edit > Device enrollment.

Support for the device enrollment setting requires that end users have these Company Portal versions:

  • Company Portal on iOS: version 4.4 or later
  • Company Portal on Android: version 5.0.4715.0 or later

For more information about existing Company Portal customization, see How to configure the Microsoft Intune Company Portal app.

Device management

New Android report on Android Devices overview page

We've added a report to the Microsoft Intune admin center in the Android Devices overview page that displays how many Android devices have been enrolled in each device management solution. This chart (like the same chart already in the Azure console) shows work profile, fully managed, dedicated, and device administrator enrolled device counts. To see the report, choose Devices > Android > Overview.

Guide users from Android device administrator management to work profile management

We're releasing a new compliance setting for the Android device administrator platform. This setting lets you make a device noncompliant if it's managed with device administrator.

On these noncompliant devices, users will see the Move to new device management setup message on the Update device settings page. If they tap the Resolve button, they'll be guided through:

  1. Unenrolling from device administrator management
  2. Enrolling in work profile management
  3. Resolving compliance issues

Google is decreasing device administrator support in new Android releases to move to modern, richer, and more secure device management with Android Enterprise. Intune can only provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices (except Samsung) that are running Android 10 or later after this time won't be able to be entirely managed. In particular, affected devices won't receive new password requirements.

For more information about this setting, see Move Android devices from device administrator to work profile management.

New URL for the Microsoft Intune admin center

To align with the announcement of Microsoft Intune at Ignite last year, we have changed the URL for the Microsoft Intune admin center (formerly Microsoft 365 Device Management) to https://intune.microsoft.com.

Change Primary User for Windows devices

You can change the Primary User for Windows hybrid and Microsoft Entra joined devices. To do so, go to Intune > Devices > All devices > choose a device > Properties > Primary User. For more information, see Change a device's primary user.

A new RBAC permission (Managed Devices / Set primary user) has also been created for this task. The permission has been added to built-in roles including Helpdesk Operator, School Administrator, and Endpoint Security Manager.

This feature is rolling out to customers globally under preview. You should see the feature within the next few weeks.

Microsoft Intune tenant attach: Device sync and device actions

Microsoft Intune is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager technical preview version 2002.2, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Features in Configuration Manager technical preview version 2002.2.

Review the Configuration Manager technical preview article before installing this update. This article familiarizes you with the general requirements and limitations for using a technical preview, how to update between versions, and how to provide feedback.

Bulk remote actions

You can now issue bulk commands for the following remote actions: restart, rename, Autopilot reset, wipe, and delete. To see the new bulk actions, go to Microsoft Intune admin center > Devices > All devices > Bulk actions.

All devices list improved search, sort, and filter

The All devices list has been improved for better performance, searching, sorting, and filtering. For more information, see this Support Tip.

Monitor and troubleshoot

The Data Warehouse now provides the MAC address

The Intune Data Warehouse provides the MAC address as a new property (EthernetMacAddress) in the device entity to allow admins to correlate a user with a host MAC address. This property helps to reach specific users and troubleshoot incidents occurring on the network. Admins can also use this property in Power BI reports to build richer reports. For more information, see the Intune Data Warehouse device entity.

Data Warehouse device inventory properties

More device inventory properties are available using the Intune Data Warehouse. The following properties are now exposed via the devices beta collection:

  • ethernetMacAddress - The unique network identifier of this device.
  • model - The device model.
  • office365Version - The version of Microsoft 365 that is installed on the device.
  • windowsOsEdition - The Operating System version.

The following properties are now exposed via the devicePropertyHistory beta collection:

  • physicalMemoryInBytes - The physical memory in bytes.
  • totalStorageSpaceInBytes - Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API.

Help and support workflow update to support more services

We've updated the Help and support page in the Microsoft Intune admin center where you now choose the management type you use. With this change, you can select from the following management types:

  • Configuration Manager (includes Desktop Analytics)
  • Intune
  • Co-management

Security

Use a preview of security administrator focused policies as part of Endpoint security

As a public preview, we've added several new policy groups under the Endpoint security node in the Microsoft Intune admin center. As a security admin you can use these new policies to focus on specific aspects of device security to manage discrete groups of related settings without the overhead of the larger Device Configuration policy body.

Except for the new Antivirus policy for Microsoft Defender Antivirus (see below), the settings in each of these new preview policies and profiles are the same settings that you might already configure through Device configuration profiles today.

The following are the new policy types that are all in preview, and their available profile types:

  • Antivirus (Preview):

    • macOS:

    • Windows 10 and later:

      • Microsoft Defender Antivirus - Manage Antivirus policy settings for cloud protection, Antivirus exclusions, remediation, scan options, and more.

        The Antivirus profile for Microsoft Defender Antivirus is an exception that introduces a new instance of settings that are found as part of a device restriction profile. These new Antivirus settings:

        • Are the same settings as found in device restrictions, but support a third option for configuration that's not available when configured as a device restriction.
        • Apply to devices that are co-managed with Configuration Manager, when the co-management workload slider for Endpoint Protection is set to Intune.

        Plan to use the new Antivirus > Microsoft Defender Antivirus profile in place of configuring these settings through a device restriction profile.

      • Windows Security experience - Manage the Windows Security settings that end users can view in the Microsoft Defender Security center and the notifications they receive. These settings are unchanged from the settings available as a Device configuration Endpoint Protection profile.

  • Disk encryption (Preview):

    • macOS:
      • FileVault
    • Windows 10 and later:
      • BitLocker

  • Firewall (Preview):

    • macOS:
      • macOS firewall
    • Windows 10 and later:
      • Microsoft Defender Firewall

  • Endpoint detection and response (Preview):

    • Windows 10 and later:
      • Windows 10 Intune

  • Attack surface reduction (Preview):

    • Windows 10 and later:
      • App and browser isolation
      • Web protection
      • Application control
      • Attack surface reduction rules
      • Device control
      • Exploit protection

  • Account protection (Preview):

    • Windows 10 and later:
      • Account protection

February 2020

App management

Microsoft Defender for Endpoint app for macOS

Intune provides an easy way to deploy the Microsoft Defender for Endpoint app for macOS to managed Mac devices. For more information, see Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune and Microsoft Defender for Endpoint for Mac.

macOS Company Portal user experience improvements

We have made improvements to the macOS device enrollment experience and the Company Portal app for Mac. You will see the following improvements:

  • A better Microsoft AutoUpdate experience during enrollment that will ensure your users have the latest version of the Company Portal.
  • An enhanced compliance check step during enrollment.
  • Support for copied Incident IDs, so your users can send errors from their devices to your company support team faster.

For more information about enrollment and the Company Portal app for Mac, see Enroll your macOS device using the Company Portal app.

App protection policies for Better Mobile now supports iOS and iPadOS

In October 2019, Intune app protection policy added the capability to use data from our Mobile Threat Defense partners. With this update, you can use an app protection policy to block, or selectively wipe, the user's corporate data based on the health of a device using Better Mobile on iOS and iPadOS. For more information, see Create Mobile Threat Defense app protection policy with Intune.

Microsoft Edge version 77 and later on Windows 10 devices

Intune now supports uninstalling Microsoft Edge version 77 and later on Windows 10 devices. For more information, see Add Microsoft Edge for Windows 10 to Microsoft Intune.

Screen removed from Company Portal, Android work profile enrollment

The What's next? screen has been removed from the Android work profile enrollment flow in Company Portal to streamline the user experience. Go to Enroll with Android work profile to see the updated Android work profile enrollment flow.

Company Portal app improved performance

The Company Portal app has been updated to support improved performance for devices that use ARM64 processors, such as the Surface Pro X. Previously, the Company Portal operated in an emulated ARM32 mode. Now, in version 10.4.7080.0 and later, the Company Portal app is natively compiled for ARM64. For more information about the Company Portal app, see How to configure the Microsoft Intune Company Portal app.

Microsoft's new Office app

Microsoft's new Office app is now generally available for download and use. The Office app is a consolidated experience where your users can work across Word, Excel, and PowerPoint within a single app. You can target the app with an app protection policy to ensure the data being accessed is protected.

For more information, see How to enable Intune app protection policies with the Office mobile preview app.

Device configuration

Enable network access control (NAC) with Cisco AnyConnect VPN on iOS devices

On iOS devices, you can create a VPN profile, and use different connection types, including Cisco AnyConnect (Devices > Configuration > Create > iOS for platform > VPN for profile type > Cisco AnyConnect for connection type).

You can enable network access control (NAC) with Cisco AnyConnect. To use this feature:

  1. In the Cisco Identity Services Engine Administrator Guide, use the steps in Configuring Microsoft Intune as an MDM Server to configure the Cisco Identity Services Engine (ISE) in Azure.
  2. In the Intune device configuration profile, select the Enable Network Access Control (NAC) setting.

To see all the available VPN settings, go to Configure VPN settings on iOS devices.

Device enrollment

Serial number on the Apple MDM Push certificate page

The Apple MDM Push certificate page now shows the serial number. The serial number is needed to regain access to the Apple MDM Push certificate if access to the Apple ID that created the certificate is lost. To see the serial number, go to Devices > iOS > iOS enrollment > Apple MDM Push certificate.

Device management

New update schedule options for pushing OS updates to enrolled iOS/iPadOS devices

You can choose from the following options when scheduling operating system updates for iOS/iPadOS devices. These options apply to devices that used the Apple Business Manager or Apple School Manager enrollment types.

  • Update at next check-in
  • Update during scheduled time
  • Update outside of scheduled time

For the latter two options, you can create multiple time windows.

To see the new options, go to the Intune admin center > Devices > iOS > Update policies for iOS/iPadOS > Create profile.

Choose which iOS/iPadOS updates to push to enrolled devices

You can choose a specific iOS/iPadOS update (except for the most recent update) to push to devices that have enrolled by using either Apple Business Manager or Apple School Manager. Such devices must have a device configuration policy set to delay software update visibility for some number of days. To see this feature, go to the Intune admin center > Devices > iOS > Update policies for iOS/iPadOS > Create profile.

Exports from the All devices list now in zipped CSV format

Exports from the Devices > All devices page are now in zipped CSV format.

Windows 7 ends extended support

Windows 7 reached end of extended support on January 14, 2020. Intune deprecated support for devices running Windows 7 at the same time. Technical assistance and automatic updates that help protect your PC are no longer available. You should upgrade to Windows 10. For more information, see the Plan for Change blog post.

Device security

Improved Intune reporting experience

Intune now provides an improved reporting experience. There are new report types, better report organization, more focused views, improved report functionality, and more consistent and timely data. The reporting experience will move from public preview to GA (general availability). Also, the GA release will provide localization support, bug fixes, design improvements, and aggregate device compliance data on tiles in the Microsoft Intune admin center.

New report types focus on the following information:

  • Operational - Provides fresh records with a negative health focus.
  • Organizational - Provides a broader summary of the overall state.
  • Historical - Provides patterns and trends over a period of time.
  • Specialist - Allows you to use raw data to create your own custom reports.

The first set of new reports focuses on device compliance. For more information, see Blog - Microsoft Intune reporting framework and Intune reports.

Consolidated the location of security baselines in the UI

We've consolidated the paths to find security baselines in the Microsoft Intune admin center by removing Security baselines from several UI locations. To find security baselines, you now use the following path: Endpoint security > Security baselines.

Expanded support for imported PKCS certificates

We've expanded support for using imported PKCS certificates to support Android Enterprise fully managed devices. Generally, importing PFX certificates is used for S/MIME encryption scenarios, where a user's encryption certificates are required on all of their devices so that email decryption can occur.

The following platforms support import of PFX certificates:

  • Android - Device Administrator
  • Android Enterprise - Fully Managed
  • Android Enterprise - Work profile
  • iOS
  • Mac
  • Windows 10

View the endpoint security configuration for devices

We've updated the name of the option in the Microsoft Intune admin center, for viewing endpoint security configurations that apply to a specific device. This option is renamed to Endpoint security configuration because it shows applicable security baselines and other policies created outside of security baselines. Previously, this option was named Security baselines.

Role-based access control

Intune Roles user interface changes coming

The user interface for Microsoft Intune admin center > Tenant administration > Roles has been improved to a more user-friendly and intuitive design. This experience provides the same settings and details that you use now; however, the new experience employs a wizard-like process.

January 2020

App management

Intune support for Microsoft Edge version 77 deployment channel for macOS

Microsoft Intune now supports the Stable deployment channel for the Microsoft Edge app for macOS. The Stable channel is the recommended channel for deploying Microsoft Edge broadly in Enterprise environments. It updates every six weeks, each release incorporating improvements from the Beta channel. In addition to the Stable and Beta channels, Intune supports a Dev channel. The public preview offers stable and dev channels for Microsoft Edge version 77 and later for macOS. Automatic updates of the browser are On by default. For more information, see Add Microsoft Edge for macOS devices using Microsoft Intune.

Retirement of Intune Managed Browser

The Intune Managed Browser will be retired. Use Microsoft Edge for your protected Intune browser experience.

User experience change when adding apps to Intune

There's a new user experience when adding apps to Intune. This experience provides the same settings and details that you have used previously; however, the new experience follows a wizard-like process before adding an app to Intune. This new experience also provides a review page before adding the app. From the Microsoft Intune admin center, select Apps > All apps > Add. For more information, see Add apps to Microsoft Intune.

Require Win32 apps to restart

You can require that a Win32 app must restart after a successful install. Also, you can choose the amount of time (the grace period) before the restart must occur.

User experience change when configuring apps in Intune

There's a new user experience when creating app configuration policies in Intune. This experience provides the same settings and details that you have used previously; however, the new experience follows a wizard-like process before adding a policy to Intune. From the Microsoft Intune admin center, select Apps > App configuration policies > Add. For more information, see App configuration policies for Microsoft Intune.

Intune support for Microsoft Edge for Windows 10 deployment channel

Microsoft Intune now supports the Stable deployment channel for the Microsoft Edge (version 77 and later) for Windows 10 app. The Stable channel is the recommended channel for deploying Microsoft Edge for Windows 10 broadly in Enterprise environments. This channel updates every six weeks, each release incorporating improvements from the Beta channel. In addition to the Stable and Beta channels, Intune supports a Dev channel. For more information, see Microsoft Edge for Windows 10 - Configure app settings.

S/MIME support for Microsoft Outlook for iOS

Intune supports delivering S/MIME signing and encryption certificates that can be used with Outlook for iOS on iOS devices. For more information, see Sensitivity labeling and protection in Outlook for iOS and Android.

Cache Win32 app content using Microsoft Connected Cache server

You can install a Microsoft Connected Cache server on your Configuration Manager distribution points to cache Intune Win32 app content. For more information, see Microsoft Connected Cache in Configuration Manager - Support for Intune Win32 apps.

Device configuration

Improved user interface experience when configuring Exchange ActiveSync on-premises connector UI

We've updated the experience for configuring the Exchange ActiveSync on-premises connector. The updated experience uses a single pane to configure, edit, and summarize the details of your on-premises connectors.

Add automatic proxy settings to Wi-Fi profiles for Android Enterprise work profiles

On Android Enterprise Work Profile devices, you can create Wi-Fi profiles. When you choose the Wi-Fi Enterprise type, you can also enter the Extensible Authentication Protocol (EAP) type used on your Wi-Fi network.

Now when you choose the Enterprise type, you can also enter automatic proxy settings, including a proxy server URL, such as proxy.contoso.com.

To see the current Wi-Fi settings you can configure, go to Add Wi-Fi settings for devices running Android Enterprise and Android kiosk in Microsoft Intune.

Applies to:

  • Android Enterprise work profile

Device enrollment

Block Android enrollments by device manufacturer

You can block devices from enrolling based on the manufacturer of the device. This feature applies to Android device administrator and Android Enterprise work profile devices. To see enrollment restrictions, go to the Microsoft Intune admin center > Devices > Enrollment restrictions.

Improvements to the iOS/iPadOS Create enrollment type profile UI

For iOS/iPadOS User Enrollment, the Create enrollment type profile Settings page has been streamlined to improve the Enrollment type choice process while keeping the same functionality. To see the new UI, go to Microsoft Intune admin center > Devices > iOS > iOS enrollment > Enrollment types > Create profile > Settings page. For more information, see Create a User Enrollment profile in Intune.

Device management

New information in device details

The following information is now on the Overview page for devices:

  • Memory Capacity (amount of physical memory on the device)
  • Storage Capacity (amount of physical storage on the device)
  • CPU architecture

iOS Bypass Activation Lock remote action renamed to Disable Activation Lock

The remote action Bypass Activation Lock has been renamed to Disable Activation Lock. For more information, see Disable iOS Activation Lock with Intune.

Windows 10 feature update deployment support for Autopilot devices

Intune now supports targeting Autopilot registered devices using Windows 10 feature update deployments.

Windows 10 feature update policies cannot be applied during the Windows Autopilot out of box experience (OOBE). They only apply at the first Windows Update scan after a device has finished provisioning, which is typically a day.

Monitor and troubleshoot

Windows Autopilot deployment reports (preview)

A new report details each device deployed through Windows Autopilot. For more information, see Autopilot deployment report.

Role-based access control

New Intune built-in role Endpoint security manager

A new Intune built-in role is available: the Endpoint security manager. This new role gives admins full access to the Endpoint Manager node in Intune and read-only access to other areas. The role is an expansion of the "Security Administrator" role from Microsoft Entra ID. If you currently just have Global Admins as roles, then there are no changes needed. If you use roles, and you'd like the granularity that the Endpoint Security Manager provides, then assign that role when the role is available. For more information about built-in roles, see Role-based access control.

Windows 10 administrative templates (ADMX) profiles now support scope tags

You can now assign scope tags to administrative template profiles (ADMX). To do so, go to Intune > Devices > Configuration > choose an administrative templates profile in the list > Properties > Scope tags. For more information about scope tags, see Assign scope tags to other objects.

December 2019

App management

Retrieve personal recovery key from encrypted macOS devices

End users can retrieve their personal recovery key (FileVault key) using the iOS Company Portal app. The device that has the personal recovery key must be enrolled with Intune and encrypted with FileVault through Intune. Using the iOS Company Portal app, an end user can retrieve their personal recovery key on their encrypted macOS device by selecting Get recovery key. You can also retrieve the recovery key from Intune by selecting Devices > the encrypted and enrolled macOS device > Get recovery key. For more information about FileVault, see FileVault encryption for macOS.

iOS and iPadOS user-licensed VPP apps

For user enrolled iOS and iPadOS devices, end users will no longer be presented with newly created device-licensed VPP applications deployed as available. However, end users will continue to see all user-licensed VPP apps within the Company Portal. For more information about VPP apps, see How to manage iOS and macOS apps purchased through Apple Volume Purchase Program with Microsoft Intune.

Notice - Windows 10 1703 (RS2) will be moving out of support

Starting October 9, 2018, Windows 10 1703 (RS2) moved out of Microsoft platform support for Home, Pro, and Pro for Workstations editions. For Windows 10 Enterprise and Education editions, Windows 10 1703 (RS2) moved out of platform support on October 8, 2019. Starting December 26, 2019, we will be updating the minimum version of the Windows Company Portal application to Windows 10 1709 (RS3). Computers running versions prior to 1709 will no longer receive updated versions for the application from the Microsoft Store. We have previously communicated this change to customers who are managing older versions of Windows 10 via the message center. For more information, see Windows lifecycle fact sheet.

App management

Migrating to Microsoft Edge for managed browsing scenarios

As we move closer to the retirement of the Intune Managed Browser, we made changes to app protection policies to simplify the steps needed to move your users over to Edge. We have updated the options for the app protection policy setting Restrict web content transfer with other apps to be one of the following:

  • Any app
  • Intune Managed Browser
  • Microsoft Edge
  • Unmanaged browser

When you select Microsoft Edge, your end users will see conditional access messaging notifying them that Microsoft Edge is required for managed browsing scenarios. They will be prompted to download and sign in to Microsoft Edge with their Microsoft Entra accounts, if they haven't signed in already. This behavior is equivalent to having targeted your MAM-enabled apps with the app config setting com.microsoft.intune.useEdge set to True. Existing app protection policies that used the Policy managed browsers setting will now have Intune Managed Browser selected, and you will see no change in behavior. So, your users will see messaging to use Microsoft Edge if you've set the useEdge app configuration setting to True. We encourage all customers using managed browsing scenarios to update their app protection policies with Restrict web content transfer with other apps to ensure users are seeing the proper guidance to transition to Microsoft Edge, no matter which app they are launching links from.

Configure app notification content for organization accounts

Intune app protection policies (APP) on Android and iOS devices allow you to control app notification content for Org accounts. You can select an option (Allow, Block org Data, or Blocked) to specify how notifications for org accounts are shown for the selected app. This feature requires support from applications and might not be available for all APP enabled applications. Outlook for iOS version 4.15.0 (or later) and Outlook for Android 4.83.0 (or later) will support this setting. The setting is available in the console, but the functionality will begin to take effect after December 16, 2019. For more about APP, see What are app protection policies?.

Microsoft app icons update

The icons used for Microsoft apps in the app targeting pane for App protection policies and App configuration policies have been updated.

Require use of approved keyboards on Android

As part of an app protection policy, you can specify the setting Approved keyboards to manage which Android keyboards can be used with managed Android apps. When a user opens the managed app and doesn't already use an approved keyboard for that app, they are prompted to switch to one of the approved keyboards already installed on their device. If needed, they're presented with a link to download an approved keyboard from the Google Play Store, which they can install and set up. The user can only edit text fields in a managed app when their active keyboard is one of the approved keyboards.

Device configuration

Updates to Administrative Templates for Windows 10 devices

You can use ADMX templates in Microsoft Intune to control and manage settings for Microsoft Edge, Office, and Windows. Administrative Templates in Intune made the following policy setting updates:

For more information on ADMX templates in Intune, see Use Windows 10 templates to configure group policy settings in Microsoft Intune.

Applies to:

  • Windows 10 and later

Updated single sign-on experience for apps and websites on your iOS, iPadOS, and macOS devices

Intune has added more single sign-on (SSO) settings for iOS, iPadOS, and macOS devices. You can now configure redirect SSO app extensions written by your organization or by your identity provider. Use these settings to configure a seamless single sign-on experience for apps and websites that use modern authentication methods, such as OAuth and SAML2.

These new settings expand on the previous settings for SSO app extensions and Apple's built-in Kerberos extension (Devices > Configuration > Create > iOS/iPadOS or macOS for platform type > Device features for profile type).

To see the full range of SSO app extension settings you can configure, go to SSO on iOS and SSO on macOS.

Applies to:

  • iOS/iPadOS
  • macOS

We have updated two device restriction settings for iOS and iPadOS devices to correct their behavior

For iOS devices, you can create device restriction profiles that Allow over-the-air PKI updates and Block USB Restricted mode (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile type). Prior to this release, the UI settings and descriptions for the following settings were incorrect, and they have now been corrected. Beginning with this release, the settings behavior is as follows:

Block over-the-air PKI updates: Block prevents your users from receiving software updates unless the device is connected to a computer. Not configured (default) allows a device to receive software updates without being connected to a computer.

  • Previously, this setting let you configure it as: Allow, which let your users receive software updates without connecting their devices to a computer.

Allow USB accessories while device is locked: Allow lets USB accessories exchange data with a device that's been locked for over an hour. Not configured (default) doesn't update USB Restricted mode on the device, and USB accessories will be blocked from transferring data from the device if locked for over an hour.

  • Previously, this setting let you configure it as: Block to disable USB Restricted mode on supervised devices.

For more information on the setting you can configure, see iOS and iPadOS device settings to allow or restrict features using Intune.

This feature applies to:

  • iOS/iPadOS

Block users from configuring certificate credentials in the managed keystore on Android Enterprise device owner devices

On Android Enterprise device owner devices, you can configure a new setting that blocks users from configuring their certificate credentials in the managed keystore (Devices > Configuration > Create > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile type > Users + Accounts).

New Microsoft Configuration Manager co-management licensing

Configuration Manager customers with Software Assurance can get Intune co-management for Windows 10 PCs without having to purchase another Intune license for co-management. Customers no longer need to assign individual Intune/EMS licenses to their end users for co-managing Windows 10.

  • Devices managed by Configuration Manager and enrolled into co-management have almost the same rights as Intune Standalone MDM-managed PCs. However, after resetting they can't be re-provisioned by using Autopilot.
  • Windows 10 devices enrolled into Intune by using other means require full Intune licenses.
  • Devices on other platforms still require full Intune licenses.

For more information, see Licensing terms.

Device management

Protected wipe action now available

You now can use the Wipe device action to perform a protected wipe of a device. Protected wipes are the same as standard wipes, except that they can't be circumvented by powering off the device. A protected wipe will keep trying to reset the device until successful. In some configurations, this action might leave the device unable to reboot. For more information, see Retire or wipe devices.

Device Ethernet MAC address added to device's Overview page

You can now see a device's Ethernet MAC address on the device details page (Devices > All devices > choose a device > Overview).

Device security

Improved experience on a shared device when device-based conditional access policies are enabled

We improved the experience on a shared device with multiple users who are targeted with device-based conditional access policy by checking the latest compliance evaluation for the user when enforcing policy. For more information, see the following overview articles:

Use PKCS certificate profiles to provision devices with certificates

You can now use PKCS certificate profiles to issue certificates to devices that run Android for Work, iOS/iPadOS, and Windows, when associated with profiles like those for Wi-Fi and VPN. Previously those three platforms supported only user-based certificates, with device-based support being limited to macOS.

Note

PKCS certificate profiles are not supported with Wi-Fi profiles. Instead, use SCEP certificate profiles when you use an EAP type.

To use a device-based certificate, while creating a PKCS certificate profile for the supported platforms, select Settings. You'll now see the setting for Certificate type, which supports the options for Device, or User.

Monitor and troubleshoot

Centralized audit logs

A new centralized audit log experience now collects audit logs for all categories into one page. You can filter the logs to get the data you're looking for. To see the audit logs, go to Tenant administration > Audit logs.

Scope tag information included in audit log activity details

Audit log activity details now include scope tag information (for Intune objects that support scope tags). For more information about audit logs, see Use audit logs to track and monitor events.

November 2019

App management

UI update when selectively wiping app data

The UI to selectively wipe app data in Intune has been updated. UI changes include:

  • A simplified experience by using a wizard-style format condensed within one pane.
  • An update to the create flow to include assignments.
  • A summarized page of all things set when viewing properties, prior to creating a new policy or when editing a property. Also, when editing properties, the summary will only show a list of items from the category of properties being edited.

For more information, see How to wipe only corporate data from Intune-managed apps.

iOS and iPadOS third party keyboard support

In March 2019, we announced the removal of support for the iOS App protection policy setting Third party keyboards. The feature is returning to Intune with both iOS and iPadOS support. To enable this setting, visit the Data protection tab of a new or existing iOS/iPadOS app protection policy and find the Third party keyboards setting under Data Transfer.

The behavior of this policy setting differs slightly from the previous implementation. In multi-identity apps using SDK version 12.0.16 and later, targeted by app protection policies with this setting configured to Block, end users will be unable to opt for third party/partner keyboards in both their organization and personal accounts. Apps using SDK versions 12.0.12 and earlier will continue to exhibit the behavior documented in our blog post titled Known issue: Third party keyboards are not blocked in iOS for personal accounts.

Improved macOS enrollment experience in Company Portal

The Company Portal for macOS enrollment experience has a simpler enrollment process that aligns more closely with the Company Portal for iOS enrollment experience. Device users now see:

  • A sleeker user interface.
  • An improved enrollment checklist.
  • Clearer instructions about how to enroll their devices.
  • Improved troubleshooting options.

Web apps launched from the Windows Company Portal app

End users can now launch web apps directly from the Windows Company Portal app. End users can select the web app and then choose the option Open in browser. The published web URL is opened directly in a web browser. This functionality will be rolled out over the next week. For more information about Web apps, see Add web apps to Microsoft Intune.

New assignment type column in Company Portal for Windows 10

The Company Portal > Installed Apps > Assignment type column has been renamed to Required by your organization. Under that column, users will see a Yes or No value to indicate that an app is either required or made optional by their organization. These changes were made because device users were confused about the concept of available apps. Your users can find more information about installing apps from Company Portal in Install and share apps on your device. For more information about configuring the Company Portal app for your users, see How to configure the Microsoft Intune Company Portal app.

Device configuration

Target macOS user groups to require Jamf management

You can target specific groups of users that will get their macOS devices managed by Jamf. This targeting enables you to apply the Jamf compliance integration to a subset of macOS devices while other devices are managed by Intune. If you already use the Jamf integration, the All Users group will be targeted for the integration by default.

New Exchange ActiveSync settings when creating an Email device configuration profile on iOS devices

On iOS/iPadOS devices, you can configure email connectivity in a device configuration profile (Devices > Configuration > Create > iOS/iPadOS for platform > Email for profile type).

There are new Exchange ActiveSync settings available, including:

  • Exchange data to sync: Choose the Exchange services to sync (or block syncing) for Calendar, Contacts, Reminders, Notes, and Email.
  • Allow users to change sync settings: Allow (or block) users to change the sync settings for these services on their devices.

For more information on these settings, go to Email profile settings for iOS devices in Intune.

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer

Prevent users from adding personal Google accounts to Android Enterprise fully managed and dedicated devices

On Android Enterprise fully managed and dedicated devices, there's a new setting that prevents users from creating personal Google accounts (Devices > Configuration > Create > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile type > Users and Accounts settings > Personal Google Accounts).

To see the settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise fully managed devices
  • Android Enterprise dedicated devices

Server-side logging for Siri commands setting is removed in iOS/iPadOS device restrictions profile

On iOS and iPadOS devices, the Server-side logging for Siri commands setting is removed from the Microsoft Intune admin center (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile type > Built-in apps).

This setting has no effect on devices. To remove the setting from existing profiles, open the profile, make any change, and then save the profile. The profile is updated, and the setting is deleted from devices.

To see all the settings you can configure, see iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS/iPadOS

Windows 10 feature updates (public preview)

You can now deploy Windows 10 feature updates to Windows 10 devices. Windows 10 feature updates are a new software update policy that sets the version of Windows 10 that you want devices to install and remain at. You can use this new policy type along with your existing Windows 10 update rings.

Devices that receive Windows 10 feature updates policy install the specified version of Windows, and then remain at that version until the policy is edited or removed. Devices that run a later version of Windows remain at their current version. Devices that are held at a specific version of Windows can still install quality and security updates for that version from Windows 10 update rings.

This new type of policy begins rolling out to tenants this week. If this policy isn't available for your tenant yet, it will be soon.

Add and change key information in plist files for macOS applications

On macOS devices, you can now create a device configuration profile that uploads a property list file (.plist) associated with an app or with the device (Devices > Configuration > Create > macOS for platform > Preference File for profile type).

Only some apps support managed preferences, and these apps might not allow you to manage all settings. Be sure to upload a property list file that configures device channel settings, not user channel settings.

For more information on this feature, see Add a property list file to macOS devices using Microsoft Intune.

Applies to:

  • macOS devices running 10.7 and newer

Device management

Edit device name value for Autopilot devices

You can edit the Device Name value for Microsoft Entra joined Autopilot devices. For more information, see Edit Autopilot device attributes.

Edit Group Tag value for Autopilot devices

You can edit the Group Tag value for Autopilot devices. For more information, see Edit Autopilot device attributes.

Monitor and troubleshoot

Updated support experience

Starting today, an updated and streamlined in-console experience for getting help and support for Intune is rolling out to tenants. If this new experience isn't available for you yet, it will be soon.

We've improved the in-console search and feedback for common issues, and the workflow you use to contact support. When opening a support issue, you see real-time estimates for when you can expect a callback or email reply. Premier and Unified support customers can specify a severity for their issue, to help get support faster.

Improved Intune reporting experience (public preview)

Intune now provides an improved reporting experience. It includes new report types, better report organization, more focused views, improved report functionality, and more consistent and timely data. New report types focus on:

  • Operational - Provides fresh records with a negative health focus.
  • Organizational - Provides a broader summary of the overall state.
  • Historical - Provides patterns and trends over a period of time.
  • Specialist - Allows you to use raw data to create your own custom reports.

The first set of new reports focuses on device compliance. For more information, see Blog - Microsoft Intune reporting framework and Intune reports.

Role-based access control

Duplicate custom or built-in roles

You can now copy built-in and custom roles. For more information, see Copy a role.

New permissions for school administrator role

Two new permissions, Assign profile and Sync device, have been added to the school administrator role > Permissions > Enrollment programs. The Sync device permission lets group admins sync Windows Autopilot devices. The Assign profile permission lets them delete user-initiated Apple enrollment profiles. It also gives them permission to manage Autopilot device assignments and Autopilot deployment profile assignments. For a list of all school administrator/group admin permissions, see Assign group admins.

Security

BitLocker key rotation

You can use an Intune device action to remotely rotate BitLocker recovery keys for managed devices that run Windows version 1909 or later. To qualify to have recovery keys rotated, devices must be configured to support recovery key rotation.

Updates to dedicated device enrollment to support SCEP device certificate deployment

Intune now supports SCEP device certificate deployment to Android Enterprise dedicated devices for certificate-based access to Wi-Fi profiles. The Microsoft Intune app must be present on the device for deployment to work. As a result, we've updated the enrollment experience for Android Enterprise dedicated devices. New enrollments still start the same (with QR, NFC, Zero-touch, or device identifier) but now have a step that requires users to install the Intune app. Existing devices will start getting the app automatically installed on a rolling basis.

Intune audit logs for business-to-business collaboration

Business-to-business (B2B) collaboration allows you to securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Intune now supports audit logs for B2B guest users. For example, when guest users make changes, Intune can capture this data through audit logs. For more information, see What is guest user access in Microsoft Entra B2B?

Security baselines are supported on Microsoft Azure Government

Instances of Intune that are hosted on Microsoft Azure Government can now use security baselines to help you secure and protect your users and devices.

October 2019

App management

Improved checklist design in Company Portal app for Android

The setup checklist in the Company Portal app for Android has been updated with a lightweight design and new icons. The changes align with the recent updates made to the Company Portal app for iOS. For a side-by-side comparison of the changes, see What's new in the app UI. For a look at the updated enrollment steps, see Enroll with Android work profile and Enroll your Android device.

Win32 apps on Windows 10 S mode devices

You can install and run Win32 apps on Windows 10 S mode managed devices. For this task, you can create one or more supplemental policies for S mode using the Windows Defender Application Control (WDAC) PowerShell tools. Sign the supplemental policies with the Device Guard Signing Portal and then upload and distribute the policies via Intune. In Intune, you will find this capability by selecting Client apps > Windows 10 S supplemental policies. For more information, see Enable Win32 apps on S mode devices.

Set Win32 app availability based on a date and time

As an admin, you can configure the start time and deadline time for a required Win32 app. At the start time, Intune management extension will start the app content download and cache it. The app will be installed at the deadline time. For available apps, start time will dictate when the app is visible in Company Portal. For more information, see Intune Win32 app management.

Require device restart based on grace period after Win32 app install

You can require that a device must restart after a Win32 app successfully installs. For more information, see Win32 app management.

Dark Mode for iOS Company Portal

Dark Mode is available for the iOS Company Portal. Users can download company apps, manage their devices, and get IT support in the color scheme of their choice based on device settings. The iOS Company Portal will automatically match the end user's device settings for dark or light mode. For more information, see Introducing dark mode on Microsoft Intune Company Portal for iOS. For more information about the iOS Company Portal, see How to configure the Microsoft Intune Company Portal app.

Android Company Portal enforced minimum app version

By using the Min Company Portal version setting of an app protection policy, you can specify a minimum version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to Block access, Wipe data, or Warn as possible actions when the value isn't met. The possible formats for this value follow the [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision] pattern.

The Min Company Portal version setting, if configured, will affect any end user who gets version 5.0.4560.0 of the Company Portal and any future versions of the Company Portal. This setting will have no effect on users using a version of Company Portal that is older than the version that this feature is released with. End users using app auto-updates on their device will likely not see any dialogs from this feature, given that they will likely be on the latest Company Portal version. This setting is Android only with app protection for enrolled and unenrolled devices. For more information, see Android app protection policy settings - Conditional launch.

Add Mobile Threat Defense apps to unenrolled devices

You can create an Intune app protection policy that can block, or selectively wipe, the user's corporate data based on the health of a device. The health of the device is determined using your chosen Mobile Threat Defense (MTD) solution. This capability exists today with Intune enrolled devices as a device compliance setting. With this new feature, we extend the threat detection from a Mobile Threat Defense vendor to function on unenrolled devices. On Android, this feature requires the latest Company Portal on the device. On iOS, this feature will be available for use when apps integrate the latest Intune SDK (v 12.0.15+). We'll update the What's New article when the first app adopts the latest Intune SDK. The remaining apps will become available on a rolling basis. For more information, see Create Mobile Threat Defense app protection policy with Intune.

Available Google Play app reporting for Android work profiles

For available app installs on Android Enterprise work profile, dedicated, and fully managed devices you can view app installation status and the installed version of managed Google Play apps. For more information, see How to monitor app protection policies, Manage Android work profile devices with Intune and Managed Google Play app type.

Microsoft Edge version 77 and later for Windows 10 and macOS (public preview)

Microsoft Edge version 77 and later will be available to deploy to PCs running Windows 10 and macOS.

The public preview offers Dev and Beta channels for Windows 10 and a Beta channel for macOS. The deployment is in English (EN) only; however, end users can change the display language in the browser under Settings > Languages. Microsoft Edge is a Win32 app installed in system context and on like architectures (x86 app on x86 OS, and x64 app on x64 OS). In addition, automatic updates of the browser are On by default, and Microsoft Edge cannot be uninstalled. For more information, see Add Microsoft Edge for Windows 10 to Microsoft Intune and Microsoft Edge documentation.

Update to app protection UI and iOS app provisioning UI

The UI to create and edit app protection policies and iOS app provisioning profiles in Intune has been updated. UI changes include:

  • A simplified experience by using a wizard-style format condensed within one blade.
  • An update to the create flow to include assignments.
  • A summarized page of all things set when viewing properties, prior to creating a new policy or when editing a property. Also, when editing properties, the summary will only show a list of items from the category of properties being edited.

For more information, see How to create and assign app protection policies and Use iOS app provisioning profiles.

Intune guided scenarios

Intune now provides guided scenarios to help you complete a specific task or set of tasks within Intune. A guided scenario is a customized series of steps (workflow) centered around one end-to-end use-case. Common scenarios are defined based on the role an admin, user, or device plays in your organization. These workflows typically require a collection of carefully orchestrated profiles, settings, applications, and security controls to provide the best user experience and security. New guided scenarios include:

For more information, see Intune guided scenarios overview.

App configuration variable available

When creating an app configuration policy, you can include the AAD_Device_ID configuration variable as part of your configuration settings. In Intune, select Client apps > App configuration policies > Add. Enter your configuration policy details and select Configuration settings to view the Configuration settings blade. For more information, see App configuration policies for managed Android Enterprise devices - Use the configuration designer.

Create groups of management objects called policy sets

Policy sets allow you to create a bundle of references to already existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. Policy sets don't replace existing concepts or objects. You can continue to assign individual objects in Intune and you can reference individual objects as part of a policy set. Therefore, any changes to those individual objects will be reflected in the Policy set. In Intune, you will select Policy sets > Create to create a new Policy set.

Device configuration


New device firmware configuration interface profile for Windows 10 and later devices (public preview)

On Windows 10 and later, you can create a device configuration profile to control settings and features (Devices > Configuration > Create > Windows 10 and later for platform). In this update, there's a new device firmware configuration interface profile type that allows Intune to manage UEFI (BIOS) settings.

For more information on this feature, see Use DFCI profiles on Windows devices in Microsoft Intune.

Applies to:

  • Windows 10 RS5 (1809) and newer on supported firmware

UI update for creating and editing Windows 10 Update Rings

We've updated the UI experience for creating and editing Windows 10 Update Rings for Intune. Changes to UI include:

  • A wizard-style format condensed into a single blade, which does away with the blade sprawl seen previously as you configure update rings.
  • The revised workflow includes Assignments, before completing the initial configuration of the ring.
  • A summary page you can use to review all the configurations you made, before saving and deploying a new update ring. When editing an update ring, the summary shows only the list of items set within the category of properties you edited.

UI update for creating and editing iOS software update policy

We've updated the UI experience for creating and editing iOS software update policies for Intune. Changes to UI include:

  • A wizard-style format condensed into a single blade, which does away with the blade sprawl seen previously as you configure update policies.
  • The revised workflow includes Assignments, before completing the initial configuration of the policy.
  • A summary page you can use to review all the configurations you made, before saving and deploying a new policy. When editing a policy, the summary shows only the list of items set within the category of properties you edited.

Engaged restart settings are removed from Windows Update rings

As previously announced, Intune's Windows 10 Update rings now support settings for deadlines and no longer support Engaged restart. Settings for Engaged restart are no longer available when you configure or manage Update rings in Intune.

This change aligns with recent Windows servicing changes: on devices that run Windows 10 1903 or later, deadlines supersede configurations for engaged restart.

Prevent installation of apps from Unknown Sources on Android Enterprise work profile devices

On Android Enterprise work profile devices, users can't ever install apps from unknown sources. In this update, there's a new setting - Prevent app installations from unknown sources in the personal profile. By default, this setting prevents users from side-loading apps from unknown sources into the personal profile on the device.

To see the setting you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise work profile

Create a global HTTP proxy on Android Enterprise device owner devices

On Android Enterprise devices, you can configure a global HTTP Proxy to meet your organization's web browsing standards (Devices > Configuration > Create > Android Enterprise for platform > Device owner > Device restrictions for profile type > Connectivity). Once configured, all HTTP traffic will use this proxy.

To configure this feature, and see all the settings you configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise device owner

Connect automatically setting is removed in Wi-Fi profiles on Android device administrator and Android Enterprise

On Android device administrator and Android Enterprise devices, you can create a Wi-Fi profile to configure different settings (Devices > Configuration > Create > Android device administrator or Android Enterprise for platform > Wi-Fi for profile type). In this update, the Connect automatically setting is removed, as it's not supported by Android.

If you use this setting in a Wi-Fi profile, you might have noticed that Connect automatically doesn't work. You don't need to take any action, but be aware this setting is removed in the Intune user interface.

To see the current settings, go to Android Wi-Fi settings or Android Enterprise Wi-Fi settings.

Applies to:

  • Android device administrator
  • Android Enterprise

New device configuration settings for supervised iOS and iPadOS devices

On iOS and iPadOS devices, you can create a profile to restrict features and settings on devices (Devices > Configuration > Create > iOS/iPadOS for platform > Device restrictions for profile type). In this update, there are new settings you can control:

  • Access to network drive in Files app
  • Access to USB drive in Files app
  • Wi-Fi always turned on

To see these settings, go to iOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer

Device enrollment

Toggle to only show Enrollment Status Page on devices provisioned by out-of-box experience (OOBE)

You can now choose to only show the Enrollment Status Page on devices provisioned by Autopilot OOBE.

To see the new toggle, choose Intune > Device enrollment > Windows enrollment > Enrollment Status Page > Create Profile > Settings > Only show page to devices provisioned by out-of-box experience (OOBE).

Specify which Android device operating system versions enroll with work profile or device administrator enrollment

Using Intune device type restrictions, you can use the device's OS version to specify which user devices will use Android Enterprise work profile enrollment or Android device administrator enrollment. For more information, see Set enrollment restrictions.

Device management

Intune supports iOS 11 and later

Intune enrollment and Company Portal now support iOS versions 11 and later. Older versions aren't supported.

New restrictions for renaming Windows devices

When renaming a Windows device, you must follow new rules:

  • 15 characters or less (must be less than or equal to 63 bytes, not including trailing NULL)
  • Not null or an empty string
  • Allowed ASCII: Letters (a-z, A-Z), numbers (0-9), and hyphens
  • Allowed Unicode: characters >= 0x80, must be valid UTF8, must be IDN-mappable (that is, RtlIdnToNameprepUnicode succeeds; see RFC 3492)
  • Names must not contain only numbers
  • No spaces in the name
  • Disallowed characters: { | } ~ [ \ ] ^ ' : ; < = > ? & @ ! " # $ % ` ( ) + / , . _ *)

For more information, see Rename a device in Intune.
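The rename rules above can be checked before submitting a name. The following validator is an added example, not Intune's own code; it stands in for the RtlIdnToNameprepUnicode check with Python's built-in `idna` codec (RFC 3490 nameprep), and all sample names are constructed.

```python
"""Validate a proposed Windows device name against the Intune rename rules.

Added example, not Intune's own code. The IDN-mappable rule is approximated
with Python's built-in 'idna' codec (nameprep), which is not identical to
RtlIdnToNameprepUnicode but rejects the same classes of prohibited characters.
"""
from typing import List

# Characters the rename rules list as disallowed, plus the space character.
DISALLOWED = set('{|}~[\\]^\':;<=>?&@!"#$%`()+/,._*') | {" "}


def validate_device_name(name: str) -> List[str]:
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems: List[str] = []
    if not name:
        return ["name is null or empty"]
    if len(name) > 15:
        problems.append("longer than 15 characters")
    try:
        raw = name.encode("utf-8")  # surrogates or other non-UTF-8 content fail here
    except UnicodeEncodeError:
        return problems + ["not valid UTF-8"]
    if len(raw) > 63:
        problems.append("longer than 63 bytes")
    bad = sorted({c for c in name if c in DISALLOWED})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    # ASCII is restricted to letters, digits and hyphens; anything else
    # (control characters, for example) is rejected even if not listed.
    for c in name:
        if ord(c) < 0x80 and c not in DISALLOWED and not (c.isalnum() or c == "-"):
            problems.append(f"ASCII character not allowed: {c!r}")
            break
    if all(c in "0123456789" for c in name):
        problems.append("contains only numbers")
    # Non-ASCII names must survive nameprep/IDN mapping (approximation, see above).
    if any(ord(c) >= 0x80 for c in name):
        try:
            name.encode("idna")
        except UnicodeError:
            problems.append("non-ASCII name is not IDN-mappable")
    return problems


if __name__ == "__main__":
    # Constructed sample names exercising each rule.
    for sample in ["LAPTOP-0042", "LAPTOP 0042", "123456", "desk_01", "büro-pc-01"]:
        print(repr(sample), "->", validate_device_name(sample) or "OK")
```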

New Android report on Devices overview page

A new report to the Devices overview page displays how many Android devices have been enrolled in each device management solution. This chart shows work profile, fully managed, dedicated, and device administrator enrolled device counts. To see the report, choose Intune > Devices > Overview.

Device security

Microsoft Edge baseline (Preview)

We've added a security baseline Preview for Microsoft Edge settings.

PKCS certificates for macOS

You can now use PKCS certificates with macOS. You can select the PKCS certificate as a profile type for macOS, and deploy user and device certificates that have customized subject and subject alternative name fields.

PKCS certificate for macOS also supports a new setting, Allow All Apps Access. With this setting, you can enable all associated apps access to the private key of the certificate. For more information about this setting, see the Apple documentation at https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf.

Derived Credentials to provision iOS mobile devices with certificates

Intune supports use of derived credentials as an authentication method and for S/MIME signing and encryption for iOS devices. Derived credentials are an implementation of the National Institute of Standards and Technology (NIST) 800-157 standard for deploying certificates to devices.

Derived credentials rely on the use of a Personal Identity Verification (PIV) or Common Access Card (CAC) card, like a smart card. To get a derived credential for their mobile device, users start in the Company Portal app and follow an enrollment workflow that is unique to the provider you use. Common to all providers is the requirement to use a smart card on a computer to authenticate to the derived credential provider. That provider then issues a certificate to the device that's derived from the user's smart card.

Intune supports the following derived credential providers:

  • DISA Purebred
  • Entrust
  • Intercede

You use derived credentials as the authentication method for device configuration profiles for VPN, Wi-Fi, and email. You can also use them for app authentication, and S/MIME signing and encryption.

For more information about the standard, see Derived PIV Credentials at www.nccoe.nist.gov.

Use Graph API to specify an on-premises User Principal Name as a variable for SCEP certificates

When you use the Intune Graph API, you can specify onPremisesUserPrincipalName as a variable for the Subject Alternative Name (SAN) for SCEP certificates.


Microsoft 365 Device Management

Improved administration experience in Microsoft 365 Device Management

A refreshed and streamlined administration experience is now generally available in the Microsoft 365 Device Management specialist workspace at https://endpoint.microsoft.com, including:

  • Updated navigation: You will find a simplified first level navigation that logically groups features.
  • New platform filters: You can select a single platform, which shows only the policies and apps for the selected platform, on the Devices and Apps pages.
  • A new home page: Quickly see service health, state of your tenant, news, etc. on the new home page.

For more information about these improvements, see the Enterprise Mobility + Security blog post on the Microsoft Tech Community web site.

Introducing Endpoint Security node in Microsoft 365 Device Management

Endpoint Security node is now generally available in Microsoft 365 Device Management specialist workspace at https://endpoint.microsoft.com, which groups together the capabilities to secure endpoints such as:

  • Security baselines: Pre-configured groups of settings that help you apply known settings and default values recommended by Microsoft.
  • Security Tasks: Take advantage of Microsoft Defender for Endpoint's Threat and Vulnerability Management (TVM) and use Intune to remediate endpoint weaknesses.
  • Microsoft Defender for Endpoint: Integrated Microsoft Defender for Endpoint to help prevent security breaches.

These settings will continue to be accessible from other applicable nodes, such as devices. Current configured state will be the same no matter where you access and enable these capabilities.

For more information about these improvements, see the Intune Customer Success blog post on the Microsoft Tech Community web site.

September 2019

App management

Managed Google Play private LOB apps

Intune now allows IT admins to publish private Android LOB apps to Managed Google Play via an iframe embedded in the Intune console. Previously, IT admins needed to publish LOB apps directly to Google's Play publishing console, which required several steps and was time consuming. This new feature allows for easy publishing of LOB apps with a minimal set of steps, without needing to leave the Intune console. Admins will no longer need to manually register as a developer with Google, and will no longer need to pay the Google $25 registration fee. Any of the Android Enterprise management scenarios that use Managed Google Play can take advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune, select Client apps > Apps > Add. Then, select Managed Google Play from the App type list. For more information about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Windows Company Portal experience

The Windows Company Portal is being updated. You can use multiple filters on the Apps page within the Windows Company Portal. The Device Details page is also being updated with an improved user experience. We are in the process of rolling out these updates to all customers and expect to be completed by the end of next week.

macOS support for web apps

Web apps, which allow you to add a shortcut to a URL on the web, can be installed to the Dock using the macOS Company Portal. End users can access the Install action from the app details page for a web app in the macOS Company Portal. For more information about the Web link app type, see Add apps to Microsoft Intune and Add web apps to Microsoft Intune.

macOS support for VPP apps

macOS apps purchased using Apple Business Manager, are displayed in the console when Apple VPP tokens are synced in Intune. You can assign, revoke and reassign device and user-based licenses for groups using the Intune console. Microsoft Intune helps you manage VPP apps purchased for use at your company by:

  • Reporting license information from the app store.
  • Tracking how many of the licenses you have used.
  • Helping you prevent installation of more copies of the app than your organization owns.

For more information about Intune and VPP, see Manage volume-purchased apps and books with Microsoft Intune.

Managed Google Play iframe support

Intune now provides support for adding and managing web links directly in the Intune console via the Managed Google Play iframe. This feature lets IT admins submit a URL and icon graphic, and then deploy those links to devices just like regular Android apps. Any of the Android Enterprise management scenarios that use Managed Google Play can take advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune, select Client apps > Apps > Add. Then, select Managed Google Play from the App type list. For more information about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Silently install Android LOB apps on Zebra devices

When installing Android line-of-business (LOB) apps on Zebra devices, rather than being prompted to both download and install the LOB app, you can install the app silently. In Intune, select Client apps > Apps > Add. In the Select app type pane, select Line-of-business app. For more information, see Add an Android line-of-business app to Microsoft Intune.

Currently, after the LOB app is downloaded, a download success notification will appear on the user's device. The notification can only be dismissed by tapping Clear All in the notification shade. This notification issue will be fixed in an upcoming release, and the installation will be silent with no visual indicators.

Read and write Graph API operations for Intune apps

Applications can call the Intune Graph API with both read and write operations using app identity without user credentials. For more information about accessing the Microsoft Graph API for Intune, see Working with Intune in Microsoft Graph.

Protected data sharing and encryption for Intune App SDK for iOS

The Intune App SDK for iOS will use 256-bit encryption keys when encryption is enabled by App Protection Policies. All apps will need to have an SDK version 8.1.1 to allow protected data sharing.

Updates to Microsoft Intune app

The Microsoft Intune app for Android has been updated with the following improvements:

  • Updated and improved the layout to include bottom navigation for the most important actions.
  • Added another page that shows the user's profile.
  • Added the display of actionable notifications in the app for the user, such as the need to update their device settings.
  • Added the display of custom push notifications, aligning the app with the support recently added in the Company Portal app for iOS and Android. For more information, see Send custom notifications in Intune.

For iOS devices, customize the enrollment process privacy screen of the Company Portal

Using Markdown, you can customize the Company Portal's privacy screen that end users see during iOS enrollment. Specifically, you can customize the list of things that your organization can't see or do on the device. For more information, see How to configure the Intune Company Portal app.

Device configuration

Support for IKEv2 VPN profiles for iOS

In this update, you can create VPN profiles for the iOS native VPN client using the IKEv2 protocol. IKEv2 is a new connection type in Devices > Configuration > Create > iOS for platform > VPN for profile type > Connection Type.

These VPN profiles configure the native VPN client, so no VPN client apps are installed or pushed to managed devices. This feature requires devices be enrolled in Intune (MDM enrollment).

To see the current VPN settings you can configure, go to Configure VPN settings on iOS devices.

Applies to:

  • iOS

Device features, device restrictions, and extension profiles for iOS and macOS settings are shown by enrollment type

In Intune, you create profiles for iOS and macOS devices (Devices > Configuration > Create > iOS or macOS for platform > Device features, Device restrictions, or Extensions for profile type).

In this update, the available settings in the Intune admin center are categorized by the enrollment type they apply to:

  • iOS

    • User enrollment
    • Device enrollment
    • Automated device enrollment (supervised)
    • All enrollment types
  • macOS

    • User approved
    • Device enrollment
    • Automated device enrollment
    • All enrollment types

Applies to:

  • iOS

New voice control settings for supervised iOS devices running in kiosk mode

In Intune, you can create policies to run supervised iOS devices as a kiosk, or dedicated device (Devices > Configuration > Create > iOS for platform > Device restrictions for profile type > Kiosk).

In this update, there are new settings you can control:

  • Voice control: Enables Voice Control on the device while in kiosk mode.
  • Modification of voice control: Allow users to change the Voice Control setting on the device while in kiosk mode.

To see the current settings, go to iOS Kiosk settings.

Applies to:

  • iOS 13.0 and later

Use single sign-on for apps and websites on your iOS and macOS devices

In this update, there are some new single sign-on settings for iOS and macOS devices (Devices > Configuration > Create > iOS or macOS for platform > Device features for profile type).

Use these settings to configure a single sign-on experience, especially for apps and websites that use Kerberos authentication. You can choose between a generic credential single sign-on app extension, and Apple's built-in Kerberos extension.

To see the current device features you can configure, go to iOS device features and macOS device features.

Applies to:

  • iOS 13.0 and newer
  • macOS 10.15 and newer

Associate domains to apps on macOS 10.15+ devices

On macOS devices, you can configure different features, and push these features to your devices using a policy (Devices > Configuration > Create > macOS for platform > Device features for profile type). In this update, you can associate domains to your apps. This feature helps share credentials with websites related to your app, and can be used with Apple's single sign-on extension, universal links, and password autofill.

To see the current features you can configure, go to macOS device feature settings in Intune.

Applies to:

  • macOS 10.15 and newer

Use "iTunes" and "apps" in the iTunes App store URL when showing or hiding apps on iOS supervised devices

In Intune, you can create policies to show or hide apps on your supervised iOS devices (Devices > Configuration > Create > iOS for platform > Device restrictions for profile type > Show or hide apps).

You can enter the iTunes App store URL, such as https://itunes.apple.com/us/app/work-folders/id950878067?mt=8. In this update, both apps and itunes can be used in the URL, such as:

  • https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
  • https://apps.apple.com/us/app/work-folders/id950878067?mt=8

For more information on these settings, see Show or hide apps.

Applies to:

  • iOS

Windows 10 compliance policy password type values are clearer and match CSP

On Windows 10 devices, you can create a compliance policy that requires specific password features (Device compliance > Policies > Create policy > Windows 10 and later for platform > System Security). In this update:

For more information on Windows 10 compliance settings, see Windows 10 and later settings to mark devices as compliant or not compliant.

Applies to:

  • Windows 10 and later

Updated UI for configuring Microsoft Exchange on-premises access

We've updated the console where you configure Microsoft Exchange on-premises access. All of the configurations for Exchange on-premises access are now available on the same pane of the console where you enable Exchange on-premises access control.

Allow or restrict adding app widgets to the home screen on Android Enterprise work profile devices

On Android Enterprise devices, you can configure features in the work profile (Devices > Configuration > Create > Android Enterprise for platform > Work profile only > Device restrictions for profile type). In this update, you can allow users to add widgets exposed by work profile apps to the device home screen.

To see the settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise work profile

Device enrollment

New tenants will default away from Android device administrator management

Android's device administrator capabilities have been superseded by Android Enterprise. Therefore, we recommend using Android Enterprise for new enrollments instead. In a future update, new tenants will need to complete the following prerequisite steps in Android enrollment to use device administrator management: Go to Intune > Device enrollment > Android enrollment > Personal and corporate-owned devices with device administration privileges > Use device administrator to manage devices.

Existing tenants will experience no change in their environments.

For more information about Android device administrator in Intune, see Android device administrator enrollment.

List of DEP devices associated with a profile

You can now see a paged list of Apple Automated Device Enrollment Program (DEP) devices that are associated with a profile. You can search the list from any page in the list. To see the list, go to Intune > Device enrollment > Apple enrollment > Enrollment program tokens > choose a token > Profiles > choose a profile > Assigned devices (under Monitor).

iOS User Enrollment in Preview

Apple's iOS 13.1 release includes User Enrollment, a new form of lightweight management for iOS devices. It can be used in place of Device Enrollme