In development for Microsoft Intune - January 2020

To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.
  • When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.
  • This page and the What's new page are updated periodically. Check back for additional updates.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.


This page reflects our current expectations about Intune capabilities in a future release. Dates and individual features might change. This page doesn't describe all features in development.

RSS feed: Find out when this page is updated by copying and pasting the following URL into your feed reader:

App management

Display notifications for the Company Portal app on Windows

We'll update the Company Portal app on Windows devices to display toast notifications to users, even when the application is closed. The update will show notifications for available apps only when the installation status is completed or failed. The Company Portal app won't show notifications for required applications.

Display installation status messages for the Company Portal app

The Company Portal app will show additional app installation status messages to end users. The following conditions will apply to new Win32 dependency features:

  • App failed to install. Dependencies defined by the admin were not met.

Retarget web clips to Microsoft Edge on iOS devices

Web clips, which act as pinned web apps on iOS devices, will need to be updated. Newly deployed web clips will open in Microsoft Edge instead of the Intune Managed Browser if required to open in a protected browser. You must retarget pre-existing web clips to ensure they open in Microsoft Edge instead of the Managed Browser.

User experience change when adding apps to Intune

You will see a new user experience when adding apps via Intune. This experience provides the same settings and details that you have used previously, however the new experience follows a wizard-like process before adding an app to Intune. This new experience also provides a review page before adding the app. From the Microsoft Endpoint Manager admin center, select Apps > All apps > Add. For more information, see Add apps to Microsoft Intune.

Require Win32 apps to restart

You can require that a Win32 app must restart after a successful install. Also, you can choose the amount of time (the grace period) before the restart must occur.

Device configuration

Add automatic proxy settings to Wi-Fi profiles for Android Enterprise work profiles

On Android Enterprise Work Profile devices, you can create Wi-Fi profiles. When you choose the Wi-Fi Enterprise type, you can also enter the Extensible Authentication Protocol (EAP) type used on your Wi-Fi network.

In a future update, when you choose the Enterprise type, you'll be able to enter automatic proxy settings, including a proxy server URL, such as

To see the current Wi-Fi settings you can configure, go to Add Wi-Fi settings for devices running Android Enterprise and Android kiosk in Microsoft Intune.

Applies to:

  • Android Enterprise work profile

Wired network device configuration profiles for macOS devices

A new macOS device configuration profile will be available that configures wired networks (Device configuration > Profiles > Create profile > macOS for platform > Wired Network for profile type). Use this feature to create 802.1x profiles to manage wired networks, and deploy these wired networks to your macOS devices.

Applies to:

  • macOS

VPN profiles with IKEv2 VPN connections can use always on with iOS devices

On iOS devices, you can create a VPN profile that uses an IKEv2 connection (Device configuration > Profiles > Create profile > iOS/iPadOS for platform > VPN for profile type). In a future update, you can configure always-on with IKEv2. When configured, IKEv2 VPN profiles connect automatically, and stay connected (or quickly reconnect) to the VPN. It stays connected even when moving between networks or restarting devices.

On iOS, always-on VPN is limited to IKEv2 profiles.

To see the current IKEv2 settings you can configure, go to Add VPN settings on iOS devices in Microsoft Intune.

Applies to:

  • iOS

Improved user interface experience when creating configuration profiles on iOS and macOS devices

When you create a profile for iOS or macOS devices, the experience in the Endpoint Management Admin Center will be updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > iOS or macOS for platform):

  • Custom: iOS, macOS
  • Device features: iOS, macOS
  • Device restrictions: iOS, macOS
  • Endpoint protection: macOS
  • Extensions: macOS
  • Preference file: macOS

Improved user interface experience when creating OEMConfig configuration profiles on Android Enterprise devices

When you create or edit an OEMConfig profile for Android Enterprise devices, the experience in the Endpoint Management admin center is updated. The updated experience will provide a summary of settings you've configured at a glance. This change impacts the OEMConfig device configuration profile (Devices > Configuration profiles > Create profile > Android Enterprise for platform > OEMConfig for profile type).

This feature applies to:

  • Android Enterprise

Device enrollment

Block Android enrollments by device manufacturer

You'll be able to block devices from enrolling based on the manufacturer of the device. This applies to Android device administrator and Android Enterprise work profile devices. To see enrollment restrictions, go to the Microsoft Endpoint Manager Admin Center> Devices > Enrollment restrictions.

Device management

New information in device details

The following information will be added to the Overview page for devices:

  • Memory Capacity (amount of physical memory on the device)
  • Storage Capacity (amount of physical storage on the device)
  • CPU Processor Type and Speed
  • RAM and processor data

Role-based access control

New Intune built-in role Endpoint security manager

A new Intune built-in role will be available: the Endpoint security manager. This new role gives admins full access to the Endpoint Manager node in Intune and ready-only access to other areas. The role is an expansion of the “Security Administrator” role from Azure AD. If you currently just have Global Admins as roles, then there’s no changes needed. If you use roles, and you’d like the granularity that the Endpoint Security Manager provides, then assign that role when it is available. For more information about built-in roles, see Role-based access control.

Intune Roles user interface changes coming

The user interface for Microsoft Endpoint Manager Admin Center > Tenant administration > Roles will be changing to a more user-friendly and intuitive design. This experience provides the same settings and details that you use now, however the new experience employs a wizard-like process.


Derived credentials support on Android COBO devices

You'll be able to use derived credentials on Android Enterprise fully managed devices. Support will be included for retrieving a derived credential for Entrust Datacard, Intercede, and DISA Purebred. You'll be able to use a derived credential for app authentication, Wi-Fi, VPN, or S/MIME signing and/or encryption with apps that support it.


These notices provide important information that can help you prepare for future Intune changes and features.

Updated Feature: New RBAC role coming to Intune

In the January Intune service update, we plan to release a new security role in Intune. You will see this role listed as “Endpoint Security Manager” in Intune and the role is an expansion of the “Security Administrator” role from Azure AD.

How does this affect me?

Today there are three roles available in Azure AD for your security professionals:

  • Security Reader role in Azure AD which gives read only access to Intune.
  • Security Operator role in Azure AD which gives read only access to Intune.
  • Security Administrator in Azure AD. When Intune ships the January update, along with read only permissions to Intune, the new permissions provided by the Endpoint Security Manager role are as follows:
    • Read, Create, Update, Delete, and Assign Device Compliance Policies
    • Read, Delete, and Update Managed devices
    • Read, Create, Update, Delete, and Assign Security baselines
    • Read and Update Security tasks

What do I need to do to prepare for this change?

Review your Intune RBAC roles today. If you currently just have Global Admins as roles, then there’s no changes needed. If you use roles, and you’d like the granularity that the Endpoint Security Manager provides, then assign that role when it is available. Check the Intune What’s New page for up-to-date Intune release information.

Updated support statement for 'Adobe Acrobat Reader for Intune' mobile app

We shared in MC188653 at the end of August, that the Adobe Acrobat Reader for Intune mobile app was reaching end-of-life on December 1, 2019 and that Adobe was planning on supporting Intune’s app protection policies within their main Acrobat Reader app. Since then, we received customer feedback that we needed to provide more time to continue allowing IT admins to target, and end users to begin using Adobe Acrobat Reader for Intune. Given the high usage of Adobe Acrobat Reader for Intune on end user devices and its importance in enterprise scenarios, we want to make sure any experience meets your organization's app protection needs.

While we still recommend targeting the general Acrobat Reader mobile app in your policies since the Acrobat Reader mobile app supports App Protection Policies and has integrated the Intune SDK, the Adobe Acrobat Reader for Intune app will continue to be supported until March 31, 2020.

How does this affect me?

You are receiving this message because our reporting indicates one or more policies in your organization are targeting the Adobe Acrobat Reader for Intune application and/or you may have received our previous EOL communication.

What do I need to do to prepare for this change?

Let your end users and helpdesk know of this change. You can use the Company Portal's support information functionality to establish a channel for Intune-related questions.

Additional Information

End Support for Windows Phone 8.1

Microsoft mainstream support for Windows Phone 8.1 ended in July 2017, and extended support ended in June 2019. The Company Portal app for Windows Phone 8.1 has been in sustain mode since October 2017. Microsoft Intune will now end support on February 20, 2020 for Windows Phone 8.1.

How does this affect me?

After February 20, 2020 these devices won't receive any security updates, and you won't be able to enroll any new devices. Existing Windows Phone 8.1 devices will stay enrolled (policy, apps, reporting) but note any troubleshooting of an existing enrollment won't be supported after this date, as many components, such as third party certificates, have already ended support for the platform. Intune will stop compatibility testing with Intune and Windows Phone 8.1.

What do I need to do to prepare for this change?

You can check your Intune reporting to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running Windows Phone 8.1. Request that your end users upgrade their devices to a supported OS version.

Take Action: Use Microsoft Edge for your Protected Intune Browser Experience

As we have been sharing over the past year, Microsoft Edge mobile supports the same set of management features as the Managed Browser, while providing a much-improved end user experience. To make way for the robust experiences provided in Microsoft Edge, we will be retiring the Intune Managed Browser. Starting on January, 27, 2020, Intune will no longer support the Intune Managed Browser.

How does this affect me?

Starting on February 1, 2020, the Intune Managed Browser will no longer be available in the Google Play Store or the iOS App Store. At this point, you will still be able to target new app protection policies to the Intune Managed Browser, though new users won't be able to download the Intune Managed Browser app. In addition, on iOS, new web clips that are pushed down to MDM-enrolled device will open in Microsoft Edge instead of the Intune Managed Browser.

On March, 31 2020, the Intune Managed Browser will be removed from the Azure console. This means you will no longer be able to create new policies for the Intune Managed Browser. If you have existing Intune Managed Browser policies in place, they won't be affected. The Intune Managed Browser will show up in the console as an LOB app with no icon, and existing policies will show as targeted to the app still. At this point, we will also remove the option to redirect web content to the Intune Managed Browser within the Data Protection section of App protection policies.

What do I need to do to prepare for this change?

To ensure a smooth transition from the Intune Managed Browser to Microsoft Edge, we recommend you take the following steps proactively:

  1. Target Microsoft Edge for iOS and Android with app protection policy (also referred to as MAM) and app config settings. You can reuse your Intune Managed Browser policies for Microsoft Edge by targeting those existing policies to Microsoft Edge as well.
  2. Ensure all MAM-protected apps in your environment have the app protection policy setting "Restrict web content transfer with other apps" set to "Policy managed browsers".
  3. Target all the MAM-protected with the managed app configuration setting "" set to true. Starting next month with the release of 1911, you will be able to accomplish steps 2 and 3 simply by configuring the setting "Restrict web content transfer with other apps" to have "Microsoft Edge" selected in the Data Protection section of your app protection policies.

Support for web clips on iOS and Android is coming. When this support is released, you will need to retarget pre-existing web clips to ensure they open in in Microsoft Edge instead of the Managed Browser.

Additional information

Please visit our docs on using Microsoft Edge with app protection policies for more info, or view our support blog post.

Plan for Change: Updated experience when enrolling Android Enterprise dedicated devices in Intune

With the November or 1911 release to Intune, we’re adding support for SCEP device certificate deployment to Android Enterprise dedicated devices to enable certificate-based access to Wi-Fi profiles. This change also involves some minor changes the flow when enrolling Android Enterprise dedicated devices.

How does this affect me?

If you manage Android Enterprise dedicated devices in your environment, you will start to see some changes roll out in November.

  • For new Android Enterprise dedicated device enrollments: End users will see a different set of steps on devices during enrollment. Enrollment will still start the way it does today (with QR, NFC, Zero-touch, or device identifier) but after the November service release, there will be a mandatory app install step.
  • For existing Android devices enrolled as dedicated devices: Intune will start to automatically install the Microsoft Intune app on devices starting in early November. You don't need to take any action. The app will automatically download and install on devices.

What can I do to prepare for this change?

You should plan to update your end user guidance and let your helpdesk know of this change. Click Additional Information for more details and screenshots. We’ll update our What’s New page when this change starts to roll out.

Additional information

End of support for legacy PC management

Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as Mobile Device Management (MDM) devices to keep them managed by Intune.

Learn more

Decreasing support for Android device administrator

Android device administrator (sometimes referred to "legacy" Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is now available with Android Enterprise (released with Android 5.0). In an effort to move to modern, richer, and more secure device management, Google is decreasing device administrator support in new Android releases.

How does this affect me?

Because of these changes by Google, Intune users will be impacted in the following ways:

  • Intune will only be able to provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices that are running Android 10 or later after this time won't be able to be entirely managed. In particular, impacted devices won’t receive new password requirements.
    • Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you more time to plan the transition off device admin management.   
  • Device administrator-managed Android devices that remain on Android versions below Android 10 won't be impacted and can continue to be entirely managed with device administrator.
  • For all devices running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device updates to Android 10 or later:
    • Network access control for VPN will no longer work.
    • Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned.
    • The IMEI and serial number will no longer be visible to IT admins in Intune.


      This only impacts device administrator-managed devices on Android 10 and later and does not affect devices being managed as Android Enterprise.

What do I need to do to prepare for this change?

To avoid the reduction in functionality coming in Q3 CY2020, we recommend the following:

  • Don't onboard new devices into device administrator management.
  • If a device is expected to receive an update to Android 10, migrate it off of device administrator management to Android Enterprise management and/or app protection policies.

Additional information

Plan for change: Intune App SDK and app protection policies for Android moving to support Android 5.0 and higher in an upcoming release

Intune will be moving to support Android 5.x (Lollipop) and higher in an upcoming release. Update any wrapped apps with the latest Intune App SDK and update your devices.

How does this affect me?

If you're not using or plan to use either the SDK or APP for Android, this change won't affect you. If you are using the Intune App SDK, be sure to update to the latest version and also update your devices to Android 5.x and higher. If you don't update, apps won't receive updates, and the quality of their experience will diminish over time.

Below find a list of common devices enrolled in Intune that run Android version 4.x. If you have one of these devices, take the appropriate steps to make sure that this device will support Android version 5.0 or higher or that it will be replaced with a device that supports Android version 5.0 or higher. This list isn't exhaustive of all devices that may need to be evaluated:

  • Samsung SM-T561
  • Samsung SM-T365
  • Samsung GT-I9195
  • Samsung SM-G800F
  • Samsung SM-G357FZ
  • Motorola XT1080
  • Samsung GT-I9305
  • Samsung SM-T231

What do I need to do to prepare for this change?

Wrap your apps with the latest Intune App SDK. You may also set the "Require minimum OS version (Warning only)" conditional launch setting to notify end users on personal devices to upgrade.

Intune plan for change: Nearing end of support for Windows 7

As we messaged in MC148476, posted last September 2018, and again in MC176794 back in March 2019, Windows 7 reaches its end of extended support on January 14, 2020. At that time, Intune will retire support for devices running Windows 7 so we can focus our investment on supporting newer technologies and providing great new end-user experiences. After that date, technical assistance and automatic updates that help protect your Windows 7 PC will no longer be available through Intune. Microsoft strongly recommends that you move to Windows 10 before January 2020 to avoid a scenario where you need service or support that is no longer available. Read more about the Windows support lifecycle here.

How does this affect me?

You are receiving this message because you are currently managing Windows 7 PCs using the legacy Intune PC software agent. Because less than a year remains before the end of Windows 7 extended support, we strongly encourage your organization to begin upgrading to Windows 10 as soon as possible.

PC management capabilities are built directly into the Windows 10 operating system, and you no longer need to install a client agent such as the Intune software client for Windows 7. Starting with Windows 8.1, Microsoft uses the Mobile Device Management (MDM) architecture to provision, configure, update, and manage Windows PCs. When you have set up Intune, you can simplify Windows enrollment by enrolling Windows 10 PCs into Intune through the MDM channel. We recommend that you use this "agentless" MDM management solution to manage your Windows 10 PCs.

What do I need to do to prepare for this change?

We encourage your organization to immediately consider this action plan:

  • Plan and upgrade the Windows 7 fleet to Windows 10 before January 14, 2020.
  • Explore Windows 10 deployment support to learn more about how to upgrade your existing fleet of Windows 7 PCs to Windows 10.
  • Review the Desktop App Assure offer through FastTrack, which will assist with the Microsoft application compatibility promise.
  • Transition existing legacy Intune software client managed devices to the Microsoft-recommended solution to manage Windows 10 using MDM management. Enroll all new Windows 10 PCs using MDM management for Intune in the Azure portal.

See the blog post here for more information.

See also

For details about recent developments, see What's new in Microsoft Intune.