What's new in Microsoft Intune

Learn what’s new each week in Microsoft Intune. You can also find important notices, past releases, and information about how Intune service updates are released.

Note

Each monthly update may take up to three days to roll out, in the following order:

  • Day 1: Asia Pacific (APAC)
  • Day 2: Europe, Middle East, Africa (EMEA)
  • Day 3: North America

Some features may roll out over several weeks and might not be available to all customers in the first week.

Check the In development page for a list of upcoming features in a release.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://docs.microsoft.com/api/search/rss?search=%22What%27s+new+in+microsoft+intune%3F+-+Azure%22&locale=en-us

Week of November 11, 2019

App management

Web apps launched from the Windows Company Portal app

End-users can now launch web apps directly from the Windows Company Portal app. End-users can select the web app and then choose the option Open in browser. The published web URL is opened directly in a web browser. This functionality will be rolled out over the next week. For more information about Web apps, see Add web apps to Microsoft Intune.

Week of November 4, 2019

Device security

Security baselines are supported on Microsoft Azure Government

Instances of Intune that are hosted on Microsoft Azure Government can now use security baselines to help you secure and protect your users and devices.

Week of October 28, 2019

App management

Improved checklist design in Company Portal app for Android

The setup checklist in the Company Portal app for Android has been updated with a lightweight design and new icons. The changes align with the recent updates made to the Company Portal app for iOS. For a side-by-side comparison of the changes, see What's new in the app UI. For a look at the updated enrollment steps, see Enroll with Android work profile and Enroll your Android device.

Win32 apps on Windows 10 S mode devices

You can install and run Win32 apps on Windows 10 S mode managed devices. To do this, you can create one or more supplemental policies for S mode using the Windows Defender Application Control (WDAC) PowerShell tools. Sign the supplemental policies with the Device Guard Signing Portal and then upload and distribute the policies via Intune. In Intune, you will find this capability by selecting Client apps > Windows 10 S supplemental policies. For more information, see Enable Win32 apps on S mode devices.

Set Win32 app availability based on a date and time

As an admin, you can configure the start time and deadline time for a required Win32 app. At the start time, the Intune management extension starts downloading the app content and caches it. The app is installed at the deadline time. For available apps, the start time dictates when the app becomes visible in Company Portal. For more information, see Intune Win32 app management.

Require device restart based on grace period after Win32 app install

You can require that a device must restart after a Win32 app successfully installs. For more information, see Win32 app management - Configure app installation details.

Dark Mode for iOS Company Portal

Dark Mode is available for the iOS Company Portal. Users can download company apps, manage their devices, and get IT support in the color scheme of their choice based on device settings. The iOS Company Portal will automatically match the end user's device settings for dark or light mode. For more information, see Introducing dark mode on Microsoft Intune Company Portal for iOS. For more information about the iOS Company Portal, see How to configure the Microsoft Intune Company Portal app.

Android Company Portal enforced minimum app version

By using the Min Company Portal version setting of an app protection policy, you can specify a minimum version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to choose Block access, Wipe data, or Warn as the action taken when the value is not met. The possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision].

The Min Company Portal version setting, if configured, will affect any end user who gets version 5.0.4560.0 of the Company Portal and any future versions of the Company Portal. This setting will have no effect on users using a version of Company Portal that is older than the version that this feature is released with. End users using app auto-updates on their device will likely not see any dialogs from this feature, given that they will likely be on the latest Company Portal version. This setting is Android only with app protection for enrolled and unenrolled devices. For more information, see Android app protection policy settings - Conditional launch.
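The following is an added example, not code from the Intune documentation or from Microsoft, showing how a version string in the [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision] format can be parsed and compared against a configured minimum, and how the configured conditional launch action applies when the minimum is not met. The function names, the choice to treat missing trailing segments as zero, and the sample version strings are assumptions made for this example.

```python
from typing import Optional, Tuple

# Actions the page lists for the Min Company Portal version conditional launch setting.
CONDITIONAL_LAUNCH_ACTIONS = {"Block access", "Wipe data", "Warn"}


def parse_version(value: str) -> Tuple[int, ...]:
    """Parse "[Major].[Minor]", "[Major].[Minor].[Build]" or
    "[Major].[Minor].[Build].[Revision]" into a tuple of integers.

    Anything outside those three shapes is rejected rather than guessed at.
    """
    parts = value.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {value!r}")
    return tuple(int(p) for p in parts)


def meets_minimum(installed: str, minimum: str) -> bool:
    """Return True when the installed Company Portal version satisfies the minimum.

    Assumption for this example: missing trailing segments count as zero, so a
    minimum of "5.0" behaves like "5.0.0.0" and is met by "5.0.4560.0".
    """
    inst, mini = parse_version(installed), parse_version(minimum)
    width = max(len(inst), len(mini))
    inst += (0,) * (width - len(inst))
    mini += (0,) * (width - len(mini))
    return inst >= mini  # tuple comparison is lexicographic, segment by segment


def conditional_launch_action(installed: str, minimum: str, action: str) -> Optional[str]:
    """Return the configured action when the minimum is not met, or None when
    the app may launch normally."""
    if action not in CONDITIONAL_LAUNCH_ACTIONS:
        raise ValueError(f"unknown conditional launch action: {action!r}")
    return None if meets_minimum(installed, minimum) else action


if __name__ == "__main__":
    # Constructed sample values: the page's 5.0.4560.0 against a minimum of 5.0.
    print(conditional_launch_action("5.0.4560.0", "5.0", "Block access"))   # None
    print(conditional_launch_action("4.9.9", "5.0", "Warn"))               # Warn
```

Only the user-facing action is modelled here; the actual enforcement happens inside the Company Portal and the protected app, not in admin-side code.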

Microsoft 365 Device Management

Introducing Endpoint Security node in Microsoft 365 Device Management

The Endpoint Security node is now generally available in the Microsoft 365 Device Management specialist workspace at https://devicemanagement.microsoft.com. It groups together the capabilities for securing endpoints, such as:

  • Security Baselines: Preconfigured groups of settings and default values recommended by Microsoft.

  • Security Tasks: Take advantage of Microsoft Defender ATP's Threat and Vulnerability Management (TVM) and use Intune to remediate endpoint weaknesses.

  • Microsoft Defender ATP: Integrated Microsoft Defender Advanced Threat Protection (ATP) to help prevent security breaches.

These settings remain accessible from other applicable nodes, such as Devices, and the configured state is the same no matter where you access and enable these capabilities.

For more information about these improvements, see the Intune Customer Success blog post on the Microsoft Tech Community web site.

Device management

Intune supports iOS 11 and later

Intune enrollment and Company Portal now support iOS versions 11 and later. Older versions aren't supported.

Device security

Microsoft Edge baseline (Preview)

We've added a security baseline Preview for Microsoft Edge settings.

Week of October 21, 2019

Microsoft 365 Device Management

Improved administration experience in Microsoft 365 Device Management

A refreshed and streamlined administration experience is now generally available in the Microsoft 365 Device Management specialist workspace at https://devicemanagement.microsoft.com, including:

  • Updated navigation: A simplified first-level navigation that logically groups features.
  • New platform filters: You can select a single platform, which shows only the policies and apps for the selected platform, on the Devices and Apps pages.
  • A new home page: Quickly see service health, state of your tenant, news, etc. on the new home page.

For more information about these improvements, see the Enterprise Mobility + Security blog post on the Microsoft Tech Community web site.

App management

Add Mobile Threat Defense apps to unenrolled devices

You can create an Intune app protection policy that blocks, or selectively wipes, the user's corporate data based on the health of a device. The health of the device is determined using your chosen Mobile Threat Defense (MTD) solution. This capability exists today for Intune enrolled devices as a device compliance setting. With this new feature, we extend the threat detection from a Mobile Threat Defense vendor to function on unenrolled devices. On Android, this feature requires the latest Company Portal on the device. On iOS, this feature will be available for use when apps integrate the latest Intune SDK (v 12.0.15+). We'll update the What's New topic when the first app adopts the latest Intune SDK. The remaining apps will become available on a rolling basis. For more information, see Create Mobile Threat Defense app protection policy with Intune.

Device configuration

New device firmware configuration interface profile for Windows 10 and later devices (public preview)

On Windows 10 and later, you can create a device configuration profile to control settings and features (Device configuration > Profiles > Create profile > Windows 10 and later for platform). In this update, there's a new device firmware configuration interface profile type that allows Intune to manage UEFI (BIOS) settings.

For more information on this feature, see Use DFCI profiles on Windows devices in Microsoft Intune.

Applies to:

  • Windows 10 RS5 (1809) and newer on supported firmware

Device enrollment

Toggle to only show Enrollment Status Page on devices provisioned by out-of-box experience (OOBE)

You can now choose to only show the Enrollment Status Page on devices provisioned by Autopilot OOBE.

To see the new toggle, choose Intune > Device enrollment > Windows enrollment > Enrollment Status Page > Create Profile > Settings > Only show page to devices provisioned by out-of-box experience (OOBE).

Week of October 14, 2019

App management

Available Google Play app reporting for Android work profiles

For available app installs on Android Enterprise work profile, dedicated, and fully managed devices you can view app installation status as well as the installed version of managed Google Play apps. For more information, see How to monitor app protection policies, Manage Android work profile devices with Intune and Managed Google Play app type.

Microsoft Edge version 77 and later for Windows 10 and macOS (public preview)

Microsoft Edge version 77 and later will be available to deploy to PCs running Windows 10 and macOS.

The public preview offers Dev and Beta channels for Windows 10 and a Beta channel for macOS. The deployment is in English (EN) only; however, end users can change the display language in the browser under Settings > Languages. Microsoft Edge is a Win32 app installed in system context and on like architectures (x86 app on x86 OS, and x64 app on x64 OS). In addition, automatic updates of the browser are On by default, and Microsoft Edge cannot be uninstalled. For more information, see Add Microsoft Edge for Windows 10 to Microsoft Intune and Microsoft Edge documentation.

Update to app protection UI and iOS app provisioning UI

The UI to create and edit app protection policies and iOS app provisioning profiles in Intune has been updated. UI changes include:

  • A simplified experience by using a wizard-style format condensed within one blade.
  • An update to the create flow to include assignments.
  • A summarized page of all things set when viewing properties, prior to creating a new policy or when editing a property. Also, when editing properties, the summary will only show a list of items from the category of properties being edited.

For more information, see How to create and assign app protection policies and Use iOS app provisioning profiles.

Intune guided scenarios

Intune now provides guided scenarios to help you complete a specific task or set of tasks within Intune. A guided scenario is a customized series of steps (workflow) centered around one end-to-end use-case. Common scenarios are defined based on the role an admin, user, or device plays in your organization. These workflows typically require a collection of carefully orchestrated profiles, settings, applications, and security controls to provide the best user experience and security. New guided scenarios include:

For more information, see Intune guided scenarios overview.

Additional app configuration variable available

When creating an app configuration policy, you can include the AAD Device ID configuration variable as part of your configuration settings. In Intune, select Client apps > App configuration policies > Add. Enter your configuration policy details and select Configuration settings to view the Configuration settings blade. For more information, see App configuration policies for managed Android Enterprise devices - Use the configuration designer.

Create groups of management objects called policy sets

Policy sets allow you to create a bundle of references to existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. Policy sets do not replace existing concepts or objects. You can continue to assign individual objects in Intune, and you can reference individual objects as part of a policy set. Any changes to those individual objects are therefore reflected in the policy set. In Intune, select Policy sets > Create to create a new policy set.

Device configuration

UI update for creating and editing Windows 10 Update Rings

We’ve updated the UI experience for creating and editing Windows 10 Update Rings for Intune. Changes to UI include:

  • A wizard-style format condensed into a single console blade, which does away with the blade sprawl seen previously as you configure update rings.
  • The revised workflow includes Assignments, before completing the initial configuration of the ring.
  • A summary page you can use to review all the configurations you made, before saving and deploying a new update ring. When editing an update ring, the summary shows only the list of items set within the category of properties you edited.

UI update for creating and editing iOS software update policy

We’ve updated the UI experience for creating and editing iOS software update policies for Intune. Changes to UI include:

  • A wizard-style format condensed into a single console blade, which does away with the blade sprawl seen previously as you configure update policies.
  • The revised workflow includes Assignments, before completing the initial configuration of the policy.
  • A summary page you can use to review all the configurations you made, before saving and deploying a new policy. When editing a policy, the summary shows only the list of items set within the category of properties you edited.

Engaged restart settings are removed from Windows Update rings

As previously announced, Intune's Windows 10 Update rings now support settings for deadlines and no longer support Engaged restart. Settings for Engaged restart are no longer available when you configure or manage Update rings in Intune.

This change aligns with recent Windows servicing changes and on devices that run Windows 10 1903 or later, deadlines supersede configurations for engaged restart.

Prevent installation of apps from Unknown Sources on Android Enterprise work profile devices

On Android Enterprise work profile devices, users can't ever install apps from unknown sources. In this update, there's a new setting - Prevent app installations from unknown sources in the personal profile. By default, this setting prevents users from side-loading apps from unknown sources into the personal profile on the device.

To see the setting you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise work profile

Create a global HTTP proxy on Android Enterprise device owner devices

On Android Enterprise devices, you can configure a global HTTP Proxy to meet your organization’s web browsing standards (Device configuration > Profiles > Create profile > Android Enterprise for platform > Device owner > Device restrictions for profile type > Connectivity). Once configured, all HTTP traffic will use this proxy.

To configure this feature, and see all the settings you configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise device owner

Connect automatically setting is removed in Wi-Fi profiles on Android device administrator and Android Enterprise

On Android device administrator and Android Enterprise devices, you can create a Wi-Fi profile to configure different settings (Device configuration > Profiles > Create profile > Android device administrator or Android Enterprise for platform > Wi-Fi for profile type). In this update, the Connect automatically setting is removed, as it's not supported by Android.

If you use this setting in a Wi-Fi profile, you may have noticed that Connect automatically doesn't work. You don't need to take any action, but be aware this setting is removed in the Intune user interface.

To see the current settings, go to Android Wi-Fi settings or Android Enterprise Wi-Fi settings.

Applies to:

  • Android device administrator
  • Android Enterprise

New device configuration settings for supervised iOS and iPadOS devices

On iOS and iPadOS devices, you can create a profile to restrict features and settings on devices (Device configuration > Profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type). In this update, there are new settings you can control:

  • Access to network drive in Files app
  • Access to USB drive in Files app
  • Wi-Fi always turned on

To see these settings, go to iOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer

Device enrollment

Specify which Android device operating system versions enroll with work profile or device administrator enrollment

Using Intune device type restrictions, you can use the device's OS version to specify which user devices will use Android Enterprise work profile enrollment or Android device administrator enrollment. For more information, see Set enrollment restrictions.

Windows Autopilot deployment reports

A new report details each device deployed through Windows Autopilot. For more information, see Autopilot deployment report. We're in the process of rolling out this feature to all customers and expect to be completed by the end of next week.

Device management

New restrictions for renaming Windows devices

When renaming a Windows device, you must follow new rules:

  • 15 characters or less (must be less than or equal to 63 bytes, not including trailing NULL)
  • Not null or an empty string
  • Allowed ASCII: Letters (a-z, A-Z), numbers (0-9), and hyphens
  • Allowed Unicode: characters >= 0x80, must be valid UTF8, must be IDN-mappable (that is, RtlIdnToNameprepUnicode succeeds; see RFC 3492)
  • Names must not contain only numbers
  • No spaces in the name
  • Disallowed characters: { | } ~ [ \ ] ^ ' : ; < = > ? & @ ! " # $ % ` ( ) + / , . _ *

For more information, see Rename a device in Intune.
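As an added example that is not part of the Intune documentation, the rules above can be turned into a pre-flight check to run over a proposed name before submitting a rename. The function name is an assumption, as is the use of Python's built-in "idna" codec (RFC 3491 nameprep) as a stand-in for the Windows RtlIdnToNameprepUnicode check the page refers to; the sample names are constructed for this example.

```python
import re
from typing import List

# ASCII characters that the rename rules allow: letters, digits and hyphens.
_ASCII_ALLOWED = re.compile(r"[A-Za-z0-9-]")
MAX_CHARS = 15   # character limit from the rules above
MAX_BYTES = 63   # UTF-8 byte limit, not counting the trailing NULL


def check_device_name(name: str) -> List[str]:
    """Return every rule the proposed Windows device name violates.

    An empty list means the name passes all of the rename rules listed above.
    """
    problems: List[str] = []

    if not name:
        return ["name is null or an empty string"]

    if len(name) > MAX_CHARS:
        problems.append(f"longer than {MAX_CHARS} characters")

    # The byte limit applies to the UTF-8 encoding; lone surrogates cannot
    # be encoded and so are reported as invalid UTF-8.
    try:
        if len(name.encode("utf-8")) > MAX_BYTES:
            problems.append(f"longer than {MAX_BYTES} bytes")
    except UnicodeEncodeError:
        problems.append("not valid UTF-8")
        return problems

    if any(c.isspace() for c in name):
        problems.append("contains whitespace")

    if all("0" <= c <= "9" for c in name):
        problems.append("contains only numbers")

    # Any ASCII character outside letters/digits/hyphen is disallowed
    # (this covers the explicit punctuation list on the page).
    bad_ascii = sorted({c for c in name
                        if ord(c) < 0x80 and not c.isspace()
                        and not _ASCII_ALLOWED.fullmatch(c)})
    if bad_ascii:
        problems.append("disallowed ASCII characters: " + " ".join(bad_ascii))

    # Characters >= 0x80 must be IDN-mappable. Assumption for this example:
    # Python's "idna" codec (nameprep + punycode) approximates the
    # RtlIdnToNameprepUnicode check; it raises UnicodeError on prohibited
    # or unmappable characters.
    if any(ord(c) >= 0x80 for c in name):
        try:
            name.encode("idna")
        except UnicodeError:
            problems.append("contains characters that are not IDN-mappable")

    return problems


if __name__ == "__main__":
    # Constructed sample names: two valid, the rest each breaking one rule.
    for candidate in ["Desk-01", "caf\u00e9-01", "12345", "Desk top", "desk_top", "A" * 16]:
        verdict = check_device_name(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Because every violated rule is reported rather than only the first, the output can be shown to the person choosing the name so they fix all problems in one pass.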

New Android report on Devices overview page

A new report on the Devices overview page displays how many Android devices have been enrolled in each device management solution. This chart shows work profile, fully managed, dedicated, and device administrator enrolled device counts. To see the report, choose Intune > Devices > Overview.

Device security

PKCS certificates for macOS

You can now use PKCS certificates with macOS. You can select the PKCS certificate as a profile type for macOS, and deploy user and device certificates that have customized subject and subject alternative name fields.

PKCS certificates for macOS also support a new setting, Allow All Apps Access. With this setting, you can give all associated apps access to the private key of the certificate. For more information about this setting, see the Apple documentation at https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf.

Derived Credentials to provision iOS mobile devices with certificates

Intune supports use of derived credentials as an authentication method and for S/MIME signing and encryption for iOS devices. Derived credentials are an implementation of the National Institute of Standards and Technology (NIST) 800-157 standard for deploying certificates to devices.

Derived credentials rely on the use of a Personal Identity Verification (PIV) or Common Access Card (CAC) card, like a smart card. To get a derived credential for their mobile device, users start in the Company Portal app and follow an enrollment workflow that is unique to the provider you use. Common to all providers is the requirement to use a smart card on a computer to authenticate to the derived credential provider. That provider then issues a certificate to the device that's derived from the user’s smart card.

Intune supports the following derived credential providers:

  • DISA Purebred
  • Entrust Datacard
  • Intercede

You use derived credentials as the authentication method for device configuration profiles for VPN, Wi-Fi, and email. You can also use them for app authentication, and S/MIME signing and encryption.

For more information about the standard, see Derived PIV Credentials at www.nccoe.nist.gov.

Use Graph API to specify an on-premises User Principal Name as a variable for SCEP certificates

When you use the Intune Graph API, you can specify onPremisesUserPrincipalName as a variable for the Subject Alternative Name (SAN) for SCEP certificates.

Week of September 23, 2019

iOS User Enrollment in Preview

Apple's iOS 13.1 release includes User Enrollment, a new form of lightweight management for iOS devices. It can be used in place of Device Enrollment or Automated Device Enrollment (formerly Device Enrollment Program) for personally-owned devices. Intune's Preview is supporting this feature set by letting you:

  • Target User Enrollment to user groups.
  • Give end users the ability to select between lighter User Enrollment or stronger Device Enrollment when they enroll their devices.

Starting on 9/24/2019 with the release of iOS 13.1, we're in the process of rolling out these updates to all customers and expect to be completed by the end of next week.

Applies to:

  • iOS 13.1 and later

Intune support for iPadOS and iOS 13.1 devices

Intune now supports managing both iPadOS and iOS 13.1 devices. For more information, see this blog post.

Week of September 16, 2019

App management

Managed Google Play private LOB apps

Intune now allows IT admins to publish private Android LOB apps to Managed Google Play via an iframe embedded in the Intune console. Previously, IT admins needed to publish LOB apps directly to Google's Play publishing console, which required several steps and was time consuming. This new feature allows for easy publishing of LOB apps with a minimal set of steps, without needing to leave the Intune console. Admins will no longer need to manually register as a developer with Google, and will no longer need to pay the Google $25 registration fee. Any of the Android Enterprise management scenarios that use Managed Google Play can take advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune, select Client apps > Apps > Add. Then, select Managed Google Play from the App type list. For more information about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Windows Company Portal experience

The Windows Company Portal is being updated. You will be able to use multiple filters on the Apps page within the Windows Company Portal. The Device Details page is also being updated with an improved user experience. We are in the process of rolling out these updates to all customers and expect to be completed by the end of next week.

macOS support for web apps

Web apps, which allow you to add a shortcut to a URL on the web, can be installed to the Dock using the macOS Company Portal. End users can access the Install action from the app details page for a web app in the macOS Company Portal. For more information about the Web link app type, see Add apps to Microsoft Intune and Add web apps to Microsoft Intune.

macOS support for VPP apps

macOS apps, purchased using Apple Business Manager, are displayed in the console when Apple VPP tokens are synced in Intune. You can assign, revoke and reassign device and user-based licenses for groups using the Intune console. Microsoft Intune helps you manage VPP apps purchased for use at your company by:

  • Reporting license information from the app store.
  • Tracking how many of the licenses you have used.
  • Helping you prevent installation of more copies of the app than you own.

For more information about Intune and VPP, see Manage volume-purchased apps and books with Microsoft Intune.

Managed Google Play iframe support

Intune now provides support for adding and managing web links directly in the Intune console via the Managed Google Play iframe. This lets IT admins submit a URL and icon graphic, and then deploy those links to devices just like regular Android apps. Any of the Android Enterprise management scenarios that use Managed Google Play can take advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune, select Client apps > Apps > Add. Then, select Managed Google Play from the App type list. For more information about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Silently install Android LOB apps on Zebra devices

When installing Android line-of-business (LOB) apps on Zebra devices, rather than being prompted to both download and install the LOB app, you will be able to install the app silently. In Intune, select Client apps > Apps > Add. In the Add app pane, select Line-of-business app. For more information, see Add an Android line-of-business app to Microsoft Intune.

Currently, after the LOB app is downloaded, a download success notification will appear on the user's device. The notification can only be dismissed by tapping Clear All in the notification shade. This notification issue will be fixed in an upcoming release, and the installation will be completely silent with no visual indicators.

Read and write Graph API operations for Intune apps

Applications can call the Intune Graph API with both read and write operations using app identity without user credentials. For more information about accessing the Microsoft Graph API for Intune, see Working with Intune in Microsoft Graph.

Protected data sharing and encryption for Intune App SDK for iOS

The Intune App SDK for iOS uses 256-bit encryption keys when encryption is enabled by App Protection Policies. All apps need SDK version 8.1.1 to allow protected data sharing.

Device configuration

Support for IKEv2 VPN profiles for iOS

In this update, you can create VPN profiles for the iOS native VPN client using the IKEv2 protocol. IKEv2 is a new connection type in Device configuration > Profiles > Create profile > iOS for platform > VPN for profile type > Connection Type.

These VPN profiles configure the native VPN client, so no VPN client apps are installed or pushed to managed devices. This feature requires devices be enrolled in Intune (MDM enrollment).

To see the current VPN settings you can configure, go to Configure VPN settings on iOS devices.

Applies to:

  • iOS

Device features, device restrictions, and extension profiles for iOS and macOS settings are shown by enrollment type

In Intune, you create profiles for iOS and macOS devices (Device configuration > Profiles > Create profile > iOS or macOS for platform > Device features, Device restrictions, or Extensions for profile type).

In this update, the available settings in the Intune portal are categorized by the enrollment type they apply to:

  • iOS

    • User enrollment
    • Device enrollment
    • Automated device enrollment (supervised)
    • All enrollment types
  • macOS

    • User approved
    • Device enrollment
    • Automated device enrollment
    • All enrollment types

Applies to:

  • iOS

New voice control settings for supervised iOS devices running in kiosk mode

In Intune, you can create policies to run supervised iOS devices as a kiosk, or dedicated device (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > Kiosk).

In this update, there are new settings you can control:

  • Voice control: Enables Voice Control on the device while in kiosk mode.
  • Modification of voice control: Allow users to change the Voice Control setting on the device while in kiosk mode.

To see the current settings, go to iOS Kiosk settings.

Applies to:

  • iOS 13.0 and later

Use single sign-on for apps and websites on your iOS and macOS devices

In this update, there are some new single sign-on settings for iOS and macOS devices (Device configuration > Profiles > Create profile > iOS or macOS for platform > Device features for profile type).

Use these settings to configure a single sign-on experience, especially for apps and websites that use Kerberos authentication. You can choose between a generic credential single sign-on app extension, and Apple's built-in Kerberos extension.

To see the current device features you can configure, go to iOS device features and macOS device features.

Applies to:

  • iOS 13.0 and newer
  • macOS 10.15 and newer

Associate domains to apps on macOS 10.15+ devices

On macOS devices, you can configure different features, and push these features to your devices using a policy (Device configuration > Profiles > Create profile > macOS for platform > Device features for profile type). In this update, you can associate domains to your apps. This feature helps share credentials with websites related to your app, and can be used with Apple’s single sign-on extension, universal links, and password autofill.

To see the current features you can configure, go to macOS device feature settings in Intune.

Applies to:

  • macOS 10.15 and newer

Use "iTunes" and "apps" in the iTunes App store URL when showing or hiding apps on iOS supervised devices

In Intune, you can create policies to show or hide apps on your supervised iOS devices (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > Show or hide apps).

You can enter the iTunes App store URL, such as https://itunes.apple.com/us/app/work-folders/id950878067?mt=8. In this update, both apps and itunes can be used in the URL, such as:

  • https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
  • https://apps.apple.com/us/app/work-folders/id950878067?mt=8

For more information on these settings, see Show or hide apps.

Applies to:

  • iOS

Windows 10 compliance policy password type values are clearer and match CSP

On Windows 10 devices, you can create a compliance policy that requires specific password features (Device compliance > Policies > Create policy > Windows 10 and later for platform > System Security). In this update:

For more information on Windows 10 compliance settings, see Windows 10 and later settings to mark devices as compliant or not compliant.

Applies to:

  • Windows 10 and later

Updated UI for configuring Microsoft Exchange on-premises access

We've updated the console where you configure Microsoft Exchange on-premises access. All of the configurations for Exchange on-premises access are now available on the same pane of the console where you enable Exchange on-premises access control.

Allow or restrict adding app widgets to the home screen on Android Enterprise work profile devices

On Android Enterprise devices, you can configure features in the work profile (Device configuration > Profiles > Create profile > Android Enterprise for platform > Work profile only > Device restrictions for profile type). In this update, you can allow users to add widgets exposed by work profile apps to the device home screen.

To see the settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise work profile

Device enrollment

New tenants will default away from Android device administrator management

Android's device administrator capabilities have been superseded by Android Enterprise. Therefore, we recommend using Android Enterprise for new enrollments instead. In a future update, new tenants will need to complete the following prerequisite steps in Android enrollment to use device administrator management: Go to Intune > Device enrollment > Android enrollment > Personal and corporate-owned devices with device administration privileges > Use device administrator to manage devices.

Existing tenants will experience no change in their environments.

For more information about Android device administrator in Intune, see Android device administrator enrollment.

List of DEP devices associated with a profile

You can now see a paged list of Apple Automated Device Enrollment Program (DEP) devices that are associated with a profile. You can search the list from any page in the list. To see the list, go to Intune > Device enrollment > Apple enrollment > Enrollment program tokens > choose a token > Profiles > choose a profile > Assigned devices (under Monitor).

Device management

More Android Fully Managed support

We've added the following support for Android Fully Managed devices:

  • SCEP certificates for fully managed Android are available for certificate authentication on devices managed as Device Owner (DO). SCEP certificates are already supported on Work Profile devices. With SCEP certificates for Device Owner, you will be able to:
    • Create a SCEP profile under the DO section of Android Enterprise
    • Link SCEP certificates to DO Wi-Fi profiles for authentication
    • Link SCEP certificates to DO VPN profiles for authentication
    • Link SCEP certificates to DO email profiles for authentication (via AppConfig)
  • System apps are supported on Android Enterprise devices. In Intune, add an Android Enterprise system app by selecting Client apps > Apps > Add. In the App type list, select Android Enterprise system app. For more information, see Add Android Enterprise system apps to Microsoft Intune.
  • In Device compliance > Android Enterprise > Device Owner, you can create a compliance policy that sets the Google SafetyNet attestation level.
  • On Android Enterprise fully managed devices, mobile threat defense providers are supported. In Device compliance > Android Enterprise > Device Owner, you can choose an acceptable threat level. Android Enterprise settings to mark devices as compliant or not compliant using Intune lists the current settings.
  • On Android Enterprise fully managed devices, the Microsoft Launcher app can now be configured via app configuration policies to allow a standardized end-user experience on the fully managed device. The Microsoft Launcher app can be used to personalize your Android device. Using the app along with a Microsoft account or work/school account, you can access your calendar, documents, and recent activities in your personalized feed.

With this update we are happy to announce that Intune support for Android Enterprise Fully Managed is now generally available.

Applies to:

  • Android Enterprise fully managed devices

Send custom notifications to a single device

You can now select a single device, and then use a remote device action to send a custom notification to only that device.

Wipe and Passcode Reset actions aren't available for iOS devices that are enrolled by using User Enrollment

User Enrollment is a new type of Apple device enrollment. When you enroll devices using User Enrollment, the Wipe and Passcode Reset remote actions won't be available for such devices.

Intune support for iOS 13 and macOS Catalina devices

Intune now supports managing both iOS 13 and macOS Catalina devices. For more information, see the Microsoft Intune Support for iOS 13 and iPadOS blog post.

Device security

BitLocker support for client-driven recovery password rotation

Use Intune Endpoint Protection settings to configure Client-driven recovery password rotation for BitLocker on devices that run Windows version 1909 or later.

This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and after a recovery password unlock on a fixed data drive. This setting refreshes only the specific recovery password that was used; other unused passwords on the volume remain unchanged. For more information, see the BitLocker CSP documentation for ConfigureRecoveryPasswordRotation.

Tamper Protection for Windows Defender Antivirus

Use Intune to manage Tamper Protection for Windows Defender Antivirus. You’ll find the setting for Tamper Protection in the Microsoft Defender Security Center group when you use device configuration profiles for Windows 10 endpoint protection. You can set Tamper Protection to Enabled to turn on Tamper Protection restrictions, set it to Disabled to turn them off, or set it to Not configured to leave a device's current configuration in place.

For more information about Tamper Protection, see Prevent security settings changes with tamper protection in the Windows documentation.

Advanced settings for Windows Defender Firewall are now generally available

The Windows Defender custom firewall rules for endpoint protection, which you configure as part of a device configuration profile, are out of public preview and are generally available (GA). You can use these rules to specify inbound and outbound behavior to applications, network addresses, and ports. These rules were released in July as a public preview.
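The three Device security items above (BitLocker recovery password rotation, Tamper Protection, and custom Defender Firewall rules) are applied from the Intune console, and an administrator usually wants a way to confirm on a device that the pushed settings produced the intended local state. The following script is an added example and is not from the Intune documentation; it uses only the in-box Defender, BitLocker and NetSecurity PowerShell modules, runs in an elevated session on Windows 10, and assumes build 18363 as the build number of Windows 10 version 1909 (an assumption about the OS, not a value from this page).

```powershell
# Added example, not from the Intune documentation. Run in an elevated PowerShell
# session on a Windows 10 device to confirm that the endpoint protection settings
# described above (Tamper Protection, BitLocker recovery password rotation,
# Defender Firewall rules) have produced the intended local state. Uses only the
# in-box Defender, BitLocker and NetSecurity modules. Build 18363 as the build of
# Windows 10 version 1909 is the example author's assumption about the OS.

function Get-TamperProtectionState {
    # IsTamperProtected reflects the Defender setting that Intune's
    # "Microsoft Defender Security Center" group toggles.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtected       = [bool]$s.IsTamperProtected
        RealTimeProtectionOn  = [bool]$s.RealTimeProtectionEnabled
        AntivirusSignatureAge = $s.AntivirusSignatureAge
    }
}

function Get-BitLockerRotationReadiness {
    # Client-driven rotation needs Windows 10 1909 or later and a recovery
    # password protector on the OS drive. Report protector IDs only; never
    # print the recovery password itself.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $rp = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        MountPoint                 = $os.MountPoint
        ProtectionStatus           = $os.ProtectionStatus
        RecoveryPasswordProtectors = $rp.KeyProtectorId
        OsSupportsRotation         = [Environment]::OSVersion.Version.Build -ge 18363
    }
}

function Get-FirewallPosture {
    # Every profile should be enabled with inbound blocked by default; the
    # enabled inbound allow rules are the exceptions to review against the
    # rules you pushed from the Intune endpoint protection profile.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $inboundAllow = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Select-Object DisplayName, Profile)
    [pscustomobject]@{
        Profiles          = $profiles
        InboundAllowRules = $inboundAllow.Count
        InboundAllowNames = $inboundAllow.DisplayName
    }
}

# Example run: print the three posture objects for review.
Get-TamperProtectionState
Get-BitLockerRotationReadiness
Get-FirewallPosture
```

The BitLocker function deliberately returns key protector IDs rather than the `RecoveryPassword` property: the point of rotation is that a used recovery password stops being valid, so a verification script should never copy the current one into logs or console history.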

Role-based access control

Scope tags now support Terms of Use policies

You can now assign scope tags to Terms of Use policies. To do so, go to Intune > Device enrollment > Terms and conditions > choose an item in the list > Properties > Scope tags > choose a scope tag.

Week of September 9, 2019

App management

Updates to Microsoft Intune app

The Microsoft Intune app for Android has been updated with the following improvements:

  • Updated and improved the layout to include bottom navigation for the most important actions.
  • Added an additional page that shows the user's profile.
  • Added the display of actionable notifications in the app for the user, such as the need to update their device settings.
  • Added the display of custom push notifications, aligning the app with the support recently added in the Company Portal app for iOS and Android. For more information, see Send custom notifications in Intune.

For iOS devices, customize the enrollment process privacy screen of the Company Portal

Using Markdown, you can customize the Company Portal's privacy screen that end users see during iOS enrollment. Specifically, you'll be able to customize the list of things that your organization can't see or do on the device. For more information, see How to configure the Intune Company Portal app.

Week of September 2, 2019

Monitor and troubleshoot

Intune user interface update – Tenant Status dashboard

The user interface for the Tenant Status dashboard has been updated to align with Azure user interface styles. For more information, see Tenant status.

Week of August 26, 2019

Configure Microsoft Edge settings using administrative templates for Windows 10 and newer

On Windows 10 and newer devices, you can create administrative templates to configure group policy settings in Intune. In this update, you can configure settings that apply to Microsoft Edge version 77 and newer.

To learn more about administrative templates, see Use Windows 10 templates to configure group policy settings in Intune.

Applies to:

  • Windows 10 and newer (Windows RS4+)

Week of August 12, 2019

App management

Control iOS app uninstall behavior at device unenrollment

Admins can manage whether an app is removed or retained on a device when the device is unenrolled at a user or device group level.

Categorize Microsoft Store for Business apps

You can categorize Microsoft Store for Business apps. To do so, choose Intune > Client apps > Apps > Select a Microsoft Store for Business app > App Information > Category. On the drop-down menu, assign a category.

Customized notifications for Microsoft Intune app users

The Microsoft Intune app for Android now supports the display of custom push notifications, aligning it with the support recently added in the Company Portal apps for iOS and Android. For more information, see Send custom notifications in Intune.

Device configuration

New features for Android Enterprise dedicated devices in multi-app mode

In Intune, you can control features and settings in a kiosk-style experience on your Android Enterprise dedicated devices (Device configuration > Profiles > Create profile > Android Enterprise for platform > Device Owner only, Device restrictions for profile type).

In this update, the following features are being added:

  • Dedicated devices > Multi-app: The Virtual home button can be shown by swiping up on the device, or floating on the screen so users can move it.
  • Dedicated devices > Multi-app: Flashlight access allows users to use the flashlight.
  • Dedicated devices > Multi-app: Media volume control allows users to control the device's media volume using a slider.
  • Dedicated devices > Multi-app: Enable a screensaver, upload a custom image, and control when the screensaver is shown.

To see the current settings, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise dedicated devices

New app and configuration profiles for Android Enterprise fully managed devices

Using profiles, you can apply VPN, email, and Wi-Fi settings to your Android Enterprise device owner (fully managed) devices. In this update, you can:

Important

With this feature, users authenticate with their username and password for VPN, Wi-Fi, and e-mail profiles. Currently, certificate-based authentication isn't available.

Applies to:

  • Android Enterprise device owner (fully managed)

Control the apps, files, documents, and folders that open when users sign in to macOS devices

You can enable and configure features on macOS devices (Device configuration > Profiles > Create profile > macOS for platform > Device features for profile type).

In this update, there's a new Login Items setting to control which apps, files, documents, and folders open when a user signs in to the enrolled device.

To see the current settings, go to macOS device feature settings in Intune.

Applies to:

  • macOS

Deadlines replace Engaged restart settings for Windows Update rings

To align with recent Windows servicing changes, Intune's Windows 10 Update rings now support settings for deadlines. Deadlines determine when a device installs feature and security updates. On devices that run Windows 10 1903 or later, deadlines supersede configurations for engaged restart. In the future, deadlines will supersede engaged restart on earlier versions of Windows 10 as well.

When you don’t configure deadlines, devices continue to use their engaged restart settings; however, Intune will deprecate support for engaged restart settings in a future update.

Plan to use deadlines for all your Windows 10 devices. After settings for deadlines are in place, you can change your Intune configurations for engaged restart to Not configured. When set to Not configured, Intune stops managing those settings on devices but doesn’t remove the last configurations for the setting from the device. Therefore, the last configurations that were set for engaged restart remain active and in use on devices until those settings are modified by a method other than Intune. Later, when the device's version of Windows changes or when Intune support for deadlines expands to the device's Windows version, the device will begin to use the new settings, which are already in place.

Support for multiple Microsoft Intune Certificate Connectors

Intune now supports installing and using multiple Microsoft Intune Certificate Connectors for PKCS operations. This change supports load balancing and high availability of the connector. Each connector instance can process certificate requests from Intune. If one connector is unavailable, the other connectors continue to process requests.

To use multiple connectors, you don’t need to upgrade to the latest version of the connector software.

New settings, and changes to existing settings to restrict features on iOS and macOS devices

You can create profiles to restrict settings on devices running iOS and macOS (Device configuration > Profiles > Create profile > iOS or macOS for platform type > Device restrictions). This update includes the following features:

  • On macOS > Device restrictions > Cloud and storage, use the new Handoff setting to block users from starting work on one macOS device, and continue working on another macOS or iOS device.

    To see the current settings, go to macOS device settings to allow or restrict features using Intune.

  • On iOS > Device restrictions, there are a few changes:

    • Built-in apps > Find my iPhone (supervised only): New setting that blocks this feature in the Find My app feature.
    • Built-in apps > Find my Friends (supervised only): New setting that blocks this feature in the Find My app feature.
    • Wireless > Modification of Wi-Fi state (supervised only): New setting that prevents users from turning on or turning off Wi-Fi on the device.
    • Keyboard and Dictionary > QuickPath (supervised only): New setting that blocks the QuickPath feature.
    • Cloud and storage: Activity continuation is renamed to Handoff.

    To see the current settings, go to iOS device settings to allow or restrict features using Intune.

Applies to:

  • macOS 10.15 and newer
  • iOS 13 and newer

Some unsupervised iOS device restrictions will become supervised-only with the iOS 13.0 release

In this update, some settings apply to supervised-only devices with the iOS 13.0 release. If these settings are configured and assigned to unsupervised devices prior to the iOS 13.0 release, the settings are still applied to those unsupervised devices. They also still apply after the devices upgrade to iOS 13.0. These restrictions are removed on unsupervised devices that are backed up and restored.

These settings include:

  • App Store, Doc Viewing, Gaming
    • App store
    • Explicit iTunes, music, podcast, or news content
    • Adding Game Center friends
    • Multiplayer gaming
  • Built-in Apps
    • Camera
      • FaceTime
    • Safari
      • Autofill
  • Cloud and Storage
    • Backup to iCloud
    • Block iCloud Document sync
    • Block iCloud Keychain sync

To see the current settings, go to iOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS 13.0 and newer

Improved device status for macOS FileVault encryption

We've updated several of the device status messages for FileVault encryption on macOS devices.

Some Windows Defender Antivirus scan settings in the reporting show a Failed status

In Intune, you can create policies to use Windows Defender Antivirus to scan your Windows 10 devices (Device configuration > Profiles > Create profile > Windows 10 and later for platform > Device restrictions for profile type > Windows Defender Antivirus). Previously, reporting for the Time to perform a daily quick scan and Type of system scan to perform settings showed a failed status when the settings had actually applied successfully.

In this update, this behavior is fixed. The Time to perform a daily quick scan and Type of system scan to perform settings now show a success status when the scans complete successfully, and show a failed status when the settings fail to apply.

For more information on the Windows Defender Antivirus settings, see Windows 10 (and newer) device settings to allow or restrict features using Intune.

Device enrollment

Default scope tags

A new built-in default scope tag is now available. All un-tagged Intune objects that support scope tags are automatically assigned to the default scope tag. The Default scope tag is added to all existing role assignments to maintain parity with the admin experience today. If you don't want an admin to see Intune objects with the default scope tag, remove the default scope tag from the role assignment. This feature is similar to the security scopes feature in System Center Configuration Manager. For more information, see Use RBAC and scope tags for distributed IT.

Android enrollment device administrator support

The Android device administrator enrollment option has been added to the Android enrollment page (Intune > Device enrollment > Android enrollment). Android device administrator will still be enabled by default for all tenants. For more information, see Android device administrator enrollment.

Skip more screens in Setup Assistant

You can set Device Enrollment Program profiles to skip the following Setup Assistant screens:

  • For iOS
    • Appearance
    • Express Language
    • Preferred Language
    • Device to Device Migration
  • For macOS
    • Screen Time
    • Touch ID Setup

For more information about Setup Assistant customization, see Create an Apple enrollment profile for iOS and Create an Apple enrollment profile for macOS.

Add a user column to the Autopilot device CSV upload process

You can now add a user column to the CSV upload for Autopilot devices. This lets you bulk assign users at the time you import the CSV. For more information, see Enroll Windows devices in Intune by using the Windows Autopilot.

Device management

Configure automatic device clean-up time limit down to 30 days

You can set the automatic device clean-up time limit as short as 30 days (instead of the previous limit of 90 days) after the last sign-in. To do so, go to Intune > Devices > Setup > Device Clean Up Rules.

Build number included on Android device Hardware page

A new entry on the Hardware page for each Android device includes the device's operating system build number. For more information, see View device details in Intune.

Week of August 5, 2019

Zebra Technologies is a supported OEM for OEMConfig on Android Enterprise devices

In Intune, you can create device configuration profiles, and apply settings to Android Enterprise devices using OEMConfig (Device configuration > Profiles > Create profile > Android enterprise for platform > OEMConfig for profile type).

In this update, Zebra Technologies is a supported original equipment manufacturer (OEM) for OEMConfig. For more information on OEMConfig, see Use and manage Android Enterprise devices with OEMConfig.

Applies to:

  • Android enterprise

Week of July 22, 2019

App management

Customized notifications for users and groups

Send custom push notifications from the Company Portal application to users on iOS and Android devices that you manage with Intune. These mobile push notifications are highly customizable with free text and can be used for any purpose. You can target them to different user groups in your organization. For more information, see custom notifications.

Google's Device Policy Controller app

The Managed Home Screen app now provides access to Google's Android Device Policy app. The Managed Home Screen app is a custom launcher used for devices enrolled in Intune as Android Enterprise (AE) dedicated devices using multi-app kiosk mode. You can access the Android Device Policy app, or guide users to the Android Device Policy app, for support and debug purposes. This launching capability is available at the time the device enrolls and locks into Managed Home Screen. No additional installations are needed to use this functionality.

Outlook protection settings for iOS and Android devices

You can now configure both general app and data protection configuration settings for Outlook for iOS and Android using simple Intune admin controls without device enrollment. The general app config settings provide parity with the settings administrators can enable when managing Outlook for iOS and Android on enrolled devices. For more information about Outlook settings, see Deploying Outlook for iOS and Android app configuration settings.

Device configuration

Use "applicability rules" when creating Windows 10 device configuration profiles

You create Windows 10 device configuration profiles (Device configuration > Profiles > Create profile > Windows 10 for platform > Applicability rules). In this update, you can create an applicability rule so the profile only applies to a specific edition or specific version. For example, you create a profile that enables some BitLocker settings. Once you add the profile, use an applicability rule so the profile only applies to devices running Windows 10 Enterprise.

To add an applicability rule, see Applicability rules.

Applies to: Windows 10 and later

Use tokens to add device-specific information in custom profiles for iOS and macOS devices

You can use custom profiles on iOS and macOS devices to configure settings and features not built in to Intune (Device configuration > Profiles > Create profile > iOS or macOS for platform > Custom for profile type). In this update, you can add tokens to your .mobileconfig files to add device-specific information. For example, you can add Serial Number: {{serialnumber}} to your configuration file to show the serial number of the device.

To create a custom profile, see iOS custom settings or macOS custom settings.

Applies to:

  • iOS
  • macOS

New configuration designer when creating an OEMConfig profile for Android Enterprise

In Intune, you can create a device configuration profile that uses an OEMConfig app (Device Configuration > Profiles > Create profile > Android enterprise for platform > OEMConfig for profile type). When you do this, a JSON editor opens with a template and values for you to change.

This update includes a Configuration Designer with an improved user experience that shows details embedded in the app, including titles, descriptions, and more. The JSON editor is still available, and shows any changes you make in the Configuration Designer.

To see the current settings, go to Use and manage Android Enterprise devices with OEMConfig.

Applies to: Android Enterprise

Updated UI for configuring Windows Hello

We've updated the console where you configure Intune to use Windows Hello for Business. All of the configuration settings are now available on the same pane of the console where you enable support for Windows Hello.

Intune PowerShell SDK

The Intune PowerShell SDK, which provides support for the Intune API through Microsoft Graph, has been updated to version 6.1907.1.0. The SDK now supports the following:

  • Works with Azure Automation.
  • Supports app-only auth read operations.
  • Supports friendly shortened names as aliases.
  • Conforms to PowerShell naming conventions. Specifically, the PSCredential parameter (on the Connect-MSGraph cmdlet) has been renamed to Credential.
  • Supports manually specifying the value of the Content-Type header when using the Invoke-MSGraphRequest cmdlet.

For more information, see PowerShell SDK for Microsoft Intune Graph API.
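The 6.1907.1.0 changes listed above are easiest to see in a short script. The following is an added example written for this page, not a sample from the Intune documentation or from the SDK project itself. It requires the Microsoft.Graph.Intune module at 6.1907.1.0 or later. Three things in it are assumptions rather than facts stated on this page: that the Content-Type value for Invoke-MSGraphRequest is supplied through a -Headers hashtable parameter; that Update-MSGraphEnvironment -AppId followed by Connect-MSGraph -ClientSecret is the app-only sign-in path; and that the per-device custom notification action is the Graph beta path `deviceManagement/managedDevices/{id}/sendCustomNotificationToCompanyPortal` with `notificationTitle` and `notificationBody` in the body.

```powershell
# Added example; not from the Intune documentation or the SDK's own samples.
# Requires the Intune PowerShell SDK module (Microsoft.Graph.Intune) 6.1907.1.0+.
# Assumptions (not stated on the page): -Headers carries the Content-Type value
# for Invoke-MSGraphRequest; Update-MSGraphEnvironment -AppId plus
# Connect-MSGraph -ClientSecret is the app-only sign-in path; the Graph beta
# action path and body used for the custom notification follow the public schema.
Import-Module Microsoft.Graph.Intune

# Credential or interactive sign-in. The parameter is -Credential in 6.1907.1.0
# (it was -PSCredential before the rename to match PowerShell conventions).
function Connect-IntuneGraph {
    param([pscredential]$Credential)
    if ($Credential) { Connect-MSGraph -Credential $Credential | Out-Null }
    else             { Connect-MSGraph | Out-Null }
}

# App-only sign-in, which this release supports for read operations only.
# Supply your own Azure AD app registration's id and secret (assumed parameters).
function Connect-IntuneGraphAppOnly {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    Update-MSGraphEnvironment -AppId $AppId
    Connect-MSGraph -ClientSecret $ClientSecret | Out-Null
}

# Read operation: list every noncompliant device, walking all result pages.
# Get-MSGraphAllPages follows @odata.nextLink so large tenants are not truncated.
function Get-NoncompliantDevice {
    Get-IntuneManagedDevice -Filter "complianceState eq 'noncompliant'" |
        Get-MSGraphAllPages |
        Select-Object id, deviceName, operatingSystem, lastSyncDateTime
}

# Write operation: call a Graph action with an explicitly set Content-Type
# header. This is the per-device custom notification described earlier on the
# page under "Send custom notifications to a single device".
function Send-DeviceNotification {
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Body
    )
    $payload = @{ notificationTitle = $Title; notificationBody = $Body } | ConvertTo-Json
    Invoke-MSGraphRequest -HttpMethod POST `
        -Url "deviceManagement/managedDevices/$DeviceId/sendCustomNotificationToCompanyPortal" `
        -Headers @{ 'Content-Type' = 'application/json' } `
        -Content $payload
}

# Example run (interactive sign-in): tell each noncompliant device's user to act.
Connect-IntuneGraph
foreach ($d in Get-NoncompliantDevice) {
    Send-DeviceNotification -DeviceId $d.id -Title 'Device not compliant' `
        -Body "$($d.deviceName) last synced $($d.lastSyncDateTime). Open Company Portal to resolve."
}
```

Because app-only authentication in this release is limited to read operations, the notification step in the example run only works after a user sign-in; in an Azure Automation runbook, which this release also supports, keep the app-only path for reporting and leave write actions to a signed-in administrator.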

Device enrollment

Updates for Enrollment Restrictions

Enrollment Restrictions for new tenants have been updated so that Android Enterprise work profiles are allowed by default. Existing tenants will experience no change. To use Android Enterprise work profiles, you still need to connect your Intune account to your Managed Google Play account.

UI updates for Apple enrollment and enrollment restrictions

Both of the following processes use a wizard-style user interface:

Handling pre-configuration of corporate device identifiers for Android Q devices

In Android Q (v10), Google will remove the ability for MDM agents on legacy-managed (device administrator) Android devices to collect device identifier information. Intune has a feature that enables IT admins to pre-configure a list of device serial numbers or IMEIs in order to automatically tag these devices as corporate-owned. This feature won't work for Android Q devices that are device admin-managed. Regardless of whether the serial number or IMEI for the device is uploaded, it will always be considered to be personal during Intune enrollment. You can manually switch ownership to corporate after enrollment. This affects new enrollments only, and existing enrolled devices are not affected. Android devices managed with work profiles are not affected by this change and will continue working as they do today. Additionally, Android Q devices enrolled as device administrator will no longer be able to report serial number or IMEI in the Intune console as device properties.

Icons have changed for Android Enterprise enrollments (work profile, dedicated devices, and fully managed devices)

The icons for Android Enterprise enrollment profiles have changed. To see the new icons, go to Intune > Enrollment > Android enrollment > look under Enrollment profiles.

Windows Diagnostic Data collection change

The default value for diagnostic data collection has changed for devices running Windows 10, version 1903 and later. Starting with Windows 10 1903, diagnostic data collection is enabled by default. Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. For more information, see Configure Windows diagnostic data in your organization. Autopilot devices are also opted into “Full” telemetry unless otherwise set in the Autopilot profile with System/AllowTelemetry.

Device management

Improve device location

You can zoom in to the exact coordinates of a device using the Locate device action. For more information about locating lost iOS devices, see Find lost iOS devices.

Device security

Advanced settings for Windows Defender Firewall (public preview)

Use Intune to manage custom firewall rules as part of a device configuration profile for endpoint protection on Windows 10. Rules can specify inbound and outbound behavior to applications, network addresses, and ports.

Updated UI for managing security baselines

We've updated the create and edit experience in the Intune console for our security baselines. Changes include:

  • A simpler wizard-style format that's been condensed to a single blade. This new design does away with the blade sprawl that required IT Pros to drill down into several separate panes.
  • You can now create Assignments as part of the create and edit experience, instead of having to return later to assign baselines.
  • We've added a summary of settings you can view before creating a new baseline and when editing an existing one. When editing, the summary shows only the items set within the one category of properties being edited.

Week of July 15, 2019

App management

Managed Home Screen and Managed Settings icons

The Managed Home Screen app icon and the Managed Settings icon have been updated. The Managed Home Screen app is only used by devices enrolled in Intune as Android Enterprise (AE) dedicated devices and running in multi-app kiosk mode. For more information about the Managed Home Screen app, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Android Device Policy on Android Enterprise dedicated devices

You can access the Android Device Policy application from the Managed Home Screen app's debug screen. The Managed Home Screen app is only used by devices enrolled in Intune as Android Enterprise (AE) dedicated devices and running in multi-app kiosk mode. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

iOS Company Portal updates

Your company name on iOS app management prompts will replace the current "i.manage.microsoft.com" text. For instance, users will see their company name instead of "i.manage.microsoft.com" when users attempt to install an iOS app from the Company Portal or when users allow management of the app. This will be rolled out to all customers over the next few days.

Device configuration

Manage FileVault for macOS

You can use Intune to manage FileVault key encryption for macOS devices. To encrypt devices, you use an endpoint protection device configuration profile.

Our support for FileVault includes encrypting unencrypted devices, escrow of a device's personal recovery key, automatic or manual rotation of personal encryption keys, and key retrieval for your corporate devices. End users can also use the Company Portal website to get the personal recovery key for their encrypted devices.

We've also expanded the encryption report to include information about FileVault alongside information for BitLocker, so you can view all your device encryption details in one place.

Device enrollment

Windows Autopilot reset removes the device's primary user

When Autopilot reset is used on a device, the device's primary user will be removed. The next user who signs in after the reset will be set as the primary user. This feature will be rolled out to all customers over the next few days.

Week of July 8, 2019

New Office, Windows, and OneDrive settings in Windows 10 administrative templates

You can create Administrative templates in Intune that mimic on-premises group policy management (Device management > Profiles > Create profile > Windows 10 and later for platform > Administrative template for profile type).

This update includes more Office, Windows, and OneDrive settings you can add to your templates. With these new settings, you can now configure over 2500 settings that are 100% cloud-based.

To learn more about this feature, see Use Windows 10 templates to configure group policy settings in Intune.

Applies to: Windows 10 and later

Week of July 1, 2019

App management

AAD and APP on Android Enterprise devices

When onboarding fully managed Android Enterprise devices, users will now register with Azure Active Directory (AAD) during the initial setup of their new or factory reset device. Previously for a fully managed device, after setup was complete, the user had to manually launch the Microsoft Intune app to start AAD registration. Now when the user lands on the device home page after initial setup, the device is both enrolled and registered.

In addition to the AAD updates, Intune app protection policies (APP) are now supported on fully managed Android Enterprise devices. This functionality will become available as we roll it out. For more information, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Week of June 24, 2019

App management

Intune App Protection Policies (APP) on Android and iOS devices now allow you to transfer Org web links to a specific browser beyond the Intune Managed Browser or Microsoft Edge. For more about APP, see What are app protection policies?.

All apps page identifies online/offline Microsoft Store for Business apps

The All apps page now includes labeling to identify Microsoft Store for Business (MSFB) apps as online or offline apps. Each MSFB app now includes a suffix for Online or Offline. The app details page also includes License Type and Supports device context installation (offline licensed apps only) information.

Company Portal app on Windows shared devices

Users can now access the Company Portal app on Windows shared devices. End users will see a Shared label on the device tile. This applies to the Windows Company Portal app version 10.3.45609.0 and later.

View all installed apps from new Company Portal web page

The Company Portal website's new Installed Apps page lists all managed apps (both required and available) that are installed on a user's devices. In addition to assignment type, users can see the app's publisher, date published, and current installation status. If you haven't made any apps required or available to your users, they'll see a message explaining that no company apps have been installed. To see the new page on the web, go to the Company Portal website and click Installed Apps.

New view lets app users see all managed apps installed on device

The Company Portal app for Windows now lists all managed apps (both required and available) that are installed on a user's device. Users can also see attempted and pending app installations, and their current statuses. If you haven't made apps required or available to your users, they'll see a message explaining that no company apps have been installed. To see the new view, go to the Company Portal navigation pane and select Apps > Installed Apps.

Device configuration

Configure settings for kernel extensions on macOS devices

On macOS devices, you can create a device configuration profile (Device configuration > Profiles > Create profile > choose macOS for platform). This update includes a new group of settings that let you configure and use kernel extensions on your devices. You can add specific extensions, or allow all extensions from a specific partner or developer.

To learn more about this feature, see kernel extensions overview and kernel extension settings.

Applies to: macOS 10.13.2 and later

Apps from the store only setting for Windows 10 devices includes more configuration options

When you create a device restrictions profile for Windows devices, you can use the Apps from the store only setting so users only install apps from the Windows App Store (Device configuration > Profiles > Create profile > Windows 10 and later for platform > Device restrictions for profile type). In this update, this setting is expanded to support more options.

To see the new setting, go to Windows 10 (and newer) device settings to allow or restrict features.

Applies to: Windows 10 and later

Deploy multiple Zebra mobility extensions device profiles to a device, same user group, or same devices group

In Intune, you can use Zebra mobility extensions (MX) in a device configuration profile to customize settings for Zebra devices that aren't built into Intune. Currently, you can deploy one profile to a single device. In this update, you can deploy multiple profiles to:

  • The same user group
  • The same devices group
  • A single device

Use and manage Zebra devices with Zebra Mobility Extensions in Microsoft Intune shows how to use MX in Intune.

Applies to: Android

Some kiosk settings on iOS devices are set using "Block", replacing "Allow"

When you create a device restrictions profile on iOS devices (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > Kiosk), you set the Auto lock, Ringer switch, Screen rotation, Screen sleep button, and Volume buttons.

In this update, the values are Block (blocks the feature) and Not configured (allows the feature). To see the settings, go to iOS device settings to allow or restrict features.

Applies to: iOS

Use Face ID for password authentication on iOS devices

When you create a device restrictions profile for iOS devices, you can use a fingerprint for a password. In this update, the fingerprint password settings also allow facial recognition (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > Password). As a result, the following settings changed:

  • Fingerprint unlock is now Touch ID and Face ID unlock.
  • Fingerprint modification (supervised only) is now Touch ID and Face ID modification (supervised only).

Face ID is available in iOS 11.0 and later. To see the settings, go to iOS device settings to allow or restrict features using Intune.

Applies to: iOS

Restricting gaming and app store features on iOS devices is now dependent on ratings region

On iOS devices, you can allow or restrict features related to gaming, the app store, and viewing documents (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > App Store, Doc Viewing, Gaming). You can also choose the Ratings region, such as the United States.

In this update, the Apps feature is moved to be a child to Ratings region, and is dependent on Ratings region. To see the settings, go to iOS device settings to allow or restrict features using Intune.

Applies to: iOS

Device enrollment

Windows Autopilot support for Hybrid Azure AD Join

Windows Autopilot for existing devices now supports Hybrid Azure AD Join (in addition to the existing Azure AD Join support). Applies to Windows 10 version 1809 and above devices. For more information, see Windows Autopilot for existing devices.

Device management

See the security patch level for Android devices

You can now see the security patch level for Android devices. To do so, choose Intune > Devices > All devices > choose a device > Hardware. The patch level is listed in the Operating System section.

Assign scope tags to all managed devices in a security group

You can now assign scope tags to a security group; every device in that security group is then associated with those scope tags. The scope tags set with this feature overwrite the scope tags set with the current device scope tags flow. For more information, see Use RBAC and scope tags for distributed IT.

Device security

Use keyword search with Security Baselines

When you create or edit Security Baseline profiles, you can specify keywords in the new Search bar to filter the available groups of settings to those that contain your search criteria.

The Security Baselines feature is now generally available

The Security Baselines feature is out of preview and is now generally available (GA). This means the feature is ready for use in production. However, the individual baseline templates can remain in preview and are evaluated and released to GA on their own schedules.

The MDM Security Baseline template is now generally available

The MDM Security Baseline template has moved out of preview and is now generally available (GA). The GA template is identified as MDM Security Baseline for May 2019. This is a new template and not an upgrade from the preview version. As a new template, you’ll need to review the settings it contains, and then create new profiles to deploy the template to your device. Other security baseline templates can remain in preview. For a list of available baselines, see Available security baselines.

In addition to being a new template, the MDM Security Baseline for May 2019 template includes the two settings that we recently announced in our In Development article:

  • Above Lock: Voice activate apps from a locked screen
  • DeviceGuard: Use virtualization-based security (VBS) at the next reboot of devices.

The MDM Security Baseline for May 2019 also includes the addition of several new settings, the removal of others, and a revision of the default value of one setting. For a detailed list of the changes from Preview to GA, see What’s changed in the new template.

Security baseline versioning

Security baselines for Intune support versioning. With this support, as new versions of each security baseline are released, you can update your existing security baseline profiles to use the newer baseline version without having to recreate and deploy a new baseline from scratch. Additionally, in the Intune console you can view information about each baseline like the number of individual profiles you have that use the baseline, how many of the different baseline versions your profiles use, and when the latest release of a specific security baseline was. For more information, see Security Baselines.

The Use security keys for sign-in setting has moved

The device configuration setting for identity protection named Use security keys for sign-in is no longer found as a sub-setting of Configure Windows Hello for Business. It's now a top-level setting that is always available, even when you don't enable use of Windows Hello for Business. For more information, see Identity protection.

Role-based access control

New permissions for assigned group admins

Intune's built-in School Administrator role now has create, read, update, and delete (CRUD) permissions for Managed Apps. This update means that if you're assigned as a group admin in Intune for Education, you can now create, view, update, and delete the iOS MDM Push Certificate, iOS MDM server tokens, and iOS VPP tokens along with all of the existing permissions you have. To take any of these actions, go to Tenant settings > iOS Device Management.

Applications can use the Graph API to call read operations without user credentials

Applications can call Intune Graph API read operations with app identity without user credentials. For more information about accessing the Microsoft Graph API for Intune, see Working with Intune in Microsoft Graph.
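The app-only read described above is the OAuth 2.0 client credentials grant: the application authenticates with its own identity and the token carries only the application permissions consented for that app registration, so a reporting job can be restricted to read-only roles. The following is an added example, not code from the Intune documentation or from Microsoft; it assumes the Microsoft identity platform v2.0 token endpoint and the Graph v1.0 managedDevices resource, and TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders for your own app registration. The sample Graph pages are constructed so the paging and filtering logic runs offline.

```python
"""App-only (client credentials) read access to the Intune Graph API.

Added example, not code from the Intune documentation or from Microsoft.
It assumes the Microsoft identity platform v2.0 token endpoint and the
Graph v1.0 managedDevices resource; TENANT_ID, CLIENT_ID and CLIENT_SECRET
are placeholders for your own app registration.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Tuple

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
MANAGED_DEVICES_URL = (
    "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
    "?$select=id,deviceName,complianceState"
)

Fetch = Callable[[str], Dict]


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Return (url, form body) for a client_credentials grant.

    No user signs in, so the token carries only the application permissions
    consented to for this app registration. Grant a read-only role such as
    DeviceManagementManagedDevices.Read.All to an app that only reads.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": GRAPH_SCOPE,
    }).encode()
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """POST the grant and return the bearer token (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def graph_fetcher(token: str) -> Fetch:
    """Return a function that GETs a Graph URL with the bearer token (network call)."""
    def fetch(url: str) -> Dict:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iterate_pages(fetch: Fetch, url: str) -> Iterator[Dict]:
    """Yield every item of a collection, following @odata.nextLink until it is absent.

    Graph returns large collections in pages; reading only the first page
    silently drops devices, which is the classic inventory bug.
    """
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def noncompliant_device_names(fetch: Fetch, url: str = MANAGED_DEVICES_URL) -> List[str]:
    """Names of managed devices whose complianceState is anything but 'compliant'."""
    return sorted(
        d["deviceName"] for d in iterate_pages(fetch, url)
        if d.get("complianceState") != "compliant"
    )


# Constructed sample pages standing in for Graph responses, so the paging and
# filtering logic can be exercised offline.
_PAGE2 = MANAGED_DEVICES_URL + "&$skiptoken=page2"
SAMPLE_PAGES: Dict[str, Dict] = {
    MANAGED_DEVICES_URL: {
        "value": [
            {"id": "d1", "deviceName": "LAPTOP-01", "complianceState": "compliant"},
            {"id": "d2", "deviceName": "LAPTOP-02", "complianceState": "noncompliant"},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [{"id": "d3", "deviceName": "LAPTOP-03", "complianceState": "unknown"}],
    },
}


def sample_fetch(url: str) -> Dict:
    """Offline stand-in for graph_fetcher(token)."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Offline run against the constructed pages; for a real tenant use
    # graph_fetcher(fetch_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)) instead.
    print(noncompliant_device_names(sample_fetch))
```

Keep the client secret out of source control and out of the token request logs; the form body carries it in clear text over TLS, so the process that builds the request is the trust boundary.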

Apply scope tags to Microsoft Store for Business apps

You can now apply scope tags to Microsoft Store for Business apps. For more information about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

Week of June 17, 2019

App management

New features in Microsoft Intune app

We’ve added new features to the Microsoft Intune app (preview) for Android. Users on fully managed Android devices can now:

  • View and manage the devices they've enrolled through the Intune Company Portal or Microsoft Intune app.
  • Contact their organization for support.
  • Send their feedback to Microsoft.
  • View terms and conditions, if set by their organization.

Week of June 10, 2019

App management

New sample apps showing Intune SDK integration available on GitHub

The msintuneappsdk GitHub account has added new sample applications for iOS (Swift), Android, Xamarin.iOS, Xamarin Forms, and Xamarin.Android. These apps are meant to supplement our existing documentation and demonstrate how to integrate the Intune APP SDK into your own mobile apps. If you are an app developer who needs additional Intune SDK guidance, see the following linked samples:

  • Chatr - A native iOS (Swift) instant messaging app that uses the Azure Active Directory Authentication Library (ADAL) for brokered authentication.
  • Taskr - A native Android todo list app that uses ADAL for brokered authentication.
  • Taskr - A Xamarin.Android todo list app that uses ADAL for brokered authentication. This repository also contains the Xamarin.Forms app.
  • Xamarin.iOS sample app - A barebones Xamarin.iOS sample app.

Week of May 27, 2019

App management

Reporting for potentially harmful apps on Android devices

Intune now provides additional reporting information about potentially harmful apps on Android devices.

Week of May 20, 2019

App management

Windows Company Portal app

The Windows Company Portal app will now have a new page labeled Devices. The Devices page will show end users all of their enrolled devices. Users will see this change in the Company Portal when they use version 10.3.4291.0 and later. For information about configuring the Company Portal, see How to configure the Microsoft Intune Company Portal app.

Device enrollment

Autopilot device OrderID attribute name changed to Group Tag

To make it more intuitive, the OrderID attribute name on Autopilot devices has been changed to Group Tag. When using CSVs to upload Autopilot device information, you must use Group Tag as the column header, not OrderID.

Week of May 13, 2019

App management

Intune policies update authentication method and Company Portal app installation

On devices already enrolled via Setup Assistant through one of Apple’s corporate device enrollment methods, Intune will no longer support the Company Portal when it is manually installed by end users from the App Store. This change is only relevant when you authenticate with Apple Setup Assistant during enrollment. This change also only affects iOS devices enrolled through:

  • Apple Configurator
  • Apple Business Manager
  • Apple School Manager
  • Apple Device Enrollment Program (DEP)

If users install the Company Portal app from the App store, and then try to enroll these devices through it, they will receive an error. These devices will be expected to only use the Company Portal when it's been pushed, automatically, by Intune during enrollment. Enrollment profiles in Intune in the Azure portal will be updated so that you can specify how devices authenticate and if they receive the Company Portal app. If you want your DEP device users to have the Company Portal, you will need to specify your preferences in an enrollment profile.

In addition, the Identify your device screen in the iOS Company Portal is being removed. Therefore, admins who want to enable Conditional Access or deploy company apps must update the DEP enrollment profile. This requirement only applies if the DEP enrollment is authenticated with Setup Assistant. In that case, you must push the Company Portal onto the device. To do so, choose Intune > Device enrollment > Apple enrollment > Enrollment program tokens > choose a token > Profiles > choose a profile > Properties > set Install Company Portal to Yes.

To install the Company Portal on already-enrolled DEP devices, you will need to go to Intune > Client apps, and push it as a managed app with app configuration policies.

Configure how end users update a line-of-business (LOB) app using an app protection policy

You can now configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this feature in the min app version conditional launch dialog, which prompts them to update to a minimum version of the LOB app. You must provide these update details as part of your LOB app protection policy (APP). This feature is available on iOS and Android. On iOS, it requires the app to be integrated (or wrapped using the wrapping tool) with the Intune SDK for iOS v. 10.0.7 or above. On Android, it requires the latest Company Portal. To configure how an end user updates a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent defines which store the end user downloads the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.

Intune management extension PowerShell scripts

You can configure PowerShell scripts to run with the user’s admin privileges on the device. For more information, see Use PowerShell scripts on Windows 10 devices in Intune and Win32 app management.

Android Enterprise app management

To make it easier for IT admins to configure and use Android Enterprise management, Intune will automatically add four common Android Enterprise related apps to the Intune admin console. The four Android Enterprise apps are the following apps:

Previously, IT admins would need to manually find and approve these apps in the Managed Google Play store as part of setup. This change removes those previously manual steps to make it easier and faster for customers to use Android Enterprise management.

Admins will see these four apps automatically added to their Intune apps list at the time that they first connect their Intune tenant to managed Google Play. For more information, see Connect your Intune account to your Managed Google Play account. For tenants that have already connected their tenant or who already use Android Enterprise, there is nothing admins need to do. Those four apps will automatically show up within 7 days of the completion of the May 2019 service rollout.

Device configuration

Updated PFX Certificate Connector for Microsoft Intune

We’ve released an update for the PFX Certificate Connector for Microsoft Intune that addresses an issue where existing PFX certificates continue to be reprocessed, which causes the connector to stop processing new requests.

Intune security tasks for Defender ATP (In public preview)

In public preview, you can use Intune to manage security tasks for Microsoft Defender Advanced Threat Protection (ATP). This integration with ATP adds a risk-based approach to discover, prioritize, and remediate endpoint vulnerabilities and misconfigurations, while reducing the time from discovery to mitigation.

Check for a TPM chipset in a Windows 10 device compliance policy

Many Windows 10 and later devices have Trusted Platform Module (TPM) chipsets. This update includes a new compliance setting that checks the TPM chip version on the device.

Windows 10 and later compliance policy settings describes this setting.

Applies to: Windows 10 and later

Prevent end users from modifying their Personal HotSpot and disable Siri server logging on iOS devices

You can create a device restrictions profile for iOS devices (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type). This update includes new settings you can configure:

  • Built-in Apps: Server-side logging for Siri commands
  • Wireless: User modification of Personal Hotspot (supervised only)

To see these settings, go to built-in app settings for iOS and wireless settings for iOS.

Applies to: iOS 12.2 and newer

New classroom app device restriction settings for macOS devices

You can create device configuration profiles for macOS devices (Device configuration > Profiles > Create profile > macOS for platform > Device restrictions for profile type). This update includes new classroom app settings, the option to block screenshots, and the option to disable the iCloud Photo Library.

To see the current settings, go to macOS device settings to allow or restrict features using Intune.

Applies to: macOS

The iOS Password to access app store setting is renamed

The Password to access app store setting is renamed to Require iTunes Store password for all purchases (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > App store, Doc viewing, and Gaming).

To see the available settings, go to App Store, Doc Viewing, Gaming iOS settings.

Applies to: iOS

Microsoft Defender Advanced Threat Protection baseline (Preview)

We've added a security baseline Preview for Microsoft Defender Advanced Threat Protection settings. This baseline is available when your environment meets the prerequisites for using Microsoft Defender Advanced Threat Protection.

Device enrollment

Windows Enrollment Status Page (ESP) is now generally available

The Enrollment Status Page is now out of preview. For more information, see Set up an enrollment status page.

Intune user interface update - Autopilot enrollment profile creation

The user interface for creating an Autopilot enrollment profile has been updated to align with Azure user interface styles. For more information, see Create an Autopilot enrollment profile. Moving forward, additional Intune scenarios will be updated to this new UI style.

Enable Autopilot Reset for all Windows devices

Autopilot Reset now works for all Windows devices, even those not configured to use the Enrollment Status Page. If an enrollment status page wasn't configured for the device during initial device enrollment, the device will go straight to the desktop after sign-in. It might take up to eight hours to sync and appear compliant in Intune. For more information, see Reset devices with remote Windows Autopilot Reset.

Exact IMEI format not required when searching All devices

You won't need to include spaces in IMEI numbers when you search All devices.

Deleting a device in the Apple portal will be reflected in the Intune portal

If a device is deleted from Apple's Device Enrollment Program or Apple Business Manager portals, the device will automatically be deleted from Intune during the next sync.

The Enrollment Status Page now tracks Win32 apps

This only applies to devices running Windows 10 version 1903 and above. For more information, see Set up an enrollment status page.

Device management

Reset and wipe devices in bulk by using the Graph API

You can now reset and wipe up to 100 devices in bulk using the Graph API.

Monitor and troubleshoot

The Encryption report is out of Public Preview

The report for BitLocker and device encryption is now generally available, and no longer part of the public preview.

Outlook signature and biometric settings for iOS and Android devices

You can now specify if the default signature is enabled in Outlook on iOS and Android devices. Additionally, you can choose to allow users to change the biometric setting in Outlook on iOS.

Week of May 6, 2019

Device configuration

Network Access Control (NAC) support for F5 Access for iOS devices

F5 released an update to BIG-IP 13 that allows NAC functionality for F5 Access on iOS in Intune. To use this feature:

To see the available setting, go to Configure VPN settings on iOS devices.

Applies to: iOS

Updated PFX Certificate Connector for Microsoft Intune

We’ve released an update for the PFX Certificate Connector for Microsoft Intune that drops the polling interval from 5 minutes to 30 seconds.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Take Action: Use Microsoft Edge for your Protected Intune Browser Experience

As we have been sharing over the past year, Microsoft Edge mobile supports the same set of management features as the Managed Browser, while providing a much-improved end user experience. To make way for the robust experiences provided in Microsoft Edge, we will be retiring the Intune Managed Browser. Starting on January 27, 2020, Intune will no longer support the Intune Managed Browser.

How does this affect me?

Starting on February 1, 2020, the Intune Managed Browser will no longer be available in the Google Play Store or the iOS App Store. At this point, you will still be able to target new app protection policies to the Intune Managed Browser, though new users will not be able to download the Intune Managed Browser app. In addition, on iOS, new web clips that are pushed down to MDM-enrolled devices will open in Microsoft Edge instead of the Intune Managed Browser.

On March 31, 2020, the Intune Managed Browser will be removed from the Azure console. This means you will no longer be able to create new policies for the Intune Managed Browser. If you have existing Intune Managed Browser policies in place, they will not be affected. The Intune Managed Browser will show up in the console as an LOB app with no icon, and existing policies will still show as targeted to the app. At this point, we will also remove the option to redirect web content to the Intune Managed Browser within the Data Protection section of App protection policies.

What do I need to do to prepare for this change?

To ensure a smooth transition from the Intune Managed Browser to Microsoft Edge, we recommend you take the following steps proactively:

  1. Target Microsoft Edge for iOS and Android with app protection policy (also referred to as MAM) and app config settings. You can reuse your Intune Managed Browser policies for Microsoft Edge by simply targeting those existing policies to Microsoft Edge as well.
  2. Ensure all MAM-protected apps in your environment have the app protection policy setting "Restrict web content transfer with other apps" set to "Policy managed browsers".
  3. Target all the MAM-protected apps with the managed app configuration setting "com.microsoft.intune.useEdge" set to true. Starting next month with the release of 1911, you will be able to accomplish steps 2 and 3 simply by configuring the setting "Restrict web content transfer with other apps" to have "Microsoft Edge" selected in the Data Protection section of your app protection policies.
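Both the com.microsoft.intune.myappstore key described under Week of May 13 (where a LOB app fetches its update) and the com.microsoft.intune.useEdge key in step 3 above are delivered the same way: as custom key/value pairs in a managed app configuration targeted at the MAM-protected app. The following is an added example, not code from the Intune documentation or from Microsoft. It assumes the Graph resource deviceAppManagement/targetedManagedAppConfigurations, whose customSettings is a list of {"name", "value"} pairs, and the iosMobileAppIdentifier / androidMobileAppIdentifier shapes for targeted apps; the bundle ids and policy names are placeholders. The point of the validators is that a mistyped store value (a bare host, a plain-http link) would send users to an unintended download location, so it is rejected before the policy exists.

```python
"""Build and validate an Intune managed app configuration (APP) body.

Added example, not code from the Intune documentation or from Microsoft.
It assumes the Graph resource deviceAppManagement/targetedManagedAppConfigurations
(customSettings = list of {"name", "value"} pairs) and the
iosMobileAppIdentifier / androidMobileAppIdentifier shapes for targeted apps;
bundle ids and policy names below are placeholders.
"""
from typing import Callable, Dict, List
from urllib.parse import urlsplit

MYAPPSTORE_KEY = "com.microsoft.intune.myappstore"  # where users fetch a LOB app update
USE_EDGE_KEY = "com.microsoft.intune.useEdge"       # send managed web links to Microsoft Edge
GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceAppManagement/targetedManagedAppConfigurations"


class ConfigError(ValueError):
    """A setting value Intune would store as text but that is not one the page allows."""


def validate_myappstore(value: str) -> str:
    """Accept only the literal CompanyPortal or a complete https URL.

    A bare host, a relative path or a plain-http link would direct users to an
    unintended or unauthenticated download location, so they are rejected here.
    """
    if value == "CompanyPortal":
        return value
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise ConfigError(f"{MYAPPSTORE_KEY} must be 'CompanyPortal' or a complete https:// URL, got {value!r}")
    return value


def validate_use_edge(value: str) -> str:
    """The key is a boolean string; anything else is a silent misconfiguration."""
    if value not in ("true", "false"):
        raise ConfigError(f"{USE_EDGE_KEY} must be 'true' or 'false', got {value!r}")
    return value


VALIDATORS: Dict[str, Callable[[str], str]] = {
    MYAPPSTORE_KEY: validate_myappstore,
    USE_EDGE_KEY: validate_use_edge,
}


def is_valid_setting(key: str, value: str) -> bool:
    """True when the value passes the validator for its key (unknown keys pass through)."""
    try:
        VALIDATORS.get(key, lambda v: v)(value)
        return True
    except ConfigError:
        return False


def app_identifier(platform: str, app_id: str) -> Dict:
    """Graph mobileAppIdentifier for an iOS bundle id or an Android package id (assumed shapes)."""
    if platform == "ios":
        return {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier", "bundleId": app_id}
    if platform == "android":
        return {"@odata.type": "#microsoft.graph.androidMobileAppIdentifier", "packageId": app_id}
    raise ConfigError(f"unknown platform {platform!r}")


def build_app_config(display_name: str, platform: str, app_ids: List[str], settings: Dict[str, str]) -> Dict:
    """Validated request body for POST GRAPH_URL. Keys without a validator pass through unchanged."""
    custom = [{"name": k, "value": VALIDATORS.get(k, lambda v: v)(v)} for k, v in settings.items()]
    return {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": display_name,
        "customSettings": custom,
        "apps": [{"mobileAppIdentifier": app_identifier(platform, a)} for a in app_ids],
    }


if __name__ == "__main__":
    import json
    # LOB app updated through the Company Portal (placeholder bundle id).
    print(json.dumps(build_app_config("LOB update via Company Portal", "ios",
                                      ["com.contoso.lobapp"], {MYAPPSTORE_KEY: "CompanyPortal"}), indent=2))
    # Migration step 3: every MAM-protected app hands web links to Microsoft Edge.
    print(json.dumps(build_app_config("Use Edge for web links", "android",
                                      ["com.contoso.lobapp"], {USE_EDGE_KEY: "true"}), indent=2))
```

The body is what you would POST to GRAPH_URL with an app-permission bearer token; the validators are deliberately stricter than Intune's own input handling, because the console accepts any text for a custom setting.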

Support for web clips on iOS and Android is coming. When this support is released, you will need to retarget pre-existing web clips to ensure they open in Microsoft Edge instead of the Managed Browser.

Additional information

Please visit our docs on using Microsoft Edge with app protection policies for more info, or view our support blog post.

Plan for Change: Updated experience when enrolling Android Enterprise dedicated devices in Intune

With the November (1911) release of Intune, we’re adding support for SCEP device certificate deployment to Android Enterprise dedicated devices to enable certificate-based access to Wi-Fi profiles. This change also involves some minor changes to the flow when enrolling Android Enterprise dedicated devices.

How does this affect me?

If you manage Android Enterprise dedicated devices in your environment, you will start to see some changes roll out in November.

  • For new Android Enterprise dedicated device enrollments: End users will see a different set of steps on devices during enrollment. Enrollment will still start the way it does today (with QR, NFC, Zero-touch, or device identifier) but after the November service release, there will be a mandatory app install step.
  • For existing Android devices enrolled as dedicated devices: Intune will start to automatically install the Microsoft Intune app on devices starting in early November. You don't need to take any action. The app will automatically download and install on devices.

What can I do to prepare for this change?

You should plan to update your end user guidance and let your helpdesk know of this change. Click Additional Information for more details and screenshots. We’ll update our What’s New page when this change starts to roll out.

Additional information

https://aka.ms/Dedicated_devices_enrollment

Plan for Change: The 'Server-side Logging for Siri commands' setting will be removed from the Intune console

We plan to remove the setting "Server-side logging for Siri commands" from the Intune console with the November update to the Intune service. This change aligns with Apple already having removed the setting on their side.

How does this affect me?

When the November (1911) update rolls out around mid-November, you’ll see that this setting has been removed from the Device restrictions menu (Built-in Apps) for iOS configuration profiles in the Intune console. It may still appear in your policies and in the targeted device’s management profile, but the setting has no effect on the device. We do not anticipate much impact to functionality, since the setting currently does nothing on devices even though you see it in the management profile.

You can choose one of two paths:

  • If you wish to delete this setting from your policies, you can go to the profile that has this setting, make a minor edit and save the policy. The policy will recompute in the backend and the setting will be deleted from your policy.
  • If you choose not to take this action, end users will see this setting in the management profile of their device but the setting will have no effect.

What can I do to prepare for this change?

You can take action according to the section above or leave your policy as is. We’ll update our What’s New page and documentation when this change rolls out.

End of support for legacy PC management

Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as MDM devices to keep them managed by Intune.

Learn more

Decreasing support for Android device administrator

Android device administrator (sometimes referred to as "legacy" Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is now available with Android Enterprise (released with Android 5.0). In an effort to move to modern, richer, and more secure device management, Google is decreasing device administrator support in new Android releases.

How does this affect me?

Because of these changes by Google, Intune users will be impacted in the following ways:

  • Intune will only be able to provide support for device administrator-managed Android devices running Android 10 and later (also known as Android Q) through the summer of 2020. This date is when the next major version of Android is expected to be released.
  • Device administrator-managed devices that are running Android 10 or later after the summer of 2020 can no longer be entirely managed.
  • Device administrator-managed Android devices that remain on Android versions below Android 10 will not be impacted and can continue to be entirely managed with device administrator.
  • For all devices running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This impacts the following Intune features after a device updates to Android 10 or later:
    • Network access control for VPN will no longer work.
    • Identifying devices as corporate-owned with an IMEI or serial number will not automatically mark devices as corporate-owned.
    • The IMEI and serial number will no longer be visible to IT admins in Intune.

      Note

      This only impacts device administrator-managed devices on Android 10 and later and does not affect devices being managed as Android Enterprise.

What do I need to do to prepare for this change?

To avoid the reduction in functionality coming in the summer of 2020, we recommend the following:

  • Don't onboard new devices into device administrator management.
  • If a device is expected to receive an update to Android 10, migrate it off of device administrator management to Android Enterprise management and/or app protection policies.

Additional information

Update your Android Company Portal app to the latest version

Intune periodically releases updates to the Android Company Portal app. In November 2018 we released a company portal update, which included a back-end switch to prepare for Google's change from their existing notification platform to Google's Firebase Cloud Messaging (FCM). When Google retires their existing notification platform and moves to FCM, end users will need to have updated their Company Portal app to at least the November 2018 release to continue communicating with the Google Play store.

How does this affect me?

Our telemetry indicates you have devices with a Company Portal version earlier than 5.0.4269.0. If this version or later of the Company Portal app is not installed, IT-pro-initiated device actions like wipe, reset password, available and required app installs, and certificate enrollment may not work as expected. If your devices are MDM-enrolled in Intune, then you can see the Company Portal versions and users by going to Client apps – Discovered apps. Selecting earlier versions of the Company Portal app will allow you to see which end users have the devices that haven't updated the Company Portal app.

What do I need to do to prepare for this change?

Ask end users of Android devices that have not updated to update the Company Portal app through Google Play. Notify your help desk in case a user has not kept auto-updating the Company Portal app. See the link in Additional information for more on Google's FCM platform and change.

Additional information

https://firebase.google.com/docs/cloud-messaging/

New full-screen experience coming to Intune

We're rolling out updated create and edit UI experiences to Intune in the Azure portal. This new experience will simplify the existing workflows by using a wizard-style format condensed within one blade. This update will do away with "blade sprawl" or any create and edit flows that require you to drill down into deep blade journeys. The create workflows will also be updated to include assignments (except for app assignment).

How does this affect me?

The full-screen experience will be rolled out to Intune both at portal.azure.com and devicemanagement.microsoft.com over the next few months. This update to the UI will not impact functionality of your existing policies and profiles, but you will see a slightly modified workflow. When you create new policies, for example, you will be able to set some assignments as part of this flow instead of doing so after creating the policy. See the blog post at Additional information for screenshots of what the new experience will look like in the console.

What can I do to prepare for this change?

You do not need to take any action but can consider updating your IT-pro guidance if necessary. We'll update our documentation as this experience rolls out to various blades in Intune on the Azure portal.

Additional information

https://aka.ms/intune_fullscreen

Plan for change: Intune App SDK and app protection policies for Android moving to support Android 5.0 and higher in an upcoming release

Intune will be moving to support Android 5.x (Lollipop) and higher in an upcoming release. Update any wrapped apps with the latest Intune App SDK and update your devices.

How does this affect me?

If you're not using, and don't plan to use, either the Intune App SDK or app protection policies (APP) for Android, this change won't affect you. If you are using the Intune App SDK, be sure to update to the latest version and also update your devices to Android 5.x or higher. If you don't update, apps will not receive updates, and the quality of their experience will diminish over time.

Below is a list of common devices enrolled in Intune that run Android version 4.x. If you have one of these devices, take the appropriate steps to make sure that the device will support Android version 5.0 or higher, or that it will be replaced with a device that does. This list is not exhaustive; other devices may also need to be evaluated:

  • Samsung SM-T561
  • Samsung SM-T365
  • Samsung GT-I9195
  • Samsung SM-G800F
  • Samsung SM-G357FZ
  • Motorola XT1080
  • Samsung GT-I9305
  • Samsung SM-T231

What do I need to do to prepare for this change?

Wrap your apps with the latest Intune App SDK. You may also set the "Require minimum OS version (Warning only)" conditional launch setting to notify end users on personal devices to upgrade.
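A check a practitioner might script for the two notices above (the Company Portal 5.0.4269.0 minimum and the Android 5.0 minimum): an added example, not Microsoft's code, that compares versions numerically rather than as strings over a constructed device inventory. The Device fields, the sample inventory, and the parse helper are assumptions; in practice the data would come from an export of Client apps – Discovered apps.

```python
from dataclasses import dataclass
from typing import List, Tuple

MIN_COMPANY_PORTAL = "5.0.4269.0"  # threshold from the Company Portal notice
MIN_ANDROID = "5.0"                # Android 5.x (Lollipop) or later


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into an int tuple. String comparison is
    wrong here: "5.0.10000.0" < "5.0.4269.0" lexically but not as a version."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)  # tolerate "4.4.4a"-style suffixes
    return tuple(parts)


def version_before(actual: str, minimum: str) -> bool:
    """True when actual is strictly older than minimum; pads "5.1" to "5.1.0.0"."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) < m + (0,) * (width - len(m))


@dataclass
class Device:  # assumed shape of one inventory row
    user: str
    model: str
    android_version: str
    company_portal_version: str


def devices_needing_action(devices: List[Device]):
    """Return (user, model, reasons) for each device failing either check."""
    findings = []
    for d in devices:
        reasons = []
        if version_before(d.android_version, MIN_ANDROID):
            reasons.append(f"Android {d.android_version} is below {MIN_ANDROID}")
        if version_before(d.company_portal_version, MIN_COMPANY_PORTAL):
            reasons.append(f"Company Portal {d.company_portal_version} "
                           f"is earlier than {MIN_COMPANY_PORTAL}")
        if reasons:
            findings.append((d.user, d.model, reasons))
    return findings


# Constructed sample inventory, not real tenant data; models taken from the list above.
SAMPLE_DEVICES = [
    Device("alice", "Samsung SM-T561", "4.4.4", "5.0.4100.0"),   # fails both checks
    Device("bob", "Samsung SM-G800F", "5.1.1", "5.0.4269.0"),    # exactly at the minimum
    Device("carol", "Motorola XT1080", "4.4.2", "5.0.4269.0"),   # OS too old only
    Device("dave", "constructed-model", "10", "5.0.4313.0"),     # compliant
]

if __name__ == "__main__":
    for user, model, reasons in devices_needing_action(SAMPLE_DEVICES):
        print(f"{user} ({model}): " + "; ".join(reasons))
```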

Intune plan for change: Nearing end of support for Windows 7

As we announced in MC148476, posted in September 2018, and again in MC176794 in March 2019, Windows 7 reaches its end of extended support on January 14, 2020. At that time, Intune will retire support for devices running Windows 7 so we can focus our investment on supporting newer technologies and providing great new end-user experiences. After that date, technical assistance and automatic updates that help protect your Windows 7 PC will no longer be available through Intune. Microsoft strongly recommends that you move to Windows 10 before January 2020 to avoid a scenario where you need service or support that is no longer available. Read more about the Windows support lifecycle here.

How does this affect me?

You are receiving this message because you are currently managing Windows 7 PCs using the legacy Intune PC software agent. Because less than a year remains before the end of Windows 7 extended support, we strongly encourage your organization to begin upgrading to Windows 10 as soon as possible.

PC management capabilities are built directly into the Windows 10 operating system, and you no longer need to install a client agent such as the Intune software client for Windows 7. Starting with Windows 8.1, Microsoft uses the Mobile Device Management (MDM) architecture to provision, configure, update, and manage Windows PCs. When you have set up Intune, you can simplify Windows enrollment by enrolling Windows 10 PCs into Intune through the MDM channel. We recommend that you use this "agentless" MDM management solution to manage your Windows 10 PCs.

What do I need to do to prepare for this change?

We encourage your organization to immediately consider this action plan:

  • Plan and upgrade the Windows 7 fleet to Windows 10 before January 14, 2020.
  • Explore Windows 10 deployment support to learn more about how to upgrade your existing fleet of Windows 7 PCs to Windows 10.
  • Review the Desktop App Assure offer through FastTrack, which will assist with the Microsoft application compatibility promise.
  • Transition existing legacy Intune software client managed devices to the Microsoft-recommended solution to manage Windows 10 using MDM management. Enroll all new Windows 10 PCs using MDM management for Intune in the Azure portal.

See the blog post here for more information.