In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. Also:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
  • When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

App management

Extended capabilities for Managed Google Play apps on personally-owned Android devices with a work profile

There will be new capabilities extended to work profile devices. The following capabilities were previously available only on corporate-owned devices:

  • Available apps for device groups: You'll soon be able to use Intune to make apps available for device groups through the Managed Google Play store. Previously, apps could only be made available to user groups.

  • Update priority setting: You'll soon be able to use Intune to configure the app update priority on devices with a work profile. To learn more about this setting, see Update a Managed Google Play app.

  • Required apps display as available in Managed Google Play: You'll soon be able to use Intune to make required apps available for users through the Managed Google Play store. Apps that are part of existing policies will now display as available.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Managed app assignment filters for Windows MAM

You'll be able to use managed app assignment filters for Windows MAM app protection policies and app configuration policies.

For information about Windows MAM, see Data protection for Windows MAM.

For more information about assignment filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Added protection for iOS/iPadOS app widgets

To protect organizational data for MAM managed accounts and apps, Intune app protection policies now provide the capability to block data sync from policy managed app data to app widgets. App widgets can be added to end-user's iOS/iPadOS device lock screen, which can expose data contained by these widgets, such as meeting titles, top sites, and recent notes. In Intune, you'll be able to set the app protection policy setting Sync policy managed app data with app widgets to Block for iOS/iPadOS apps. This setting will be available as part of the Data Protection settings in app protection policies. This new setting will be an app protection feature similar to the Sync policy managed app data with native app or add-ins setting.

Company Portal automatically installed on Android Enterprise dedicated devices

Intune Company Portal will now be automatically installed on all Android Enterprise dedicated devices to ensure the appropriate handling of app protection policies. Users won't be able to see or launch the Company Portal, and there are no requirements for users to interact with it. Admins will notice that the Company Portal is automatically installed on their Android Enterprise dedicated devices, without the ability to uninstall.

Support for multi-SIM iOS/iPadOS device inventory

You'll be able to view the service subscription fields on devices that have multiple SIM cards installed under the per-device Hardware section. The inventory fields that are capable of reporting multiple values to Intune are:

  • ICCID
  • IMEI
  • MEID
  • Phone number

These fields will default to using labels returned by the device, such as: Primary, Secondary, CTSubscriptionSlotOne, and CTSubscriptionSlotTwo. These returned labels may be displayed in the language of the local device that is reporting its inventory to Intune.

Applies to:

  • iOS/iPadOS

Device configuration

New BIOS device configuration profile for OEMs

There will be a new BIOS configuration and other settings device configuration policy for OEMs. OEMs can use this new policy to enable or disable different BIOS features that secure the device. In the Intune device configuration policy, you add the BIOS configuration file, and then assign the policy to your devices.

For example, admins can use the Dell Command tool (opens Dell's website) to create the BIOS configuration file. Then, they add this file to the new Intune policy.

Applies to:

  • Windows 10 and later

New settings available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > Windows 10 and later for platform > Settings catalog for profile type.

  • DODisallowCacheServerDownloadsOnVPN - This setting blocks downloads from Microsoft Connected Cache servers when the device connects using VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected using VPN.

  • DOSetHoursToLimitBackgroundDownloadBandwidth - This setting specifies the maximum background download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

  • DOSetHoursToLimitForegroundDownloadBandwidth - This setting specifies the maximum foreground download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

  • DOVpnKeywords - This policy allows you to set one or more keywords used to recognize VPN connections.

For more information on these settings, see Policy CSP - DeliveryOptimization.

Applies to:

  • Windows 10 and later

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > Passcode:

  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

Restrictions:

  • Allow Marketplace App Installation

macOS

Declarative Device Management (DDM) > Passcode:

  • Change At Next Auth
  • Custom Regex
  • Failed Attempts Reset In Minutes
  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

The macOS Company Portal app will support platform SSO (public preview)

In Intune, you can configure the Enterprise SSO plug-in on Apple devices using a device configuration profile (Devices > Configuration > Create > macOS for platform > Settings Catalog for profile > Authentication > Extensible Single sign-on (SSO)).

The Company Portal app version will support the platform SSO settings for macOS 13 and later. Platform SSO allows you to sync your Microsoft Entra ID password to local accounts on Macs using the Enterprise Single Sign-On extension.

For more information on the Enterprise SSO plug-in, see:

Applies to:

  • macOS 13 and later

Device management

New compliance settings for Android work profile, personal devices

New compliance settings will let you add restrictions to the work profile password on a personal device without impacting the device password. Settings will be available in Microsoft Intune compliance policies under Android Enterprise personally-owned work profiles > System Security > Work Profile Security, and include:

  • Require a password to unlock work profile
  • Number of days until password expires
  • Number of previous passwords to prevent reuse
  • Maximum minutes of inactivity before password is required
  • Password complexity
  • Required password type
  • Minimum password length

Company Portal will enforce the settings and mark the device as noncompliant if the work profile password fails to meet your requirements. Intune compliance settings take precedence over the respective Intune configuration settings. For example, if the password complexity in your compliance policy is set to medium and the one in your configuration profile is set to high, Intune will prioritize and enforce the compliance setting.

Applies to:

  • Android Enterprise personally owned devices with a work profile

End-user access to BitLocker Recovery Keys for enrolled Windows devices

End-users will be able to view the BitLocker Recovery Key for enrolled Windows devices in the Web Company Portal. This capability will reduce helpdesk calls in the event they get locked out of their corporate machines. End users can access their enrolled Windows device's Recovery Key by clicking on View Recovery Key under their device after logging into the Web Company Portal. This is a similar experience to the MyAccount website, which allows end users to see their recovery keys as well.

Access to BitLocker recovery keys by end-users can be prevented when not allowed within your organization by using the Microsoft Entra ID toggle Restrict non-admin users from recovering the BitLocker key(s) for their owned device. For more information about how to prevent access to BitLocker recovery keys, see Manage device identities using the Microsoft Entra admin center.

Windows quality updates will support expediting non-security updates

Windows quality updates will support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings.

For more information about installing an expedited update, see Expedite Windows quality updates in Microsoft Intune.

Introducing a remote action to pause the config refresh enforcement interval

In the Windows Settings Catalog, you can configure Config Refresh. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune. The device will replay and re-enforce settings based on previously received policy to minimize the chance for configuration drift.

To support this feature, a remote action will be added to allow a pause in action. If an admin needs to make changes or run remediation on a device for troubleshooting or maintenance, they can issue a pause from Intune for a specified period. When the period expires, settings will be enforced again.

The remote action Pause config refresh can be accessed from the device summary page.

For information on currently available Remote actions, see Remote actions.

Device security

Defender for Endpoint security settings support in government cloud environments

Customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments will soon be able to use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. This capability is known as Defender for Endpoint security settings management.

For more information about the Intune features supported in GCC High and DoD environments, see Intune US Government service description.

Updated security baseline for Windows version 23H2

We’re working on an update to the Intune security baseline for Windows. The updated security baseline is based on the version 23H2 of the Group Policy security baseline found in the Security Compliance Toolkit and Baselines from the Microsoft Download Center, and includes only the settings that are applicable to devices managed through Intune. Use of this updated baseline can help you maintain best-practice configurations for your Windows devices.

Use of Intune security baselines can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations, which you can modify to meet the requirements of your organization.

Improvements for Intune deployments of Microsoft Defender for Endpoint

We’re improving and simplifying the experience, workflow, and reporting details when using Intune’s endpoint detection and response (EDR) policy to deploy Microsoft Defender for Endpoint. These changes will apply for Windows devices managed by Intune and the tenant-attach scenario. These improvements include:

  • Changes to dashboards and reports to improve the visibility of your Defender EDR deployment numbers.
  • A tenant-wide deployment option for Intune EDR policy that streamlines deployments of Defender for Endpoint to applicable devices.
  • Changes to Intune’s endpoint security Overview page to provide consolidated dashboard reports for the device signals from Defender on your managed devices.

Applies to the following through cloud and tenant attach endpoints:

  • Windows 10
  • Windows 11

Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint

You'll be able to use the endpoint security policy for Device control (Attack surface reduction policy) from Microsoft Intune with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.

  • Device control policies are part of endpoint security Attack surface reduction policy.

    Applies to the following when you use the Windows 10, Windows 11, and Windows Server platform:

    • Windows 10
    • Windows 11

When this change takes effect, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune will now apply the settings from the policy. Check your policy to make sure only the devices you intend to receive this policy will get it.

Monitor and troubleshoot

Intune support of Microsoft 365 remote application diagnostics

The Microsoft 365 remote application diagnostics will allow Intune admins to request Intune App Protection logs and Microsoft 365 application logs (where applicable) directly from the Intune console. Admins will find this report in the Microsoft Intune admin center by selecting Troubleshooting + support > Summary > App protection.

This feature is exclusive to applications that are under Intune App Protection management. If supported, the application specific logs are gathered and stored within dedicated storage solutions for each application. Outlook mobile logs will be supported in version 2404, with support for additional applications coming soon.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID by April 2024

Last year we announced a new Microsoft Intune GitHub repository based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, starting on April 1, 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.

How does this affect you or your users?

If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

How can you prepare?

Before April 1, 2024, update your PowerShell scripts by:

  1. Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform.
  2. Updating scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.
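
As an added example (not from the original article or from Microsoft's sample scripts), the following PowerShell inventories scripts that still contain the retiring application ID and swaps in a replacement. The function names, the demo folder, and the all-zero replacement ID are assumptions; substitute the application ID from your own app registration.

```powershell
# Added example: find and update scripts that still use the retiring
# global Intune PowerShell application (client) ID named in this notice.
# Function names and the demo data below are hypothetical.

function Find-LegacyIntuneClientId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $LegacyClientId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'
    )
    # Select-String matching is case-insensitive by default, so an
    # upper-case copy of the GUID is reported as well.
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
        Select-String -Pattern $LegacyClientId -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

function Update-IntuneClientId {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [guid]   $NewClientId,
        [string] $LegacyClientId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'
    )
    $files = Find-LegacyIntuneClientId -Path $Path -LegacyClientId $LegacyClientId |
        Select-Object -ExpandProperty File -Unique

    foreach ($file in $files) {
        if ($PSCmdlet.ShouldProcess($file, 'Replace legacy Intune client ID')) {
            # Keep a backup next to the original before rewriting it.
            Copy-Item -LiteralPath $file -Destination "$file.bak" -Force
            $content = Get-Content -LiteralPath $file -Raw
            $updated = $content -replace [regex]::Escape($LegacyClientId), $NewClientId.ToString()
            # Set-Content writes with the session's default encoding; add
            # -Encoding if your scripts depend on a specific one.
            Set-Content -LiteralPath $file -Value $updated -NoNewline
        }
    }
}

# --- Constructed demo data: two sample scripts in a temp folder ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'intune-clientid-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'legacy.ps1') -Value @'
# constructed sample script
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
'@
Set-Content -Path (Join-Path $demo 'clean.ps1') -Value 'Write-Output "no client ID here"'

# 1. Report every file and line that still references the legacy ID.
Find-LegacyIntuneClientId -Path $demo | Format-Table -AutoSize

# 2. Preview the rewrite. The all-zero GUID is a placeholder for the
#    application ID created in step 1; drop -WhatIf to apply the change.
Update-IntuneClientId -Path $demo -NewClientId '00000000-0000-0000-0000-000000000000' -WhatIf
```

Run the report against your script repository first, and review the `.bak` copies before removing them once the updated scripts authenticate successfully.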

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:

  • Android Enterprise personally-owned work profile
  • Android Enterprise corporate owned work profile
  • Android Enterprise fully managed
  • Android Open Source Project (AOSP) user-based
  • Android device administrator
  • App protection policies (APP)
  • App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

  • Intune technical support won't be provided.
  • Intune won't make changes to address bugs or issues.
  • New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

  • Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
  • Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
  • Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. With Intune’s April (2404) service release, the default method is expected to change to “Web based device enrollment” during profile creation. Additionally, for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you will need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration. For more information, review: Set up just in time registration in Microsoft Intune.

How does this affect you or your users?

This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method. Existing profiles are not impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Additional information:

Wrapped iOS apps and iOS apps using the Intune App SDK will require Azure AD app registration

We're making updates to improve the security of the Intune mobile application management (MAM) service. This update will require iOS wrapped apps and SDK integrated apps to be registered with Microsoft Entra ID (formerly Azure Active Directory (Azure AD)) by March 31, 2024 to continue receiving MAM policy.

How does this affect you or your users?

If you have wrapped apps or SDK integrated apps that aren't registered with Azure AD, these apps will be unable to connect to the MAM service to receive policy and your users won't be able to access apps that aren't registered.

How can you prepare?

Prior to this change, you will need to register the apps with Azure AD. See below for detailed instructions.

  1. Register your apps with Azure AD by following these instructions: Register an application with the Microsoft identity platform.
  2. Add the custom redirect URL to your app settings as documented here.
  3. Give your app access to the Intune MAM service, for instructions see here.
  4. Once the above changes are completed, configure your apps for Microsoft Authentication Library (MSAL):
    1. For wrapped apps: Add the Azure AD application client ID into the command-line parameters with the Intune App Wrapping Tool as outlined in the documentation: Wrap iOS apps with the Intune App Wrapping Tool | Microsoft Learn. -ac and -ar are required parameters. Each app will need a unique set of these parameters. -aa is only required for single tenant applications.
    2. For SDK integrated apps, see Microsoft Intune App SDK for iOS developer guide | Microsoft Learn. ADALClientId and ADALRedirectUri/ADALRedirectScheme are now required parameters. ADALAuthority is only required for single tenant applications.
  5. Deploy the app.
  6. To validate the above steps:
    1. Target "com.microsoft.intune.mam.IntuneMAMOnly.RequireAADRegistration" application configuration policy and set it to Enabled. See Configuration policies for Intune App SDK managed apps - Microsoft Intune | Microsoft Learn.
    2. Target App Protection Policy to the application. Enable the 'Work or school account credentials for access' policy and set 'Recheck the access requirements after (minutes of inactivity)' setting to a low number like 1.
  7. Then launch the application on a device and verify if the sign-in (which should be required every minute on app launch) happens successfully with the configured parameters.
  8. Note that if you only do step #6 and #7 before doing the other steps, you might be blocked on application launch. You will also notice the same behavior if some of the parameters are incorrect.
  9. Once you’ve completed the validation steps, you can undo the changes made in step #6.

Note

Intune will soon require an Azure AD device registration for iOS devices using MAM. If you have Conditional Access policies enabled, your devices should already be registered, and you won't notice any change. For more information, see Microsoft Entra registered devices - Microsoft Entra | Microsoft Learn.

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.

Note that customers in some environments cannot be transitioned initially. For more details and updates, read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Update to the latest Intune App SDK and Intune App Wrapper for iOS to support iOS/iPadOS 17

To support the upcoming release of iOS/iPadOS 17, update to the latest versions of the Intune App SDK and the App Wrapping Tool for iOS to ensure applications stay secure and run smoothly. Additionally, for organizations using the Conditional Access grant “Require app protection policy”, users should update their apps to the latest version prior to upgrading to iOS 17. You can learn more by reading the blog: Update Intune App SDK, Wrapper, and iOS apps using MAM policies to support iOS/iPadOS 17.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in August 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning August 30, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

  1. Users won't be able to enroll devices with Android device administrator.
  2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
  3. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Plan for Change: Intune is moving to support iOS/iPadOS 15 and later

Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 15).

Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed OS version will change to iOS 12/iPadOS 12 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 12 and higher later this year

Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 12 and later. Because the Company Portal apps for iOS and macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS 17.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Monterey is compatible with these computers.

Note

Devices that are currently enrolled on macOS 11.x or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 11.x or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 11.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune.

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:

  1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
  2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you won't be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps, and related API properties will display stale data.
  3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.

The retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:

Related information

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for the WIP without enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it's only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you're managing Windows 8.1 devices, those devices should be upgraded to a supported version of Windows 10 or Windows 11. There's no impact to existing devices and policies; however, you won't be able to enroll new devices if they're running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users' devices are running Windows 8.1, navigate to Microsoft Intune admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.
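The version check described above can also be scripted on a device instead of reading it from Apps & features. The following PowerShell is an added example, not code from this article or from Microsoft: the function name `Get-ImeVersionStatus` is hypothetical, and it assumes the extension is registered under the standard per-machine uninstall registry keys with the display name given above.

```powershell
# Added example: compare the installed Microsoft Intune Management Extension
# version with the minimum version named in the article (1.43.203.0).
$MinimumVersion = [version]'1.43.203.0'
$DisplayName    = 'Microsoft Intune Management Extension'

# Assumption: per-machine programs listed in Apps & features are registered
# under these uninstall keys (64-bit and 32-bit registry views).
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ImeVersionStatus {
    param(
        [version]$Minimum = $MinimumVersion,
        [string]$Name     = $DisplayName
    )

    # Collect every uninstall entry whose display name matches exactly.
    $entries = @(Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name })

    # Parse each DisplayVersion; entries with an unparseable version are skipped.
    $versions = @(foreach ($entry in $entries) {
        $parsed = $null
        if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) { $parsed }
    })

    if ($versions.Count -eq 0) {
        # Not installed, or no readable version: report it rather than guess.
        return [pscustomobject]@{
            Installed = ($entries.Count -gt 0)
            Versions  = @()
            UpToDate  = $false
        }
    }

    # Conservative rule: every registered entry must meet the minimum,
    # so a stale older entry is surfaced instead of hidden.
    $lowest = $versions | Sort-Object | Select-Object -First 1
    [pscustomobject]@{
        Installed = $true
        Versions  = $versions | Sort-Object
        UpToDate  = ($lowest -ge $Minimum)
    }
}

Get-ImeVersionStatus
```

A device that reports `UpToDate` as `False` after it has connected to the service is worth a closer look, since the upgrade is delivered automatically.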

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change only affects you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Intune admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.