What's new in Microsoft Intune

Learn what's new each week in Microsoft Intune.

You can also read:

Note

Each monthly update can take up to three days to roll out, in the following order:

  • Day 1: Asia Pacific (APAC)
  • Day 2: Europe, Middle East, Africa (EMEA)
  • Day 3: North America
  • Day 4+: Intune for Government

Some features roll out over several weeks and might not be available to all customers in the first week.

For a list of upcoming Intune feature releases, see In development for Microsoft Intune. For new information about Autopilot, see Windows Autopilot What's new.

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Week of March 3, 2024

Device enrollment

Role-based access control changes to enrollment settings for Windows Hello for Business

We've updated Role-based access control (RBAC) in the enrollment area for Windows Hello for Business. Enrollment settings related to Windows Hello for Business are read-only for all roles except the Intune Service Administrator. The Intune Service Administrator can create and edit Windows Hello for Business enrollment settings.

For more information, see Role-based access control in the Windows Hello at device enrollment article.

Device security

New enrollment configuration for Windows Hello for Business

A new Windows Hello for Business enrollment setting, Enable enhanced sign in security is available in the Intune admin center. Enhanced sign-in security is a Windows Hello feature that prevents malicious users from gaining access to a user's biometrics through external peripherals.

For more information about this setting, see Create a Windows Hello for Business policy.

HTML formatting supported in noncompliance email notifications

Intune now supports HTML formatting in noncompliance email notifications for all platforms. You can use supported HTML tags to add formatting such as italics, URL links, and bulleted lists to your organization's messages.

For more information, see Create a notification message template.

Week of February 26, 2024

Microsoft Intune Suite

New Microsoft Cloud PKI service

Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone Intune add-on. The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see Overview of Microsoft Cloud PKI.

Applies to:

  • Windows
  • Android
  • iOS/iPadOS
  • macOS

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Cinebody by Super 6 LLC

For more information about protected apps, see Microsoft Intune protected apps.

Week of February 19, 2024 (Service release 2402)

App management

Additional app configuration permissions for Android apps

There are six new permissions that can be configured for an Android app using an app configuration policy. These include the following permissions:

  • Allow background body sensor data
  • Media Video (read)
  • Media Images (read)
  • Media Audio (read)
  • Nearby Wifi Devices
  • Nearby Devices

For more information about how to use app config policies for Android apps, see Add app configuration policies for managed Android Enterprise devices.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Bob HR by Hi Bob Ltd
  • ePRINTit SaaS by ePRINTit USA LLC
  • Microsoft Copilot by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Update to Intune Management Extension on Windows

To support expanded functionality and bug fixes, use .NET Framework 4.7.2 or higher with the Intune Management Extension on Windows clients. If a Windows client continues to use an earlier version of the .NET Framework, the Intune Management Extension will continue to function. The .NET Framework 4.7.2 is available from Windows Update as of July 10, 2018, which is included in Win10 1809 (RS5) and newer. Note that multiple versions of the .NET Framework can coexist on a device.

Device configuration

Use assignment filters on Endpoint Privilege Management (EPM) policies

You can use assignment filters to assign a policy based on rules you create. A filter allows you to narrow the assignment scope of a policy, like targeting devices with a specific OS version or a specific manufacturer.

You can use filters on Endpoint Privilege Management (EPM) policies.

For more information, see:

Applies to:

  • Windows 10
  • Windows 11

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

  • Restrictions

    • Allow Live Voicemail
    • Force Classroom Unprompted Screen Observation
    • Force Preserve ESIM On Erase

macOS

  • Full Disk Encryption > FileVault > Force Enable In Setup Assistant
  • Restrictions > Force Classroom Unprompted Screen Observation

For more information, see:

Import up to 20 custom ADMX and ADML administrative templates

You can import custom ADMX and ADML administrative templates in Microsoft Intune. Previously, you could import up to 10 files. Now, you can upload up to 20 files.

Applies to:

  • Windows 10
  • Windows 11

For more information on this feature, go to Import custom ADMX and ADML administrative templates into Microsoft Intune (public preview).

New setting for updating MAC address randomization on Android Enterprise devices

There is a new MAC address randomization setting on Android Enterprise devices (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Wi-Fi for profile type).

Starting with Android 10, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Using randomized MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However, randomized MAC addresses break functionality that relies on a static MAC address, including network access control (NAC).

Your options:

  • Use device default: Intune doesn't change or update this setting. By default, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Any updates made by the user to the setting persist.

  • Use randomized MAC: Enables MAC address randomization on devices. When connecting to a new network, devices present a randomized MAC address, instead of the physical MAC address. If the user changes this value on their device, it resets to Use randomized MAC on the next Intune sync.

  • Use device MAC: Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. This setting allows devices to be tracked by their MAC address. Only use this value when necessary, such as for network access control (NAC) support. If the user changes this value on their device, it resets to Use device MAC on the next Intune sync.

Applies to:

  • Android 13 and newer

For more information on the Wi-Fi settings you can configure, see Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Turn Off Copilot in Windows setting in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There is a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Configuration > Create > Windows for platform > Settings catalog for profile type.

  • Windows AI > Turn Off Copilot in Windows (User)

    • If you enable this policy setting, users can't use Copilot. The Copilot icon won't appear on the taskbar.
    • If you disable or don't configure this policy setting, users can use Copilot when it's available to them.

This setting uses the Policy CSP - WindowsAI.

For more information about configuring Settings Catalog policies in Intune, including user scope vs. device scope, see Create a policy using settings catalog.

Applies to:

  • Windows 10 and later

Windows Autopilot self-deploying mode is now generally available

Windows Autopilot self-deploying mode is now generally available and out of preview. Windows Autopilot self-deploying mode enables you to deploy Windows devices with little to no user interaction. Once the device connects to a network, the device provisioning process starts automatically: the device joins Microsoft Entra ID, enrolls in Intune, and syncs all device-based configurations targeted to the device. Self-deploying mode ensures that the user can't access the desktop until all device-based configuration is applied. The Enrollment Status Page (ESP) is displayed during OOBE so users can track the status of the deployment. For more information, see:

This information is also published in Windows Autopilot: What's new.

Windows Autopilot for pre-provisioned deployment is now generally available

Windows Autopilot for pre-provisioned deployment is now generally available and out of preview. Windows Autopilot for pre-provisioned deployment is used by organizations that want to ensure devices are business-ready before the user accesses them. With pre-provisioning, admins, partners, or OEMs can access a technician flow from the Out-of-box experience (OOBE) and kick off device setup. Next, the device is sent to the user, who completes provisioning in the user phase. Pre-provisioning delivers most of the configuration in advance so the end user can get to the desktop faster. For more information, see:

This information is also published in Windows Autopilot: What's new.

Device enrollment

ESP setting to install required apps during Windows Autopilot pre-provisioning

The setting Only fail selected blocking apps in technician phase is now generally available to configure in Enrollment Status Page (ESP) profiles. This setting only appears in ESP profiles that have blocking apps selected.

For more information, see Set up the Enrollment Status Page.

New local primary account configuration for macOS automated device enrollment

Configure local primary account settings for Macs enrolling in Intune via Apple automated device enrollment. These settings, supported on devices running macOS 10.11 and later, are available in new and existing enrollment profiles under the new Account Settings tab. For this feature to work, the enrollment profile must be configured with user-device affinity and one of the following authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)

Applies to:

  • macOS 10.11 and later

For more information about macOS account settings, see Create an Apple enrollment profile in Intune.

Await final configuration for macOS automated device enrollment now generally available

Now generally available, await final configuration enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies are installed on devices. The locked experience works on devices targeted with new and existing enrollment profiles, enrolling via one of these authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)
  • Without user device affinity

Applies to:

  • macOS 10.11 and later

For information about how to enable await final configuration, see Create an Apple enrollment profile.

Device management

AOSP devices check for new tasks and notifications approximately every 15 minutes

On devices enrolled with Android (AOSP) management, Intune attempts to check for new tasks and notifications approximately every 15 minutes. To use this feature, devices must be using the Intune app version 24.02.4 or newer.

Applies to:

  • Android (AOSP)

For more information, see:

New device management experience for Government clouds in Microsoft Intune

In government clouds, there's a new device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster.

If you want to try the new experience before your tenant is updated, go to Devices > Overview, select the Preview upcoming changes to Devices and provide feedback notification banner, and select Try it now.

Bulk approval of drivers

Bulk actions are now available for Windows Driver update policies. With bulk actions, multiple driver updates can be approved, paused, or declined at the same time, saving time and effort.

When bulk approving drivers, the date for when the drivers become available to applicable devices can also be set, enabling drivers to be installed together.

Applies to:

  • Windows 10
  • Windows 11

For more information, see Bulk driver updates.

Tenant administration

Customization pane support for excluding groups

The Customization pane now supports selecting groups to exclude when assigning policies. You will find this setting in the Microsoft Intune admin center by selecting Tenant administration > Customization.

For more information, see Assign policies in Microsoft Intune.

Week of January 29, 2024

Microsoft Intune Suite

Microsoft Intune Enterprise Application Management

Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. Intune hosts Enterprise App Catalog apps in Microsoft storage.

For more information, see:

Microsoft Intune Advanced Analytics

Intune Advanced Analytics provides comprehensive visibility of the end-user experience in your organization and optimizes it with data-driven insights. It includes near real-time data about your devices with Device query, increased visibility with custom device scopes, a battery health report and a detailed device timeline for troubleshooting device issues, and anomaly detection to help identify potential vulnerabilities or risks across your device estate.

  • Battery health report

    The battery health report provides visibility into the health of batteries in your organization's devices and their influence on user experience. The scores and insights in this report are intended to help IT admins with asset management and purchase decisions that improve user experience while balancing hardware costs.

  • Run on-demand device queries on single devices

    Intune allows you to quickly gain on-demand information about the state of your device. When you enter a query on a selected device, Intune runs a query in real time.

    The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.

    Applies to:

    • Windows devices

Intune Advanced Analytics is part of the Microsoft Intune Suite. For added flexibility, this new set of capabilities, together with the existing Advanced Analytics features, is also now available as an individual add-on to Microsoft subscriptions that include Intune.

To use Device query and battery health report in your tenant, or any of the existing Advanced Analytics capabilities, you must have a license for either:

  • The Intune Advanced Analytics add-on
  • The Microsoft Intune Suite add-on

For more information, see:

Week of January 22, 2024 (Service release 2401)

App management

Install DMG and PKG apps up to 8 GB in size on managed Macs

The size limit of DMG and PKG apps that can be installed using Intune on managed Macs has been increased. The new limit is 8 GB and applies to apps (DMG and unmanaged PKG) that are installed using the Microsoft Intune management agent for macOS.

For more information about DMG and PKG apps, see Add a macOS DMG app to Microsoft Intune and Add an unmanaged macOS PKG app to Microsoft Intune.

Intune support of store-signed LOB apps for Surface Hub devices

Intune now supports the deployment of store-signed LOB apps (single file .appx, .msix, .appxbundle, and .msixbundle) to Surface Hub devices. The support for store-signed LOB apps enables offline store apps to be deployed to Surface Hub devices following the retirement of the Microsoft Store for Business.

Route SMS/MMS messages to specific app

You can configure an app protection policy to determine which SMS/MMS app must be used when the end user intends to send an SMS/MMS message after getting redirected from a policy-managed app. When the end user selects a number with the intent of sending an SMS/MMS message, the app protection settings are used to redirect to the configured SMS/MMS app. This capability relates to the Transfer messaging data to setting and applies to both iOS/iPadOS and Android platforms.

For more information, see iOS app protection policy settings and Android app protection policy settings.

End user app PIN reset

For managed apps that require a PIN to access, allowed end users can now reset the app PIN at any time. You can require an app PIN in Intune by selecting the PIN for access setting in iOS/iPadOS and Android app protection policies.

For more information about app protection policies, see App protection policies overview.

Maximum app package size

The maximum package size for uploading apps to Intune has changed from 8 GB to 30 GB for paid customers. Trial tenants are still restricted to 8 GB.

For more information, see Win32 app management in Microsoft Intune.

Device configuration

New setting that disables location on Android Enterprise devices

On Android Enterprise devices, there's a new setting that allows admins to control the location (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > General):

  • Location: Block disables the Location setting on the device and prevents users from turning it on. When location is blocked, any other setting that depends on the device location is affected, including the Locate device remote action. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using location on the device.

Applies to:

  • Android Enterprise

For more information on the settings you can configure, see Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Date and time picker for managed software updates in the settings catalog on iOS/iPadOS and macOS devices

Using the settings catalog, you can enforce managed updates on iOS/iPadOS and macOS devices by entering a date and time (Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update).

Previously, you had to manually type the date and time. Now, there's a date and time picker for the Target Local Date Time setting:

Declarative Device Management (DDM) > Software Update:

  • Target Local Date Time

Important

If you create a policy using this setting before the January 2024 release, then this setting shows Invalid Date for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows Invalid Date.

To configure a new date and time, you can delete the Invalid Date values, and select a new date and time using the date time picker. Or, you can create a new policy.

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring Managed software updates in Intune, see Use the settings catalog to configure managed software updates.

Device management

New device management experience in Microsoft Intune

We're rolling out an update to the device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster. The new experience, previously in public preview, will gradually roll out for general availability over the coming weeks. The public preview experience continues to be available until your tenant receives the update.

The availability of this new admin center experience varies tenant by tenant. While a few will see this update immediately, many might not see the new experience for several weeks. For Government clouds, the availability of this experience is estimated around late February 2024.

Due to the rollout timelines, we are updating our documentation to the new experience as soon as possible to help ease the transition to the new admin center layout. We are unable to provide a side-by-side content experience during this transition and believe providing documentation that aligns to the newer experience brings more value to more customers. If you want to try the new experience and align with doc procedures before your tenant is updated, go to Devices > Overview, select the notification banner that reads Preview upcoming changes to Devices and provide feedback, and select Try it now.

BlackBerry Protect Mobile now supports app protection policies

You can now use Intune app protection policies with BlackBerry Protect Mobile (powered by Cylance AI). With this change Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for unenrolled devices. This includes the use of risk assessment with Conditional access and configuration of Conditional Launch settings for unenrolled devices.

While configuring the CylancePROTECT Mobile connector (formerly BlackBerry Mobile), you now can select options to turn on App protection policy evaluation for both Android and iOS/iPadOS devices.

For more information, see Set up BlackBerry Protect Mobile, and Create Mobile Threat Defense app protection policy with Intune.

Device security

Support for Intune Defender Update control policies for devices managed by Microsoft Defender for Endpoint

You can now use the endpoint security policy for Defender Update control (Antivirus policy) from the Microsoft Intune admin center with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.

  • Defender Update control policies are part of endpoint security Antivirus policy.

Applies to the following when you use the Windows 10, Windows 11, and Windows Server platform:

  • Windows 10
  • Windows 11

With this support available, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune, will now apply the settings from the policy. Check your policy to make sure only the devices you intend to receive the policy will get it.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • PrinterOn Print by PrinterOn, Inc. (iOS/iPadOS)
  • Align for Intune by MFB Technologies, Inc. (iOS/iPadOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Monitoring reports for devices

In Intune, you can view a new list of all device monitoring reports. You can find these reports in Microsoft Intune admin center by selecting Devices > Monitor. The Monitor pane provides reports related to configuration, compliance, enrollment, and software updates. Additionally, there are other reports that you can view, such as Device actions.

For more information, see Intune reports.

Exported report data maintains search results

Intune can now maintain your report search and filter results when exporting report data. For example, when you use the Noncompliant devices and settings report, set the OS filter to "Windows", and search for "PC", the exported data will only contain Windows devices with "PC" in their name. This capability is also available when calling the ExportJobs API directly.

Easy upload of diagnostic logs for Microsoft Tunnel servers

You can now use a single click within the Intune admin center to have Intune enable, collect, and submit eight hours of verbose logs for a Tunnel Gateway Server to Microsoft. The verbose logs can then be referenced while working with Microsoft to identify or resolve issues with a Tunnel server.

In contrast, the collection of verbose logs has previously required you to sign on to the server, run manual tasks and scripts to enable and collect verbose logs, and then copy them to a location from which you can transfer them to Microsoft.

To find this new capability, in the admin center go to Tenant administration > Microsoft Tunnel Gateway > select a server > select the Logs tab. On this tab is a new section named Send verbose server logs, with a button labeled Send logs and a list view that displays the various log sets that have been collected and submitted to Microsoft.

When you select the Send logs button:

  • Intune captures and submits the current server logs as a baseline, prior to collecting verbose logs.
  • Verbose logging is automatically enabled at level 4, and runs for eight hours to provide time to reproduce an issue for capture in those logs.
  • After eight hours, Intune submits the verbose logs and then restores the server to its default verbosity level of zero (0), for normal operations. If you previously set logs to run at a higher verbosity level, you can restore your custom verbosity level after log collection and upload is complete.
  • Each time Intune collects and submits logs, it updates the list view below the button.
  • Below the button is a list of past log submissions, displaying their verbosity level and an Incident ID that you can use when working with Microsoft to reference a specific set of logs.

For more information about this capability, see Easy upload of diagnostic logs for Tunnel servers.

Week of December 11, 2023 (Service release 2312)

App management

Support to add unmanaged PKG-type applications to managed macOS devices is now generally available

You can now upload and deploy unmanaged PKG-type applications to managed macOS devices using the Intune MDM agent for macOS devices. This feature enables you to deploy custom PKG installers, such as unsigned apps and component packages. You can add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS app (PKG) for app type.

Applies to:

  • macOS

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To deploy a managed PKG-type app, you can continue to add macOS line-of-business (LOB) apps to Microsoft Intune. For more information about the Intune MDM agent for macOS devices, see Microsoft Intune management agent for macOS.

Windows MAM supported in government cloud environments and in 21 Vianet in China

Customer tenants in US Government Community (GCC), US Government Community (GCC) High, and Department of Defense (DoD) environments are now able to use Windows MAM. For related information, see Deploying apps using Intune on the GCC High and DoD Environments and Data protection for Windows MAM.

In addition, Windows MAM is available for Intune operated by 21Vianet in China. For more information, see Intune operated by 21Vianet in China.

Device configuration

Updated security baseline for Microsoft Edge v117

We've released a new version of the Intune security baseline for Microsoft Edge, v117. This update brings support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge.

We've also updated our reference article for this baseline where you can view the default configuration of the settings this baseline version includes.

Device management

Support for variables in noncompliant email notifications

Use variables to personalize email notifications that are sent when a user's device becomes noncompliant. The variables included in the template, such as {{username}} and {{devicename}}, are replaced by the actual username or device name in the email that users receive. Variables are supported with all platforms.

For more information and a list of supported variables, see Create a notification message template.

Updated report visualization for Microsoft Defender for Endpoint connector

We updated the reporting visualization for the Microsoft Defender for Endpoint connector. This report visualization displays the count of devices that have onboarded to Defender for Endpoint based on status from the Defender CSP, and visually aligns to other recent report views that use a bar to represent the percentage of devices with different status values.

Device security

New settings for scheduling Antivirus scans added to Antivirus policy for Windows devices

We've added two settings to the Microsoft Defender Antivirus profile for endpoint security Antivirus policy that applies to Windows 10 and Windows 11 devices. These two settings work together to first enable support for a random start time of a device's antivirus scan, and to then define a range of time during which the randomized scan start can begin. These settings are supported with devices managed by Intune and devices managed through the Defender for Endpoint security settings management scenario.

In addition to being added to the Microsoft Defender Antivirus profile, both settings are now available from the settings catalog.

Applies to:

  • Windows 10
  • Windows 11

Microsoft Tunnel support for direct proxy exclusion list in VPN profiles for Android Enterprise

Intune now supports configuration of a Proxy exclusion list when you configure a VPN profile for Microsoft Tunnel for Android devices. With an exclusion list, you can exclude specific domains from your proxy setup without requiring the use of a Proxy Auto-Configuration (PAC) file. The proxy exclusion list is available with both Microsoft Tunnel and Microsoft Tunnel for MAM.

The proxy exclusion list is supported in environments that use a single proxy. The exclusion list isn't suitable or supported when you use multiple proxy servers, for which you should continue to use a .PAC file.

Applies to:

  • Android Enterprise

Microsoft Tunnel server health metric to report on TLS certificate revocation

We've added a new health metric for Microsoft Tunnel named TLS certificate revocation. This new health metric reports on the status of the Tunnel server's TLS certificate by accessing the Online Certificate Status Protocol (OCSP) or CRL address as defined in the TLS certificate. You can view the status of this new check with all the health checks in the Microsoft Intune admin center by navigating to Tenant administration > Microsoft Tunnel Gateway > Health status, selecting a server, and then selecting that server's Health check tab.

This metric runs as part of the existing Tunnel Health checks, and supports the following statuses:

  • Healthy: The TLS certificate is not revoked
  • Warning: Unable to check if the TLS certificate is revoked
  • Unhealthy: The TLS certificate is revoked and should be updated

For more information about the TLS certificate revocation check, see Monitor Microsoft Tunnel.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Akumina EXP by Akumina Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of November 27, 2023

App management

Configure offline caching in Microsoft 365 (Office) for Android devices

When the Save As to Local Storage setting is set to blocked in an app protection policy, you can use a configuration key in an app configuration policy to enable or disable offline caching. This setting is only applicable to the Microsoft 365 (Office) app on Android.

For more information, see Data protection settings in Microsoft 365 (Office).

Win32 app grace period settings on a device

On a device where a Win32 app with grace period settings has been deployed, low-rights users without administrative privileges can now interact with the grace period UX. Admins on the device continue to be able to interact with the grace period UX on the device.

For more information about grace period behavior, see Set Win32 app availability and notifications.

Managed Home Screen app configuration additions

Now in public preview, Microsoft Managed Home Screen (MHS) has been updated to improve the core workflows and user experience. In addition to some user interface changes, there's a new top bar navigation where admins can configure device identifying attributes to be displayed. Additionally, users can access settings, sign in/out, and view notifications when permissions are requested on the top bar.

You can add additional settings to configure the Managed Home Screen app for Android Enterprise. Intune now supports the following settings in your Android Enterprise app configuration policy:

  • Enable updated user experience
  • Top Bar Primary Element
  • Top Bar Secondary Element
  • Top Bar User Name Style

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Intune APP SDK for .NET MAUI

Using the Intune APP SDK for .NET MAUI, you can develop Android or iOS apps for Intune that incorporate the .NET Multi-platform App UI. Apps developed using this framework will allow you to enforce Intune mobile application management. For .NET MAUI support on Android, see Intune App SDK for .NET MAUI - Android. For .NET MAUI support on iOS, see Intune App SDK for .NET MAUI - iOS.

Week of November 13, 2023 (Service release 2311)

App management

New grace period status added in apps for Android, Android AOSP

The Intune Company Portal app for Android and Microsoft Intune app for Android AOSP now show a grace period status for devices that don't meet compliance requirements but are still within their given grace period. Users can see the date by which devices must be compliant, and the instructions for how to become compliant. If users don't update their device by the given date, the device is marked as noncompliant.

For more information, see the following articles:

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Managed Settings:

  • Data roaming
  • Personal hotspot
  • Voice roaming (deprecated): This setting is deprecated in iOS 16.0. Data roaming is the replacement setting.

Shared iPad

Managed Settings:

  • Diagnostic submission

macOS

Microsoft Defender > Antivirus engine:

  • Enable passive mode (deprecated): This setting is deprecated. Enforcement level is the replacement setting.
  • Enable real-time protection (deprecated): This setting is deprecated. Enforcement level is the replacement setting.
  • Enforcement level

Settings to manage Windows Subsystem for Linux are now available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

We've added settings to the Windows settings catalog for Windows Subsystem for Linux (WSL). These settings enable Intune integration with WSL so admins can manage WSL deployments and the controls applied to the Linux instances themselves.

To find these settings, in the Microsoft Intune admin center go to Devices > Configuration > Create > New Policy > Windows 10 and later for platform > Settings catalog for profile type.

Windows Subsystem for Linux:

  • Allow kernel debugging
  • Allow custom networking configuration
  • Allow custom system distribution configuration
  • Allow kernel command line configuration
  • Allow custom kernel configuration
  • Allow WSL1
  • Allow the Windows Subsystem for Linux
  • Allow the Inbox version of the Windows Subsystem For Linux
  • Allow user setting firewall configuration
  • Allow nested virtualization
  • Allow passthrough disk mount
  • Allow the debug shell

Applies to:

  • Windows 10
  • Windows 11

Device enrollment

Enrollment for iOS/iPadOS devices in shared device mode now generally available

Setting up automated device enrollment for iOS/iPadOS devices that are in shared device mode is now generally available to configure in the Microsoft Intune admin center. Shared device mode is a feature of Microsoft Entra that enables your frontline workers to share a single device throughout the day, signing in and out as needed.

For more information, see Set up enrollment for devices in shared device mode.

Device management

Improvements to new device experience in admin center (public preview)

We've made the following changes to the new Devices experience in the Microsoft Intune admin center:

  • Additional entry points to platform-specific options: Access the platform pages from the Devices navigation menu.
  • Quick entry to monitoring reports: Select the titles of the metrics cards to go to the corresponding monitoring report.
  • Improved navigation menu: We added icons back in to provide more color and context as you navigate.

Flip the toggle in the Microsoft Intune admin center to try out the new experience while it's in public preview and share your feedback.

For more information, see:

Device security

Additional settings for the Linux Antivirus policy template

We've expanded support for Linux by adding the following settings to the Microsoft Defender Antivirus template for Linux devices:

  • cloudblocklevel
  • scanarchives
  • scanafterdefinitionupdate
  • maximumondemandscanthreads
  • behaviormonitoring
  • enablefilehashcomputation
  • networkprotection
  • enforcementlevel
  • nonexecmountpolicy
  • unmonitoredfilesystems

The Microsoft Defender Antivirus template for Linux is supported for devices managed by Intune, as well as those managed only by Defender through the Defender for Endpoint security settings management scenario.

Updated security baseline for Microsoft 365 Apps for Enterprise

We've released a new version of the Intune security baseline for Microsoft 365 Apps for Enterprise, version 2306.

The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to your Office Apps that meet the security recommendations of the Office and security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations. You can modify the default baseline to meet the requirements of your organization.

We've also updated our reference article for this baseline where you can view the default configuration of the settings this baseline version includes.

Deprecation and replacement of two settings found in the Linux and macOS endpoint security Antivirus policies

We have deprecated two settings that are found in the Antivirus engine category of Microsoft Defender Antivirus profiles of both macOS and Linux. These profiles are available as part of Intune's endpoint security Antivirus policies.

For each platform, the two deprecated settings are replaced by a single new setting that aligns to how the device configurations are managed by Microsoft Defender for Endpoint.

The following are the two deprecated settings:

  • Enable real-time protection now appears as Enable real-time protection (deprecated)
  • Enable passive mode now appears as Enable passive mode (deprecated)

The new setting that replaces the two deprecated settings:

  • Enforcement level - By default, Enforcement level is set to Passive and supports options of Real time and On demand.

These settings are also available from the Intune settings catalog for each platform, where the old settings are also marked as deprecated and replaced by the new setting.

With this change, a device that has either of the deprecated settings configured continues to apply that configuration until the device is targeted by the new Enforcement level setting. Once targeted by Enforcement level, the deprecated settings are no longer applied to the device.

The deprecated settings will be removed from the Antivirus profiles and the settings catalog in a future update to Intune.

Note

The changes for Linux are now available. The macOS settings are marked as deprecated, but the Enforcement level setting will not be available until December.

Applies to:

  • Linux
  • macOS

Microsoft Defender Firewall profiles are renamed to Windows Firewall

To align to Firewall branding changes in Windows, we are updating the names of Intune profiles for endpoint security Firewall policies. In profiles that have Microsoft Defender Firewall in the name we are replacing that with Windows Firewall.

The following platforms have profiles that are affected, with only the profile names being affected by this change:

  • Windows 10 and later (ConfigMgr)
  • Windows 10, Windows 11, and Windows Server

Endpoint security Firewall policy for Windows Firewall to manage firewall settings for Windows Hyper-V

We've added new settings to the Windows Firewall profile (formerly Microsoft Defender Firewall) for endpoint security Firewall policy. The new settings can be used to manage Windows Hyper-V settings. To configure the new settings, in the Microsoft Intune admin center, go to Endpoint security > Firewall > Platform: Windows 10, Windows 11, and Windows Server > Profile: Windows Firewall.

The following settings have been added to the Firewall category:

  • Target - When Target is set to Windows Subsystem for Linux, the following child settings are applicable:
    • Enable Public Network Firewall
    • Enable Private Network Firewall
    • Allow Host Policy Merge
    • Enable Domain Network Firewall
    • Enable Loopback

Applies to:

  • Windows 10
  • Windows 11

For more information about these settings, see Windows Firewall with Advanced Security.

New Endpoint Security Firewall policy profile for Windows Hyper-V Firewall Rules

We've released a new profile named Windows Hyper-V Firewall Rules that you can find through the Windows 10, Windows 11, and Windows Server platform path for endpoint security Firewall policy. Use this profile to manage the firewall settings and rules that apply to specific Hyper-V containers on Windows, including applications like the Windows Subsystem for Linux (WSL) and the Windows Subsystem for Android (WSA).

Applies to:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Hey DAN for Intune by Civicom, Inc.
  • Microsoft Azure by Microsoft Corporation (iOS)
  • KeePassium for Intune by KeePassium Labs (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of November 6, 2023

App management

Minimum version update for iOS Company Portal

Users are required to update to v5.2311.1 of the iOS Company Portal. If you have enabled the Block installing apps using App Store device restriction setting, you will likely need to push an update to the related devices that use this setting. Otherwise, no action is needed.

If you have a helpdesk, you might want to make them aware of the prompt to update the Company Portal app. In most cases, users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. Users that have an earlier app version will be prompted to update to the latest Company Portal app.

Device security

Defender for Endpoint security settings management enhancements and support for Linux and macOS are generally available

The improvements that were introduced in the Defender for Endpoint security settings management opt-in public preview are now generally available.

With this change, the default behavior for security settings management includes all the behavior added for the opt-in preview – without having to enable support for preview features in Microsoft Defender for Endpoint. This includes the general availability and support for the following endpoint security profiles for Linux and macOS:

Linux:

  • Microsoft Defender Antivirus
  • Microsoft Defender Antivirus exclusions
  • Endpoint detection and response

macOS:

  • Microsoft Defender Antivirus
  • Microsoft Defender Antivirus exclusions
  • Endpoint detection and response

For more information, see Microsoft Defender for Endpoint Security settings management in the Intune documentation.

Device management

Feature updates and reports support Windows 11 policies

The new setting on Feature update policies enables an organization to deploy Windows 11 to those devices that are eligible for the upgrade, while ensuring devices not eligible for the upgrade are on the latest Windows 10 feature update with a single policy. As a result, admins do not need to create or manage groups of eligible and non-eligible devices.

For more information on feature updates, see Feature updates for Windows 10 and later.

Week of October 30, 2023

Device security

Strict Tunnel Mode in Microsoft Edge available for Microsoft Tunnel for MAM on Android and iOS/iPadOS devices

In Intune, you can use the Microsoft Tunnel for mobile application management (MAM) on Android and iOS/iPadOS devices. With the MAM tunnel, unmanaged devices (devices not enrolled in Intune) can access on-premises apps and resources.

There's a new Strict Tunnel Mode feature you can configure for Microsoft Edge. When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again.

To configure this feature, create a Microsoft Edge app configuration policy, and add the following setting:

  • Key: com.microsoft.intune.mam.managedbrowser.StrictTunnelMode
  • Value: True

Applies to:

  • Android Enterprise version 10 and later
  • iOS/iPadOS version 14 and later

For more information, see:

Week of October 23, 2023 (Service release 2310)

App management

Update for users of Android Company Portal app

If users launch a version of the Android Company Portal app below version 5.0.5333.0 (released November 2021), they'll see a prompt encouraging them to update their Android Company Portal app. If a user with an older Android Company Portal version attempts a new device registration using a recent version of the Authenticator app, the process will likely fail. To resolve this behavior, update the Android Company Portal app.

Minimum SDK version warning for iOS devices

The Min SDK version for the iOS Conditional Launch setting on iOS devices now includes a warn action. This action warns end users if the min SDK version requirement isn't met.

For more information, see iOS app protection policy settings.

Minimum OS for Apple LOB and store apps

You can configure the minimum operating system to be the latest Apple OS releases for both Apple line-of-business apps and iOS/iPadOS store apps. You can set the minimum operating system for Apple apps as follows:

  • iOS/iPadOS 17.0 for iOS/iPadOS line-of-business apps
  • macOS 14.0 for macOS line-of-business apps
  • iOS/iPadOS 17.0 for iOS/iPadOS store apps

Applies to:

  • iOS/iPadOS
  • macOS

Android (AOSP) supports line-of-business (LOB) apps

You can install and uninstall mandatory LOB apps on AOSP devices by using the Required and Uninstall group assignments.

Applies to:

  • Android

To learn more about managing LOB apps, see Add an Android line-of-business app to Microsoft Intune.

Configuration scripts for unmanaged macOS PKG apps

You can now configure pre-install and post-install scripts in unmanaged macOS PKG apps. This feature gives you greater flexibility over custom PKG installers. Configuring these scripts is optional and requires the Intune agent for macOS devices v2309.007 or higher.

For more information about adding scripts to unmanaged macOS PKG apps, see Add an unmanaged macOS PKG app.

Device configuration

FSLogix settings are available in the Settings Catalog and Administrative Templates

The FSLogix settings are available in the Settings Catalog and in Administrative Templates (ADMX) for you to configure.

Previously, to configure FSLogix settings on Windows devices, you imported them using the ADMX import feature in Intune.

Applies to:

  • Windows 10
  • Windows 11

For more information on these features, see:

Use delegated scopes in your Managed Google Play apps that configure enhanced permissions on Android Enterprise devices

In your Managed Google Play apps, you can give apps enhanced permissions using delegated scopes.

When your apps include delegated scopes, you can configure the following settings in a device configuration profile (Devices > Configuration > Create > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > Applications):

  • Allow other apps to install and manage certificates: Admins can select multiple apps for this permission. The selected apps are granted access to certificate installation and management.
  • Allow this app to access Android security logs: Admins can select one app for this permission. The selected app is granted access to security logs.
  • Allow this app to access Android network activity logs: Admins can select one app for this permission. The selected app is granted access to network activity logs.

To use these settings, your Managed Google Play app must use delegated scopes.

Applies to:

  • Android Enterprise fully managed devices
  • Android Enterprise dedicated devices
  • Android Enterprise corporate-owned devices with a work profile

For more information on this feature, see:

Samsung ended support for kiosk mode on Android device administrator (DA) devices

Samsung marked the Samsung Knox kiosk APIs used on Android device administrator as deprecated in Knox 3.7 (Android 11).

Though the functionality might continue to work, there's no guarantee that it will continue working. Samsung won't fix bugs that might arise. For more information on Samsung support for deprecated APIs, see What kind of support is offered after an API is deprecated? (opens Samsung's web site).

Instead, you can manage kiosk devices with Intune using dedicated device management.

Applies to:

  • Android device administrator (DA)

Import and export settings catalog policies

The Intune settings catalog lists all the settings you can configure, and all in one place (Devices > Configuration > Create > New Policy > Select your platform > For Profile, select Settings catalog).

The settings catalog policies can be imported and exported:

  • To export an existing policy, select the profile > select the ellipsis > Export JSON.
  • To import a previously exported settings catalog policy, select Create > Import policy > select the previously exported JSON file.

For more information about the settings catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Note

This feature is continuing to roll out. It may be a couple of weeks before it's available in your tenant.

New setting to block users from using the same password to unlock the device and access the work profile on Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, users can use the same password to unlock the device and access the work profile.

There's a new setting that can enforce different passwords to unlock the device and access the work profile (Devices > Configuration > Create > Android Enterprise > Personally Owned Work Profile for platform > Device Restrictions for profile type):

  • One lock for device and work profile: Block prevents users from using the same password for the lock screen on the device and work profile. End users are required to enter the device password to unlock the device and enter their work profile password to access their work profile. When set to Not Configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to access their work profile using a single password.

This setting is optional and doesn't impact existing configuration profiles.

Currently, if the work profile password doesn't meet the policy requirements, then device users see a notification. The device isn't marked as non-compliant. A separate compliance policy for the work profile is being created and will be available in a future release.

Applies to:

  • Android Enterprise personally owned devices with a work profile (BYOD)

For a list of settings you can configure on personally owned devices with a work profile, see Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > macOS > Settings catalog for profile type.

Privacy > Privacy Preferences Policy Control:

  • System Policy App Data

Restrictions:

  • Force On Device Only Dictation

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device enrollment

Web based device enrollment with JIT registration for personal iOS/iPadOS devices

Intune supports web-based device enrollment with just in time (JIT) registration for personal devices set up via Apple device enrollment. JIT registration reduces the number of authentication prompts shown to users throughout the enrollment experience and establishes SSO across the device. Enrollment takes place on the web version of Intune Company Portal, eliminating the need for the Company Portal app. This enrollment method also enables employees and students without managed Apple IDs to enroll devices and access volume-purchased apps.

For more information, see Set up web based device enrollment for iOS.

Device management

Updates to the Intune add-ons page

The Intune add-ons page under Tenant administration includes Your add-ons, All add-ons, and Capabilities. It provides an enhanced view into your trial or purchased licenses, the add-on capabilities you're licensed to use in your tenant, and support for new billing experiences in Microsoft admin center.

For more information, see Use Intune Suite add-ons capabilities.

Remote Help for Android is now generally available

Remote Help is generally available for Android Enterprise Dedicated devices from Zebra and Samsung.

With Remote Help, IT Pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues quickly and efficiently.

Applies to:

  • Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, see Remote Help on Android.

Device security

Configure declarative software updates and passcode policies for Apple devices in the Settings Catalog

You can manage software updates and passcodes with Apple's declarative device management (DDM) configuration through the settings catalog (Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative device management).

For more information about DDM, see Apple's declarative device management (DDM) (opens Apple's website).

DDM allows you to install a specific update by an enforced deadline. The autonomous nature of DDM provides an improved user experience, because the device handles the entire software update lifecycle: it notifies users that an update is available, downloads the update, prepares the device for installation, and installs the update.

In the settings catalog, the following declarative software update settings are available at Declarative device management > Software Update:

  • Details URL: The web page URL that shows the update details. Typically, this URL is a web page hosted by your organization that users can select if they need organization-specific help with the update.
  • Target Build Version: The target build version to update the device to, like 20A242. The build version can include a supplemental version identifier, like 20A242a. If the build version you enter isn't consistent with the Target OS Version value you enter, then the Target OS Version value takes precedence.
  • Target Local Date Time: The local date time value that specifies when to force install the software update. If the user doesn't trigger the software update before this time, then the device force installs it.
  • Target OS Version: The target OS version to update the device to. This value is the OS version number, like 16.1. You can also include a supplemental version identifier, like 16.1.1.

For more information on this feature, see Manage software updates with the settings catalog.

In the settings catalog, the following declarative passcode settings are available at Declarative device management > Passcode:

  • Automatic Device Lock: Enter the maximum time period that a user can be idle before the system automatically locks the device.
  • Maximum Grace Period: Enter the maximum time period that a user can unlock the device without a passcode.
  • Maximum Number of Failed Attempts: Enter the maximum number of wrong passcode attempts before:
    • iOS/iPadOS wipes the device
    • macOS locks the device
  • Minimum Passcode Length: Enter the minimum number of characters a passcode must have.
  • Passcode Reuse Limit: Enter the number of previously used passcodes that can't be used.
  • Require Complex Passcode: When set to True, a complex passcode is required. A complex passcode doesn't have repeated characters, and doesn't have increasing or decreasing characters, like 123 or CBA.
  • Require Passcode on Device: When set to True, the user must set a passcode to access the device. If you don't set other passcode restrictions, then there aren't any requirements about the length or quality of the passcode.

Applies to:

  • iOS/iPadOS 17.0 and later
  • macOS 14.0 and later

For information about the settings catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Mvision Mobile is now Trellix Mobile Security

The Intune Mobile Threat Defense partner Mvision Mobile has transitioned to Trellix Mobile Security. With this change, we've updated our documentation and the Intune admin center UI. For example, the Mvision Mobile connector is now Trellix Mobile Security. Existing installs of the Mvision Mobile connector also update to Trellix Mobile Security.

If you have questions about this change, reach out to your Trellix Mobile Security representative.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • BuddyBoard by Brother Industries, LTD
  • Microsoft Loop by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Policy compliance and Setting compliance are now generally available

The following device compliance reports are out of public preview and are now generally available:

With this move to general availability, the older versions of both reports have been retired from the Intune admin center and are no longer available.

For more information about these changes, see the Intune Support Team blog at https://aka.ms/Intune/device_compl_report.

Tenant administration

Intune admin center home page update

The Intune admin center home page has been redesigned with a fresh new look and more dynamic content. The Status section has been simplified. You can explore Intune related capabilities in the Spotlight section. The Get more out of Intune section provides links to the Intune community and blog, and Intune customer success. Also, the Documentation and training section provides links to What's New in Intune, Feature in development, and more training. In Microsoft Intune admin center, select Home.

Week of October 16, 2023

Tenant administration

endpoint.microsoft.com URL redirects to intune.microsoft.com

Previously, it was announced that the Microsoft Intune admin center has a new URL (https://intune.microsoft.com).

The https://endpoint.microsoft.com URL now redirects to https://intune.microsoft.com.

Week of September 18, 2023 (Service release 2309)

App management

MAM for Windows general availability

You can now enable protected MAM access to org data via Microsoft Edge on personal Windows devices. This capability uses the following functionality:

  • Intune Application Configuration Policies (ACP) to customize the org user experience in Microsoft Edge
  • Intune Application Protection Policies (APP) to secure org data and ensure the client device is healthy when using Microsoft Edge
  • Windows Security Center threat defense integrated with Intune APP to detect local health threats on personal Windows devices
  • Application Protection Conditional Access to ensure the device is protected and healthy before granting protected service access via Microsoft Entra ID.

Intune Mobile Application Management (MAM) for Windows is available for Windows 11, build 10.0.22621 (22H2) or later. This feature includes the supporting changes for Microsoft Intune (2309 release), Microsoft Edge (v117 stable branch and later) and Windows Security Center (v 1.0.2309.xxxxx and later). App Protection Conditional Access is in Public Preview.

Sovereign cloud support is expected in the future. For more information, see App protection policy settings for Windows.

Device configuration

OEMConfig profiles that don't deploy successfully aren't shown as "pending"

For Android Enterprise devices, you can create a configuration policy that configures the OEMConfig app (Devices > Configuration > Create > Android Enterprise for platform > OEMConfig for profile type).

Previously, OEMConfig profiles that exceeded 350 KB showed a "pending" state. This behavior has changed: an OEMConfig profile that exceeds 350 KB isn't deployed to the device, and profiles in a pending state or larger than 350 KB aren't shown. Only profiles that deploy successfully are shown.

This change is a UI change only. No changes are made to the corresponding Microsoft Graph APIs.

To monitor the profile pending status in the Intune admin center, go to Devices > Configuration > Select the profile > Device status.

Applies to:

  • Android Enterprise

For more information on OEM Configuration, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Config Refresh settings are in the settings catalog for Windows Insiders

In the Windows Settings Catalog, you can configure Config Refresh. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune.

Config Refresh:

  • Enable config refresh
  • Refresh cadence (minutes)

Applies to:

  • Windows 11

For more information on the Settings Catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Managed Settings now available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

The settings within the Managed Settings command are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > iOS/iPadOS > Settings catalog for profile type.

Managed Settings > App Analytics:

  • Enabled: If true, enable sharing app analytics with app developers. If false, disable sharing app analytics.

Applies to:

  • Shared iPad

Managed Settings > Accessibility Settings:

  • Bold Text Enabled
  • Grayscale Enabled
  • Increase Contrast Enabled
  • Reduce Motion Enabled
  • Reduce Transparency Enabled
  • Text Size
  • Touch Accommodations Enabled
  • Voice Over Enabled
  • Zoom Enabled

Managed Settings > Software Update Settings:

  • Recommendation Cadence: This value defines how the system presents software updates to the user.

Managed Settings > Time Zone:

  • Time Zone: The Internet Assigned Numbers Authority (IANA) time zone database name.

Applies to:

  • iOS/iPadOS

Managed Settings > Bluetooth:

  • Enabled: If true, enable the Bluetooth setting. If false, disable the Bluetooth setting.

Managed Settings > MDM Options:

  • Activation Lock Allowed While Supervised: If true, a supervised device registers itself with Activation Lock when the user enables Find My.

Applies to:

  • iOS/iPadOS
  • macOS

For more information on these settings, see Apple's developer website. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

New setting available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There's a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Configuration > Create > macOS > Settings catalog for profile type.

Microsoft Defender > Cloud delivered protection preferences:

  • Cloud Block Level

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Intune integration with the Zebra Lifeguard Over-the-Air service is generally available

Microsoft Intune supports integration with Zebra Lifeguard Over-the-Air service, which allows you to deliver OS updates and security patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can select the firmware version you want to deploy, set a schedule, and stagger update downloads and installs. You can also set minimum battery, charging status, and network conditions requirements for when the update can happen.

This integration is now generally available for Android Enterprise Dedicated and Fully Managed Zebra devices that are running Android 8 or later. It also requires a Zebra account and Intune Plan 2 or Microsoft Intune Suite.

Previously, this feature was in public preview and free to use. Now that it is generally available, this solution requires an add-on license.

For licensing details, see Intune add-ons.

Device enrollment

SSO support during enrollment for Android Enterprise fully managed and corporate-owned devices with a work profile

Intune supports single sign-on (SSO) on Android Enterprise devices that are fully managed or corporate-owned with a work profile. With the addition of SSO during enrollment, end users enrolling their devices only need to sign in once with their work or school account.

Applies to:

  • Android Enterprise corporate owned devices with a work profile
  • Android Enterprise fully managed

For more information on these enrollment methods, see:

Device management

Introducing Remote Help on macOS

The Remote Help web app allows users to connect to macOS devices and join a view-only remote assistance session.

Applies to:

  • macOS 11 Big Sur
  • macOS 12 Monterey
  • macOS 13 Ventura

For more information on Remote Help on macOS, see Remote Help.

Management certificate expiration date

The management certificate expiration date is available as a column in the Devices workload. You can filter on a range of expiration dates for the management certificate and also export a list of devices whose expiration date matches the filter.

This information is available in Microsoft Intune admin center by selecting Devices > All devices.

Windows Defender Application Control (WDAC) references are updated to App Control for Business

Windows renamed Windows Defender Application Control (WDAC) as App Control for Business. With this change, the references in Intune docs and the Intune admin center are updated to reflect this new name.

Intune supports iOS/iPadOS 15.x as the minimum version

Apple released iOS/iPadOS version 17. Now, the minimum version supported by Intune is iOS/iPadOS 15.x.

Applies to:

  • iOS/iPadOS

For more information on this change, see Plan for change: Intune is moving to support iOS/iPadOS 15 and later.

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement for supported versus allowed iOS/iPadOS versions for user-less devices.

Government tenant support for endpoint security Application Control policy and managed installer

We've added support to use endpoint security Application Control policies, and to configure a managed installer, to the following sovereign cloud environments:

  • US Government clouds
  • 21Vianet in China

Support for Application Control policy and managed installers was originally released in preview in June 2023. Application Control policies in Intune are an implementation of Windows Defender Application Control (WDAC).

Device security

Endpoint Privilege Management support for Windows 365 devices

You can now use Endpoint Privilege Management to manage application elevations on Windows 365 devices (also known as Cloud PCs).

This support doesn't include Azure Virtual Desktop.

Elevation report by Publisher for Endpoint Privilege Management

We've released a new report named Elevation report by Publisher for Endpoint Privilege Management (EPM). With this new report you can view all managed and unmanaged elevations, which are aggregated by the publisher of the app that is elevated.

You'll find the report in the Report node for EPM in the Intune admin center. Navigate to Endpoint security > Endpoint Privilege Management and then select the Reports tab.

macOS support with Intune Endpoint security policies for Endpoint detection and response

Intune Endpoint security policies for Endpoint detection and response (EDR) now support macOS. To enable this support, we've added a new EDR template profile for macOS. Use this profile with macOS devices enrolled with Intune and macOS devices managed through the opt-in public preview of the Defender for Endpoint security settings management scenario.

The EDR template for macOS includes the following settings for the Device tags category from Defender for Endpoint:

  • Type of tag – The GROUP tag tags the device with the specified value. The tag is reflected in the admin center on the device page and can be used for filtering and grouping devices.
  • Value of tag – Only one value per tag can be set. The Type of a tag is unique and shouldn't be repeated in the same profile.

To learn more about Defender for Endpoint settings that are available for macOS, see Set preferences for Microsoft Defender for Endpoint on macOS in the Defender documentation.

Linux support with Intune Endpoint security policies for Endpoint detection and response

Intune Endpoint security policies for Endpoint detection and response (EDR) now support Linux. To enable this support, we've added a new EDR template profile for Linux. Use this profile with Linux devices enrolled with Intune and Linux devices managed through the opt-in public preview of the Defender for Endpoint security settings management scenario.

The EDR template for Linux includes the following settings for the Device tags category from Defender for Endpoint:

  • Value of tag – Only one value per tag can be set. The Type of a tag is unique and shouldn't be repeated in the same profile.
  • Type of tag – The GROUP tag tags the device with the specified value. The tag is reflected in the admin center on the device page and can be used for filtering and grouping devices.

You can learn more about Defender for Endpoint settings that are available for Linux in Set preferences for Microsoft Defender for Endpoint on Linux in the Defender documentation.

Monitor and troubleshoot

Updated reports for Update rings for Windows 10 and later

Reporting for Update rings for Windows 10 and later has been updated to use Intune's improved reporting infrastructure. These changes align to similar improvements introduced for other Intune features.

With this change for reports for Update rings for Windows 10 and later, when you select an update rings policy in the Intune admin center, there isn't a left-pane navigation for Overview, Manage, or Monitor options. Instead, the policy view opens to a single pane that includes the following policy details:

  • Essentials – including the policy name, created and modified dates, and more details.
  • Device and user check-in status – This view is the default report view and includes:
    • A high-level overview of device status for this policy, and a View report button to open a more comprehensive report view.
    • A streamlined representation and count of the different device status values returned by devices assigned to the policy. The simplified bar and chart replace former doughnut charts seen in the prior reporting representation.
  • Two other report tiles to open more reports. These tiles include:
    • Device assignment status – This report combines the same information as the previous Device status and User status reports, which are no longer available. However, with this change, pivoting and drilling in based on the user name are no longer available.
    • Per setting status – This new report provides success metrics for each setting configured differently than the defaults, giving new insight into which settings might not be deploying successfully to your organization.
  • Properties – View details for each configuration page of the policy, including an option to Edit each area's profile details.

For more information about reports for update rings for Windows 10 and later, see Reports for Update rings for Windows 10 and later policy in the Windows Update reports for Microsoft Intune article.

Role-based access

Updating the scope of UpdateEnrollment

With the introduction of the new role UpdateEnrollment, the scope of UpdateOnboarding is being updated.

The UpdateOnboarding setting for custom and built-in roles is modified to only manage or change the Android Enterprise binding to Managed Google Play and other account-wide configurations. Any built-in roles that used UpdateOnboarding will now have UpdateEnrollmentProfiles included.

The resource name is being updated from Android for work to Android Enterprise.

For more information, see Role-based access control (RBAC) with Microsoft Intune.

Week of September 11, 2023

Device configuration

Introducing Remote Launch on Remote Help

With Remote Launch, the helper can launch Remote Help seamlessly on both the helper's and the user's device from Intune by sending a notification to the user's device. This feature allows both the helpdesk and the sharer to connect to a session quickly without exchanging session codes.

Applies to:

  • Windows 10/11

For more information, see Remote Help.

Week of September 4, 2023

Device management

Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on August 30, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable.

If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends.

For more information, see Ending support for Android device administrator on GMS devices.

Week of August 28, 2023

Device configuration

Windows and Android support for 4096-bit key size for SCEP and PFX certificate profiles

Intune SCEP certificate profiles and PKCS certificate profiles for Windows and Android devices now support a Key size (bits) of 4096. This key size is available for new profiles and existing profiles you choose to edit.

  • SCEP profiles have always included the Key size (bits) setting and now support 4096 as an available configuration option.
  • PKCS profiles don't include the Key size (bits) setting directly. Instead, an admin must modify the certificate template on the Certification Authority to set the Minimum key size to 4096.

If you use a third-party Certificate Authority (CA), you might need to contact your vendor for assistance with implementing the 4096-bit key size.

When updating or deploying new certificate profiles to take advantage of this new key size, we recommend using a staggered deployment approach. This approach can help avoid creating excessive demand for new certificates across a large number of devices at the same time.

With this update, be aware of the following limitations on Windows devices:

  • 4096-bit key storage is supported only in the Software Key Storage Provider (KSP). The following don't support storing keys of this size:
    • The hardware TPM (Trusted Platform Module). As a workaround you can use the Software KSP for key storage.
    • Windows Hello for Business. There isn't a workaround at this time.
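To confirm on a Windows client that the certificates delivered by SCEP or PKCS profiles hold 4096-bit keys and that those keys landed in the Software KSP rather than the TPM, the following PowerShell audit function is an added example, not Intune's own tooling or code from the Intune docs. It assumes device certificates live in Cert:\LocalMachine\My and that the provider names reported by CNG are "Microsoft Software Key Storage Provider" (Software KSP) and "Microsoft Platform Crypto Provider" (TPM-backed KSP).

```powershell
# Added example, not part of Intune or the Intune docs.
# Reports RSA certificates in a Windows certificate store together with their key size
# and the provider holding the private key, so an admin can verify that 4096-bit keys
# delivered by SCEP/PKCS profiles are stored in the Software KSP and not on the TPM.
function Get-CertificateKeyStorageReport {
    [CmdletBinding()]
    param(
        # Assumption: device certificates from SCEP/PKCS profiles land in LocalMachine\My;
        # use Cert:\CurrentUser\My to audit user certificates instead.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Key size to call out; 4096 is the size that only the Software KSP supports.
        [int]$KeySize = 4096
    )

    # Provider names as reported by CNG for the software and TPM-backed key storage providers.
    $softwareKsp = 'Microsoft Software Key Storage Provider'
    $tpmKsp      = 'Microsoft Platform Crypto Provider'

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Only RSA certificates are affected by the Key size (bits) setting; GetRSAPublicKey
        # returns $null for non-RSA certificates.
        $rsaPublic = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -eq $rsaPublic) { continue }

        $provider = 'no private key'
        if ($cert.HasPrivateKey) {
            try {
                $rsaPrivate = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsaPrivate -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the CngKey exposes the KSP that stores it.
                    $provider = $rsaPrivate.Key.Provider.Provider
                } elseif ($rsaPrivate -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key: report the CSP name instead.
                    $provider = $rsaPrivate.CspKeyContainerInfo.ProviderName
                }
            } catch {
                # The key exists but cannot be opened in this context (for example, a machine
                # key read without administrative rights).
                $provider = "unreadable: $($_.Exception.Message)"
            }
        }

        # Summarize whether the key size and its storage match the Windows limitation.
        if ($rsaPublic.KeySize -lt $KeySize) {
            $note = "key is $($rsaPublic.KeySize)-bit, below $KeySize"
        } elseif ($provider -eq $softwareKsp) {
            $note = 'OK: Software KSP'
        } elseif ($provider -eq $tpmKsp) {
            $note = 'unexpected: TPM provider cannot hold a key of this size'
        } else {
            $note = 'review: key held by another provider'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeySize    = $rsaPublic.KeySize
            Provider   = $provider
            Note       = $note
        }
    }
}

# Usage: list every device certificate, then keep only the 4096-bit ones that are not in the Software KSP.
Get-CertificateKeyStorageReport |
    Where-Object { $_.KeySize -ge 4096 -and $_.Note -notlike 'OK*' } |
    Format-Table Subject, KeySize, Provider, Note -AutoSize
```

Run it in an elevated session when auditing the LocalMachine store, since machine private keys are otherwise reported as unreadable.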

Tenant administration

Access policies for multiple Administrator Approval are now generally available

Access policies for multiple Administrator Approval are out of public preview and are now generally available. With these policies, you can protect a resource, like App deployments, by requiring any change to the deployment to be approved by one of a group of users who are approvers for the resource, before that change is applied.

For more information, see Use Access policies to require multiple administrative approval.

Week of August 21, 2023 (Service release 2308)

App management

Managed Home Screen end-users prompted to grant exact alarm permission

Managed Home Screen uses the exact alarm permission to do the following actions:

  • Automatically sign out users after a set time of inactivity on the device
  • Launch a screen saver after a set period of inactivity
  • Automatically relaunch MHS after a certain period of time when a user exits kiosk mode

For devices running Android 14 and higher, by default, the exact alarm permission will be denied. To make sure critical user functionality isn't impacted, end-users are prompted to grant exact alarm permission upon first launch of Managed Home Screen. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android's developer documentation.

Managed Home Screen notifications

For Android devices running Android 13 or higher that target API level 33, by default, applications don't have permission to send notifications. In previous versions of Managed Home Screen, when an admin had enabled automatic relaunch of Managed Home Screen, a notification was displayed to alert users of the relaunch. To accommodate this change to the notification permission, when an admin has enabled auto-relaunch of Managed Home Screen, the application now displays a toast message alerting users of the relaunch. Managed Home Screen is able to auto-grant permission for this notification, so no change is required for admins configuring Managed Home Screen to accommodate the change in notification permission with API level 33. For more information about Android 13 (API level 33) notification messages, see the Android developer documentation. For more information about Managed Home Screen, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

New macOS web clip app type

In Intune, end users can pin web apps to the dock on your macOS devices (Apps > macOS > Add > macOS web clip).

Applies to:

  • macOS

For related information about the settings you can configure, see Add web apps to Microsoft Intune.

Win32 app configurable installation time

In Intune, you can set a configurable installation time to deploy Win32 apps. This time is expressed in minutes. If the app takes longer to install than the set installation time, the system fails the app install. The maximum timeout value is 1440 minutes (1 day). For more information about Win32 apps, see Win32 app management in Microsoft Intune.

Samsung Knox conditional launch check

You can add more detection of device health compromises on Samsung Knox devices. Using a conditional launch check within a new Intune App Protection Policy, you can require that hardware-level device tamper detection and device attestation be performed on compatible Samsung devices. For more information, see the Samsung Knox device attestation setting in the Conditional launch section of Android app protection policy settings in Microsoft Intune.

Device configuration

Remote Help for Android in public preview

Remote Help is available in public preview for Android Enterprise Dedicated devices from Zebra and Samsung. With Remote Help, IT Pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues quickly and efficiently.

Applies to:

  • Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, see Remote Help on Android.

Group Policy analytics is generally available

Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze your on-premises group policy objects (GPOs) for their migration to Intune policy settings.

Applies to:

  • Windows 11
  • Windows 10

For more information about Group Policy analytics, see Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune.

New SSO, login, restrictions, passcode, and tamper protection settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS > Settings catalog for profile type.

iOS/iPadOS 17.0 and later

Restrictions:

  • Allow iPhone Widgets On Mac

macOS

Microsoft Defender > Tamper protection:

  • Process's arguments
  • Process path
  • Process's Signing Identifier
  • Process's Team Identifier
  • Process exclusions

macOS 13.0 and later

Authentication > Extensible Single Sign On (SSO):

  • Account Display Name
  • Additional Groups
  • Administrator Groups
  • Authentication Method
  • Authorization Right
  • Group
  • Authorization Group
  • Enable Authorization
  • Enable Create User At Login
  • Login Frequency
  • New User Authorization Mode
  • Account Name
  • Full Name
  • Token To User Mapping
  • User Authorization Mode
  • Use Shared Device Keys

macOS 14.0 and later

Login > Login Window Behavior:

  • Autologin Password
  • Autologin Username

Restrictions:

  • Allow ARD Remote Management Modification
  • Allow Bluetooth Sharing Modification
  • Allow Cloud Freeform
  • Allow File Sharing Modification
  • Allow Internet Sharing Modification
  • Allow Local User Creation
  • Allow Printer Sharing Modification
  • Allow Remote Apple Events Modification
  • Allow Startup Disk Modification
  • Allow Time Machine Backup

Security > Passcode:

  • Password Content Description
  • Password Content Regex

Device enrollment

Just-in-time registration and compliance remediation for iOS/iPadOS Setup Assistant with modern authentication now generally available

Just in time (JIT) registration and compliance remediation for Setup Assistant with modern authentication are now out of preview and generally available. With just in time registration, the device user doesn't need to use the Company Portal app for Microsoft Entra registration and compliance checking. JIT registration and compliance remediation are embedded into the user's provisioning experience, so they can view their compliance status and take action within the work app they're trying to access. This also establishes single sign-on across the device. For more information about how to set up JIT registration, see Set up Just in Time Registration.

Awaiting final configuration for iOS/iPadOS automated device enrollment now generally available

Now generally available, awaiting final configuration enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies install on devices. The locked experience works on devices targeted with new and existing enrollment profiles. Supported devices include:

  • iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication
  • iOS/iPadOS 13+ devices enrolling without user affinity
  • iOS/iPadOS 13+ devices enrolling with Microsoft Entra ID shared mode

This setting is applied once during the out-of-box automated device enrollment experience in Setup Assistant. The device user doesn't experience it again unless they re-enroll their device. Awaiting final configuration is enabled by default for new enrollment profiles. For information about how to enable awaiting final configuration, see Create an Apple enrollment profile.

Device management

Changes to Android notification permission prompt behavior

We've updated how our Android apps handle notification permissions to align with recent changes made by Google to the Android platform. As a result of Google's changes, notification permissions are granted to apps as follows:

  • On devices running Android 12 and earlier: Apps are permitted to send notifications to users by default.
  • On devices running Android 13 and later: Notification permissions vary depending on the API the app targets.
    • Apps targeting API 32 and lower: Google has added a notification permission prompt that appears when the user opens the app. Management apps can still configure apps so that they're automatically granted notification permissions.
    • Apps targeting API 33 and higher: App developers define when the notification permission prompts appear. Management apps can still configure apps so that they're automatically granted notification permissions.

You and your device users can expect to see the following changes now that our apps target API 33:

  • Company Portal used for work profile management: Users see a notification permission prompt in the personal instance of the Company Portal when they first open it. Users don't see a notification permission prompt in the work profile instance of Company Portal because notification permissions are automatically permitted for Company Portal in the work profile. Users can silence app notifications in the Settings app.
  • Company Portal used for device administrator management: Users see a notification permission prompt when they first open the Company Portal app. Users can adjust app notification settings in the Settings app.
  • Microsoft Intune app: No changes to existing behavior. Users don't see a prompt because notifications are automatically permitted for the Microsoft Intune app. Users can adjust some app notification settings in the Settings app.
  • Microsoft Intune app for AOSP: No changes to existing behavior. Users don't see a prompt because notifications are automatically permitted for the Microsoft Intune app. Users can't adjust app notification settings in the Settings app.

Device security

Defender Update controls to deploy updates for Defender is now generally available

The profile Defender Update controls for Intune Endpoint security Antivirus policy, which manages update settings for Microsoft Defender, is now generally available. This profile is available for the Windows 10, Windows 11, and Windows Server platform. While in public preview, this profile was available for the Windows 10 and later platform.

The profile includes settings for the rollout release channel by which devices and users receive Defender Updates that are related to daily security intelligence updates, monthly platform updates, and monthly engine updates.

This profile includes the following settings, which are all directly taken from Defender CSP - Windows Client Management.

  • Engine Updates Channel
  • Platform Updates Channel
  • Security Intelligence Updates Channel

These settings are also available from the settings catalog for the Windows 10 and later profile.

Elevation report by applications for Endpoint Privilege Management

We've released a new report named Elevation report by applications for Endpoint Privilege Management (EPM). With this new report you can view all managed and unmanaged elevations, which are aggregated by the application that elevated. This report can aid you in identifying applications that might require elevation rules to function properly, including rules for child processes.

You'll find the report in the Report node for EPM in the Intune admin center. Navigate to Endpoint security > Endpoint Privilege Management and then select the Reports tab.

New settings available for macOS Antivirus policy

The Microsoft Defender Antivirus profile for macOS devices has been updated with nine more settings, and three new settings categories:

Antivirus engine – The following settings are new in this category:

  • Degree of parallelism for on-demand scans – Specifies the degree of parallelism for on-demand scans. This setting corresponds to the number of threads used to perform the scan and impacts the CPU usage, and the duration of the on-demand scan.
  • Enable file hash computation – Enables or disables the file hash computation feature. When this feature is enabled, Windows Defender computes hashes for the files it scans. This setting helps improve the accuracy of Custom Indicator matches. However, enabling Enable file hash computation can impact device performance.
  • Run a scan after definitions are updated – Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting triggers an antivirus scan of the running processes on the device.
  • Scanning inside archive files – If true, Defender unpacks archives and scans the files inside them. Otherwise, archive content is skipped, which improves scanning performance.

Network protection – A new category that includes the following setting:

  • Enforcement level – Configure this setting to specify if network protection is disabled, in audit mode, or enforced.

Tamper protection - A new category that includes the following setting:

  • Enforcement level - Specify whether tamper protection is disabled, in audit mode, or enforced.

User interface preferences – A new category that includes the following settings:

  • Control sign-in to consumer version - Specify whether users can sign into the consumer version of Microsoft Defender.
  • Show / hide status menu icon – Specify whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.
  • User initiated feedback – Specify whether users can submit feedback to Microsoft by going to Help > Send Feedback.

New profiles that you create include the original settings and the new settings. Your existing profiles automatically update to include the new settings, with each new setting set to Not configured until you choose to edit that profile to change it.

For more information about how to set preferences for Microsoft Defender for Endpoint on macOS in enterprise organizations, see Set preferences for Microsoft Defender for Endpoint on macOS.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • VerityRMS by Mackey LLC (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

CloudDesktop log now collected with Windows diagnostics data

The Intune remote action to collect diagnostics from a Windows device now includes data from an additional log file.

Log file:

  • %temp%\CloudDesktop*.log

Anomaly detection device cohorts in Intune Endpoint analytics is generally available

Anomaly detection device cohorts in Intune Endpoint analytics is now generally available.

Device cohorts are identified among devices associated with a high or medium severity anomaly. Devices are correlated into groups based on one or more factors they have in common, such as an app version, driver update, OS version, or device model. A correlation group contains a detailed view with key information about the common factors between all affected devices in that group. You can also view a breakdown of devices currently affected by the anomaly and "at risk" devices. "At risk" devices haven't yet shown symptoms of the anomaly.

For more information, see Anomaly detection in Endpoint analytics.

Improved user experience for device timeline in Endpoint Analytics

The user interface (UI) for device timeline in Endpoint analytics is improved and includes more advanced capabilities (support for sorting, searching, filtering, and exports). When viewing a specific device timeline in Endpoint analytics, you can search by event name or details. You can also filter the events and choose the source and level of events that appear on the device timeline and select a time range of interest.

For more information, see Enhanced device timeline.

Updates for compliance policies and reports

We've made several improvements to the Intune compliance policies and reports. With these changes, the reports more closely align to the experience in use for device configuration profiles and reports. We've updated our compliance report documentation to reflect the available compliance report improvements.

Compliance report improvements include:

  • Compliance details for Linux devices.
  • Redesigned reports that are up-to-date and simplified, with newer report versions beginning to replace older report versions, which will remain available for some time.
  • When viewing a policy for compliance, there isn't a left-pane navigation. Instead, the policy view opens to a single pane that defaults to the Monitor tab and its Device status view.
    • This view provides a high-level overview of device status for this policy, supports drilling in to review the full report, and a per-setting status view of the same policy.
    • The doughnut chart is replaced by a streamlined representation and count of the different device status values returned by devices assigned the policy.
    • You can select the Properties tab to view the policy details, and review and edit its configuration and assignments.
    • The Essentials section is removed with those details appearing in the policy's Properties tab.
  • The updated status reports support sorting by columns, the use of filters, and search. Combined, these enhancements enable you to pivot the report to display specific subsets of details you want to view at that time. With these enhancements, we have removed the User status report as it has become redundant. Now, while viewing the default Device status report you can focus the report to display the same information that was available from User status by sorting on the User Principal Name column, or searching for a specific username in the search box.
  • When viewing status reports, the count of devices that Intune displays now remains consistent between different report views as you drill in for deeper insights or details.

For more information about these changes, see the Intune Support Team blog at https://aka.ms/Intune/device_compl_report.

Week of August 14, 2023

App management

Use the Turn off the Store application setting to disable end user access to Store apps, and allow managed Intune Store apps

In Intune, you can use the new Store app type to deploy Store apps to your devices.

Now, you can use the Turn off the Store application policy to disable end users' direct access to Store apps. When it's disabled, end users can still access and install Store apps from the Windows Company Portal app and through Intune app management. If you want to allow random store app installs outside of Intune, then don't configure this policy.

The previous Only display the private store within the Microsoft Store app policy doesn't prevent end users from directly accessing the store using the Windows Package Manager winget APIs. So, if your goal is to block random unmanaged Store application installs on client devices, then it's recommended to use the Turn off the Store application policy. Don't use the Only display the private store within the Microsoft Store app policy.

Applies to:

  • Windows 10 and later

For more information, see Add Microsoft Store Apps to Microsoft Intune.
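As an added example (not code from the Intune documentation), the following PowerShell reports which of the two Store policies is actually applied on a device, so you can confirm that Turn off the Store application is in effect rather than only the private-store policy, which the note above says winget-based installs bypass. The registry locations are assumed from the ADMX-backed policy definitions (RemoveWindowsStore and RequirePrivateStoreOnly under the WindowsStore policy key); verify them in your environment.

```powershell
# Added example (not Intune documentation code): report which Microsoft Store
# policies are applied on a Windows device, so you can confirm that
# "Turn off the Store application" is in effect rather than only the
# private-store policy. Registry locations are assumed from the ADMX-backed
# policy definitions; verify them in your environment.

function Get-StorePolicyState {
    [CmdletBinding()]
    param()

    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore',   # device-scoped policy
        'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore'    # user-scoped policy
    )

    # Returns $true when the named DWORD policy value is 1 in either scope.
    function Test-PolicyEnabled([string]$Name) {
        foreach ($key in $policyKeys) {
            if (-not (Test-Path $key)) { continue }
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and [int]$item.$Name -eq 1) { return $true }
        }
        return $false
    }

    $turnOffStore = Test-PolicyEnabled 'RemoveWindowsStore'       # "Turn off the Store application"
    $privateOnly  = Test-PolicyEnabled 'RequirePrivateStoreOnly'  # "Only display the private store ..."

    # Per the release note, only the "Turn off the Store application" policy
    # blocks unmanaged installs that go through the winget APIs.
    if ($turnOffStore) {
        $advice = 'Direct Store access is disabled; Company Portal and Intune app installs still work.'
    } elseif ($privateOnly) {
        $advice = 'Private store only is set, but it does not block winget-based installs; configure "Turn off the Store application" instead.'
    } else {
        $advice = 'No Store restriction policy is applied.'
    }

    [pscustomobject]@{
        TurnOffStoreApplication  = $turnOffStore
        PrivateStoreOnly         = $privateOnly
        UnmanagedInstallsBlocked = $turnOffStore
        Advice                   = $advice
    }
}

Get-StorePolicyState | Format-List
```

Run it on a device that has received the policy; a result with PrivateStoreOnly set but TurnOffStoreApplication false is the configuration the note warns about.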

Week of August 7, 2023

Role-based access control

Introducing a new role-based access control (RBAC) permission under the resource Android for work

Introducing a new RBAC Permission for creating a custom role in Intune, under the resource Android for work. The permission Update Enrollment Profile allows the admin to manage or change both AOSP and Android Enterprise Device Owner enrollment profiles that are used to enroll devices.

For more information, see Create custom role.

Week of July 31, 2023

Device security

New BitLocker profile for Intune's endpoint security Disk encryption policy

We've released a new experience for creating BitLocker profiles for the endpoint security Disk encryption policy. The experience for editing previously created BitLocker policies remains the same, and you can continue to use them. This update applies only to new BitLocker policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security policies, which began in April 2022.

App management

Uninstall Win32 and Microsoft store apps using the Windows Company Portal

End-users can uninstall Win32 apps and Microsoft store apps using the Windows Company Portal if the apps were assigned as available and were installed on-demand by the end-users. For Win32 apps, you have the option to enable or disable this feature (off by default). For Microsoft store apps, this feature is always on and available for your end-users. If an app can be uninstalled by the end-user, the end-user will be able to select Uninstall for the app in the Windows Company Portal. For related information, see Add apps to Microsoft Intune.

Week of July 24, 2023 (Service release 2307)

App management

Intune supports new Google Play Android Management API

Changes have been made to how Managed Google Play public apps are managed in Intune. These changes are to support Google's Android Management APIs (opens Google's web site).

Applies to:

  • Android Enterprise

To learn more about changes to the admin and user experience, see Support Tip: Intune moving to support new Google Play Android Management API.

App report for Android Enterprise corporate-owned devices

You can now view a report containing all apps found on a device for Android Enterprise corporate-owned scenarios, including system apps. This report is available in Microsoft Intune admin center by selecting Apps > Monitor > Discovered apps. You'll see Application Name and Version for all apps detected as installed on the device. It can take up to 24 hours for app information to populate the report.

For related information, see Intune discovered apps.

Add unmanaged PKG-type applications to managed macOS devices [Public Preview]

You can now upload and deploy unmanaged PKG-type applications to managed macOS devices using the Intune MDM agent for macOS devices. This feature enables you to deploy custom PKG installers, such as unsigned apps and component packages. You can add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS app (PKG) for app type.

Applies to:

  • macOS

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To deploy managed PKG-type apps, you can continue to add macOS line-of-business (LOB) apps to Microsoft Intune. For more information about the Intune MDM agent for macOS devices, see Microsoft Intune management agent for macOS.

New settings available for the iOS/iPadOS web clip app type

In Intune, you can pin web apps to your iOS/iPadOS devices (Apps > iOS/iPadOS > Add > iOS/iPadOS web clip). When you add web clips, there are new settings available:

  • Full screen: If configured to Yes, launches the web clip as a full-screen web app without a browser. There's no URL bar, no search bar, and no bookmarks.
  • Ignore manifest scope: If configured to Yes, a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip's URL. This setting has no effect when Full screen is set to No. Available in iOS 14 and later.
  • Precomposed: If configured to Yes, prevents Apple's application launcher (SpringBoard) from adding "shine" to the icon.
  • Target application bundle identifier: Enter the application bundle identifier that specifies the application that opens the URL. Available in iOS 14 and later.

Applies to:

  • iOS/iPadOS

For more information, see Add web apps to Microsoft Intune.

Change to default settings when adding Windows PowerShell scripts

In Intune, you can use policies to deploy Windows PowerShell scripts to your Windows devices (Devices > Scripts > Add > Windows 10 and later). When you add a Windows PowerShell script, there are settings you configure. To increase secure-by-default behavior of Intune, the default behavior of the following settings has changed:

  • The Run this script using the logged on credentials setting defaults to Yes. Previously, the default was No.
  • The Enforce script signature check setting defaults to Yes. Previously, the default was No.

This behavior applies to new scripts you add, not existing scripts.

Applies to:

  • Windows 10 and later (excluding Windows 10 Home)

For more information about using Windows PowerShell scripts in Intune, see Use PowerShell scripts on Windows 10/11 devices in Intune.
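Because new scripts now default to Enforce script signature check: Yes, a script that isn't signed with a trusted certificate will no longer run on the device. The following is an added example (not code from the Intune documentation) that checks a script's Authenticode signature before you upload it and, if it's unsigned, signs it with a code-signing certificate from the current user's store. The script path and the timestamp server URL are placeholders.

```powershell
# Added example (not Intune documentation code): verify that a script carries a
# valid Authenticode signature before uploading it to Intune, because new
# scripts now default to "Enforce script signature check: Yes". If the script
# is unsigned, sign it with a code-signing certificate from the user's store.
# The script path and the timestamp server are placeholders.

function Test-IntuneScriptSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Script         = $Path
        Status         = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer         = $sig.SignerCertificate.Subject
        ReadyForIntune = ($sig.Status -eq 'Valid')
    }
}

function Protect-IntuneScript {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Timestamping keeps the signature valid after the certificate expires.
        [string]$TimestampServer = 'http://timestamp.example.invalid'   # placeholder
    )

    # Pick the first unexpired code-signing certificate in the user's store.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
    if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My.' }

    # Authenticode hashes the file contents, so any later edit invalidates the signature.
    $result = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    return $result.Status
}

# Usage: check first, sign only what is unsigned, then re-check.
$script = 'C:\IntuneScripts\Set-Baseline.ps1'   # placeholder path
$before = Test-IntuneScriptSignature -Path $script
if (-not $before.ReadyForIntune) {
    Protect-IntuneScript -Path $script | Out-Null
}
Test-IntuneScriptSignature -Path $script
```

The signing certificate must chain to a root the target devices trust, otherwise the status on the device is still not Valid. Remember the other new default as well: with Run this script using the logged on credentials set to Yes, the script runs in the user's context rather than as SYSTEM, so a script that needs machine-level rights must set that option back to No.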

Device configuration

Added Support for Scope tags

You can now add scope tags when creating deployments using Zebra LifeGuard Over-the-Air integration (in public preview).

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Configuration > Create > macOS for platform > Settings catalog for profile type.

Microsoft AutoUpdate (MAU):

  • Current Channel (Monthly)

Microsoft Defender > User interface preferences:

  • Control sign-in to consumer version

Microsoft Office > Microsoft Outlook:

  • Disable Do not send response

User Experience > Dock:

  • MCX Dock Special Folders

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Compliance Retrieval service support for MAC address endpoints

We've now added MAC address support to the Compliance Retrieval service.

The initial release of the CR service included support for using only the Intune device ID with the intent to eliminate the need to manage internal identifiers like serial numbers and MAC addresses. With this update, organizations that prefer to use MAC addresses over certificate authentication can continue to do so while implementing the CR service.

While this update adds MAC address support to the CR service, our recommendation is to use certificate-based authentication with the Intune device ID included in the certificate.

For information about the CR service as a replacement for the Intune Network Access Control (NAC) service, see the Intune blog at https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696.

Settings insight within Intune security baselines is generally available

Announcing the general availability of Settings insight in Microsoft Intune.

The Settings insight feature adds insight to settings giving you confidence in configurations that have been successfully adopted by similar organizations. Settings insight is currently available for security baselines.

Navigate to Endpoint security > Security baselines. While creating and editing a workflow, these insights are available for all settings with light bulbs.

Device security

Tamper protection support for Windows on Azure Virtual Desktop

Intune now supports use of endpoint security Antivirus policy to manage Tamper protection for Windows on Azure Virtual Desktop multi-session devices. Support for Tamper protection requires devices to onboard to Microsoft Defender for Endpoint before the policy that enables Tamper protection is applied.

EpmTools PowerShell module for Endpoint Privilege Management

The EpmTools PowerShell module is now available for use with Intune Endpoint Privilege Management (EPM). EpmTools includes cmdlets like Get-FileAttributes, which you can use to retrieve file details to help build accurate elevation rules, and other cmdlets you can use to troubleshoot or diagnose EPM policy deployments.

For more information, see EpmTools PowerShell module.

Endpoint Privilege Management support to manage elevation rules for child processes

With Intune Endpoint Privilege Management (EPM) you can manage which files and processes are allowed to Run as Administrator on your Windows devices. Now, EPM elevation rules support a new setting, Child process behavior.

With Child process behavior, your rules can manage the elevation context for any child processes created by the managed process. Options include:

  • Allow all child processes created by the managed process to always run as elevated.
  • Allow a child process to run as elevated only when it matches the rule that manages its parent process.
  • Deny all child processes from running in an elevated context, in which case they run as standard users.

Endpoint Privilege Management is available as an Intune add-on. For more information, see Use Intune Suite add-on capabilities.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Dooray! for Intune

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Setting compliance and Policy compliance are in public preview

We've released two new reports as a public preview for Intune device compliance. You can find these new preview reports in the Intune admin center at Reports > Device compliance > Reports tab:

  • Setting compliance
  • Policy compliance

Both reports are new instances of existing reports, and deliver improvements over the older versions, including:

  • Details for Linux settings and devices
  • Support for sorting, searching, filtering, exports, and paging views
  • Drill-down reports for deeper details, which are filtered based on the column you select.
  • Devices are represented a single time. This behavior is in contrast to the original reports, which could count a device more than once if multiple users used that device.

Eventually, the older report versions that are still available in the admin center at Devices > Monitor will be retired.

What's new archive

For previous months, see the What's new archive.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID by April 2024

Last year we announced a new Microsoft Intune GitHub repository based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, starting on April 1, 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.

How does this affect you or your users?

If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

How can you prepare?

Before April 1, 2024, update your PowerShell scripts by:

  1. Create a new app registration in the Microsoft Entra admin center. For detailed instructions, read Quickstart: Register an application with the Microsoft identity platform.
  2. Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.
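As an added example (not from the Intune PowerShell samples repository), the following locates scripts that still reference the retired global Intune application ID quoted above and shows the replacement sign-in with the Microsoft Graph PowerShell SDK using your own app registration. The client ID, tenant ID, script folder and scope are placeholders; the scopes your scripts need must be granted and consented on the new registration.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not from the Intune samples repository): find scripts that still
# authenticate with the retired global Intune PowerShell app ID, and show the
# replacement sign-in using your own Microsoft Entra app registration.
# The client ID, tenant ID and folder below are placeholders.

$LegacyIntuneAppId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'   # ID quoted in the notice

function Find-LegacyIntuneAppId {
    param([Parameter(Mandatory)][string]$ScriptRoot)

    # Literal (non-regex) match across .ps1 and .psm1 files under the folder.
    Get-ChildItem -Path $ScriptRoot -Recurse -Include *.ps1, *.psm1 -File |
        Select-String -Pattern $LegacyIntuneAppId -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

function Connect-IntuneGraph {
    param(
        [Parameter(Mandatory)][string]$ClientId,   # app registration created in step 1
        [Parameter(Mandatory)][string]$TenantId
    )
    # Before: Connect-MgGraph -ClientId $LegacyIntuneAppId -Scopes ...
    # After: the same call, with the ID of the app registration you own.
    # The requested scopes must be granted (and consented) on that registration.
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
        -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome
}

# Usage: report every remaining reference, then sign in with the new registration.
Find-LegacyIntuneAppId -ScriptRoot 'C:\IntuneScripts' | Format-Table -AutoSize
Connect-IntuneGraph -ClientId '00000000-0000-0000-0000-000000000000' `
                    -TenantId 'contoso.onmicrosoft.com'
```

Run the scan first and keep the list; every hit is a script that stops working after the April 1, 2024 cutoff unless its client ID is replaced.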

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:

  • Android Enterprise personally-owned work profile
  • Android Enterprise corporate-owned work profile
  • Android Enterprise fully managed
  • Android Open Source Project (AOSP) user-based
  • Android device administrator
  • App protection policies (APP)
  • App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

  • Intune technical support won't be provided.
  • Intune won't make changes to address bugs or issues.
  • New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

  • Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
  • Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
  • Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. Expected with Intune’s April (2404) service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just-in-time (JIT) registration. For more information, review Set up just in time registration in Microsoft Intune.

How does this affect you or your users?

This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method; existing profiles aren't affected. For new tenants, if no enrollment profile is created, the user enrolls using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Wrapped iOS apps and iOS apps using the Intune App SDK will require Azure AD app registration

We're making updates to improve the security of the Intune mobile application management (MAM) service. This update will require iOS wrapped apps and SDK integrated apps to be registered with Microsoft Entra ID (formerly Azure Active Directory (Azure AD)) by March 31, 2024 to continue receiving MAM policy.

How does this affect you or your users?

If you have wrapped apps or SDK integrated apps that aren't registered with Azure AD, these apps will be unable to connect to the MAM service to receive policy and your users won't be able to access apps that aren't registered.

How can you prepare?

Prior to this change, you will need to register the apps with Azure AD. See below for detailed instructions.

  1. Register your apps with Azure AD by following these instructions: Register an application with the Microsoft identity platform.
  2. Add the custom redirect URL to your app settings as documented here.
  3. Give your app access to the Intune MAM service, for instructions see here.
  4. Once the above changes are completed, configure your apps for Microsoft Authentication Library (MSAL):
    1. For wrapped apps: Add the Azure AD application client ID to the command-line parameters of the Intune App Wrapping Tool, as outlined in the documentation Wrap iOS apps with the Intune App Wrapping Tool. The -ac and -ar parameters are required. Each app needs a unique set of these parameters. -aa is only required for single-tenant applications.
    2. For SDK-integrated apps, see the Microsoft Intune App SDK for iOS developer guide. ADALClientId and ADALRedirectUri/ADALRedirectScheme are now required parameters. ADALAuthority is only required for single-tenant applications.
  5. Deploy the app.
  6. To validate the above steps:
    1. Target the "com.microsoft.intune.mam.IntuneMAMOnly.RequireAADRegistration" application configuration policy to the app and set it to Enabled. See Configuration policies for Intune App SDK managed apps.
    2. Target App Protection Policy to the application. Enable the 'Work or school account credentials for access' policy and set 'Recheck the access requirements after (minutes of inactivity)' setting to a low number like 1.
  7. Then launch the application on a device and verify if the sign-in (which should be required every minute on app launch) happens successfully with the configured parameters.
  8. Note that if you only do step #6 and #7 before doing the other steps, you might be blocked on application launch. You will also notice the same behavior if some of the parameters are incorrect.
  9. Once you’ve completed the validation steps, you can undo the changes made in step #6.

Note

Intune will soon require an Azure AD device registration for iOS devices using MAM. If you have Conditional Access policies enabled, your devices should already be registered, and you won't notice any change. For more information, see Microsoft Entra registered devices.

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.

Customers in some environments can't be transitioned initially. For more details and updates, read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Update to the latest Intune App SDK and Intune App Wrapper for iOS to support iOS/iPadOS 17

To support the upcoming release of iOS/iPadOS 17, update to the latest versions of the Intune App SDK and the App Wrapping Tool for iOS to ensure applications stay secure and run smoothly. Additionally, for organizations using the Conditional Access grant “Require app protection policy”, users should update their apps to the latest version prior to upgrading to iOS 17. You can learn more by reading the blog: Update Intune App SDK, Wrapper, and iOS apps using MAM policies to support iOS/iPadOS 17.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in August 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning August 30, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

  1. Users won't be able to enroll devices with Android device administrator.
  2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
  3. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Plan for Change: Intune is moving to support iOS/iPadOS 15 and later

Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 15).

Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed OS version will change to iOS 12/iPadOS 12 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 12 and higher later this year

Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will be moving to support macOS 12 and later. Since the Company Portal app for iOS and macOS is a unified app, this change will occur shortly after the release of iOS/iPadOS 17.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Monterey is compatible with these computers.

Note

Devices that are currently enrolled on macOS 11.x or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 11.x or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 11.x or earlier. Ask your users to upgrade their devices to a supported OS version.
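The Android 10, iOS/iPadOS 15 and macOS 12 notices above each tell you to check Intune reporting for devices below the new minimum. As an added example (not code from the Intune documentation), the following uses the Microsoft Graph PowerShell SDK to produce that list for all three platforms at once from the managed device inventory. It assumes the operatingSystem values Intune returns are "Android", "iOS" and "macOS", and that the Microsoft.Graph.DeviceManagement module is installed; adjust the thresholds as the support statements change.

```powershell
#Requires -Modules Microsoft.Graph.DeviceManagement
# Added example (not Intune documentation code): list enrolled devices that are
# below the minimum OS version per platform named in the notices, using the
# Microsoft Graph PowerShell SDK. Platform strings are assumed to match what
# Intune reports in operatingSystem; adjust thresholds as the notices update.

$MinimumOsVersion = @{
    'Android' = [version]'10.0'
    'iOS'     = [version]'15.0'
    'macOS'   = [version]'12.0'
}

# Intune reports osVersion as strings like "10", "12.5.1" or "14.1 (21A)";
# [version] needs at least major.minor, so pad single-number strings and
# drop any build suffix.
function ConvertTo-ComparableVersion([string]$Text) {
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $v = ($Text -split '[^\d.]')[0].Trim('.')
    if ($v -notmatch '\.') { $v = "$v.0" }
    try { return [version]$v } catch { return $null }
}

function Get-UnsupportedOsDevices {
    param([hashtable]$Minimums = $MinimumOsVersion)

    # Pull every managed device once and filter client-side, which avoids
    # depending on server-side $filter support for these properties.
    Get-MgDeviceManagementManagedDevice -All |
        ForEach-Object {
            $min = $Minimums[$_.OperatingSystem]
            if ($null -eq $min) { return }                 # platform not in scope
            $ver = ConvertTo-ComparableVersion $_.OsVersion
            if ($null -ne $ver -and $ver -lt $min) {
                [pscustomobject]@{
                    DeviceName = $_.DeviceName
                    User       = $_.UserPrincipalName
                    Platform   = $_.OperatingSystem
                    OsVersion  = $_.OsVersion
                    Minimum    = $min.ToString()
                }
            }
        }
}

# Usage: read-only scope is enough for an inventory report.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome
Get-UnsupportedOsDevices | Sort-Object Platform, OsVersion | Format-Table -AutoSize
```

This covers MDM-enrolled devices only. For app protection policy (MAM) users without enrollment, use Apps > Monitor > App protection status and filter on Platform and Platform version, as the iOS notice describes.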

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune.

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:

  1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
  2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you won't be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps, and related API properties will display stale data.
  3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.

The retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for the WIP without enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported since it's only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11, to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you're managing Windows 8.1 devices, those devices should be upgraded to a supported version of Windows 10 or Windows 11. There's no impact to existing devices and policies; however, you won't be able to enroll new devices if they're running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are running Windows 8.1, navigate to Microsoft Intune admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change only affects you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Intune admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.