What's new in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Learn what’s new each week in Microsoft Intune. You can also find out about upcoming changes, important notices about the service, and information about past releases.


Many of these features will eventually be supported for hybrid deployments with Configuration Manager. For more information about new hybrid features, check out our hybrid What’s New page.

Week of October 16, 2017

Device enrollment

Windows AutoPilot Deployment Program support in Microsoft Intune

You can now use Microsoft Intune with Windows AutoPilot Deployment Program to empower your users to provision their corporate devices without involving IT. You can customize the out-of-box experience (OOBE) and guide users to join their device to Azure AD and enroll in Intune. Working together, Microsoft Intune and Windows AutoPilot eliminate the need to deploy, maintain, and manage operating system images. For details, see Enroll Windows devices using Windows AutoPilot Deployment Program.

Quick start for device enrollment

Quick start is now available in Device enrollment and provides a table of references for managing platforms and configuring the enrollment process. A brief description of each item and links to documentation with step-by-step instructions provides useful documentation to simplify getting started.

Device categorization

The enrolled devices platform chart of the Devices > Overview blade organizes devices by platform, including Android, iOS, macOS, Windows, and Windows Mobile. Devices running other operating systems are grouped into "Other." This includes devices manufactured by Blackberry, NOKIA, and others.

To learn which devices are affected in your tenant, choose Manage > All devices and then use Filter to limit the OS field.

Device management

Zimperium - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Zimperium, a Mobile Threat Defense solution that integrates with Microsoft Intune.

How integration with Intune works

Risk is assessed based on telemetry collected from devices running Zimperium. You can configure EMS conditional access policies based on Zimperium risk assessment enabled through Intune device compliance policies, which you can use to allow or block non-compliant devices to access corporate resources based on detected threats.

New settings for Windows 10 device restriction profile

We are adding new settings to the Windows 10 device restriction profile in the Windows Defender SmartScreen category.

For details about the Windows 10 device restriction profile, see Windows 10 and later device restriction settings.

Remote support for Windows and Windows Mobile devices

Intune can now use the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Windows, and Windows Mobile devices.

Scan devices with Windows Defender

You can now run a Quick scan, Full scan, and Update signatures with Windows Defender Antivirus on managed Windows 10 devices. From the device's overview blade, choose the action to run on the device. You are prompted to confirm the action before the command is sent to the device.

Quick scan: A quick scan scans locations where malware registers to start, such as registry keys and known Windows startup folders. A quick scan takes an average of five minutes. Combined with the Always-on real-time protection setting that scans files when they are opened, closed, and whenever a user navigates to a folder, a quick scan helps provide protection from malware that might be in the system or the kernel. Users see the scan results on their devices when it finishes.

Full scan: A full scan can be useful on devices that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and is useful for running on-demand scans. Full scan can take an hour to run. Users see the scan results on their devices when it finishes.

Update signatures: The update signature command updates Windows Defender Antivirus malware definitions and signatures. This helps ensure Windows Defender Antivirus is effective in detecting malware. This feature is for Windows 10 devices only, pending device internet connectivity.

The Enable/Disable button is removed from the Intune Certificate Authority page of the Intune Azure portal

We are eliminating an extra step in setting up the certificate connector on Intune. Currently, you download the certificate connector and then enable it in the Intune console. However, if you disable the connector in the Intune console, the connector continues to issue certificates.

How does this affect me?

Starting in October, the Enable/Disable button will no longer appear on the Certificate Authority page in the Azure portal. Connector functionality remains the same. Certificates are still deployed to devices enrolled in Intune. You can continue to download and install the certificate connector. To stop certificates from being issued, you now uninstall the certificate connector rather than disable it.

What do I need to do to prepare for this change?

If you currently have the certificate connector disabled, you should uninstall it.

Device configuration

New settings for Windows 10 Team device restriction profile

In this release, we’ve added many new settings to the Windows 10 Team device restriction profile to help you control Surface Hub devices.

For more information about this profile, see Windows 10 Team device restriction settings.

Prevent users of Android devices from changing their device date and time

You can use an Android custom device policy to prevent Android device users from changing the device date and time.

To do this, configure an Android custom policy with the setting URI ./Vendor/MSFT/PolicyManager/My/System/AllowDateTimeChange Set this to TRUE, and then assign it to the required groups.

BitLocker device configuration

The Windows Encryption > Base Settings include a new Warning for another disk encryption setting that lets you disable the warning prompt for other disk encryption that might be in use on the user's device. The warning prompt requires end-user consent before setting up BitLocker on the device and blocks BitLocker setup until confirmed by the end-user. The new setting disables the end-user warning.

App management

Volume Purchase Program for Business apps will now sync to your Intune Tenant

Third-party developers can privately distribute apps to authorized Volume Purchase Program (VPP) for Business members specified in iTunes Connect. These VPP for Business members can sign in to the Volume Purchase Program App Store and purchase their apps.

With this release, the VPP for Business apps purchased by the end user will now start syncing to their Intune tenants.

Select Apple country store to sync VPP apps

You can configure the Volume Purchase Program (VPP) country store when uploading your VPP token. Intune synchronizes VPP apps for all locales from the specified VPP country store.


Today, Intune only synchronizes VPP apps from the VPP country store that match the Intune locale in which the Intune tenant was created.

Intune apps

Block copy and paste between work and personal profiles in Android for Work

With this release, you are able to configure the work profile for Android for Work to block copy and paste between work and personal apps. You can find this new setting in the Device restrictions profile for the Android for Work Platform in Work profile settings.

Create iOS apps limited to specific regional Apple App Stores

You will be able to specify the country locale during the creation of an Apple App Store managed app.


Currently, you can only create Apple App Store managed apps that are present in the US country store.

Update iOS VPP user and device licensed apps

You will be able to configure the iOS VPP token to update all apps purchased for that token through the Intune service. Intune will detect the VPP app updates inside the app store and automatically push them to the device when the device checks-in.

For steps to set an VPP token and enable automatic updates, see How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.

Monitor and troubleshoot

User device association entity Collection added to Intune Data Warehouse data model

You can now build reports and data visualizations using the user device association information that associates user and device entity collections. The data model can be accessed through the Power BI file (PBIX) retrieved from the Data Warehouse Intune page, through the OData endpoint, or by developing a custom client.

Review policy compliance for Windows 10 update rings

You will be able to review a policy report for your Windows 10 update rings from Software updates > Per update ring deployment state. The policy report includes deployment status for the update rings that you have configured.

New report that lists iOS devices with older iOS versions

The Out-of-date iOS Devices report is available from the Software updates workspace. In the report, you can view a list of supervised iOS devices that were targeted by an iOS update policy and have available updates. For each device, you can view a status for why the device has not been automatically updated.

View app protection policy assignments for troubleshooting

In this upcoming release, App protection policy option will be added to the Assignments drop-down list available on the troubleshooting blade. You can now select app protection policies to see app protection policies assigned to the selected users.

Week of October 2, 2017

Intune apps

Improvements to device setup workflow in Company Portal

We've improved the device setup workflow in the Company Portal app for Android. The language is more user-friendly and specific to your company, and we've combined screens where possible. You can see these on the what's new in app UI page.

Improved guidance around the request for access to contacts on Android devices

The Company Portal app for Android often requires the end user to accept the Contacts permission. If an end user declines this access, they will now see an in-app notification that alerts them to grant it for conditional access.

Secure startup remediation for Android

End users with Android devices will be able to tap the non-compliance reason in the Company Portal app. When possible, this will take them directly to the correct location in the settings app to fix the issue.

Additional push notifications for end users on the Company Portal app for Android Oreo

End users will see additional notifications to indicate to them when the Company Portal app for Android Oreo is performing background tasks, such as retrieving policies from the Intune service. This increases transparency for end users about when the Company Portal is performing administrative tasks on their device. This is part of the overall optimization of the Company Portal UI for the Company Portal app for Android Oreo.

There are further optimizations for new UI elements that are enabled in Android Oreo. End users will see additional notifications that will indicate to them when Company Portal is performing background tasks such as retrieving policy from the Intune service. This increases transparency for end users about when Company Portal is performing administrative tasks on the device.

New behaviors for the Company Portal app for Android with work profiles

When you enroll an Android for Work device with a work profile, it's the Company Portal app in the work profile that performs management tasks on the device.

Unless you are using a MAM-enabled app in the personal profile, the Company Portal app for Android no longer serves any use. To improve the work profile experience, Intune will automatically hide the personal Company Portal app after a successful work profile enrollment.

The Company Portal app for Android can be enabled at any time in the personal profile by browsing for Company Portal in the Play Store and tapping Enable.

Company Portal for Windows 8.1 and Windows Phone 8.1 moving to sustaining mode

Beginning in October 2017, the Company Portal apps for Windows 8.1 and Windows Phone 8.1 will move to sustaining mode. This means that the apps and existing scenarios, such as enrollment and compliance, will continue to be supported for these platforms. These apps will continue to be available for download through existing release channels, such as the Microsoft Store.

Once in sustaining mode, these apps will only will receive critical security updates. There will be no additional updates or features released for these apps. For new features, we recommend that you update devices to Windows 10 or Windows 10 Mobile.

Device enrollment

Block unsupported Samsung Knox device enrollment

The Company Portal app only attempts to enroll supported Samsung Knox devices. To avoid KNOX activation errors that prevent MDM enrollment, device enrollment is only attempted if the device appears in the list of devices published by Samsung. Samsung devices can have model numbers that support KNOX while others that don't. Verify Knox compatibility with your device reseller before purchase and deployment. You can find the full list of verified devices in the Android and Samsung KNOX Standard policy settings.

End of support for Android 4.3 and lower

Managed apps and the Company Portal app for Android will require Android 4.4 and higher to access company resources. By December, all enrolled devices will be force retired in December, resulting in loss of access to company resources. If you are using app protection policies without MDM, apps will not receive updates, and the quality of their experience will diminish over time.

Inform end users what device information can be seen on enrolled devices

We are adding Ownership Type to the Device Details screen on all Company Portal apps. This will allow users to find out more about privacy directly from the What information can your company see? article. This will be rolling out across all Company Portal apps in the near future. We announced this for iOS in September.

Week of September 25, 2017

Device enrollment

Intune supports iOS 11

Intune supports iOS 11. This was previously announced on the Intune Support blog.

End of support for iOS 8.0

Managed apps and the Company Portal app for iOS will require iOS 9.0 and higher to access company resources. Devices that aren't updated before this September will no longer be able to access the Company Portal or those apps.

Intune apps

Refresh action added to the Company Portal app for Windows 10

The Company Portal app for Windows 10 allows users to refresh the data in the app by either pulling to refresh or, on desktops, pressing F5.


New path for managed devices in Graph API

We are making a change to the path used to access managed devices in the beta version of the Graph API.

Current path https://graph.microsoft.com/beta/managedDevices
New path https://graph.microsoft.com/beta/deviceManagement/managedDevices

Both paths will work through the month of October. After the October service release, only the new path will work. If you are using the Graph API to access managed devices, update and verify your scripts and applications with the new path. For additional changes, check the monthly Graph API changelog.

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only accessible from links in the Intune classic portal. Intune accounts created before January 2017 require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the Azure portal.

Administration roles being replaced in Azure portal

The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only) used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to reassign your admins to these new administration roles. For more information about RBAC and the new roles, see Role-based access control for Microsoft Intune.

What's coming

Changes in support for the Intune iOS Company Portal app

Coming soon, there will be a new version of the Microsoft Intune Company Portal app for iOS that will support only devices running iOS 9.0 or later. The version of the Company Portal that supports iOS 8 will still be available for a very short period of time. However, note that if you also use MAM-enabled iOS apps we support iOS 9.0 and later, so you'll want to ensure your end users update to the latest OS.

How does this affect me?

We are letting you know this in advance, even though we don't have specific dates, so you have time to plan. Ensure your users are updated to iOS 9+ and when the Company Portal app releases, request that your end users update their Company Portal app.

What do I need to do to prepare for this change?

Encourage your users to update to iOS 9.0 or later to take full advantage of new Intune features. Encourage users to install the new version of the Company Portal and take advantage of the new features it will offer.

Go to the Intune in the Azure portal and view Devices > All Devices and filter by iOS version to see any current devices with operating systems earlier than iOS 9.

Apple to require updates for Application Transport Security

Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS Company Portal apps.

We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email CompanyPortalBeta@microsoft.com with your first name, last name, email address, and company name. Review our Intune support blog for more details.

See also