What's new in Microsoft Intune

Learn what’s new each week in Microsoft Intune. You can also find out about upcoming changes, important notices about the service, and information about past releases. Some features may roll out over several weeks and might not be available to all customers in the first week.


For information on new functionality in hybrid mobile device management (MDM), check out the hybrid What’s New page.

Week of September 17, 2018

App management

Remove duplication of app protection status tiles

The User status for iOS and the User status for Android tiles were present in both the Client Apps - Overview page, as well as the Client Apps - App protection status page. The status tiles have been removed from the Client Apps - Overview page to avoid duplication.

Week of August 27, 2018

App management

Packet tunnel support for iOS per-app VPN profiles for custom and Pulse Secure connection types

When using iOS per-app VPN profiles, you can choose to use app-layer tunneling (app-proxy) or packet-level tunneling (packet-tunnel). These options are available with the following connection types:

  • Custom VPN
  • Pulse Secure If you are not sure which value to use, consult your VPN provider's documentation.

Delay when iOS software updates are shown on the device

In Intune > Software Updates > Update policies for iOS, you can configure the days and times when you don't want devices to install any updates. In a future update, you'll be able to delay when a software update is visibly shown on the device, from 1-90 days. Configure iOS update policies in Microsoft Intune lists the current settings.

Office 365 ProPlus version

When assigning the Office 365 ProPlus apps to Windows 10 devices using Intune, you will be able to select the version of Office. In the Azure portal, select Microsoft Intune > Apps > Add App. Then, select Office 365 ProPlus Suite (Windows 10) from the Type dropdown list. Select App Suite Settings to display the associated blade. Set the Update Channel to a value, such as Monthly. Optionally, remove other version of Office (msi) from end user devices by selecting Yes. Select Specific to install a specific version of Office for the selected channel on end user devices. At this point, you can select the Specific version of Office to use. The available versions will change over time. Therefore, when creating a new deployment, the versions available may be newer and not have certain older versions available. Current deployments will continue to deploy the older version, but the version list will be continually updated per channel. For more information, see Overview of update channels for Office 365 ProPlus.

Support for Register DNS setting for Windows 10 VPN

With this update, you can configure Windows 10 VPN profiles to dynamically register the IP addresses assigned to the VPN interface with the internal DNS, without needing to use custom profiles. For information about the current VPN profile settings available, see Windows 10 VPN settings.

The macOS Company Portal installer now includes the version number in the installer file name

iOS automatic app updates

Automatic app updates work for both device and user licensed apps for iOS Version 11.0 and above.

Device configuration

Windows Hello will target users and devices

When you create a Windows Hello for Business policy, it applies to all users within the organization (tenant-wide). With this update, the policy can also be applied to specific users or specific devices using a device configuration policy (Device Configuration > Profiles > Create profile > Identity Protection > Windows Hello for Business). In Intune in the Azure portal, the Windows Hello configuration and settings now exists in both Device enrollment and Device configuration. Device enrollment targets the entire organization (tenant-wide), and supports Windows AutoPilot (OOBE). Device configuration targets devices and users using a policy that's applied during check-in. This feature applies to:

  • Windows 10 and later
  • Windows Holographic for Business

Zscaler is an available connection for VPN profiles on iOS

When you create an iOS VPN device configuration profile (Device configuration > Profiles > Create profile > iOS platform > VPN profile type), there are several connection types, including Cisco, Citrix, and more. This update adds Zscaler as a connection type. VPN settings for devices running iOS lists the available connection types.

FIPS mode for Enterprise Wi-Fi profiles for Windows 10

You can now enable Federal Information Processing Standards (FIPS) mode for Enterprise Wi-Fi profiles for Windows 10 in the Intune Azure portal. Be sure FIPS mode is enabled on your Wi-Fi infrastructure if you enable it in your Wi-Fi profiles. Wi-Fi settings for Windows 10 and later devices in Intune shows you how to create a Wi-Fi profile.

Control S-mode on Windows 10 and later devices - public preview

With this feature update, you can create a device configuration profile that switches a Windows 10 device out of S-mode, or prevent users from switching the device out of S-mode. This feature is in Intune > Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch. Introducing Windows 10 in S mode provides more information on S mode. Applies to: the most recent Windows Insider build (while in preview).

Windows Defender ATP configuration package automatically added to configuration profile

When using Advanced Threat Protection and onboarding devices in Intune, you previously had to download a configuration package, and add it to your configuration profile. With this update, Intune automatically gets the package from Windows Defender Security Center, and adds it to your profile. Applies to Windows 10 and later.

Require users to connect during device setup

You can now set device profiles to require that the device connects to a network before proceeding past the Network page during Windows 10 setup. While this feature is in preview, a Windows Insider build 1809 or later is required to use this setting. Applies to: the most recent Windows Insider build (while in preview).

Restricts apps, and block access to company resources on iOS and Android Enterprise devices

In Device compliance > Policies > Create policy > iOS > System Security, there is a new Restricted applications setting. This new setting uses a compliance policy to block access to company resources if certain apps are installed on the device. The device is considered non-compliant until the restricted apps are removed from the device. Applies to: iOS

Modern VPN support updates for iOS

This update adds support the following iOS VPN clients:

  • F5 Access (version 3.0.1 and higher)
  • Citrix SSO
  • Palo Alto Networks GlobalProtect version 5.0 and higher Also in this update:
  • Existing F5 Access connection type is renamed to F5 Access Legacy for iOS.
  • Existing Palo Alto Networks GlobalProtect connection type is renamed to Palo Alto Networks GlobalProtect (legacy) for iOS. Existing profiles with these connection types continue to work with their respective legacy VPN client. If you're using Cisco Legacy AnyConnect, F5 Access Legacy, Citrix VPN, or Palo Alto Networks GlobalProtect version 4.1 and earlier with iOS, you should move to the new apps. Do this as soon as possible to ensure that VPN access is available for iOS devices as they update to iOS 12. For more information about iOS 12 and VPN profiles, see the Microsoft Intune Support Team Blog.

Export Azure classic portal compliance policies to recreate these policies in the Intune Azure portal

Compliance policies created in the Azure classic portal will be deprecated. You can review and delete any existing compliance policies, however you can't update them. If you need to migrate any compliance policies to the current Intune Azure portal, you can export the policies as a comma-separated file (.csv file). Then, use the details in the file to recreate these policies in the Intune Azure portal.


When the Azure classic portal retires, you will no longer be able to access or view your compliance policies. Therefore, be sure to export your policies and recreate them in the Azure portal before the Azure classic portal retires.

Better Mobile - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Better Mobile, a Mobile Threat Defense solution that integrates with Microsoft Intune.

Device enrollment

Lock the Company Portal in single app mode until user sign-in

You now have the option to run the Company Portal in Single App mode if you authenticate a user through the Company Portal instead of Setup Assistant during DEP enrollment. This option locks the device immediately after Setup Assistant completes so that a user must sign in to access the device. This process makes sure that the device completes onboarding and is not orphaned in a state without any user tied.

Assign a user and friendly name to an Autopilot device

You can now assign a user to a single Autopilot device. Admins will also be able to give friendly names to greet the user when setting up their device with Autopilot. Applies to: the most recent Windows Insider build (while in preview).

Use VPP device licenses to pre-provision the Company Portal during DEP enrollment

You can now use Volume Purchase Program (VPP) device licenses to pre-provision the Company Portal during Device Enrollment Program (DEP) enrollments. To do so, when you create or edit an enrollment profile, specify the VPP token that you want to use to install the Company Portal. Make sure that your token doesn't expire and that you have enough licenses for the Company Portal app. In cases where the token expires or runs out of licenses, Intune will push the App Store Company Portal instead (this will prompt for an Apple ID).

Confirmation required to delete VPP token that is being used for Company Portal pre-provisioning

A confirmation is now required to delete a Volume Purchase Program (VPP) token if it is being used to pre-provision the Company Portal during DEP enrollment.

Block Windows personal device enrollments

You can block Windows personal devices from enrolling with mobile device management in Intune. Devices enrolled with Intune PC agent can't be blocked with this feature. This feature is rolling out over the next couple weeks so you might not see it immediately in the user interface.

Specify machine name patterns in an Autopilot profile

You can specify a computer name template to generate and set the computer name during Autopilot enrollment. Applies to: the most recent Windows Insider build (while in preview).

For Windows Autopilot profiles, hide the change account options on the company sign-in page and domain error page

There are new Windows Autopilot profile options for admins to hide the change account options on the company sign-in and domain error pages. Hiding these options requires Company Branding to be configured in Azure Active Directory. Applies to: the most recent Windows Insider build (while in preview).

Device management

Delete Jamf devices

You can delete JAMF-managed devices by going to Devices > choose the Jamf device > Delete.

Change terminology to "retire" and "wipe"

To be consistent with the Graph API, the Intune user interface and documentation has changed the following terms:

  • Remove company data will be changed to "retire"
  • Factory reset will be changed to wipe

Confirmation dialog if admin tries to delete MDM Push Certificate

If anyone tries to delete an Apple MDM Push certificate, a confirmation dialog box displays the number of related iOS and macOS devices. If the certificate is deleted, these devices will need to be re-enrolled.

Additional security settings for Windows installer

You can allow users to control app installs. If enabled, installations that may otherwise be stopped due to a security violation would be permitted to continue.​ You can direct the Windows installer to use elevated permissions when it installs any program on a system.​ Additionally, you can enabled Windows Information Protection (WIP) items to be indexed and the metadata about them stored in an unencrypted location. When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. The functionality for these options are disabled by default.

New user experience update for the Company Portal website

We’ve added new features, based on feedback from customers, to the Company Portal website. You'll experience a significant improvement in existing functionality and usability from your devices. Areas of the site–such as device details, feedback and support, and device overview–have received a new, modern, responsive design. You'll also see:

  • Streamlined workflows across all device platforms
  • Improved device identification and enrollment flows
  • More helpful error messages
  • Friendlier language, less tech jargon
  • Ability to share direct links to apps
  • Improved performance for large app catalogs
  • Increased accessibility for all users

The Intune Company Portal website documentation has been updated to reflect these changes. To view an example of the app enhancements, see UI updates for Intune end-user apps.

Monitor and troubleshoot

Enhanced jailbreak detection in compliance reporting

The enhanced jailbreak detection setting states now appears in all compliance reporting in the admin console.

Role-based access control

Scope tags for policies

You can create scope tags to limit access to Intune resources. Add a scope tag to a role assignment and then add the scope tag to a configuration profile. The role will only have access to resources with configuration profiles that have matching scope tags (or no scope tag).

Week of August 14, 2018

macOS support for Apple Device Enrollment Program

Intune now supports enrolling macOS devices into the Apple Device Enrollment Program (DEP). For more information, see Automatically enroll macOS devices with Apple's Device Enrollment Program.

Week of July 23, 2018

App management

Line-of-business (LOB) app support for macOS

Microsoft Intune allows macOS LOB apps to be deployed as Required or Available with enrollment. End users can get apps deployed as Available using the Company Portal for macOS or the Company Portal website.

iOS built-in app support for kiosk mode

In addition to Store Apps and Managed Apps, you can now select a Built-In App (such as Safari) that runs in kiosk mode on an iOS device.

Edit your Office 365 Pro Plus app deployments

As the Microsoft Intune admin, you have greater ability to edit your Office 365 Pro Plus app deployments. Additionally, you no longer have to delete your deployments to change any of the suite’s properties. In the Azure portal, select Microsoft Intune > Client apps > Apps. From the list of apps, select your Office 365 Pro Plus Suite.

Updated Intune App SDK for Android is now available

An updated version of the Intune App SDK for Android is available to support the Android P release. If you are an app developer and use the Intune SDK for Android, you must install the updated version of the Intune app SDK to ensure that Intune functionality within your Android apps continue to work as expected on Android P devices. This version of the Intune App SDK provides a built-in plugin that performs the SDK updates. You do not need to rewrite any existing code that’s integrated. For details, see Intune SDK for Android. If you are using the old badging style for Intune, we recommend that you use the briefcase icon. For branding details, see this GitHub repository.

Device configuration

Use S/MIME to encrypt and sign a user's multiple devices

This update includes S/MIME email encryption using a new imported certificate profile (Device configuration > Profiles > Create profile > select the platform > PKCS imported certificate profile type). In Intune, you can import certificates in PFX format. Intune can then deliver those same certificates to multiple devices enrolled by a single user. This also includes:

  • The native iOS email profile supports enabling S/MIME encryption using imported certificates in PFX format.
  • The native mail app on Windows Phone 10 devices automatically use the S/MIME certificate.
  • The private certificates can be delivered across multiple platforms. But, not all email apps support S/MIME.
  • On other platforms, you may need to manually configure the mail app to enable S/MIME.
  • Email apps that support S/MIME encryption may handle retrieving certificates for S/MIME email encryption in a way that an MDM cannot support, such as reading from their publisher's certificate store.

Supported on: Windows, Windows Phone 10, macOS, iOS, Android

Create device compliance policy using Firewall settings on macOS devices

When you create a new macOS compliance policy (Device compliance > Policies > Create policy > Platform: macOS > System security), there are some new Firewall settings available:

  • Firewall: Configure how incoming connections are handled in your environment.
  • Incoming connections: Block all incoming connections except those required for basic internet services, such as DHCP, Bonjour, and IPSec. This setting also blocks all sharing services.
  • Stealth Mode: Enable stealth mode to prevent the device from responding to probing requests. The device continues to answer incoming requests for authorized apps.

Applies to: macOS 10.12 and later

New Wi-Fi device configuration profile for Windows 10 and later

Currently, you can import and export Wi-Fi profiles using XML files. With this update, you can create a Wi-Fi device configuration profile directly in Intune, just like some other platforms.

To create the profile, open Device configuration > Profiles > Create Profile > Windows 10 and later > Wi-Fi.

Applies to Windows 10 and later.

Kiosk - obsolete is grayed out, and can't be changed

The Kiosk feature (Device configuration > Profiles > Create profile > Windows 10 and later > Device restrictions) is obsolete, and replaced with Kiosk settings for Windows 10 and later. With this update, the Kiosk - Obsolete feature is grayed out, and the user interface can't be changed or updated.

To enable kiosk mode, see Kiosk settings for Windows 10 and later.

Applies to Windows 10 and later, Windows Holographic for Business

APIs to use 3rd party certification authorities

In this update, there is a Java API that enables third-party certificate authorities to integrate with Intune and SCEP. Then, users can add the SCEP certificate to a profile, and apply it to devices using MDM.

Currently, Intune supports SCEP requests using Active Directory Certificate Services.

Toggle to show or not show the End Session button on a Kiosk browser

You can now configure whether or not Kiosk browsers show the End Session button. You can see the control at Device configuration > Kiosk (preview) > Kiosk Web Browser. If turned on, when a user clicks the button, the app prompts for confirmation to end the session. When confirmed, the browser clears all browsing data and navigates back to the default URL.

Create an eSIM cellular configuration profile

In Device configuration, you can create an eSIM cellular profile. You can import a file that contains cellular activation codes provided by your mobile operator. You can then deploy these profiles to your eSIM LTE enabled Windows 10 devices, such as the Surface Pro LTE and other eSIM capable devices.

Check to see if your devices support eSIM profiles.

Applies to Windows 10 and later.

Device enrollment

Automatically mark Android devices enrolled by using Samsung Knox Mobile Enrollment as "corporate".

By default, Android devices enrolled using Samsung Knox Mobile Enrollment are now marked as corporate under Device Ownership. You don't need to manually identify corporate devices using IMEI or serial numbers prior to enrolling using Knox Mobile Enrollment.

Device management

Bulk delete devices on devices blade

You can now delete multiple devices at a time on the Devices blade. Choose Devices > All devices > select the devices you want to delete > Delete. For devices that can't be deleted, an alert will be displayed.

Week of July 16, 2018

More opportunities to sync in the Company portal app for Windows

The Company Portal app for Windows now lets you initiate a sync directly from the Windows taskbar and Start menu. This feature is especially useful if your only task is to sync devices and get access to corporate resources. To access the new feature, right-click the Company portal icon that's pinned to your taskbar or Start menu. In the menu options (also referred to as a jump list), select Sync this device. The Company Portal will open to the Settings page and initiate your sync. For a look at the new functionality see What's new in the UI.

New browsing experiences in the Company portal app for Windows

Now when browsing or searching for apps in the Company Portal app for Windows, you can toggle between the existing Tiles view and the newly added Details view. The new view lists application details such as name, publisher, publication date and installation status.

The Apps page's Installed view lets you see details about completed and in-progress app installations. To see what the new view looks like, see What's new in the UI.

Improved Company Portal app experience for device enrollment managers

When a device enrollment manager (DEM) signs in to the Company Portal app for Windows, the app will now only list the DEM's current, running device. This improvement will reduce timeouts that previously occurred when the app tried to show all DEM-enrolled devices.

Week of July 9, 2018

App management

Block app access based on unapproved device vendors and models

The Intune IT admin can enforce a specified list of Android manufacturers, and/or iOS models through Intune App Protection Policies. The IT admin can provide a semicolon separated list of manufacturers for Android policies and device models for iOS policies. Intune App Protection Policies are for Android and iOS only. There are two separate actions that can be performed on this specified list:

  • A block from app access on devices that are not specified.
  • Or, a selective wipe of corporate data on devices that are not specified.

The user will be unable to access the targeted application if the requirements through the policy are not met. Based on settings, the user may either be blocked, or selectively wiped of their corporate data within the app. On iOS devices, this feature requires the participation of applications (such as WXP, Outlook, Managed Browser, Yammer) to integrate the Intune APP SDK for this feature to be enforced with the targeted applications. This integration happens on a rolling basis and is dependent on the specific application teams. On Android, this feature requires the latest Company Portal.

On end-user devices, the Intune client will take action based on a simple matching of the strings specified in the Intune blade for Application Protection Policies. This depends entirely on the value that the device reports. As such, the IT administrator is encouraged to ensure that the intended behavior is accurate. This can be accomplished by testing this setting based on a variety of device manufacturers and models targeted to a small user group. In Microsoft Intune, select Client apps > App protection policies to view and add app protection policies. For more information about app protection policies, see What are app protection policies and Selectively wipe data using app protection policy access actions in Intune.

Access to macOS Company Portal pre-release build

Using Microsoft AutoUpdate, you can sign up to receive builds early by joining the Insider program. Signing up will enable you to use the updated Company Portal before it’s available to your end users. For more information, see the Microsoft Intune blog.

Week of July 2, 2018

App management

Monitor iOS app configuration status per device

As the Microsoft Intune admin, you can monitor iOS app configuration status for each managed device. From Microsoft Intune in the Azure portal, select Devices > All devices. From the list of managed devices, select a specific device to display a blade for the device. On the device blade, select App configuration.

Access actions for app protection policies

You can configure app protection policies to explicitly wipe, block, or warn non-compliant devices. The wipe action removes your company’s corporate data from a device. If a wipe occurs, the device's user is notified of both the reason for the wipe and remediation steps. For some settings, like minimum OS version, you will be able to apply multiple actions, such as block and wipe. Note that these actions are triggered when the app is launched.

Selective wipe of organization's app data

Administrators can now configure a selective wipe of the organization's data as a new action when the conditions of Application Protection Policies (APP) Access settings are not met. This feature helps administrators automatically protect and remove sensitive organization data from applications based on pre-configured criteria.

Revoking an iOS app purchased through VPP

As the Microsoft Intune admin, you can revoke all the licenses for a selected iOS app purchased through the volume-purchase program (VPP). You can notify users when a user licensed app is no longer assigned to them. Revoking an app license will not uninstall the related VPP app from the device. To uninstall a VPP app, you must change the assignment action to Uninstall. The reclaimed license count will be reflected in Licensed Apps node in the App workload of Intune. For more information related to iOS VPP apps, see How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.

Updates to out-of-compliance messages in Company Portal app

We revised the messages that device users see when a device is out-of-compliance. Messages retain their original meanings but have been updated with friendlier language and less technical jargon. We also refreshed links to documentation and remediation steps to keep them up-to-date. The following before and after text is one example of the improvements in messaging you'll see:

  • Before: This device hasn’t contacted the Intune service in the specified time period required by your IT admin. To resolve this issue, please open the company portal app on your device and click on the Check Compliance button.
  • After: Your device has not checked in with your organization in a while. To reestablish a connection, open the Company Portal app on your device and tap Check Settings for your device.

Revoke iOS VPP app license

As the admin, you can reclaim an iOS VPP app license assigned to a user or device. Uninstalling an iOS VPP app will also allow you to reclaim the app license. Before uninstalling the app, the user or the device needs to be removed from the group to which the app is targeted. Removing the user or the device from the group avoids a reinstall of the app. Once these steps are complete, you can choose to assign the app license to another user or device. For more information about iOS VPP app licenses, see Manage iOS volume-purchased apps in Microsoft Intune.

Device configuration

Select device categories by using the Access Work or School settings

If you've enabled device group mapping, users on Windows 10 will now be prompted to select a device category after enrolling through the Connect button in Settings > Accounts > Access work or school.

Use sAMAccountName as the account username for email profiles

You can use the on-premises sAMAccountName as the account username for email profiles for Android, iOS, and Windows 10. You can also get the domain from the domain or ntdomain attribute in Azure Active Directory (Azure AD). Or, enter a custom static domain.

To use this feature, you must sync the sAMAccountName attribute from your on-premises Active Directory environment to Azure AD.

Applies to Andoid, iOS, Windows 10 and later

See device configuration profiles in conflict

In Device Configuration, a list of the existing profiles is shown. With this update, a new column is added that provides details on profiles that have a conflict. You can select a conflicting row to see the setting and profile that has the conflict.

More on manage configuration profiles.

New status for devices in device compliance

In Device compliance > Policies > select a policy > Overview, the following new states are added:

  • succeeded
  • error
  • conflict
  • pending
  • not-applicable An image that shows the device count of a different platform is also shown. For example, if you're looking at an iOS profile, the new tile shows the count of non-iOS devices that are also assigned to this profile. See Device compliance policies.

Device compliance supports 3rd party anti-virus solutions

When you create a device compliance policy (Device compliance > Policies > Create policy > Platform: Windows 10 and later > Settings > System Security), there are new Device Security options:

  • Antivirus: When set to Require, you can check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Windows Defender.
  • AntiSpyware: When set to Require, you can check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Windows Defender.

Applies to: Windows 10 and later

Device enrollment

Devices without profiles column in the list of enrollment program tokens

In the enrollment program tokens list, there is a new column showing the number of devices without a profile assigned. This helps admins assign profiles to these devices before handing them out to users. To see the new column, go to Device enrollment > Apple enrollment > Enrollment program tokens.

Device management

Google name changes for Android for Work and Play for Work

Intune has updated "Android for Work" terminology to reflect Google branding changes. The terms "Android for Work" and "Play for Work" are no longer be used. Different terminology is used depending on the context:

  • "Android enterprise" refers to the overall modern Android management stack.
  • "Work profile" or "Profile Owner" refers to BYOD devices managed with work profiles.
  • "Managed Google Play" refers to the Google app store.

Rules for removing devices

New rules are available that let you automatically remove devices that haven't checked in for a number of days that you set. To see the new rule, go to the Intune pane, select Devices, and select Device cleanup rules.

Corporate-owned, single use support for Android devices

Intune now supports highly-managed, locked-down, kiosk-style Android devices. This allows admins to further lock down the usage of a device to a single app or small set of apps, and prevents users from enabling other apps or performing other actions on the device. To set up Android kiosk, go to Intune > Device enrollment > Android enrollment > Kiosk and task device enrollments. For more information, see Set up enrollment of Android enterprise kiosk devices.

Per-row review of duplicate corporate device identifiers uploaded

When uploading corporate IDs, Intune now provides a list of any duplicates and gives you the option to replace or keep the existing information. The report will appear if there are duplicates after you choose Device enrollment > Corporate Device Identifiers > Add Identifiers.

Manually add corporate device identifiers

You can now manually add corporate device IDs. Choose Device enrollment > Corporate Device Identifiers > Add.

Week of June 25, 2018

Pradeo - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Pradeo, a Mobile Threat Defense solution that integrates with Microsoft Intune.

Week of June 18, 2018

Edge mobile support for Intune app protection policies

The Microsoft Edge browser for mobile devices now supports app protection policies defined in Intune.

Week of June 11, 2018

Use FIPS mode with the NDES Certificate connector

When you install the NDES Certificate connector on a computer with Federal Information Processing Standard (FIPS) mode enabled, issuing and revoking certificates didn't work as expected. With this update, support for FIPS is included with the NDES Certificate connector.

This update also includes:

  • The NDES Certificate connector requires .NET 4.5 Framework, which is automatically included with Windows Server 2016 and Windows Server 2012 R2. Previously, .NET 3.5 Framework was the minimum required version.
  • TLS 1.2 support is included with the NDES Certificate connector. So if the server with NDES Certificate connector installed supports TLS 1.2, then TLS 1.2 is used. If the server doesn't support TLS 1.2, then TLS 1.1 is used. Currently, TLS 1.1 is used for authentication between the devices and server.

For more information, see Configure and use SCEP certificates and Configure and use PKCS certificates.

Week of June 4, 2018

App management

Retrieve the associated app user model ID (AUMID) for Microsoft Store for Business apps in kiosk mode

Intune can now retrieve the app user model ids (AUMIDs) for Microsoft Store for Business (WSfB) apps to provide improved configuration of the kiosk profile.

For more information about Microsoft Store for Business apps, see Manage apps from Microsoft Store for Business.

New Company Portal branding page

The Company Portal branding page has a new layout, messages, and tooltips.

Device configuration

Support for Palo Alto Networks GlobalProtect VPN profiles

With this update, you can choose Palo Alto Networks GlobalProtect as a VPN connection type for VPN profiles in Intune (Device configuration > Profiles > Create profile > Profile type > VPN). In this release, the following platforms are supported:

  • iOS
  • Windows 10

Additions to Local Device Security Options settings

You can now configure additional Local Device Security Options settings for Windows 10 devices. Additional settings are available in the areas of Microsoft Network Client, Microsoft Network Server, Network access and security, and Interactive logon. Find these settings in the Endpoint Protection category when you create a Windows 10 device configuration policy.

Enable kiosk mode on Windows 10 devices

On Windows 10 devices, you can create a configuration profile and enable kiosk mode (Device Configuration > Profiles > Create profile > Windows 10 > Device Restrictions > Kiosk). In this update, the Kiosk (preview) setting is renamed to Kiosk (obsolete). Kiosk (obsolete) is no longer recommended for use, but will continue to function until the July update. Kiosk (obsolete) is replaced by the new Kiosk profile type (Create profile > Windows 10 > Kiosk (preview)), which will contain the settings to configure Kiosks on Windows 10 RS4 and later.

Applies to Windows 10 and later.

Device profile graphical user chart is back

While improving the numeric counts shown on the device profile graphical chart (Device configuration > Profiles > select an existing profile > Overview), the graphical user chart was temporarily removed.

With this update, the graphical user chart is back, and shown in the Azure portal.

Device enrollment

Support for Windows Autopilot enrollment without user authentication

Intune now supports Windows Autopilot enrollment without user authentication. This is a new option in the Windows Autopilot deployment profile "Autopilot Deployment mode" set to "Self-Deploying". The device must be running Windows 10 Insider Preview Build 17672 or later and possess a TPM 2.0 chip to successfully complete this type of enrollment. Since no user authentication is required, you should only assign this option to devices that you have physical control over.

New language/region setting when configuring OOBE for Autopilot

A new configuration setting is available to set the language and region for Autopilot profiles during the Out of Box Experience. To see the new setting, choose Device enrollment > Windows enrollment > Deployment profiles > Create profile > Deployment mode = Self-deploying > Defaults configured.

New setting for configuring device keyboard

A new setting will be available to configure the keyboard for Autopilot profiles during the Out of Box Experience. To see the new setting, choose Device enrollment > Windows enrollment > Deployment profiles > Create profile > Deployment mode = Self-deploying > Defaults configured.

Autopilot profiles moving to group targeting

AutoPilot deployment profiles can be assigned to Azure AD groups containing AutoPilot devices.

Device management

Set compliance by device location

In some situations, you may want to restrict access to corporate resources to a specific location, defined by a network connection. You can now create a compliance policy (Device compliance > Locations) based on the IP address of the device. If the device moves outside the IP range, then the device cannot access corporate resources.

Applies to: Android devices 6.0 and higher, with the updated Company Portal app

Prevent consumer apps and experiences on Windows 10 Enterprise RS4 Autopilot devices

You will be able to prevent the installation of consumer apps and experiences on your Windows 10 Enterprise RS4 AutoPilot devices. To see this feature, go to Intune > Device configuration > Profiles > Create profile > Platform = Windows 10 or later > Profile type = Device restrictions > Configure > Windows Spotlight > Consumer features.

Uninstall the latest from Windows 10 software updates

Should you discover a breaking issue on your Windows 10 machines, you can choose to uninstall (rollback) the latest feature update or the latest quality update. Uninstalling a feature or quality update is only available for the servicing channel the device is on. Uninstalling will trigger a policy to restore the previous update on your Windows 10 machines. For feature updates specifically, you can limit the time from 2-60 days that an uninstall of the latest version can be applied. To set software update uninstall options, select Software updates from the Microsoft Intune blade within the Azure portal. Then, select Windows 10 Update Rings from the Software updates blade. You can then choose the Uninstall option from the Overview section.

Search all devices for IMEI and serial number

You can now search for IMEI and serial numbers on the All devices blade (email, UPN, device name, and management name are still available). In Intune, choose Devices > All devices > enter your search in the search box.

Management name field will be editable

You can now edit the management name field on a device’s Properties blade. To edit this field, choose Devices > All devices > choose the device > Properties. You can use the management name field to uniquely identify a device.

New All devices filter: Device category

You can now filter the All devices list by device category. To do so, choose Devices > All devices > Filter > Device category.

Use TeamViewer to screen share iOS and MacOS devices

Administrators can now connect to TeamViewer, and start a screen sharing session with iOS and macOS devices. iPhone, iPad, and macOS users can share their screens live with any other desktop or mobile device.

Multiple Exchange Connector support

You're no longer limited to one Microsoft Intune Exchange Connector per tenant. Intune now supports multiple Exchange Connectors so that you can set up Intune conditional access with multiple on-premises Exchange organizations.

With an Intune on-premises Exchange connector, you can manage device access to your on-premises Exchange mailboxes based on whether a device is enrolled in Intune and complies with Intune device compliance policies. To set up a connector, you download the Intune on-premises Exchange connector from the Azure portal and install it on a server in your Exchange organization. On the Microsoft Intune dashboard, choose On-premises access, and then under Setup, choose Exchange ActiveSync connector. Download the Exchange on-premises connector and install it on a server in your Exchange organization. Now that you're no longer limited to one Exchange connector per tenant, if you have additional Exchange organizations, you can follow this same process to download and install a connector for each additional Exchange organization.

New device hardware detail: CCID

The Chip Card Interface Device (CCID) information is now included for each device. To see it, choose Devices > All devices > choose a device > Hardware> check under Network details>

Assign all users and all devices as scope groups

You can now assign all users, all devices, and all users and all devices in scope groups. To do this, choose Intune roles > All roles > Policy and profile manager > Assignments > choose an assignment > Scope (groups).

UDID information now included for iOS and macOS devices

To see the Unique Device Identifier (UDID) for iOS and macOS devices, go to Devices > All devices > choose a device > Hardware. UDID is only available for corporate devices (as set under Devices > All devices > choose a device > Properties > Device ownership).

Intune apps

Improved troubleshooting for app installation

On Microsoft Intune MDM-managed devices, sometimes app installations can fail. When these app installs fail, it can be challenging to understand the failure reason or troubleshoot the issue. We're shipping a Public Preview of our App Troubleshooting features. You will notice a new node under each individual device called Managed Apps. This lists the apps that have been delivered via Intune MDM. Inside the node, you'll see a list of app install states. If you select an individual app, you'll see the troubleshooting view for that specific app. In the troubleshooting view, you'll see the end-to-end lifecycle of the app, such as when the app was created, modified, targeted, and delivered to a device. Additionally, if the app install was not successful, you'll be presented with the error code and a helpful message about the cause of the error.

Intune app protection policies and Microsoft Edge

The Microsoft Edge browser for mobile devices (iOS and Android) now supports Microsoft Intune app protection policies. Users of iOS and Android devices who sign in with their corporate Azure AD accounts in the Edge application will be protected by Intune. On iOS devices, the Require managed browser for web content policy will allow users to open links in Edge when it is managed.

Week of May 14, 2018

App management

Require installation of policies, apps, certificate and network profiles

Admins can block end users from accessing the Windows 10 RS4 desktop until Intune installs policies, apps, and certificate and network profiles during the provisioning of AutoPilot devices. For more info, see Set up an enrollment status page.

Configuring your app protection policies

In the Azure portal, instead of going to the Intune App Protection service blade, you now just go to Intune. There is now only one location for app protection policies within Intune. Note that all of your app protection policies are on the Mobile app blade in Intune under App protection policies. This integration helps to simplify your cloud management administration. Remember, all app protection policies are already in Intune and you can modify any of your previously configured policies. Intune App Policy Protection (APP) and Conditional Access (CA) policies are now under Conditional access, which can be found under the Manage section in the Microsoft Intune blade or under the Security section in the Azure Active Directory blade. For more information about modifying conditional access policies, see Conditional access in Azure Active Directory. For additional information, see What are app protection policies?

Week of May 7, 2018

App management

Samsung Knox mobile enrollment support

When using Intune with Samsung Knox Mobile Enrollment (KME), you can enroll large numbers of company-owned Android devices. Users on WiFi or cellular networks can enroll with just a few taps when they turn on their devices for the first time. When using the Knox Deployment App, devices can be enrolled using Bluetooth or NFC. For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.

Requesting help in the Company Portal for Windows 10

The Company Portal for Windows 10 will now send app logs directly to Microsoft when the user initiates the workflow to get help with an issue. This will make it easier to troubleshoot and resolve issues that are raised to Microsoft.

Week of April 23, 2018

App management

Passcode support for MAM PIN on Android

Intune admins can set an application launch requirement to enforce a passcode instead of a numeric MAM PIN. If configured, the user is required to set and use a passcode when prompted before getting access to MAM-enlightened applications. A passcode is defined as a numeric PIN with at least one special character or upper/lowercase alphabet. Intune supports passcode in a similar way to the existing numeric PIN... being able to set a minimum length, allowing repeat characters and sequences through the admin console. This feature requires the latest version of Company Portal on Android. This feature is already available for iOS.

Line-of-business (LOB) app support for macOS

Microsoft Intune will provide the capability to install macOS LOB apps from the Azure portal. You will be able to add a macOS LOB app to Intune after it has been pre-processed by the tool available in GitHub. In the Azure portal, choose Client apps from the Intune blade. On the Client apps blade, choose Apps > Add. On the Add App blade, select Line-of-business app.

Built-in All Users and All Devices Group for Android for Work (AFW) app assignment

You can leverage the built-in All Users and All Devices groups for AFW app assignment. For more information, see Include and exclude app assignments in Microsoft Intune.

Intune will reinstall required apps that are uninstalled by users

If an end user uninstalls a required app, Intune automatically reinstalls the app within 24 hours rather than waiting for the 7-day re-evaluation cycle.

Device configuration

Device profile chart and status list show all devices in a group

When you configure a device profile (Device configuration > Profiles), you choose the device profile, such as iOS. You assign this profile to a group that includes iOS devices and non-iOS devices. The graphical chart count shows that the profile is applied to the iOS and the non-iOS devices (Device configuration > Profiles > select an existing profile > Overview). When you select the graphical chart in the Overview tab, the Device status lists all the devices in the group, instead of only the iOS devices.

With this update, the graphical chart (Device configuration > Profiles > select an existing profile > Overview) only shows the count for the specific device profile. For example, if the configuration device profile applies to iOS devices, the chart only lists the count of the iOS devices. Selecting the graphical chart, and opening the Device status only lists the iOS devices.

While this update is being made, the graphical user chart is temporarily removed.

Always On VPN for Windows 10

Currently, Always On can be used on Windows 10 devices by using a custom virtual private network (VPN) profile created using OMA-URI.

With this update, admins can enable Always On for Windows 10 VPN profiles directly in Intune in the Azure portal. Always On VPN profiles will automatically connect when:

  • Users sign into their devices
  • The network on the device changes
  • The screen on the device turns back on after being turned off

New printer settings for education profiles

For education profiles, new settings are available under the Printers category: Printers, Default printer, Add new printers.

Show caller ID in personal profile - Android for Work

When using a personal profile on a device, end users may not see the caller ID details from a work contact.

With this update, there is a new setting in Android for Work > Device restrictions > Work profile settings:

  • Display work contact caller-id in personal profile

When enabled (not configured), the work contact caller details are displayed in the personal profile. When blocked, the work contact caller number is not displayed in the personal profile.

Applies to: Android work profile devices on Android OS v6.0 and newer

New Windows Defender Credential Guard settings added to endpoint protection settings

With this update, Windows Defender Credential Guard (Device configuration > Profiles > Endpoint protection) includes the following settings:

  • Windows Defender Credential Guard: Turns on Credential Guard with virtualization-based security. Enabling this feature helps protect credentials at the next reboot when Platform Security Level with Secure Boot and Virtualization Based Security are both enabled. Options include:
    • Disabled: If Credential Guard was previously turned on with the Enabled without lock" option​, then it turns off Credential Guard remotely.

    • Enabled with UEFI lock: Ensures that Credential Guard cannot be disabled using a registry key or using Group Policy. To disable Credential Guard after using this setting, you must set the Group Policy to "Disabled". Then, remove the security functionality from each computer, with a physically present user. These steps clear the configuration persisted in UEFI. As long as the UEFI configuration persists, Credential Guard is enabled.​

    • Enabled without lock: Allows Credential Guard to be disabled remotely using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).

The following dependent technologies are automatically enabled when configuring Credential Guard:

  • Enable Virtualization-based Security (VBS): Turns on virtualization-based security (VBS) at next reboot. Virtualization-based security uses the Windows Hypervisor to provide support for security services, and requires Secure Boot.
  • Secure Boot with Direct Memory Access (DMA): Turns on VBS with Secure Boot and direct memory access. DMA protection require hardware support, and is only enabled on properly configured devices.

Use a custom subject name on SCEP certificate

You can use the OnPremisesSamAccountName the common name in a custom subject on an SCEP certificate profile. For example, you can use CN={OnPremisesSamAccountName}).

Block camera and screen captures on Android for Work

Two new properties are available to block when you configure device restrictions for Android devices:

  • Camera: Blocks access to all cameras on the device
  • Screen capture: Blocks the screen capture, and also prevents the content from being shown on display devices that don't have a secure video output

Applies to Android for Work.

Device enrollment

New enrollment steps for users on devices with macOS High Sierra 10.13.2+

macOS high Sierra 10.13.2 introduced the concept of "User Approved" MDM enrollment. Approved enrollments allow Intune to manage some security-sensitive settings. For more information, see Apple's support documentation here: https://support.apple.com/HT208019.

Devices enrolled using the macOS Company Portal are considered "Not User Approved" unless the end user opens System Preferences and manually provides approval. To this end, the macOS Company Portal now directs users on macOS 10.13.2 and above to go and manually approve their enrollment at the end of the enrollment process. The Intune admin console will report on if an enrolled device is user approved.

Device management

Advanced Threat Protection (ATP) and Intune are fully integrated

Advanced Threat Protection (ATP) shows the risk level of Windows 10 devices. In Windows Defender Security Center (ATP portal), you can create a connection to Microsoft Intune. Once created, an Intune compliance policy is used to determine an acceptable threat level. If the threat level is exceeded, an Azure Active Directory (AD) conditional access policy can then block access to different apps within your organization.

This feature allows ATP to scan files, detect threats, and report any risk on your Windows 10 devices.

See Enable ATP with conditional access in Intune.

Support for user-less devices

Intune supports the ability to evaluate compliance on a user-less device, such as the Microsoft Surface Hub. Compliance policy can target specific devices. So compliance (and noncompliance) can be determined for devices that don't have an associated user.

Delete Autopilot devices

Intune admins can delete Autopilot devices.

Improved device deletion experience

You're no longer be required to remove company data or factory reset a device before deleting a device from Intune.

To see the new experience, sign in to Intune and select Devices > All devices > the name of the device > Delete.

If you still want the wipe/retire confirmation, you can use the standard device lifecycle route by issuing a Remove company data and Factory Reset prior to Delete.

Play sounds on iOS when in Lost mode

When supervised iOS devices are in Mobile Device Management (MDM) Lost mode, you can play a sound (Devices > All devices > select an iOS device > Overview > More). The sound continues to play until the device is removed from Lost mode, or a user disables sound on the device. Applies to iOS devices 9.3 and newer.

Block or allow web results in searches made on an Intune device

Admins can now block web results from searches made on a device.

Improved error messaging for Apple MDM Push Certificate upload failure

The error message explains that the same Apple ID must be used when renewing an existing MDM certificate.

Test the Company Portal for macOS on virtual machines

We've published guidance to help IT admins test the Company Portal app for macOS on virtual machines in Parallels Desktop and VMware Fusion. Find out more in enroll virtual macOS machines for testing.

User interface

Improved device tiles in the Windows 10 Company Portal

The tiles have been updated to be more accessible to low-vision users and to perform better for screen reading tools.

Send diagnostic reports in Company Portal app for macOS

The Company Portal app for macOS devices was updated to improve how users report Intune-related errors. From the Company Portal app, your employees can:

  • Upload diagnostic reports directly to the Microsoft developer team.
  • Email an incident ID to your company's IT support team.

For more information see Send errors for macOS.

Intune adapts to Fluent Design System in the Company Portal app for Windows 10

The Intune Company Portal app for Windows 10 has been updated with the Fluent Design System's navigation view. Along the side of the app, you'll notice a static, vertical list of all top-level pages. Click any link to quickly view and switch between pages. This is the first of several updates you'll see as part of our ongoing effort to create a more adaptive, empathetic, and familiar experience in Intune. To see the updated look, go to What's new in the app UI.

Week of April 16, 2018

Use Cisco AnyConnect client for iOS

When you create a new VPN profile for iOS, there are now two options: Cisco AnyConnect and Cisco Legacy AnyConnect. Cisco AnyConnect profiles support 4.0.7x and newer versions. Existing iOS Cisco AnyConnect VPN profiles are labeled Cisco Legacy AnyConnect, and continue to work with Cisco AnyConnect 4.0.5x and older versions, as they do today.


This change only applies to iOS. There continues to be only one Cisco AnyConnect option for Android, Android for Work, and macOS platforms.

Jamf-enrolled macOS devices can now register with Intune

Versions 1.3 and 1.4 of the macOS company portal did not successfully register Jamf devices with Intune. Version 1.4.2 of the macOS portal fixes this issue.

Week of April 9, 2018

Updated help experience in Company Portal app for Android

We've updated the help experience in the Company Portal app for Android to align with best practices for the Android platform. Now when users encounter a problem in the app, they can tap Menu > Help and:

  • Upload diagnostic logs to Microsoft.
  • Send an email that describes the problem and incident ID to a company support person.

To check out the updated help experience go to Send logs using email and Send errors to Microsoft.

New enrollment failure trend chart and failure reasons table

On the Enrollment Overview page, you can view the trend of enrollment failures and the top five causes of failures. By clicking on the chart or table, you can drill into details to find troubleshooting advice and remediation suggestions.

Update where to configure your app protection policies

In the Azure portal within the Microsoft Intune service, we’re going to temporarily redirect you from the Intune App Protection service blade to the Mobile app blade. Note that all of your app protection policies are already on the Mobile app blade in Intune under app configuration. Instead of going to Intune App Protection, you’ll just go to Intune. In April 2018, we will stop the redirection and fully remove the Intune App Protection service blade, so that there's only one location for app protection policies within Intune.

How does this affect me? This change will affect both Intune standalone customers and hybrid (Intune with Configuration Manager) customers. This integration will help simplify your cloud management administration.

What do I need to do to prepare for this change? Please tag Intune as a favorite instead of the Intune App Protection service blade and ensure you’re familiar with the App protection policy workflow in the Mobile app blade within Intune. We’ll redirect for a short period of time and then remove the App Protection blade. Remember, all app protection policies are already in Intune and you can modify any of your conditional access policies. For more information about modifying conditional access policies, see Conditional access in Azure Active Directory. For additional information, see What are app protection policies?

Week of April 2, 2018

Intune apps

User experience update for the Company Portal app for iOS

We've released a major user experience update to the Company Portal app for iOS. The update features a complete visual redesign that includes a modernized look and feel. We've maintained the functionality of the app, but increased its usability and accessibility.

You'll also see:

  • Support for iPhone X.
  • Faster app launch and loading responses, to save users time.
  • Additional progress bars to provide users with the most up-to-date status information.
  • Improvements to the way users upload logs, so if something goes wrong, it's easier to report.

To see the updated look, go to What's new in the app UI.

Protect on-premises Exchange data using Intune APP and CA

You can now use Intune App Policy Protection (APP) and Conditional Access (CA) to protect access to on-premises Exchange data with Outlook Mobile. To add or modify an app protection policy within the Azure portal, select Microsoft Intune > Client apps > App protection policies. Before using this feature, make sure you meet the Outlook for iOS and Android requirements.


Plan for Change: Intune will move to support macOS 10.12 and higher in December

Apple has just released macOS 10.14. Subsequently, Intune will move to support macOS 10.12 and higher in December 2018.

How does this affect me?

Starting in December, end users on devices with macOS 10.11 and prior won’t be able to use the Company Portal to enroll into Intune. They will need to upgrade their device to macOS 10.12 or higher and upgrade the Company Portal app to the latest version to continue to receive support and new features.

macOS versions 10.12 and higher are currently supported on:

  • MacBook (late 2009 or newer).
  • iMac (late 2009 or newer)
  • MacBook Air (late 2010 or newer).
  • MacBook Pro (late 2010 or newer).
  • Mac Mini (late 2010 or newer).
  • Mac Pro (late 2010 or newer).

After December, end users who have devices other than the ones listed above will not be able to access the latest version of the Company Portal app for macOS. Existing enrolled devices running unsupported versions below macOS 10.12 will continue to be managed and listed in the Intune Admin Console.

What do I need to do to prepare for this change?

Request your end users to upgrade their devices to a supported OS version before December 2018.

  • Check your Intune reporting in the Intune on Azure console, to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running macOS 10.11.
  • If you are using hybrid mobile device management (MDM), go to Assets and Compliance > Devices in the Configuration Manager console, right-click the columns to add the Operating System and Client Version columns, and sort by OS. Note that hybrid MDM is now deprecated, and you should move to Intune on Azure as soon as possible.

Additional Information https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp

Plan for Change: New Intune support experience for Premier customers

As a Microsoft Premier customer, you can currently use the Microsoft Premier Online (MPO) portal (premier.microsoft.com) and Intune on Azure (portal.azure.com) to create support requests for Intune. Starting on December 3, 2018, to continue enhancing the Premier support experience, you will be able to create support requests only in Intune on Azure.

How does this affect me?

After December 3, you will be not be able to create support requests in MPO. When you try to do this, you’ll see a prompt that you will not be able to dismiss, to be redirected to Intune on Azure. Here, you can create a support request which will be routed to Intune-dedicated Microsoft Support, to diagnose and resolve your issue in a timely manner. Support requests created in the MPO portal cannot be viewed in the Azure portal, so you should stop creating support requests in MPO.

If you use hybrid mobile device management (hybrid MDM) or use co-management, you can continue to use MPO to create support requests for ConfigMgr but use the Azure portal to create support requests for Intune. As a reminder, hybrid MDM is deprecated, and you should plan to move to Intune on Azure as soon as possible. For more information, see Move from Hybrid Mobile Device Management to Intune on Azure.

Note that only users with Global Administrator, Intune Service Administrator and Service Support Administrator roles can create support tickets in the Azure portal.

What can I do to prepare for this change?

  • Stop using MPO and use Intune on Azure to create and manage all your Intune support requests.
  • Notify your helpdesk and update documentation if necessary.
  • If you have users without Global administrator or Intune Service Administrator roles currently creating support requests in MPO, assign them the Service Support Administrator role in Azure Active Directory, so they can continue to create support tickets in the Azure portal.
  • Click on Additional Information for more information and helpful links.

Additional Information


Take action: Please update your Android device restriction or compliance policy password settings in Intune

Intune will be removing the available password type “device default” for Android 4.4 and higher devices. Due to differences in Android platforms and device defaults, that policy is often treated as optional by the device. To clear up confusion on when this setting is enforced on Android, we’ll remove this setting from the UI in an upcoming release.

How does this affect me?

  • If your intent is to require a password on the devices, we recommend instead of using “device default” you edit your Android platform profile(s) to clearly articulate the required password type.
  • If your intent is to let your end user to decide on whether to create a password, select the “Not configured” button. When we remove this setting from the UI, if the setting is still set, you will be prompted to choose a value other than “Device default” on your next edit of the profile. What do I need to do to prepare for this change? Review the password settings in your Android and Android enterprise device restriction and compliance policies. These are listed under System security for Compliance policies and under either Device password or Work profile settings for Device restrictions. Additional information has a link to more details and screenshots for where these settings are configured.

Additional information


Plan for Change: Change Password at Next Auth added to Intune

In the September service release, Intune plans to integrate Apple’s newly-released Change Password at Next Auth setting for devices running macOS versions 10.13 and newer. Before this setting, MDM providers can't verify that the device passcode was changed to be compliant. Intune’s configuration and compliance policies only validate that the next time a device password is changed, that it's marked as compliant. When this new Apple feature is added, your macOS users will receive a request to update their password, even if their password is compliant.

How does this affect me?

This impacts environments with a macOS device policy using Intune or a hybrid MDM. Now that Apple has this Change Password at New Auth setting, Intune can force users to update their password when a password policy is pushed. If you block company resources until the device is marked compliant, then your end users may be blocked from accessing company resources, such as email or SharePoint sites, until they reset their password. In the future, all updates to configuration and compliance password policies force targeted users to update their passwords.

What do I need to do to prepare for this change?

Let your helpdesk know. If you don't want to enforce this macOS device policy, we recommend you un-assign or delete your existing macOS policy. Customer research suggests most customers aren't affected by this change. Most end users update their password after receiving a request to enroll with a password, or reset their password to remain compliant.

Plan for Change: Intune moving to TLS 1.2

Starting on October 31, 2018, Intune will support Transport Layer Security (TLS) protocol version 1.2 to provide best-in-class encryption, to ensure our service is more secure by default, and to align with other Microsoft services such as Microsoft Office 365. Office communicated this change in MC128929.

The Company Portal will also move to support TLS 1.2 on October 31, 2018.

How does this affect me?

As of October 31, 2018, Intune will no longer support TLS protocol versions 1.0 or 1.1. All client-server and browser-server combinations should use TLS version 1.2 to ensure connection without issues to Intune. Note that this change will impact end-user devices that are no longer supported by Intune but are still receiving policy through Intune, and that cannot use TLS version 1.2. This includes devices such as those running Android 4.3 and earlier. For a list of affected devices and browsers, see Additional Information below.

After October 31, 2018, if you experience an issue related to the use of an old TLS version, you will be required to update to TLS 1.2 or to a device that supports TLS 1.2 as part of the resolution.

What do I need to do to prepare for this change?

We recommend that you proactively remove TLS 1.0 and 1.1 dependencies in your environments and disable TLS 1.0 and 1.1 at the operating system level where possible. Begin planning your migration to TLS 1.2 today. Check the support blog post below for the list of devices that are not supported by Intune today but might still be receiving policy, and that will not be able to communicate using TLS version 1.2. You might need to notify those end users that they’ll lose access to corporate resources.

Additional Information: Intune moving to TLS 1.2 for encryption

Plan for Change: Use Intune on Azure now for your MDM management

Over a year ago, we announced public preview of Intune on Azure and followed up six months ago with general availability of the new admin experience for Intune. Starting on August 31, 2018, we will turn off mobile device management (MDM) in the classic Silverlight console for those customers using Intune standalone. Instead, you can use Intune on Azure for your MDM needs. If you're still using the classic console for MDM, please stop and familiarize yourself with Intune on Azure. We do not expect any end user impact with this change. Classic PC management will remain in Silverlight. You can learn more about this change and how it affects you here.

What's coming

Apple to require updates for Application Transport Security

Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS Company Portal apps. We'll keep our Intune support blog with details.

See also