In development for Microsoft Intune
To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:
- If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.
- When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.
- This page and the What's new page are updated periodically. Check back for additional updates.
- Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.
This page reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This page doesn't describe all features in development.
RSS feed: Find out when this page is updated by copying and pasting the following URL into your feed reader:
This article was last updated on the date listed under the title above.
Update to device icons in Company Portal and Intune apps on Android
We're updating the device icons in the Company Portal and Intune apps on Android devices to create a more modern look and feel and to align with the Microsoft Fluent Design System. For related information, see Update to icons in Company Portal app for iOS/iPadOS and macOS.
iOS Company Portal will support Apple's Automated Device Enrollment without user affinity
iOS Company Portal will be supported on devices enrolled using Apple's Automated Device Enrollment without requiring an assigned user. An end user can sign in to the iOS Company Portal to establish themselves as the primary user on an iOS/iPadOS device that was enrolled without user affinity. For more information about Automated Device Enrollment, see Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrollment.
The Windows Company Portal adds Configuration Manager application support
The Windows Company Portal now supports Configuration Manager applications. This feature allows end users to see both Configuration Manager and Intune deployed applications in the Windows Company Portal for co-managed customers. This support will help administrators consolidate their different end-user portal experiences. For more information, see Use the Company Portal app on co-managed devices.
Set device compliance state from third-party MDM partners
Microsoft 365 customers who use third-party MDM solutions will be able to enforce Conditional Access policies for Microsoft 365 apps on iOS and Android through integration with the Microsoft Intune Device Compliance service. The third-party MDM vendor uses the Intune Device Compliance service to send device compliance data to Intune. Intune then evaluates that data to determine whether the device is trusted and sets the Conditional Access attributes in Azure AD. Customers will still be required to set Azure AD Conditional Access policies from within the Microsoft Endpoint Manager admin center or the Azure AD portal.
Create PKCS certificate profiles for Android Enterprise Fully Managed devices (COBO)
You can create PKCS certificate profiles to deploy certificates to Android Enterprise Device owner and Work profile devices (Devices > Configuration profiles > Create profile > Android Enterprise > Device owner only, or Android Enterprise > Work profile only for platform > PKCS for profile).
Soon you'll be able to create PKCS certificate profiles for Android Enterprise Fully Managed devices. The Intune PFX certificate connector is required. If you don't use SCEP, and only use PKCS, you can remove the NDES connector after you install the new PFX connector. The new PFX connector imports PFX files, and deploys PKCS certificates to all platforms.
For more information on PKCS certificates, see Configure and use PKCS certificates with Intune.
Applies to:
- Android Enterprise fully managed (COBO)
Use NetMotion as a VPN connection type for iOS/iPadOS, and macOS devices
When you create a VPN profile, NetMotion is available as a VPN connection type (Devices > Device configuration > Create profile > iOS/iPadOS or macOS for platform > VPN for profile > NetMotion for connection type).
For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.
More Protected Extensible Authentication Protocol (PEAP) options for Windows 10 Wi-Fi profiles
On Windows 10 devices, you can create Wi-Fi profiles using the Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Wi-Fi for profile > Enterprise). When you select Protected EAP (PEAP), there are new settings available:
- Perform server validation in PEAP phase 1: In PEAP negotiation phase 1, devices validate the certificate, and verify the server.
- Disable user prompts for server validation in PEAP phase 1: In PEAP negotiation phase 1, user prompts asking to authorize new PEAP servers for trusted certification authorities aren't shown.
- Require cryptographic binding: Prevents connections to PEAP servers that don't use crypto binding during the PEAP negotiation.
To see the settings you can currently configure, go to Add Wi-Fi settings for Windows 10 and later devices.
Applies to:
- Windows 10 and newer
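The three PEAP settings above decide whether a client will hand its credentials to an unverified RADIUS server. The following is an added example, not code from this page or from Microsoft: it audits an exported Windows WLAN profile (the XML that `netsh wlan export profile` writes) for those settings and produces a hardened copy with all three forced on. The element and namespace names follow the msPeapConnectionProperties schema as I know it from such exports, so verify them against your own export; the sample profile is constructed.

```python
"""Audit and harden the PEAP settings in an exported Windows WLAN profile.

Added example, not code from the Intune page or from Microsoft. Element and namespace
names are assumptions taken from netsh wlan export profile output."""
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "ehc": "http://www.microsoft.com/provisioning/EapHostConfig",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample: PEAP with every protective setting switched off and no server
# name pinned, which is the shape of a client that will trust any RADIUS server.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptsForServerValidation>false</DisableUserPromptsForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
            <RequireCryptoBinding>false</RequireCryptoBinding>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


def _peap(root):
    peap = root.find(".//base:Eap/peap:EapType", NS)
    if peap is None:
        raise ValueError("profile has no PEAP (EAP type 25) configuration")
    return peap


def _is_true(parent, path):
    el = parent.find(path, NS)
    return el is not None and (el.text or "").strip().lower() == "true"


def audit_peap(profile_xml):
    """Return the state of the three PEAP settings plus any pinned server names."""
    peap = _peap(ET.fromstring(profile_xml))
    names = peap.find("peap:ServerValidation/peap:ServerNames", NS)
    return {
        "perform_server_validation": _is_true(peap, "peap:PeapExtensions/peap2:PerformServerValidation"),
        "prompts_disabled": _is_true(peap, "peap:ServerValidation/peap:DisableUserPromptsForServerValidation"),
        "require_crypto_binding": _is_true(peap, "peap:RequireCryptoBinding"),
        "server_names": (names.text or "").strip() if names is not None else "",
    }


def weaknesses(state):
    """Human-readable findings; an empty list means all four checks pass."""
    found = []
    if not state["perform_server_validation"]:
        found.append("server certificate is not validated in PEAP phase 1")
    if not state["prompts_disabled"]:
        found.append("users can be prompted to accept an unknown PEAP server")
    if not state["require_crypto_binding"]:
        found.append("cryptographic binding of inner and outer EAP is not required")
    if not state["server_names"]:
        found.append("no RADIUS server name is pinned in ServerNames")
    return found


def harden_peap(profile_xml):
    """Return a copy of the profile with the three settings forced to true."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # readable prefixes in the output
    root = ET.fromstring(profile_xml)
    peap = _peap(root)
    targets = [  # (container relative to EapType or None for EapType itself, element)
        ("peap:ServerValidation", "{%s}DisableUserPromptsForServerValidation" % NS["peap"]),
        (None, "{%s}RequireCryptoBinding" % NS["peap"]),
        ("peap:PeapExtensions", "{%s}PerformServerValidation" % NS["peap2"]),
    ]
    for parent_path, tag in targets:
        parent = peap if parent_path is None else peap.find(parent_path, NS)
        if parent is None:  # create the container if the export lacked it
            parent = ET.SubElement(peap, parent_path.replace("peap:", "{%s}" % NS["peap"]))
        el = parent.find(tag)
        if el is None:
            el = ET.SubElement(parent, tag)
        el.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, xml in (("exported", WEAK_PROFILE), ("hardened", harden_peap(WEAK_PROFILE))):
        print(label, weaknesses(audit_peap(xml)) or ["ok"])
```

Pinning a server name is not one of the three Intune settings, so `harden_peap` leaves `ServerNames` alone and the audit keeps reporting it; fill it in with your RADIUS server's certificate subject before treating a profile as clean. The hardened copy is serialized with explicit namespace prefixes and is meant for review and comparison, not for re-import.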
Configure the macOS Microsoft Enterprise SSO plug-in
The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension to allow macOS 10.15+ users to gain access to Microsoft apps, organization apps, and websites that support Apple's SSO feature and authenticate using Azure AD, with one sign-on. With the Microsoft Enterprise SSO plug-in release, you can configure the SSO extension with the new Microsoft Azure AD app extension type (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile > Single sign-on app extension > SSO app extension type > Microsoft Azure AD).
To achieve SSO with the Microsoft Azure AD SSO app extension type, users need to install and sign in to the Company Portal app on their macOS devices.
For more information about macOS SSO app extensions, see Single sign-on app extension.
Applies to:
- macOS 10.15 and newer
Use SSO app extensions on more iOS/iPadOS apps with the Microsoft Enterprise SSO plug-in
The Microsoft Enterprise SSO plug-in for Apple devices can be used with all apps that support SSO app extensions. In Intune, this feature means the plug-in works with mobile iOS/iPadOS apps that don't use the Microsoft Authentication Library (MSAL) for Apple devices. The apps don't need to use MSAL, but they do need to authenticate with Azure AD endpoints.
To configure your iOS/iPadOS apps to use SSO with the plug-in, add the app bundle identifiers in an iOS/iPadOS configuration profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile > Single sign-on app extension > Microsoft Azure AD for SSO app extension type > App bundle IDs).
To see the current SSO app extension settings you can configure, go to Single sign-on app extension.
Improvement to Update device settings page in Company Portal app for Android to show descriptions
In the Company Portal app on Android devices, the Update device settings page lists the settings a user needs to update to be compliant. We have improved the user experience so that listed settings are expanded by default to show the description and the Resolve button (when applicable). Previously, they defaulted to collapsed. This new default behavior reduces the number of clicks, so users can resolve issues more quickly.
PowerShell scripts support for BYOD devices
PowerShell scripts will support Azure AD registered devices in Intune. For more information about PowerShell, see Use PowerShell scripts on Windows 10 devices in Intune. This functionality does not support devices running Windows 10 Home edition.
Log Analytics will include device details log
Intune device detail logs will be available in Reports > Log analytics. You can correlate device details to build custom queries and Azure workbooks.
Tenant attach: Device timeline in the admin center
When Configuration Manager synchronizes a device to Microsoft Endpoint Manager through tenant attach, you'll be able to see a timeline of events. This timeline shows past activity on the device that can help you troubleshoot problems. For more information, see Configuration Manager technical preview 2005.
Tenant attach: Install an application from the admin center
You'll be able to initiate an application install in real time for a tenant attached device from the Microsoft Endpoint Management admin center. For more information, see Configuration Manager technical preview 2005.
Tenant attach: CMPivot from the admin center
You'll be able to bring the power of CMPivot to the Microsoft Endpoint Manager admin center. This allows additional personas, such as Helpdesk, to initiate real-time queries from the cloud against an individual ConfigMgr managed device and return the results to the admin center. It gives all the traditional benefits of CMPivot, which lets IT admins and other designated personas quickly assess the state of devices in their environment and take action. For more information, see Configuration Manager technical preview 2005.
Tenant attach: Run Scripts from the admin center
You'll be able to bring the power of the Configuration Manager on-premises Run Scripts feature to the Microsoft Endpoint Manager admin center. This allows additional personas, such as Helpdesk, to run PowerShell scripts from the cloud against an individual Configuration Manager managed device. It brings all the traditional benefits of PowerShell scripts that have already been defined and approved by the Configuration Manager admin to this new environment. For more information, see Configuration Manager technical preview 2005.
Deploy Software Updates to macOS devices
You'll be able to deploy Software Updates to groups of macOS devices. This feature includes critical, firmware, configuration file, and other updates. You'll be able to send updates on the next device check-in or select a weekly schedule to deploy updates in or out of time windows that you set. This helps when you want to update devices outside standard work hours or when your help desk is fully staffed. You'll also get a detailed report of all macOS devices with updates deployed. You can drill into the report on a per-device basis to see the statuses of particular updates.
Associated licenses revoked before deletion of Apple VPP token
In a future update, when you delete an Apple VPP token in Microsoft Endpoint Manager, all Intune-assigned licenses associated with that token will be automatically revoked before the deletion.
Monitor and troubleshoot
Power BI compliance report template V2.0
Admins will be able to update the Power BI compliance report template version from V1.0 to V2.0. V2.0 will include an improved design, as well as changes to the calculations and data that are being surfaced as part of the template. For related information, see Connect to the Data Warehouse with Power BI.
App protection policy support for Symantec Endpoint Security and Check Point Sandblast
In October 2019, Intune app protection policy added the capability to use data from some of our Mobile Threat Defense (MTD) partners. We are adding support for the following partners, so that an app protection policy can block, or selectively wipe, the user's corporate data based on the health of the device:
- Check Point Sandblast on Android, iOS and iPadOS
- Symantec Endpoint Security on Android, iOS and iPadOS
For information about using app protection policy with MTD partners, see Create Mobile Threat Defense app protection policy with Intune.
Microsoft Defender ATP creates Endpoint Manager Security task with vulnerability details
Threat and Vulnerability Management (TVM) in Microsoft Defender ATP discovers misconfigured security settings on devices. Administrators use this information to update vulnerable devices.
Soon, Microsoft Defender ATP can raise an Endpoint Manager Security task (Endpoint Manager > Endpoint Security > Security tasks) with the vulnerability details, and show the affected devices. IT administrators can accept the security task, and deploy the required configuration.
For more information on security tasks, see Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP.
Changes for Endpoint security Antivirus policy exclusions
We're introducing two changes to how you manage the Microsoft Defender Antivirus exclusion lists that you configure as part of an Endpoint security Antivirus policy (Endpoint security > Antivirus > Create Policy > Windows 10 and later for platform). Together they prevent conflicts between policies over the list of exclusions, and existing policies that were in conflict over that list will no longer be:
- First, we are adding a new profile type for Windows 10 and later: Microsoft Defender Antivirus exclusions. This profile type includes only the settings for specifying the processes, file extensions, and files and folders that you don't want Microsoft Defender Antivirus to scan. Separating the exclusion lists from other policy configuration simplifies their management.
- Second, the exclusion lists you define in different profiles will merge into a single list of exclusions for each device or user, based on the individual policies that apply to that device or user. For example, when you target a user with three separate policies, the exclusion lists from those three policies are merged into a single superset of Microsoft Defender Antivirus exclusions, which is then applied to the user. This merge includes the exclusion lists from the new profile type we're adding, as well as from any existing policies that were configured in a Microsoft Defender Antivirus profile.
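A consequence of the superset merge is that one permissive profile widens the unscanned surface for every user it reaches, and the admin center shows only the per-profile lists. The following is an added example, not Intune code and not the service's own algorithm: it models the merge rule stated above over constructed policies and group memberships, so you can see the effective list for a user, which profile contributed each entry, and which entries are broad enough to deserve review. The policy data is constructed and the list of "broad" extensions is my own judgement.

```python
"""Model the merge-to-superset behaviour of Microsoft Defender Antivirus exclusion lists
across several Endpoint security Antivirus profiles that target one user.

Added example, not Intune code. Policies, groups and exclusions are constructed."""
import re

POLICIES = [  # constructed: each profile is assigned to Azure AD groups
    {"name": "AV baseline", "groups": {"All Users"},
     "exclusions": {"processes": ["MsSense.exe"], "extensions": [],
                    "paths": [r"C:\ProgramData\LineOfBusinessApp\Logs"]}},
    {"name": "Developer workstation", "groups": {"Developers"},
     "exclusions": {"processes": ["devenv.exe"], "extensions": ["pdb"],
                    "paths": [r"C:\Src"]}},
    {"name": "Legacy finance app", "groups": {"Finance"},
     "exclusions": {"processes": [], "extensions": ["exe"],
                    "paths": [r"c:\programdata\lineofbusinessapp\logs", "D:\\"]}},
]

# Extensions whose exclusion stops scanning of executable content (own judgement).
BROAD_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "js", "vbs"}


def effective_exclusions(user_groups, policies=POLICIES):
    """Union the exclusions of every policy assigned to any of the user's groups.

    Returns (merged, sources): merged maps category -> sorted entries; sources maps
    (category, entry) -> names of the policies that contributed it. Entries are
    lower-cased because Windows paths and file names are case-insensitive."""
    groups = set(user_groups)
    merged = {"processes": set(), "extensions": set(), "paths": set()}
    sources = {}
    for policy in policies:
        if not policy["groups"] & groups:
            continue  # policy does not apply to this user
        for category, entries in policy["exclusions"].items():
            for entry in entries:
                key = entry.lower()
                merged[category].add(key)
                sources.setdefault((category, key), []).append(policy["name"])
    return {c: sorted(v) for c, v in merged.items()}, sources


def broad_exclusions(merged):
    """Entries that disable scanning widely: executable extensions or whole drives."""
    broad = [("extensions", e) for e in merged["extensions"]
             if e.lstrip(".") in BROAD_EXTENSIONS]
    broad += [("paths", p) for p in merged["paths"] if re.fullmatch(r"[a-z]:\\?", p)]
    return broad


if __name__ == "__main__":
    merged, sources = effective_exclusions({"All Users", "Finance"})
    for (category, entry), names in sources.items():
        print(f"{category:10} {entry:45} from {', '.join(names)}")
    print("broad:", broad_exclusions(merged))
```

Run with a user's group list to see the superset that user actually ends up with; the `sources` map is what you need when an exclusion turns up during an incident and nobody knows which profile introduced it.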
These notices provide important information that can help you prepare for future Intune changes and features.
Microsoft Intune support for Windows 10 Mobile ending
Microsoft mainstream support for Windows 10 Mobile ended in December 2019. As mentioned in this support statement, Windows 10 Mobile users will no longer be eligible to receive new security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft. Based on the all-up Mobile OS support, Microsoft Intune will now end support for both the Company Portal for the Windows 10 Mobile app and the Windows 10 Mobile Operating System on August 10, 2020.
How does this affect me?
If you have Windows 10 Mobile devices deployed in your organization, between now and August 10, 2020 you can enroll new devices, add or remove policies and apps, and update any management settings. After August 10, we will stop new enrollments and eventually remove Windows 10 Mobile management from the Intune UI. Devices will no longer check in to the Intune service, and we will delete device and policy data.
What do I need to do to prepare for this change?
You can check your Intune reporting to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running Windows 10 Mobile. Request that your end users upgrade their devices or discontinue using the devices for corporate access.
End of support for legacy PC management
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as Mobile Device Management (MDM) devices to keep them managed by Intune.
Move to the Microsoft Endpoint Manager admin center for all your Intune management
In MC208118 posted last March, we introduced a new, simple URL for your Microsoft Endpoint Manager – Intune administration: https://endpoint.microsoft.com. Microsoft Endpoint Manager is a unified platform that includes Microsoft Intune and Configuration Manager. Starting August 1, 2020, we will remove Intune administration at https://portal.azure.com and recommend you instead use https://endpoint.microsoft.com for all your endpoint management.
Decreasing support for Android device administrator
Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then beginning with Android 5, the more modern management framework of Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device administrator management by decreasing its management support in new Android releases.
How does this affect me?
Because of these changes by Google, in the fourth quarter of 2020, you will no longer have as extensive management capabilities on impacted device administrator-managed devices.
This date was previously communicated as third quarter of 2020, but it has been moved out based on the latest information from Google.
Device types that will be impacted
Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:
- Enrolled in device administrator management.
- Running Android 10 or later.
- Not a Samsung device.
Devices will not be impacted if they are any of the below:
- Not enrolled with device administrator management.
- Running an Android version below Android 10.
- Samsung devices. Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.
Settings that will be impacted
Google's decreased device administrator support prevents configuration of these settings from applying on impacted devices.
Configuration profile device restriction settings
- Block Camera
- Set Minimum password length
- Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but will apply on devices with a password)
- Set Password expiration (days)
- Set Required password type
- Set Prevent use of previous passwords
- Block Smart Lock and other trust agents
Compliance policy settings
- Set Required password type
- Set Minimum password length
- Set Number of days until password expires
- Set Number of previous passwords to prevent reuse
Additional impacts based on Android OS version
Android 10: For all device administrator-managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:
- Network access control for VPN will no longer work
- Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned
- The IMEI and serial number will no longer be visible to IT admins in Intune
Android 11: We are currently testing Android 11 support on the latest developer beta release to evaluate if it will cause impact on device administrator-managed devices.
User experience of impacted settings on impacted devices
Impacted configuration settings:
- For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).
Impacted compliance settings:
- For already enrolled devices that already had the settings applied, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page, the device will be out of compliance, and the password requirements will still be enforced in the Settings app.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page and the device will be out of compliance, but stricter password requirements will not be enforced in the Settings app.
Cause of impact
Devices will begin being impacted in the fourth quarter of 2020. At that time, there will be a Company Portal app update that will increase the Company Portal API targeting from level 28 to level 29 (as required by Google).
At that point, device administrator-managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:
- Updates to Android 10 or later.
- Updates the Company Portal app to the version that targets API level 29.
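The impact conditions above (device administrator enrollment, Android 10 or later, not a Samsung device) plus the Samsung carve-out and the "may update to Android 10" case are easy to misapply by hand across a large fleet. The following is an added example, not Intune code: it buckets device records against those conditions so you can size the migration. The record field names (`management`, `os_version`, `manufacturer`) are assumptions to map onto your own device export's columns, and the sample records are constructed.

```python
"""Bucket Android devices against the device administrator impact conditions.

Added example, not Intune code. Field names are assumptions; sample data is constructed."""
from collections import defaultdict

SAMPLE_DEVICES = [  # constructed records
    {"name": "pixel-4a-01", "management": "Device administrator", "os_version": "10", "manufacturer": "Google"},
    {"name": "galaxy-s10-02", "management": "Device administrator", "os_version": "10", "manufacturer": "Samsung"},
    {"name": "moto-g7-03", "management": "Device administrator", "os_version": "9.0", "manufacturer": "Motorola"},
    {"name": "pixel-5-wp-04", "management": "Work profile", "os_version": "11", "manufacturer": "Google"},
    {"name": "oneplus-8-05", "management": "Device administrator", "os_version": "11.0.1", "manufacturer": "OnePlus"},
    {"name": "tablet-06", "management": "Device administrator", "os_version": "", "manufacturer": "Xiaomi"},
]


def android_major(os_version):
    """'10', '10.0', '11.0.1' -> 10, 10, 11; blank or unparseable -> None."""
    try:
        return int(str(os_version).strip().split(".")[0])
    except ValueError:
        return None


def classify(device):
    """Apply the three impact conditions; Samsung and pre-Android 10 get their own buckets."""
    if device.get("management", "").strip().lower() != "device administrator":
        return "not_device_admin"
    major = android_major(device.get("os_version", ""))
    if major is None:
        return "unknown_os_version"  # cannot evaluate; check the record
    if major < 10:
        return "watch_may_update"  # not impacted now, but will be after an OS update
    if "samsung" in device.get("manufacturer", "").lower():
        return "samsung_deferred"  # extended support through the Knox integration
    return "impacted"


def triage(devices):
    """Return bucket -> list of device names."""
    buckets = defaultdict(list)
    for device in devices:
        buckets[classify(device)].append(device["name"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, names in sorted(triage(SAMPLE_DEVICES).items()):
        print(f"{bucket:20} {len(names):3}  {', '.join(names)}")
```

The `impacted` bucket is the migration priority; `watch_may_update` is the set that becomes impacted the moment a user accepts an OS update, so plan it alongside rather than after.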
What do I need to do to prepare for this change?
To avoid the reduction in functionality coming in the fourth quarter of 2020, we recommend the following:
- New enrollments: Onboard new devices into Android Enterprise management (where available) and/or app protection policies. Avoid onboarding new devices into device administrator management.
- Previously enrolled devices: If a device administrator-managed device is running Android 10 or later, or may update to Android 10 or later (especially if it is not a Samsung device), move it off device administrator management to Android Enterprise management and/or app protection policies. You can use the streamlined flow to move Android devices from device administrator to work profile management.
- Move Android devices from device administrator to work profile management
- Set up enrollment of Android Enterprise work profile devices
- Set up enrollment of Android Enterprise dedicated devices
- Set up enrollment of Android Enterprise fully managed devices
- How to create and assign app protection policies
- How to use Intune in environments without Google Mobile Services
- Understanding app protection policies and work profiles on Android Enterprise devices
- Google’s blog about what you need to know about Device Admin deprecation
- Google's guidance for migration from device administrator to Android Enterprise
- Google's documentation of deprecated device administrator APIs
Plan for Change: Intune Enrollment Flow Update for Apple’s Automated Device Enrollment for iOS/iPadOS
In the July Company Portal release, we'll be changing the iOS/iPadOS enrollment flow for Apple's Automated Device Enrollment (formerly known as DEP). The change is only encountered in the "Enroll with User Affinity" flow. Previously, if you set "Install Company Portal" to "No" in your configuration, users could still install the Company Portal app from the store, which would trigger enrollment and ask the user to enter the appropriate serial number. With this upcoming Company Portal release, we'll be removing that serial number confirmation screen. Instead, create a corresponding app configuration policy to send down alongside the Company Portal so that users can successfully enroll, or set "Install Company Portal" to "Yes" in your configuration.
- See the post here for more info.
For details about recent developments, see What's new in Microsoft Intune.