In development for Microsoft Intune

To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.
  • When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.
  • This page and the What's new page are updated periodically. Check back for additional updates.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

Note

This page reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This page doesn't describe all features in development.

RSS feed: Find out when this page is updated by copying and pasting the following URL into your feed reader: https://docs.microsoft.com/api/search/rss?search=%22in+development+-+microsoft+intune%22&locale=en-us

This article was last updated on the date listed under the title above.

App management

Export underlying discovered apps list data

In addition to exporting the summarized discovered apps list data, you will also be able to export the more extensive underlying data. The current export experience provides summarized aggregate data; the new experience will also provide the raw data. The raw data export will give you the entire dataset, which is used to create the summarized aggregate report. The raw data will be a list of every device and each app discovered for that device. This functionality is being added to the Intune console to replace the Intune Data Warehouse Application Inventories dataset, which will be removed in the 2108 release. In the Microsoft Endpoint Manager admin center, select Apps > Monitor > Discovered apps > Export to display the export options. For related information, see Intune discovered apps and Export Intune reports using Graph APIs.

Maximum OS version setting for app conditional launch

Using iOS app protection policies in Microsoft Intune, you will be able to add a new conditional launch setting to ensure end users are not using a pre-release or beta OS build to access work or school account data. This setting ensures that you can vet all OS releases before end users are actively using new OS functionality. In Microsoft Endpoint Manager admin center, you will be able to find this setting by selecting Apps > App protection policies. For related information, see How to create and assign app protection policies.

Updated default license type for Apple VPP apps

When you create a new assignment for an Apple Volume Purchase Program (VPP) app, the default license type is now "device". Existing assignments remain unchanged. For more information about Apple VPP apps, see How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.

Device configuration

See policy compliance for a device in tenant attach in Endpoint Manager

To manage your devices from the cloud, you can attach your Configuration Manager infrastructure to Endpoint Manager. When deploying Endpoint Security policy to tenant attached devices, you'll be able to see the overall compliance status for the policy. With device level reporting, you'll be able to see the compliance state for a policy at the device level in the Microsoft Endpoint Manager admin center.

For more information on what you can do in Endpoint Manager in a tenant attach setup, see Microsoft Endpoint Manager tenant attach.

Use a Settings Catalog policy in a policy set for Windows and macOS devices

In Intune, you can create a policy using Settings Catalog, which lists all the settings you can configure. Now, you can use the Settings Catalog policy within a policy set.

For more information, see Use policy sets to group collections of management objects.

Applies to:

  • macOS
  • Windows 10 and newer

Settings catalog policies for policy sets

In addition to profiles based on templates, you will be able to add profiles based on the Settings catalog to your policy sets. The Settings catalog is a list of all the settings you can configure. To create a policy set in Microsoft Endpoint Manager admin center, select Devices > Policy sets > Policy sets > Create. For more information, see Use policy sets to group collections of management objects and Use the settings catalog to configure settings on Windows and macOS devices - preview.

Use the EnrollmentProfileName property when creating a filter for Android Enterprise

In Endpoint Manager, you can create filters to target devices based on different properties, including device name, manufacturer, and more. On iOS/iPadOS and Windows 10 and newer devices, you can create a filter using the enrollment profile name. The enrollment profile name property will be available for Android Enterprise devices.

To see the filter properties you can currently configure, go to Device properties, operators, and rule editing when creating filters.

Applies to:

  • Android Enterprise

Use filters on Settings Catalog configuration profiles, and Risk Score and Threat Level compliance policy settings

When you use filters to assign your policies, you'll be able to:

  • Use filters on compliance policies that use the Risk Score and Threat Level settings.
  • Use filters on configuration profiles that use the Settings Catalog profile type.

For more information on what you can do, see List of platforms, policies, and app types supported by filters.

Applies to:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 10 and newer

New macOS device configuration profile settings, and iOS/iPadOS setting name is changing

There are new settings you can configure on macOS 10.13 devices and newer (Devices > Configuration profiles > Create profile > macOS for platform > Templates > Device restrictions for profile type):

  • Block adding Game Center friends (App Store, Doc Viewing, Gaming): Prevents users from adding friends to the Game Center.
  • Block Game Center (App Store, Doc Viewing, Gaming): Disables the Game Center, and the Game Center icon is removed from the Home screen.
  • Block multiplayer gaming in the Game Center (App Store, Doc Viewing, Gaming): Prevents multiplayer gaming when using the Game Center.
  • Block modification of wallpaper (General): Prevents the wallpaper from being changed.

To see the settings you can currently configure, go to macOS device settings to allow or restrict features.

Also, the iOS/iPadOS Block Multiplayer Gaming setting name is changing to Block multiplayer gaming in the Game Center (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type).

For more information about this setting, go to iOS and iPadOS device settings to allow or restrict features.

Applies to:

  • iOS/iPadOS
  • macOS 10.13 and newer

More iOS/iPadOS home screen layout grid size options

On iOS/iPadOS devices, you can configure the grid size on the home screen (Devices > Device Configuration > Create profile > iOS/iPadOS for platform > Device features for profile > Home screen layout). For example, you can set the grid size to 4 columns x 5 rows.

The grid size will have more options:

  • 4 columns x 5 rows
  • 4 columns x 6 rows
  • 5 columns x 6 rows

To see the home screen layout settings you can currently configure, go to device settings to use common iOS/iPadOS features in Intune.

Applies to:

  • iOS/iPadOS

Device enrollment

Browser access automatically enabled during corporate Android enrollment

Browser access will be automatically enabled during new enrollments of the following devices:

  • Android dedicated devices
  • Android fully managed devices
  • Android corporate-owned work profile devices

With this upcoming change, compliant devices can use the browser to access resources protected by conditional access.

This change will have no impact on devices that are already enrolled.

Device management

Tenant attach: Offboarding

While we know customers get enormous value by enabling tenant attach with Configuration Manager, there are rare cases where you might need to offboard a hierarchy. For example, you may need to offboard from the cloud following a disaster recovery scenario where the on-premises environment was removed. You'll soon be able to offboard a Configuration Manager environment from the Microsoft Endpoint Manager admin center.

Device security

Settings catalog support for Microsoft Defender for Endpoint on macOS

You'll soon be able to use the settings catalog to configure Microsoft Defender for Endpoint on macOS. (Devices > Configuration profiles > Create profile > macOS > Settings catalog).

Some of the settings we plan to make available from the settings catalog include:

Microsoft Defender - Antivirus engine:

  • Allowed threats
  • Enable passive mode
  • Enable real-time protection
  • Scan exclusions
  • Threat type settings

Microsoft Defender - Cloud delivered protection preferences:

  • Diagnostic collection level
  • Enable - disable automatic sample submissions
  • Enable - disable cloud delivered protection

Microsoft Defender - EDR preferences:

  • Device tags
  • Enable - disable early preview

Microsoft Defender - User interface preferences:

  • Show - hide status menu icon

Certificate Connector for Microsoft Intune combines separate certificate connectors

The separate certificate connectors are being combined into a unified connector called Certificate Connector for Microsoft Intune. This unified connector replaces existing connectors, and includes the following new features:

  • Configure SCEP, PKCS, PFX imported certs, and revocation in the same connector.
  • Use normal Active Directory accounts or the system account for the connector service.
  • Based on your tenant location, select government vs. commercial environments.
  • Removes the need to select a client certificate for SCEP integration with NDES.
  • Auto-updates to the latest version of the connector.
  • Improved logging.

To use the Certificate Connector for Microsoft Intune:

  1. Uninstall any existing certificate connectors.
  2. Install the Certificate Connector for Microsoft Intune.

For more information on certificate connectors, see Certificate connectors for Microsoft Intune.

Intune apps

End users can restart an app install from the Company Portal

Using the Company Portal, end users will be able to restart an app installation if the progress seems to have stalled or is frozen. This functionality is allowed if the app installation progress has not changed in two hours.

Intune management agent for macOS devices will be a universal app

When you deploy shell scripts or custom attributes for macOS devices from Microsoft Endpoint Manager, it will deploy the new universal version of the Intune management agent app that runs natively on Apple Silicon Mac machines. The same deployment will install the x64 version of the app on Intel Mac machines. For related information, see Microsoft Intune management agent for macOS.

Monitor and troubleshoot

Account protection policy changes in Endpoint security

We’re reworking the endpoint security Account protection policy to use the new APIs for Windows Hello for Business. The new APIs will result in a more consistent experience. The new API is ./Device/Vendor/MSFT/PassportForWork, which includes more options that can help reduce conflicts. This API replaces the use of ./User/Vendor/MSFT/PassportForWork. (Endpoint security > Account protection)

After the change, only new policies you then create will use the new API. Your existing policies won’t be affected by this change and will continue to use the older API.

Export capability for Enrollment failures report

You will be able to export data from the Enrollment failures operational report. This report will allow you to quickly export reporting data generated from any size tenant. In Microsoft Endpoint Manager admin center, select Devices > Monitor > Enrollment failures > Export. For more information about reports in Intune, see Intune reports.

The Certificates report will be updated

The Certificates report, which shows the current device certificates in use, will be updated to include better capabilities to search, page, sort, and export the report. In the Microsoft Endpoint Manager admin center, select Devices > Monitor > Certificates. For more information about reports in Intune, see Intune reports.

Role-based access control

Scope tags for Managed Google Play apps

Scope tags determine which objects an admin with specific rights can view in Intune. Most newly-created items in Intune take on the scope tags of the creator. This is not the case for Managed Google Play Store apps. You will be able to optionally assign a scope tag to apply to all newly-synced Managed Google Play apps on the Managed Google Play connector pane. The chosen scope tag will only apply to new Managed Google Play apps, not Managed Google Play apps that have already been approved in the tenant. For related information, see Add Managed Google Play apps to Android Enterprise devices with Intune and Use role-based access control (RBAC) and scope tags for distributed IT.

Scripting

Update when exporting Intune reports using the Graph API

When you use the Graph API to export Intune reports without selecting any columns for the devices report, you'll receive the default column set. To reduce confusion, we'll be removing columns from the default column set starting January 2021. The columns being removed are PhoneNumberE164Format, _ComputedComplianceState, _OS, and OSDescription. These columns will still be available for selection if you need them, but only explicitly, and not by default. If you have built automation around the default columns of the device export, and that automation uses any of these columns, you need to refactor your processes to explicitly select these and any other relevant columns. For related information, see Export Intune reports using Graph APIs.
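One way to make a consumer of the devices export robust to this change, as an added example that is not Microsoft's code: it builds the export request with every needed column selected explicitly and refuses to process an export that lacks a required column, so a missing `_ComputedComplianceState` is reported as an error, not read as empty. The endpoint URL and the `Devices` report name come from the Graph export documentation, not from this page, and the sample exports and the `DeviceName` column are constructed.

```python
import csv
import io

# Columns the page lists as leaving the default set of the devices report.
REMOVED_FROM_DEFAULT = (
    "PhoneNumberE164Format", "_ComputedComplianceState", "_OS", "OSDescription",
)
# Assumption: export-job endpoint as given in the Graph export documentation.
EXPORT_JOBS_URL = "https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs"


def columns_at_risk(required):
    """Columns a consumer reads that stop arriving unless selected explicitly."""
    return [c for c in required if c in REMOVED_FROM_DEFAULT]


def build_export_request(required, report_name="Devices"):
    """JSON body for the export job, naming every column the consumer needs.

    "Devices" as the report name is an assumption taken from the Graph docs.
    """
    select = list(dict.fromkeys(required))  # de-duplicate, keep order
    if not select:
        raise ValueError("no columns requested; the default set would be returned")
    return {"reportName": report_name, "select": select}


def read_rows_strict(csv_text, required):
    """Parse an export and refuse to continue if a required column is absent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in required if c not in header]
    if missing:
        raise KeyError(f"export lacks required columns: {missing}")
    return [{c: row[c] for c in required} for row in reader]


# Constructed sample exports: the same devices before and after the change.
REQUIRED = ["DeviceName", "_ComputedComplianceState"]
OLD_DEFAULT_EXPORT = (
    "DeviceName,_ComputedComplianceState,OSDescription\n"
    "WS-001,Compliant,Windows 10\n"
    "WS-002,Noncompliant,Windows 10\n"
)
NEW_DEFAULT_EXPORT = "DeviceName\nWS-001\nWS-002\n"

if __name__ == "__main__":
    print("at risk:", columns_at_risk(REQUIRED))
    print("POST", EXPORT_JOBS_URL, build_export_request(REQUIRED))
    print(read_rows_strict(OLD_DEFAULT_EXPORT, REQUIRED))
    try:
        read_rows_strict(NEW_DEFAULT_EXPORT, REQUIRED)
    except KeyError as err:
        print("refused:", err)
```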

Intune Data Warehouse updates

The applicationInventory entity will be removed from the Intune Data Warehouse with the 2108 service update of Intune. We're introducing a more complete and accurate dataset that will be available in the UI and via our export API. For related information, see Export Intune reports using Graph APIs.

Security

New options for Tunnel Gateway server upgrades

You'll soon be able to configure some aspects of Microsoft Tunnel Gateway server upgrades. (Tenant administration > Microsoft Tunnel Gateway (preview))

Options include:

  • Restrict the start of server upgrades to a specific time window.
  • Configure servers at a site to upgrade manually, or require the admin to approve an upgrade before it can start.

We're also adding a new health check setting that helps you identify when a server is running the latest version of Tunnel Gateway.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Update your iOS Company Portal minimum version to v4.16.0

We have recently released an updated Company Portal for iOS to the Apple Store that is a required app update. The minimum supported version of the iOS Company Portal is now v4.16.0.

What action do I need to take?

If you have enabled the Block installing apps using App Store device restriction setting, you will likely need to push an update to the related devices. Otherwise, no action is needed, but if you have a helpdesk, you may want to make them aware of the prompt to update the Company Portal app.

How does this affect me?

User impact - Most users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. Users that have an earlier app version will be prompted to update to the latest Company Portal app.

Note

If you have enabled the Block installing apps using App Store device restriction setting, you may need to manually push an update to the related devices.

Plan for Change: Intune ending support for standalone client apps on Microsoft Tunnel

Beginning on June 14, 2021, the Microsoft Defender for Endpoint app on Android supports Microsoft Tunnel functionality and is the official tunnel client app for Android Enterprise customers. With the release of Microsoft Defender for Endpoint as the Microsoft Tunnel client app, the standalone Microsoft Tunnel app for Android is deprecated with support ending in 60 days, after August 14, 2021. When support ends, the standalone tunnel app will be removed from the Google Play store.

How this change will affect your organization

If you use the standalone tunnel app for Android, you'll need to move to the Microsoft Defender for Endpoint app before August 14, 2021 to ensure users can still access the Tunnel Gateway configuration.

What you need to do to prepare

For your devices that run Android Enterprise and currently use the standalone tunnel app, plan to replace the standalone tunnel app with the Defender for Endpoint app. New devices should use Microsoft Defender for Endpoint as the tunnel client app.

Upgrade to the Microsoft Intune Management Extension

We’ve released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are less than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see CVE-2021-31980 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31980.

What action do I need to take?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.
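To confirm across a fleet that the automatic upgrade has landed, the version check described above can be run over a per-device app inventory. This is an added example, not Microsoft's tooling: the column names `DeviceName`, `ApplicationName` and `ApplicationVersion` and the sample rows are constructed assumptions. Versions are compared numerically, because a plain string comparison would rank 1.9.5.0 above 1.43.203.0.

```python
import csv
import io

IME_NAME = "Microsoft Intune Management Extension"
IME_FIXED = (1, 43, 203, 0)  # version stated on this page


def parse_version(text, width=4):
    """Turn '1.43.203.0' into (1, 43, 203, 0); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= width or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    # Pad short versions so '1.43.203' equals '1.43.203.0'.
    return tuple(nums + [0] * (width - len(nums)))


def audit_ime(inventory_csv):
    """Return (outdated, unknown) lists of (device, reported version)."""
    outdated, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["ApplicationName"].strip().lower() != IME_NAME.lower():
            continue
        device, raw = row["DeviceName"], row["ApplicationVersion"]
        try:
            if parse_version(raw) < IME_FIXED:
                outdated.append((device, raw))
        except ValueError:
            # An unreadable version is not evidence of an upgrade.
            unknown.append((device, raw))
    return outdated, unknown


# Constructed sample inventory (assumed column names).
SAMPLE = """DeviceName,ApplicationName,ApplicationVersion
WS-001,Microsoft Intune Management Extension,1.43.203.0
WS-002,Microsoft Intune Management Extension,1.9.5.0
WS-003,Microsoft Intune Management Extension,1.42.300.0
WS-004,Microsoft Intune Management Extension,1.43.203
WS-005,Microsoft Intune Management Extension,
WS-006,Contoso Notes,0.1.0.0
"""

if __name__ == "__main__":
    outdated, unknown = audit_ime(SAMPLE)
    print("below 1.43.203.0:", outdated)
    print("version unreadable:", unknown)
```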

Update to Endpoint Security Antivirus Windows 10 Profiles

We've made a minor change to improve the Antivirus profile experience for Windows 10. There’s no end-user effect as this is a change only in what you’ll see in the UI.

How does this affect me?

Previously, when you configured a Windows security profile for Endpoint security Antivirus policy, you had two options for most settings: Yes and Not configured. Moving forward, those same settings now include Yes, Not configured, and a new option of No. Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you now have the option to explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting (Hide the Virus and threat protection area) was set to Not configured and the child setting was set to Yes, both the parent and child settings will be set to Not configured, which will take effect when you edit the profile.

What action do I need to take?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for Change: Intune ending company portal support for unsupported versions of Windows

Intune follows Windows 10 lifecycle for supported Windows 10 versions. We’re now removing support for the associated Windows 10 Company Portals for those Windows versions that are out of the Modern Support policy.

How does this affect me?

Given that Microsoft no longer supports these OSs, this may not affect you; you have likely already upgraded your OS or devices. This will only affect you if you are still managing unsupported Windows 10 versions. Windows and Company portal versions this affects include:

  • Windows 10, Version 1507, Company portal version 10.1.721.0
  • Windows 10, Version 1511, Company portal version 10.1.1731.0
  • Windows 10, Version 1607, Company portal version 10.3.5601.0
  • Windows 10, Version 1703, Company portal version 10.3.5601.0
  • Windows 10, Version 1709, any Company portal version

We will not uninstall these Company portal versions mentioned above, but we will remove them from the Microsoft Store and stop testing our service releases with them.

User Impact: If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. The user will not be able to be co-managed with System Center Configuration Manager and Intune.

What do I need to do?

In the Microsoft Endpoint Manager admin center, use the Discovered apps feature to find apps with these versions. On a user’s device, the Company Portal version is shown in the Settings page of the company portal. Update to a supported Windows/Company Portal version.

Plan for Change: Intune moving to support Android 6.0 and higher in April 2021

As mentioned in MC234534, Intune will be moving to support Android 6.0 (Marshmallow) and higher in the April (2104) service release.

How this change will affect your organization

Given that the Office mobile apps for Android ended support for Android 5.x (Lollipop) on June 30, 2019 (MC181101), this change may not affect you; you have likely already upgraded your OS or devices. However, if you have any device that is still running Android version 5.x, or decide to enroll any device that is running Android version 5.x, please note that these devices will no longer be supported. Either update them to Android version 6.0 (Marshmallow) or higher or replace them with a device on Android version 6.0 or higher.

Note

Teams Android devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

What you need to do to prepare

Notify your helpdesk, if applicable, of this upcoming change in support. You also have two admin options to help inform your end users or block enrollment.

  1. Here’s how you can warn end users:
    • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send a message to users before marking them noncompliant.
    • Configure an app protection policy Conditional launch setting with a Min OS version requirement to warn users.
  2. Here’s how you can block devices on versions below Android 6.0:
    • Set enrollment restrictions to prevent devices on Android 5.x from enrolling.
    • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices on Android 5.x non-compliant.
    • Configure an app protection policy Conditional launch setting with a Min OS version requirement to block users from app access.

See also

For details about recent developments, see What's new in Microsoft Intune.