In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. In addition to the information in this article:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
  • When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

App management

New app types for Microsoft Endpoint Manager

As an admin, you will be able to create and assign two new types of Intune apps:

  • iOS/iPadOS web clip
  • Windows web link

These new app types work in a similar way to the existing web link application type; however, each applies only to its specific platform, whereas web link applications apply across all platforms. With these new app types, you can assign to groups and also use assignment filters to limit the scope of assignment. You'll find this functionality in the Microsoft Endpoint Manager admin center by selecting Apps > All Apps > Add.

Enterprise feedback policies for Web Company Portal

Feedback settings for the currently signed-in user will follow the Microsoft 365 enterprise feedback policies configured in the Microsoft 365 Apps admin center. These settings determine whether feedback can be enabled, or must be disabled, for a user in the Web Company Portal.

Photo library outgoing data transfer support via app protection policies

You'll be able to include Photo Library as a supported application storage service for outgoing data. This support is in addition to the existing incoming data transfer support for Photo Library. By selecting Photo Library in the Allow users to open data from selected services setting within Intune, you can allow managed accounts to send outgoing data from their managed apps to their device's photo library on iOS and Android. In the Microsoft Endpoint Manager admin center, select Apps > App protection policies > Create Policy, then choose either iOS/iPadOS or Android. This setting will be available as part of the Data protection step, specifically for Policy managed apps. For related information, see Data protection.

Use App Protection Policies with Android Enterprise dedicated devices and Android (AOSP) devices

Intune-managed Android Enterprise dedicated devices enrolled with Azure Active Directory (Azure AD) shared mode and Android (AOSP) devices will be able to receive app protection policies and can be targeted separately from other Android device types. For more information about Android Enterprise dedicated devices and Android (AOSP), see Android Enterprise dedicated devices and Android Open Source Project.

Device management

User configuration support for Windows 11 multi-session VMs will be in public preview

You'll be able to:

  • Configure user scope policies using Settings catalog and assign to groups of users
  • Configure user certificates and assign to users
  • Configure PowerShell scripts to install in the user context and assign to users

Applies to:

  • Windows 11

Note

User support for Windows 10 multi-session builds will be available later this year.

For more information, see Using Azure Virtual Desktop multi-session with Microsoft Intune.

Remotely restart and shut down macOS device

You'll be able to remotely restart or shut down a macOS device using device actions. These device actions are available for devices running macOS 10.13 and later. For more information, see Restart devices with Microsoft Intune.

Additional Remote actions for Android (AOSP) Corporate devices

For Android Open Source Project (AOSP) Corporate devices, you'll soon be able to use two additional remote actions from the Microsoft Endpoint Manager admin center: Reboot and Remote lock.

For information about these features, see:

Applies to:

  • Android Open Source Project (AOSP)

Improved certificate reporting details

We're changing what Intune displays when you view certificate details for devices and certificate profiles (Microsoft Endpoint Manager admin center > Devices > Monitor > Certificates).

Today, the certificate reports can show certificates that are no longer valid, or that are no longer on a device. With this change, you won't see information for those invalid certificates. Instead, Intune displays only certificates that are valid, that were revoked within the last 30 days, or that expired within the last 30 days.

View a managed device's group membership

In the Monitor section of the Devices workload of Intune, you'll be able to view all Azure AD groups that a managed device belongs to. When this is available, you'll be able to see Group Membership by signing in to the Microsoft Endpoint Manager admin center and selecting Devices > Monitor > select a device > Group Membership.

Device enrollment

Utilize bootstrap tokens on macOS devices

Bootstrap token support, currently in public preview, will become available to all Microsoft Intune customers, including GCC High and Microsoft Azure Government Cloud tenants. Intune supports the use of bootstrap tokens on enrolled devices running macOS, version 10.15 or later.

Bootstrap tokens allow for non-admin users to have increased MDM permissions, and perform specific software functions on behalf of the IT admin. Bootstrap tokens will be supported on:

  • Supervised devices (in Intune, that's all user-approved enrollments)
  • Devices enrolled in Intune via Apple automated device enrollment

For more information about how bootstrap tokens work with Intune, see Set up enrollment for macOS devices.

Device configuration

New macOS settings in Settings Catalog

The Settings Catalog has new macOS settings you can configure (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog (preview) for profile type):

Accounts > Caldav:

  • Cal DAV Account Description
  • Cal DAV Host Name
  • Cal DAV Password
  • Cal DAV Port
  • Cal DAV Principal URL
  • Cal DAV Use SSL
  • Cal DAV Username

Accounts > Carddav:

  • Card DAV Account Description
  • Card DAV Host Name
  • Card DAV Password
  • Card DAV Port
  • Card DAV Principal URL
  • Card DAV Use SSL
  • Card DAV Username

User Experience > Dock:

  • Allow Dock Fixup Override
  • Autohide
  • Autohide Immutable
  • Contents Immutable
  • Double Click Behavior
  • Double Click Behavior Immutable
  • Large Size
  • Launch Animation
  • Launch Animation Immutable
  • Magnification
  • Magnify Immutable
  • Magsize Immutable
  • MCX Dock Special Folders
  • Minimize Effect
  • Minimize Effect Immutable
  • Minimize To Application
  • Minimize To Application Immutable
  • Orientation
  • Persistent Apps
  • Position Immutable
  • Show Process Indicators
  • Show Indicators Immutable
  • Show Recents
  • Show Recents Immutable
  • Size Immutable
  • Static Apps
  • Static Only
  • Static Others
  • Tile Size
  • Window Tabbing
  • Window Tabbing Immutable

System Configuration > Energy Saver:

  • Desktop Schedule
  • Repeating Power Off
  • Repeating Power On
  • Desktop AC Power
  • Portable Battery Power
  • Portable AC Power
  • Destroy FV Key On Standby
  • Sleep Disabled

System Configuration > System Logging:

  • Enable Private Data

System Configuration > System Extensions:

  • Removable System Extensions

System Configuration > Time Server:

  • Time Server
  • Time Zone

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

Security > Passcode:

  • Allow Simple Passcode
  • Change At Next Auth
  • Expiration In Days
  • Force Pin
  • Lock After Inactivity Minutes
  • Max Failed Attempts
  • Max Grace Period
  • Min Complex Chars
  • Min Length
  • Minutes Until Failed Login Reset
  • Passcode History
  • Require Alphanumeric Passcode

Privacy > Privacy Preferences Policy Control:

  • Accessibility
  • Address Book
  • Apple Events
  • Calendar
  • Camera
  • File Provider Presence
  • Listen Event
  • Media Library
  • Microphone
  • Photos
  • Post Event
  • Reminders
  • Screen Capture
  • Speech Recognition
  • System Policy All Files
  • System Policy Desktop Folder
  • System Policy Documents Folder
  • System Policy Downloads Folder
  • System Policy Network Volumes
  • System Policy Removable Volumes
  • System Policy Sys Admin Files

System Configuration > System Extensions:

  • Allow User Overrides
  • Allowed System Extension Types
  • Allowed System Extensions
  • Allowed Team Identifiers

There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies.

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:

  • macOS

Unlock the work profile on Android Enterprise corporate owned work profile (COPE) devices after a set time using password, PIN, or pattern

On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration profiles > Create profile > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type).

On Android Enterprise devices, you can configure the How often pin, password, or pattern is needed to unlock setting. This setting will also be available for the work profile on Android Enterprise COPE devices.

For more information on this setting, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android 8.0 and newer
  • Android Enterprise corporate owned work profile (COPE)

Use TEAP authentication in wired networks device configuration profiles for Windows devices

On Windows devices, you can create a Wired Networks device configuration profile that supports the Extensible Authentication Protocol (EAP) (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Wired networks for profile type).

When you create the profile, you'll be able to use the Tunnel Extensible Authentication Protocol (TEAP).

For more information on wired networks, go to Add and use wired networks settings on your macOS and Windows devices in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10

iOS/iPadOS platform is in Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. The iOS/iPadOS platform and some settings are now available in the Settings Catalog (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Settings catalog (preview) for profile type).

New settings include:

Accounts > Caldav:

  • Cal DAV Account Description
  • Cal DAV Host Name
  • Cal DAV Password
  • Cal DAV Port
  • Cal DAV Principal URL
  • Cal DAV Use SSL
  • Cal DAV Username

Accounts > Carddav:

  • Card DAV Account Description
  • Card DAV Host Name
  • Card DAV Password
  • Card DAV Port
  • Card DAV Principal URL
  • Card DAV Use SSL
  • Card DAV Username

AirPlay:

  • Allow List
  • Password

Managed Devices > Profile Removal Password:

  • Removal Password

Networking > Cellular:

  • APNs
  • Attach APN

Proxies > Global HTTP Proxy:

  • Proxy Captive Login Allowed
  • Proxy PAC Fallback Allowed
  • Proxy PAC URL
  • Proxy Password
  • Proxy Server
  • Proxy Server Port
  • Proxy Type
  • Proxy Username

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

App Management > AppLock:

  • App Identifier
  • Disable Auto Lock
  • Disable Device Rotation
  • Disable Ringer Switch
  • Disable Sleep Wake Button
  • Disable Touch
  • Disable Volume Buttons
  • Enable Assistive Touch
  • Enable Invert Colors
  • Enable Mono Audio
  • Enable Speak Selection
  • Enable Voice Control
  • Enable Voice Over
  • Enable Zoom
  • Allow Assistive Touch Adjustment
  • Allow Invert Colors Adjustment
  • Allow Voice Control Adjustment
  • Allow Voice Over Adjustment
  • Allow Zoom Adjustment

Networking > Domains:

  • Email Domains
  • Safari Password Auto Fill Domains
  • Web Domains

Networking > DNS Settings:

  • DNS Protocol
  • Server Addresses
  • Server Name
  • Server URL
  • Supplemental Match Domains
  • Action
  • Action Parameters
  • DNS Domain Match
  • DNS Server Address Match
  • Interface Type Match
  • SSID Match
  • URL String Probe

Networking > Network Usage Rules:

  • Allow Cellular Data
  • Allow Roaming Cellular Data
  • App Identifier Matches

Printing > Air Print:

  • Printers
  • Force TLS
  • IP Address
  • Port
  • Resource Path

Restrictions:

  • Allow Account Modification
  • Allow Activity Continuation
  • Allow Adding Game Center Friends
  • Allow Air Drop
  • Allow Air Print
  • Allow Air Print Credentials Storage
  • Allow Air Print iBeacon Discovery
  • Allow App Cellular Data Modification
  • Allow App Clips
  • Allow App Installation
  • Allow App Removal
  • Allow Apple Personalized Advertising
  • Allow Assistant
  • Allow Assistant User Generated Content
  • Allow Assistant While Locked
  • Allow Auto Correction
  • Allow Auto Unlock
  • Allow Automatic App Downloads
  • Allow Automatic Screen Saver
  • Allow Bluetooth Modification
  • Allow Bookstore
  • Allow Bookstore Explicit Books
  • Allow Camera
  • Allow Cellular Plan Modification
  • Allow Chat
  • Allow Cloud Backup
  • Allow Cloud Document Sync
  • Allow Cloud Keychain Sync
  • Allow Cloud Photo Library
  • Allow Cloud Private Relay
  • Allow Continuous Path Keyboard
  • Allow Definition Lookup
  • Allow Device Name Modification
  • Allow Diagnostic Submission
  • Allow Diagnostic Submission Modification
  • Allow Dictation
  • Allow Enabling Restrictions
  • Allow Enterprise App Trust
  • Allow Enterprise Book Backup
  • Allow Enterprise Book Metadata Sync
  • Allow Erase Content And Settings
  • Allow ESIM Modification
  • Allow Explicit Content
  • Allow Files Network Drive Access
  • Allow Files USB Drive Access
  • Allow Find My Device
  • Allow Find My Friends
  • Allow Find My Friends Modification
  • Allow Fingerprint For Unlock
  • Allow Fingerprint Modification
  • Allow Game Center
  • Allow Global Background Fetch When Roaming
  • Allow Host Pairing
  • Allow In App Purchases
  • Allow Keyboard Shortcuts
  • Allow Listed App Bundle IDs
  • Allow Lock Screen Control Center
  • Allow Lock Screen Notifications View
  • Allow Lock Screen Today View
  • Allow Mail Privacy Protection
  • Allow Managed Apps Cloud Sync
  • Allow Managed To Write Unmanaged Contacts
  • Allow Multiplayer Gaming
  • Allow Music Service
  • Allow News
  • Allow NFC
  • Allow Notifications Modification
  • Allow Open From Managed To Unmanaged
  • Allow Open From Unmanaged To Managed
  • Allow OTAPKI Updates
  • Allow Paired Watch
  • Allow Passbook While Locked
  • Allow Passcode Modification
  • Allow Password Auto Fill
  • Allow Password Proximity Requests
  • Allow Password Sharing
  • Allow Personal Hotspot Modification
  • Allow Photo Stream
  • Allow Podcasts
  • Allow Predictive Keyboard
  • Allow Proximity Setup To New Device
  • Allow Radio Service
  • Allow Remote Screen Observation
  • Allow Safari
  • Allow Screen Shot
  • Allow Shared Device Temporary Session
  • Allow Shared Stream
  • Allow Spell Check
  • Allow Spotlight Internet Results
  • Allow System App Removal
  • Allow UI App Installation
  • Allow UI Configuration Profile Installation
  • Allow Unmanaged To Read Managed Contacts
  • Allow Unpaired External Boot To Recovery
  • Allow Untrusted TLS Prompt
  • Allow USB Restricted Mode
  • Allow Video Conferencing
  • Allow Voice Dialing
  • Allow VPN Creation
  • Allow Wallpaper Modification
  • Allow Wifi Power Modification
  • Allow iTunes
  • Autonomous Single App Mode Permitted App IDs
  • Blocked App Bundle IDs
  • Enforced Software Update Delay
  • Enforced Software Update Major OS Deferred Install Delay
  • Enforced Software Update Minor OS Deferred Install Delay
  • Enforced Software Update Non OS Deferred Install Delay
  • Force Air Drop Unmanaged
  • Force Air Play Outgoing Requests Pairing Password
  • Force Air Print Trusted TLS Requirement
  • Force Assistant Profanity Filter
  • Force Authentication Before Auto Fill
  • Force Automatic Date And Time
  • Force Classroom Automatically Join Classes
  • Force Classroom Request Permission To Leave Classes
  • Force Classroom Unprompted App And Device Lock
  • Force Classroom Unprompted Screen Observation
  • Force Delayed Major Software Updates
  • Force Delayed Software Updates
  • Force Encrypted Backup
  • Force iTunes Store Password Entry
  • Force Limit Ad Tracking
  • Force On Device Only Dictation
  • Force On Device Only Translation
  • Force Unprompted Managed Classroom Screen Observation
  • Force Watch Wrist Detection
  • Force WiFi Power On
  • Force WiFi To Allowed Networks Only
  • Require Managed Pasteboard
  • Safari Accept Cookies Double
  • Safari Allow Autofill
  • Safari Allow Java Script
  • Safari Allow Popups
  • Safari Force Fraud Warning

Security > Passcode:

  • Allow Simple Passcode
  • Expiration In Days
  • Force Pin
  • Lock After Inactivity Minutes
  • Max Failed Attempts
  • Max Grace Period
  • Min Complex Chars
  • Min Length
  • Passcode History
  • Require Alphanumeric Passcode

System Configuration > Lock Screen Message:

  • Asset Tag Information
  • Lock Screen Footnote

User Experience > Notifications:

  • Alert Type
  • Badges Enabled
  • Bundle Identifier
  • Critical Alert Enabled
  • Grouping Type
  • Notifications Enabled
  • Preview Type
  • Show In Car Play
  • Show In Lock Screen
  • Show In Notification Center
  • Sounds Enabled

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • iOS/iPadOS

Add custom support information to Android Enterprise devices

On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration profiles > Create profile > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type).

There will be some new settings you can configure:

  • Short support message: When users try to change a managed setting, you can add a short message that's shown to users in a system dialog window.
  • Long support message: You can add a long message that's shown in Settings > Security > Device admin apps > Device Policy.

By default, the OEM default messages are shown. When you deploy a custom message, the Intune default message is also deployed. If you don't enter a custom message for the device's default language, then the Intune default message is shown.

For example, you deploy a custom message for English and French. The user changes the device's default language to Spanish. Since you didn't deploy a custom message to the Spanish language, the Intune default message is shown.

The Intune default message is translated for all languages in the Endpoint Manager admin center (Settings > Language + Region). The Language setting value determines the default language used by Intune. By default, it's set to English.

In the policy, you can customize the messages for the following languages:

  • Arabic
  • Bulgarian
  • Czech
  • Danish
  • German
  • Greek
  • English (United Kingdom)
  • English (United States)
  • Spanish (Spain)
  • Spanish (Mexico)
  • Estonian
  • Finnish
  • French (Canada)
  • French (France)
  • Hebrew
  • Croatian
  • Hungarian
  • Italian
  • Japanese
  • Korean
  • Lithuanian
  • Latvian
  • Norwegian, Bokmål
  • Dutch
  • Polish
  • Portuguese (Brazil)
  • Portuguese (Portugal)
  • Romanian
  • Slovak
  • Slovenian
  • Russian
  • Serbian
  • Swedish
  • Thai
  • Turkish
  • Ukrainian
  • Chinese (Simplified)
  • Chinese (Traditional)

For a list of settings you can currently configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android 7.0 and newer
  • Android Enterprise corporate owned fully managed (COBO)
  • Android Enterprise corporate owned dedicated devices (COSU)
  • Android Enterprise corporate owned work profile (COPE)

New settings for DFCI profiles on Windows 10/11 devices

On Windows 10/11 devices, you can create a Device Firmware Configuration Interface (DFCI) profile (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

DFCI profiles let Intune pass management commands to UEFI (Unified Extensible Firmware Interface) through the DFCI firmware layer. Because these settings are enforced below the operating system, the configuration is more resilient to tampering. DFCI also limits end users' control over the BIOS by graying out managed settings.

There will be new settings you can configure:

  • Built-in hardware:

    • Front cameras
    • Rear cameras
    • Infrared (IR) cameras
    • Microphones
    • Speakers
    • Bluetooth
    • WWAN
    • NFC
    • Wi-Fi
  • Ports:

    • USB type A
    • USB type C
    • SD card
  • Wake on LAN
  • Wake on power

For more information on the DFCI profile, go to Use Device Firmware Configuration Interface profiles on Windows devices in Microsoft Intune.

Applies to:

  • Windows 10/11

Settings catalog for macOS and Windows is generally available (GA)

The settings catalog will be generally available (GA). For more information on the settings catalog, go to Use the settings catalog to configure settings on Windows and macOS devices.

Applies to:

  • macOS
  • Windows 10/11

New Microsoft Office and Microsoft Outlook preference settings in the macOS Settings Catalog

The Settings Catalog now supports preference settings for Microsoft Office and Microsoft Outlook (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog (preview) for profile type).

Microsoft Office > Microsoft Office:

  • Allow experiences and functionality that analyzes user content
  • Allow experiences and functionality that downloads user content
  • Allow macros to modify Visual Basic projects
  • Allow optional connected experiences
  • Allow Visual Basic macros to use system APIs
  • Background accessibility checking
  • Default to local files for open/save
  • Diagnostic data level
  • Disable cloud fonts
  • Disable third-party store add-in catalog
  • Disable user surveys
  • Enable automatic sign-in
  • Prevent all Visual Basic macros from executing
  • Prevent Visual Basic macros from using external dynamic libraries
  • Prevent Visual Basic macros from using legacy MacScript
  • Prevent Visual Basic macros from using pipes to communicate
  • Show Template Gallery on app launch
  • Show What's New dialog
  • Visual Basic macro policy

Microsoft Office > Microsoft Outlook:

  • Allow S/MIME certificates without a matching email address
  • Allowed Email Domains
  • Default domain name
  • Default weather location
  • Disable 'Do Not Forward' options
  • Disable automatic updating of weather location
  • Disable email signatures
  • Disable export to OLM files
  • Disable import from OLM and PST files
  • Disable Junk settings
  • Disable Microsoft 365 encryption options
  • Disable Microsoft Teams meeting support
  • Disable S/MIME
  • Disable Skype for Business meeting support
  • Download embedded images
  • Enable New Outlook
  • Hide On My Computer folders
  • Hide the 'Get started with Outlook' control in the task pane
  • Hide the 'Personalize the new Outlook' dialog
  • Set the order in which S/MIME certificates are considered
  • Set theme
  • Specify first day of the week
  • Trust Office 365 autodiscover redirects
  • Use domain-based autodiscover instead of Office 365

For more information about Microsoft Office settings, see Use preferences to manage privacy controls for Office for Mac - Deploy Office.

For more information about Microsoft Outlook settings, see Set preferences for Outlook for Mac - Deploy Office.

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:

  • macOS

Certificate profiles support for Android (AOSP) devices

To expand our support for the Android Open Source Project (AOSP) platform, you’ll soon be able to deploy the following certificate profiles to corporate-owned and userless devices:

  • Trusted certificate profile
  • PKCS certificate profile

Create and deploy Wi-Fi profiles to Android AOSP devices

You'll be able to configure and deploy a Wi-Fi profile to your Android AOSP devices.

Applies to:

  • Android (AOSP)

Import custom ADMX and ADML administrative templates to create a device configuration profile

You can create a device configuration policy that uses built-in ADMX templates (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Administrative templates).

You'll be able to import custom and third-party/partner ADMX and ADML templates into the Endpoint Manager admin center. Once imported, you can create a device configuration policy from them, assign the policy to your devices, and manage the settings in the policy.

For information on the built-in ADMX templates, see Use Windows 10/11 templates to configure group policy settings in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10
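Before importing a custom template, it is worth confirming that the ADMX and its ADML actually agree, since every `$(string.X)` and `$(presentation.X)` reference in the ADMX must resolve to an entry in the matching ADML, and any namespace the ADMX pulls in with a `<using>` element has to come from another template. The following PowerShell script is an added example, not Microsoft's or Intune's own tooling; it assumes the usual Group Policy layout of `<root>\*.admx` with `<root>\en-US\*.adml`, and the `$TemplateRoot` parameter, the function name and the output fields are all placeholders of this example.

```powershell
# Added example (not Intune's code): pre-import consistency check for custom ADMX/ADML templates.
# Assumed layout: $TemplateRoot\<name>.admx and $TemplateRoot\en-US\<name>.adml
param(
    [string]$TemplateRoot = '.\custom-admx'   # placeholder path
)

function Test-AdmxTemplate {
    param([string]$AdmxPath)

    $name     = [System.IO.Path]::GetFileNameWithoutExtension($AdmxPath)
    $admlPath = Join-Path (Join-Path (Split-Path -Parent $AdmxPath) 'en-US') "$name.adml"
    [xml]$admx = Get-Content -LiteralPath $AdmxPath -Raw

    $result = [ordered]@{
        Template             = $name
        AdmlFound            = (Test-Path -LiteralPath $admlPath)
        Dependencies         = @()   # namespaces imported via <using>; their ADMX must exist already
        MissingStrings       = @()
        MissingPresentations = @()
    }

    $result.Dependencies = @($admx.policyDefinitions.policyNamespaces.using |
        ForEach-Object { $_.namespace })

    if (-not $result.AdmlFound) { return [pscustomobject]$result }

    [xml]$adml = Get-Content -LiteralPath $admlPath -Raw
    $stringIds = @($adml.policyDefinitionResources.resources.stringTable.string |
        ForEach-Object { $_.id })
    $presIds   = @($adml.policyDefinitionResources.resources.presentationTable.presentation |
        ForEach-Object { $_.id })

    # Collect every resource reference the ADMX makes and check it exists in the ADML.
    $raw        = Get-Content -LiteralPath $AdmxPath -Raw
    $refStrings = [regex]::Matches($raw, '\$\(string\.([A-Za-z0-9_]+)\)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    $refPres    = [regex]::Matches($raw, '\$\(presentation\.([A-Za-z0-9_]+)\)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

    $result.MissingStrings       = @($refStrings | Where-Object { $stringIds -notcontains $_ })
    $result.MissingPresentations = @($refPres    | Where-Object { $presIds   -notcontains $_ })
    return [pscustomobject]$result
}

Get-ChildItem -LiteralPath $TemplateRoot -Filter *.admx |
    ForEach-Object { Test-AdmxTemplate -AdmxPath $_.FullName } |
    Format-List
```

A template that reports missing strings or presentations will not render correctly once imported, and any namespace listed under Dependencies points at another ADMX file that has to be present first; run the check from the folder you intend to upload from so the paths match what you hand to the admin center.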

Device security

Users assigned the Endpoint Security Manager admin role can modify Mobile Threat Defense connector settings

We’re expanding the scope of the Endpoint Security Manager built-in admin role to include the capability to modify the Mobile Threat Defense connector (MTD connector) settings for your Tenant.

Before this permission change takes effect, we recommend you review the users assigned to the Endpoint Security Manager role for your tenant. If any of them shouldn't be able to edit the MTD connector settings, update their role permissions or create a custom role that only allows read permission for MTD connector settings.

Microsoft Endpoint Manager admin center > Tenant administration > Roles > Endpoint Security Manager > Assignments.

Reusable groups of settings for Microsoft Defender Firewall Rules

You’ll soon be able to add reusable groups of settings to your profiles for Microsoft Defender Firewall Rules. The reusable groups are collections of remote IP addresses and FQDNs that you define one time and can then use with one or more firewall rule profiles. You’ll no longer need to reconfigure the same group of IP addresses in each individual profile that might require them.

Features of the reusable settings groups will include:

  • Add one or more remote IP addresses.

  • Add one or more FQDNs. With auto resolve on, each FQDN resolves to its remote IP addresses; when auto resolve is off for the group, entries can instead be one or more simple keywords.

  • Use each settings group with one or more firewall rule profiles; different profiles can apply different access configurations to the same group.

    For example, you can create two firewall rule profiles that reference the same reusable settings group and assign each profile to a different group of devices. The first profile can block access to all the remote IP addresses in the reusable settings group, while the second profile can be configured to allow access.

  • Edits to a settings group that's in use are automatically applied to the Firewall Rules profiles that use that group.

Reusable groups will be configured on a new Reusable settings tab that appears when you view endpoint security Firewall policy, in the Microsoft Endpoint Manager admin center under Endpoint security > Firewall.

Monitor and troubleshoot

Use Collect diagnostics to collect details about Windows expedited updates

Intune's Collect diagnostics remote action (Devices > Windows > select a device > Collect diagnostics) will soon collect additional details about Windows expedited updates that you deploy to devices. This information can be useful when troubleshooting problems with expedited updates.

The new details that will be collected include:

  • Files: C:\Program Files\Microsoft Update Health Tools\Logs\*.etl
  • Registry Keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate
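When a device is at hand, the same two artifacts can be inspected locally, which is quicker than waiting for a diagnostics package and lets you confirm that the Update Health Tools are even present before you troubleshoot further. The script below is an added example and not part of Intune or the Update Health Tools; it only reads the log folder and registry key named above. Because the page does not document the value names under that key, the script lists whatever values are present rather than assuming any, and the function name is a placeholder of this example.

```powershell
# Added example (not Intune's code): read the expedited-update artifacts that
# Collect diagnostics gathers, directly on the device.
$LogDirectory = 'C:\Program Files\Microsoft Update Health Tools\Logs'
$RegistryKey  = 'HKLM:\SOFTWARE\Microsoft\CloudManagedUpdate'

function Get-ExpeditedUpdateArtifacts {
    param(
        [string]$LogPath = $LogDirectory,
        [string]$KeyPath = $RegistryKey
    )

    # ETL traces written by the Update Health Tools, newest first; empty if the
    # tools are not installed or have not logged anything yet.
    $logs = @()
    if (Test-Path -LiteralPath $LogPath) {
        $logs = Get-ChildItem -LiteralPath $LogPath -Filter *.etl -File |
            Sort-Object LastWriteTime -Descending |
            Select-Object Name, Length, LastWriteTime
    }

    # Registry state for cloud-managed (expedited) updates. Value names are not
    # documented on the page, so list every value under the key as-is.
    $values = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $values = Get-ItemProperty -LiteralPath $KeyPath |
            Select-Object * -ExcludeProperty PS*
    }

    [pscustomobject]@{
        HealthToolsPresent = (Test-Path -LiteralPath $LogPath)
        EtlLogs            = $logs
        CloudManagedUpdate = $values
    }
}

$report = Get-ExpeditedUpdateArtifacts
$report | Format-List

# ETL files are binary; to read one, convert it with the built-in tracerpt tool:
#   tracerpt "<path to .etl>" -o trace.xml -of XML
```

Run it in an elevated session so the Program Files folder and HKLM key are readable. A missing log folder usually means the Update Health Tools are not installed on the device, which is itself a common reason an expedited update never applies.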

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for change: Intune is moving to support macOS 11.6 and higher later this year

Apple is expected to release macOS 13 (Ventura) later this year. After that release, Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will move to support macOS 11.6 (Big Sur) and later. Since the Company Portal app for iOS and macOS is a unified app, this change will occur shortly after the release of iOS/iPadOS 16.

How does this affect you or your users?

This change will affect you only if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Big Sur is compatible with these computers.

Note

Devices that are currently enrolled on macOS 10.15 or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 10.15 or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 10.15 or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for change: Intune is moving to support iOS/iPadOS 14 and later

Later this year, we expect iOS 16 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 14/iPadOS 14 and higher shortly after iOS 16’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 14).

Because Office 365 mobile apps are supported on iOS/iPadOS 14.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 14 or iPadOS 14 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. See https://aka.ms/ADE_userless_support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management, go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status > App Protection report: iOS, Android.

To manage the supported OS version in your organization, you can use Microsoft Endpoint Manager controls for both mobile device management and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Deploy macOS LOB apps by uploading PKG-type installer files

We recently announced the general availability of deploying macOS line-of-business (LOB) apps by uploading PKG-type installer files directly in the Microsoft Endpoint Manager admin center. This process no longer requires the Intune App Wrapping Tool for macOS to convert .pkg files to the .intunemac format.

In July 2022, we will be removing the Intune App Wrapping Tool for macOS from the Microsoft Intune App SDK GitHub repository. Soon after, we will be removing the ability to upload wrapped .intunemac files in the Microsoft Endpoint Manager admin center.

How does this affect you or your users?

There is no impact to apps previously uploaded with .intunemac files. You can upgrade previously uploaded apps by uploading the .pkg file type.

How can you prepare?

Moving forward, deploy macOS LOB apps by uploading and deploying PKG-type installer files in the Microsoft Endpoint Manager admin center.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices will not be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment.

Here's how you can warn users:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that warns users.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send an email or push notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that blocks users from app access.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices running Android 7.x or earlier non-compliant.
  • Set enrollment restrictions that prevent devices running Android 7.x or earlier from enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.
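The macOS, iOS/iPadOS and Android notices above all end with the same preparation step: find the devices in your inventory whose OS version is below the new floor. The admin center's "sort by OS version" column is one way; the script below is an added example (not part of this Microsoft article and not Microsoft code) that does the same check over device records shaped like the Microsoft Graph managedDevice resource (the operatingSystem, osVersion, deviceName and userPrincipalName fields). The records, the user names and the exact operatingSystem strings are constructed assumptions; the version floors come from the notices on this page. The point it adds is that versions must be compared numerically: a string sort places "10" before "9", so a plain text sort can hide the very devices you are looking for.

```python
"""Flag Intune-managed devices below the supported OS floor.

Added illustration, not Microsoft code. Records mimic the Graph
managedDevice fields; the SAMPLE_DEVICES list below is constructed.
"""
import re

# Minimum supported versions per platform, derived from the notices above
# (macOS 10.15 and earlier lose new-enrollment support, so the floor is 11.0).
# Keys are assumed operatingSystem values; values are (major, minor) floors.
MIN_MDM_VERSION = {
    "macOS": (11, 0),
    "iOS": (14, 0),
    "iPadOS": (14, 0),
    "Android": (8, 0),      # MDM-enrolled Android devices
}
MIN_APP_VERSION = {
    "Android": (9, 0),      # app protection policies (APP/MAM)
}


def parse_version(text):
    """Turn '10.15.7' or '8.1.0' into a tuple of ints for correct ordering.
    A string sort puts '10.x' before '9.x'; integer tuples do not."""
    nums = re.findall(r"\d+", text or "")
    if not nums:
        raise ValueError(f"unparseable osVersion: {text!r}")
    return tuple(int(n) for n in nums)


def is_below(version, minimum):
    """True if `version` is older than the (major, minor) `minimum`.
    Both sides are zero-padded so '8' and '8.0' compare as equal."""
    v = parse_version(version)
    width = max(len(v), len(minimum))
    return v + (0,) * (width - len(v)) < minimum + (0,) * (width - len(minimum))


def find_unsupported(devices, minimums):
    """Return the device records whose platform has a floor in `minimums`
    and whose osVersion is below it. Other platforms are left alone."""
    hits = []
    for d in devices:
        floor = minimums.get(d.get("operatingSystem"))
        if floor is not None and is_below(d.get("osVersion", ""), floor):
            hits.append(d)
    return hits


# Constructed sample inventory (hypothetical names and users).
SAMPLE_DEVICES = [
    {"deviceName": "MAC-001", "operatingSystem": "macOS", "osVersion": "10.15.7", "userPrincipalName": "ana@contoso.example"},
    {"deviceName": "MAC-002", "operatingSystem": "macOS", "osVersion": "12.3", "userPrincipalName": "ben@contoso.example"},
    {"deviceName": "IPHONE-01", "operatingSystem": "iOS", "osVersion": "13.7", "userPrincipalName": "cy@contoso.example"},
    {"deviceName": "IPAD-01", "operatingSystem": "iPadOS", "osVersion": "15.4.1", "userPrincipalName": "dee@contoso.example"},
    {"deviceName": "AND-01", "operatingSystem": "Android", "osVersion": "7.1.2", "userPrincipalName": "eli@contoso.example"},
    {"deviceName": "AND-02", "operatingSystem": "Android", "osVersion": "8.1.0", "userPrincipalName": "fay@contoso.example"},
    {"deviceName": "AND-03", "operatingSystem": "Android", "osVersion": "10", "userPrincipalName": "gus@contoso.example"},
    {"deviceName": "WIN-01", "operatingSystem": "Windows", "osVersion": "10.0.19043.1526", "userPrincipalName": "hal@contoso.example"},
]


def report(devices=SAMPLE_DEVICES):
    """Device names that fall below the MDM floor and the APP floor."""
    return {
        "mdm": [d["deviceName"] for d in find_unsupported(devices, MIN_MDM_VERSION)],
        "app": [d["deviceName"] for d in find_unsupported(devices, MIN_APP_VERSION)],
    }


if __name__ == "__main__":
    for scope, names in report().items():
        print(f"{scope}: {', '.join(names) or 'none'}")
```

With the constructed sample, the MDM check flags MAC-001, IPHONE-01 and AND-01, and the APP check flags AND-01 and AND-02; AND-03 ("10") is correctly left alone even though "10" sorts before "8" as text. To run it against a real tenant, replace SAMPLE_DEVICES with the records returned by the Graph managedDevices endpoint (selecting deviceName, operatingSystem, osVersion and userPrincipalName) and confirm the operatingSystem strings your tenant reports, since those values are an assumption here.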

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:

Take action: Update to the latest version of the Android Company Portal app

Starting with the October (2110) service release, Intune will no longer support new Android device administrator enrollments that use Company Portal version 5.04993.0 or earlier. The reason is a change in the integration of Intune with Samsung devices.

How does this affect you or your users?

Users who try to enroll Samsung devices with Android device administrator by using an older version of the Company Portal app (any version earlier than 5.04993.0) will no longer succeed. They'll need to update the Company Portal app to enroll successfully.

How can you prepare?

Update any older version of the Company Portal staged in your environment to support Android device administrator enrollments before the Intune October (2110) service release. Inform your users that they'll need to update to the latest version of the Android Company Portal to enroll their Samsung device.

If applicable, inform your helpdesk in case users don't update the app before enrolling. We also recommend that you keep the Company Portal app updated to ensure that the latest fixes are available on your devices.

More information

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings will be set to Not configured. That change will take effect when you edit the profile.

How can you prepare?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change will affect you only if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Endpoint Manager admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.