In development for Microsoft Intune

To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.
  • When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.
  • This page and the What's new page are updated periodically. Check back for additional updates.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.


This page reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This page doesn't describe all features in development.

RSS feed: Find out when this page is updated by copying and pasting the following URL into your feed reader:

This article was last updated on the date listed under the title above.

App management

Win32 app version displayed in console

The Win32 app version will be displayed in the Intune console. The app version will be provided in the All apps list, where you can filter by Win32 apps and select the optional version column. In the Microsoft Endpoint Manager admin center, select Apps > All apps > Columns > Version to display the app version in the app list. For related information, see Win32 app management in Microsoft Intune.

Installation status for device-assigned required apps

From the Installed apps page of the Windows Company Portal or the Company Portal website, end users will be able to view the installation status and details for device-assigned required apps. This functionality is provided in addition to the installation status and details of user-assigned required apps that is available today. For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Export underlying discovered apps list data

In addition to exporting the summarized discovered apps list data, you will also be able export the more extensive underlying data. The current summarized export experience provides summarized aggregate data, however the additional new experience will also provide the raw data. The raw data export will give you the entire dataset, which is used to create the summarized aggregate report. The raw data will be a list of every device and each app discovered for that device. This functionality is being added to the Intune console to replace the Intune Data Warehouse Application Inventories dataset, which will be deprecated in 2107 release. In the Microsoft Endpoint Manager admin center, select Apps > Monitor > Discovered apps > Export to display the export options. For related information, see Intune discovered apps and Export Intune reports using Graph APIs.

Maximum OS version setting for app conditional launch

Using iOS app protection policies in Microsoft Intune app protection policies, you will be able to add a new conditional launch setting to ensure end users are not using a pre-release or beta OS build to access work or school account data. This setting ensures that you can vet all OS releases before end users are actively using new OS functionality. In Microsoft Endpoint Manager admin center, you will be able to find this setting by selecting Apps > App protection policies. For related information, see How to create and assign app protection policies.

Device configuration

See policy compliance for a device in tenant attach in Endpoint Manager

To manage your devices from the cloud, you can attach your Configuration Manager infrastructure to Endpoint Manager. When deploying Endpoint Security policy to tenant attached devices, you'll be able to see the overall compliance status for the policy. With device level reporting, you'll be able to see the compliance state for a policy at the device level in the Microsoft Endpoint Manager admin center.

For more information on what you can do in Endpoint Manager in a tenant attach setup, see Microsoft Endpoint Manager tenant attach.

Disable NFC pairing on iOS/iPadOS devices running 14.2 and newer

On iOS/iPadOS devices, you'll be able to create a device restrictions profile that disables NFC (Devices > Configuration profiles> Create profile > iOS/iPadOS for platform > Device restrictions for profile > Connected devices > Disable near field communication (NFC)). When you disable this feature, it prevents devices from pairing with other NFC-enabled devices and NFC will be disabled.

To see the settings you can configure, go to iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS/iPadOS 14.2 and newer

Device enrollment

Microsoft Endpoint Manager ending support for Android 5.x

In a future update, Microsoft Endpoint Manager will stop supporting Android 5.x devices.

Device management

Windows 10 Enterprise multi-session support (public preview)

This support will give users a familiar Windows 10 experience while you get the cost advantages of multi-session and existing per-user Microsoft 365 licensing. This upcoming support will let you:

  • Host multiple concurrent user sessions using the new Remote Desktop Session Host exclusive to Windows Virtual Desktop on Azure.
  • Manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 Enterprise client.
  • Automatically enroll Hybrid Azure AD joined virtual machines in Intune and target them with OS scope policies and apps.

Use Intune policy to expedite installation of Windows 10 quality updates

As part of a public preview, you’ll soon be able to use Intune’s Windows 10 quality updates policy to expedite installation of the most recent Windows 10 updates to devices you manage with Intune. (Devices > Windows 10 quality updates (preview) > Create profile).

When you expedite an update, devices can start the download and install of the update as soon as possible, without having to wait for the device to check in for updates. Other than expediting the install of the update, use of this policy leaves your existing update deployment policies and processes untouched.

Locate device remote action for Windows 10 devices

You'll be able to use a new locate device remote action to get the geographical location of a device. Supported devices include:

  • Windows 10 version 20H2 (10.0.19042.789) or later
  • Windows 10 version 2004 (10.0.19041.789) or later
  • Windows 10 version 1909 (10.0.18363.1350) or later
  • Windows 10 version 1809 (10.0.17763.1728) or later

To see the new action, sign in to the Microsoft Endpoint Manager admin center and choose Devices > Windows > choose a Windows 10 > Locate device.

This action will work in a similar manner as the current Locate device action for Apple devices (but will not include any lost mode functionality).

Support to display phone numbers for corporate Android Enterprise devices

For corporate Android Enterprise devices (Dedicated, Fully Managed, and Fully managed with work profile), the associated device phone numbers will be displayed in the MEM admin center. If multiple numbers are associated with the device, only one number will be displayed.

Intune apps

End users can restart an app install from the Company Portal

Using the Company Portal, end users will be able to restart an app installation if the progress seems to have stalled or is frozen. This functionality is allowed if the app installation progress has not changed in two hours.

Intune management agent for macOS devices will be a universal app

When you deploy shell scripts or custom attributes for macOS devices from Microsoft Endpoint Manager, it will deploy the new universal version of the Intune management agent app that runs natively on Apple Silicon Mac machines. The same deployment will install the x64 version of the app on Intel Mac machines. For related information, see Microsoft Intune management agent for macOS.

Monitor and troubleshoot

Account protection policy changes in Endpoint security

We’re reworking the endpoint security Account protection policy to use the new APIs for Windows Hello for Business. The new APIs will result in a more consistent experience. The new API is ./Device/Vendor/MSFT/PassportForWork, which includes more options that can help reduce conflicts. This API replaces the use of ./User/Vendor/MSFT/PassportForWork. (Endpoint security > Account protection)

After the change, only new policies you then create will use the new API. Your existing policies won’t be affected by this change and will continue to use the older API.

Organizational report focused on device configuration

We'll be releasing a new Device configuration organizational report. This report will replace the existing Assignment status report found in the Microsoft Endpoint Manager admin center under Devices > Monitor. The Device configuration report will allow you to generate a list of profiles in the tenant that have devices in a state of success, error, conflict, or pending. You can use filters for the profile type, OS, and state. The returned results will provide search, sort, filter, pagination, and export capabilities. In addition to device configuration details, this report will provide resource access details, and new settings catalog profile details. For related information, see Intune Reports.

Export Intune reports using Graph API v1.0 or beta

Intune reporting export API will be available in Graph v1.0, and will continue to be available in Graph beta. For related information, see Intune reports and Export Intune reports using Graph APIs.


Update when exporting Intune reports using the Graph API

When you use the Graph API to export Intune reports without selecting any columns for the devices report, you'll receive the default column set. To reduce confusion, we'll be removing columns from the default column set starting January 2021. The columns being removed are PhoneNumberE164Format, _ComputedComplianceState, _OS, and OSDescription. These columns will still be available for selection if you need them, but only explicitly, and not by default. If you have built automation around the default columns of the device export, and that automation uses any of these columns, you need to refactor your processes to explicitly select these and any other relevant columns. For related information, see Export Intune reports using Graph APIs.

Intune Data Warehouse updates

The applicationInventory entity will be removed from the Intune Data Warehouse with the 2107 service update of Intune. We're introducing a more complete and accurate dataset that will be available in the UI and via our export API. For related information, see Export Intune reports using Graph APIs.


Improved flow for conditional access on Surface Duo devices

We’re streamlining the conditional access flow on Surface Duo devices. These changes happen automatically and won't require any configuration updates by administrators. (Endpoint security > Conditional access)

  • We’re improving the redirection to the Company Portal app when access to a resource is blocked by conditional access. Instead of being sent to the Google Play store listing of the Company Portal app, users will be sent directly to the Company Portal app that’s preinstalled on their Duo device.
  • For devices that are enrolled as personally-owned work profile, when a user tries to sign in to a personal version of an app using their work credentials, they will be sent to the work version of Company Portal where guidance messaging is shown. Currently, the user is sent to the Google Play store listing of the personal version of the Company Portal app, where they must reenable the personal Company Portal to see the guidance messaging.

New options for Tunnel Gateway server upgrades

You'll soon be able to configure some aspects of Microsoft Tunnel Gateway server upgrades. (Tenant administration > Microsoft Tunnel Gateway (preview))

Options include:

  • Restrict the start of server upgrades to a specific time window.
  • Configure servers at a site to upgrade manually, or require the admin to approve an upgrade before it can start.

We're also adding a new health check setting that helps you identify when a server is running the latest version of Tunnel Gateway.

Use Antivirus profiles to prevent or allow merger of Antivirus exclusion lists on devices

You’ll soon be able to use a setting in a Microsoft Defender Antivirus profile to block merger of local exclusion lists for Microsoft Defender Antivirus on Windows 10 devices. Exclusion lists for Microsoft Defender Antivirus can be configured locally on a device, and specified by Intune Antivirus policy. (Endpoint security > Antivirus)

  • When exclusion lists are merged, a locally defined exclusion can override those from Intune.
  • When merge is blocked, those from Intune policy take precedence in the case of conflicts.


These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Intune moving to support Android 6.0 and higher in April 2021

As mentioned in MC234534, Intune will be moving to support Android 6.0 (Marshmallow) and higher in the April (2104) service release.

How this change will affect your organization

Given that the Office mobile apps for Android ended support for Android 5.x (Lollipop) on June 30, 2019 (MC181101) this change may not affect you; you have likely already upgraded your OS or devices. However, if you have any device that is still running Android version 5.x, or decide to enroll any device that is running Android version 5.x, please note that these devices will no longer be supported. Either update them to Android version 6.0 (Marshmallow) or higher or replace them with a device on Android version 6.0 or higher.


Teams Android devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

What you need to do to prepare

Notify your helpdesk, if applicable, of this upcoming change in support. You also have two admin options to help inform your end users or block enrollment.

  1. Here’s how you can warn end users:
    • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send a message to users before marking them noncompliant.
    • Configure an app protection policy Conditional launch setting with a Min OS version requirement to warn users.
  2. Here’s how you can block devices on versions below Android 6.0:
    • Set enrollment restrictions to prevent devices on Android 5.x from enrolling
    • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices on Android 5.x non-compliant.
    • Configure an app protection policy Conditional launch setting with a Min OS version requirement to block users from app access.

See also

For details about recent developments, see What's new in Microsoft Intune.