What's new in Microsoft Intune
Learn what's new each week in Microsoft Intune in Microsoft Endpoint Manager admin center. You can also find important notices, past releases, and information about how Intune service updates are released.
Each monthly update may take up to three days to roll out and will be in the following order:
- Day 1: Asia Pacific (APAC)
- Day 2: Europe, Middle East, Africa (EMEA)
- Day 3: North America
- Day 4+: Intune for Government
Some features may roll out over several weeks and might not be available to all customers in the first week.
Check the In development page for a list of upcoming features in a release.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
Week of November 23, 2020
PowerShell scripts execute before apps, and time out reduced
There are some updates to PowerShell scripts:
- Microsoft Intune management extension execution flow is reverted back to processing PowerShell scripts first, and then running Win32 apps.
- To resolve an Enrollment Status Page (ESP) time out issue, PowerShell scripts time out after 30 minutes. Previously, they timed out after 60 minutes.
For more information, see Use PowerShell scripts on Windows 10 devices in Intune.
Week of November 16, 2020 (2011 Service release)
Power menu, status bar notifications, and more restrictive settings available for Android Enterprise dedicated devices
On Intune enrolled Android Enterprise dedicated devices running single or multi-app kiosk mode, you can:
- Restrict the power menu, system error warnings, and access to the Settings app.
- Choose if users can see the home and overview buttons, and notifications.
To configure these settings, create a device restrictions configuration profile: Devices > Configuration Profiles > Create profile > Android Enterprise for platform > Fully managed, dedicated, and Corporate-owned work profile > Device restrictions > General.
For more information on these settings, and the other settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.
Applies to: Android Enterprise dedicated devices
New show previews setting for app notifications on iOS/iPadOS devices
On iOS/iPadOS devices, there's a Show Previews setting (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile > App Notifications). Use this setting to choose when recent app notification previews are shown on devices.
For more information on app notification settings, and other settings you can configure, see device settings to use common iOS/iPadOS features.
On-demand rules with Microsoft Tunnel for iOS
The Microsoft Tunnel now supports on-demand rules for iOS/iPadOS devices. With on-demand rules, you can specify that the VPN is used when conditions are met for specific FQDNs or IP addresses.
To configure on-demand rules for iOS/iPadOS with Microsoft Tunnel, configure a VPN profile for iOS/iPadOS as part of device configuration policy. On the profile's Configuration settings page, select Microsoft Tunnel as the Connection type; you then have access to configure On-Demand VPN Rules.
For information about the on-demand VPN rules you can configure, see Automatic VPN settings.
More authentication settings for Wi-Fi profiles on Windows 10 and newer devices
New settings and features for Wi-Fi profiles on devices running Windows 10 and newer (Devices > Device Configuration > Create profile > Windows 10 and later for platform > Wi-Fi for profile > Enterprise):
Authentication mode: Authenticate the user, device, either, or use guest authentication.
Remember credentials at each logon: Force users to enter credentials whenever they connect to the VPN. Or, cache the credentials so users only enter their credentials once.
More granular control over authentication behavior, including:
- Authentication period
- Authentication retry delay period
- Start period
- Maximum EAPOL-Start messages
- Maximum authentication failures
Use separate VLANs for device and user authentication: When using single sign-on, the Wi-Fi profile can use a different virtual LAN based on the user’s credentials. Your Wi-Fi server must support this feature.
To see these settings, and all the settings you can configure, go to Add Wi-Fi settings for Windows 10 and later devices in Intune.
Applies to: Windows 10 and newer
Personally-owned work profile terminology
To avoid confusion, the term for the work profile Android Enterprise management scenario will be changed to "personally-owned devices with a work profile" or personally-owned work profile throughout the Intune documentation and user interface. This is to differentiate it from the "corporate-owned work profile" (COPE) management scenario.
Windows Autopilot for HoloLens 2 (preview)
Windows Autopilot for HoloLens 2 devices is now in public preview. Admins no longer have to register their tenants for flighting. For more information on using Autopilot for HoloLens, see Windows Autopilot for HoloLens 2.
Ending support for iOS 11
Intune enrollment and the Company Portal now support iOS versions 12 and later. Older versions aren't supported but will continue to receive policies.
Ending support for macOS 10.12
Since macOS Big Sur has released, Intune enrollment and the Company Portal now support macOS versions 10.13 and later. Older versions aren't supported.
New setting for Device Control profile for endpoint security
We’ve added a new setting, Block write access to removable storage to the Device control profile for Attack surface reduction policy in endpoint security. When set to Yes, write access to removable storage is blocked.
Improvements to settings in Attack surface reduction rule profiles
We’ve updated the options for applicable settings in the Attack surface reduction rule profile, which is part of endpoint security's Attack surface reduction policy.
We've made the existing options consistent across settings, like Disable and Enable, and added a new option, Warn:
- Warn - On devices that run Windows 10 version 1809 or later, the device user receives a message that they can bypass the setting. For example, on the setting Block Adobe Reader from creating child processes, the option of Warn presents users with the option to bypass that block and allow Adobe Reader to create a child process. On devices that run earlier versions of Windows 10, the rule enforces the behavior without the option to bypass it.
Policy merge support for USB device IDs in Device control profiles for endpoint security Attack surface reduction policy
We’ve added support for policy merge of USB device IDs to the Device control profile for the endpoint security Attack surface reduction policy. The following settings from device control profiles are evaluated for policy merge:
- Allow hardware device installation by device identifiers
- Block hardware device installation by device identifiers
- Allow hardware device installation by setup classes
- Block hardware device installation by setup classes
- Allow hardware device installation by device instance identifiers
- Block hardware device installation by device instance identifiers
Policy merge applies to the configuration of each setting across the different profiles that apply to a device. It doesn’t include evaluation between different settings, even when two settings are closely related.
For a more detailed example of what merges, and how the allow and block lists for each supported setting get merged and apply on a device, see Policy merge for settings for device control profiles.
Improved Antivirus status operations report for endpoint security
We’ve added new details to the Antivirus status operations report for Windows Defender Antivirus, which is an endpoint security policy report.
The following new columns of information will be available for each device:
- Product status – The status of Windows Defender on the device.
- Tamper protection – Whether tamper protection is enabled or disabled.
- Virtual machine – Whether the device is a virtual machine or a physical device.
Improved rule merge for Attack surface reduction rules
Attack surface reduction rules now support new behavior for merging settings from different policies to create a superset of policy for each device. Only the settings that are not in conflict are merged; those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed.
Attack surface reduction rule merge behavior is as follows:
- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
  - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction.
  - Endpoint security > Attack surface reduction policy > Attack surface reduction rules.
  - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules.
- Settings that do not have conflicts are added to a superset of policy for the device.
- When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
- Only the configurations for conflicting settings are held back.
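The merge behavior above can be checked with a small simulation. The following is an added example, not Intune code: the three profile names follow the sources the page lists, the rule names (RuleA to RuleD) are placeholders, and the values use the options the page names (Enable, Disable, Warn). A rule that a profile leaves Not configured is treated as expressing no preference, so it never causes a conflict; that treatment is an assumption of this example.

```python
"""Per-setting merge of Attack surface reduction (ASR) rules across the
profiles that apply to one device. Constructed example, not Intune code."""
from typing import Dict, List, Tuple

NOT_CONFIGURED = "Not configured"

# Constructed sample profiles targeting one device. Rule names are placeholders.
PROFILES: Dict[str, Dict[str, str]] = {
    "Configuration policy > Endpoint protection > ASR": {
        "RuleA": "Enable", "RuleB": "Warn", "RuleD": NOT_CONFIGURED,
    },
    "Endpoint security > ASR policy > ASR rules": {
        "RuleA": "Enable", "RuleC": "Disable", "RuleD": "Enable",
    },
    "Endpoint security > Security baselines > Defender ATP baseline": {
        "RuleB": "Enable", "RuleC": "Disable",
    },
}


def merge_asr_rules(profiles: Dict[str, Dict[str, str]]
                    ) -> Tuple[Dict[str, str], Dict[str, Dict[str, List[str]]]]:
    """Return (superset, conflicts).

    superset:  rule -> the single value every configuring profile agrees on.
    conflicts: rule -> {value: [profile names]} for rules held back because
               two or more profiles configure them differently.
    Rules left "Not configured" by a profile are ignored for that profile
    (assumption: an unconfigured rule cannot conflict with a configured one).
    """
    votes: Dict[str, Dict[str, List[str]]] = {}
    for profile, settings in profiles.items():
        for rule, value in settings.items():
            if value == NOT_CONFIGURED:
                continue
            votes.setdefault(rule, {}).setdefault(value, []).append(profile)

    superset: Dict[str, str] = {}
    conflicts: Dict[str, Dict[str, List[str]]] = {}
    for rule, by_value in sorted(votes.items()):
        if len(by_value) == 1:          # every profile that sets it agrees
            superset[rule] = next(iter(by_value))
        else:                           # only this rule is held back
            conflicts[rule] = by_value
    return superset, conflicts


def merge_asr_rules_legacy(profiles: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """The behavior the page says was replaced: a single conflicting rule
    flagged the profiles as in conflict and nothing from them was deployed."""
    superset, conflicts = merge_asr_rules(profiles)
    return {} if conflicts else superset


if __name__ == "__main__":
    applied, held_back = merge_asr_rules(PROFILES)
    for rule, value in applied.items():
        print(f"apply     {rule} = {value}")
    for rule, by_value in held_back.items():
        print(f"hold back {rule}: {by_value}")
    print("legacy merge would deploy:", merge_asr_rules_legacy(PROFILES))
```

Running it shows RuleA, RuleC and RuleD applied (the profiles that configure them agree, or only one configures them) while RuleB is held back because one profile sets Warn and another sets Enable; the legacy function deploys nothing at all for the same input, which is the difference the page describes.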
MVISION Mobile – New Mobile Threat Defense partner
You can control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by MVISION Mobile, a Mobile Threat Defense solution from McAfee that integrates with Microsoft Intune.
Monitor and troubleshoot
New Intune operational report to help troubleshoot configuration profile issues
A new Assignment failures operational report is available in public preview to help troubleshoot errors and conflicts for configuration profiles that have been targeted to devices. This report will show a list of configuration profiles for the tenant and the number of devices in a state of error or conflict. Using this information, you can drill down to a profile to see a list of devices and users in a failure state related to the profile. Additionally, you can drill down even further to view a list of settings and setting details related to the cause of the failure. You have the ability to filter, sort, and search across all of the records throughout the report. In the Microsoft Endpoint Manager admin center, you can find this report by selecting Devices > Monitor > Assignment failures (preview). For more information about reports in Intune, see Intune reports.
Reporting updates for Windows Virtual Desktop VMs
The following settings are marked as Not applicable in the Policy reports:
- BitLocker settings
- Device encryption
- Defender Application Guard settings
- Defender Tamper Protection
- Wi-Fi profiles
Noncompliant policies report to troubleshoot devices in error or that are noncompliant
In preview, the new Noncompliant policies report is an operational report you can use to help troubleshoot errors and conflicts for compliance policies targeting devices. The Noncompliant policies report displays a list of compliance policies that have one or more devices with errors or that are in a state of noncompliance to the policy.
Use this report to:
- View the device compliance policies with devices in a noncompliant or error state, and then drill in to view the list of devices and users in a failed state.
- Drill down further to see the list of settings and setting information causing a failure.
- Filter, sort, and search across all records in the report. We've added paging controls and improved export capability to a csv file.
- Identify when issues are occurring, and streamline troubleshooting.
For more information on monitoring device compliance, see Monitor Intune Device compliance policies.
Week of November 9, 2020
Improvements to work profile messaging in Company Portal for Android
We've updated messaging in Company Portal for Android to better introduce and explain how work profile works. The new messaging appears:
- After the work profile setup flow. Users see a new informational screen explaining where to find work apps, with links to help documentation.
- When a user accidentally re-enables the Company Portal app in the personal profile. We redesigned a screen (Your device now has a profile just for work) with clearer explanations and new illustrations to guide users to their work apps, with links to help documentation.
- On the Help page. In the Frequently Asked Questions section, there's a new link to help documentation about how to set up work profile and find apps.
Week of October 26, 2020 (2010 Service release)
New and updated planning, setup, and enrollment deployment guides
The existing planning and migration guides are rewritten and updated with new guidance. There are also new deployment guides that focus on Intune setup and on enrollment for Android, iOS/iPadOS, macOS, and Windows devices.
For more information, go to Overview.
Apps that require enrollment are hidden when enrollment is set to unavailable
Apps assigned with the Available for enrolled devices and Required intents won't be displayed in the Company Portal for users where the device enrollment setting is set to Unavailable. This change is only applicable when viewing the Company Portal app or website from an unenrolled device, including unenrolled devices that use app protection policies (MAM-WE). The apps will still be visible for users viewing the Company Portal from an enrolled device, regardless of the value of the Device enrollment setting. For more information, see Device enrollment setting options.
Improvements to iOS Company Portal privacy message customization
You now have greater ability to customize the privacy messaging in the iOS Company Portal. In addition to the previous support for customizing what your organization can't see, you can now also customize what your organization can see in the privacy message displayed to end users in the iOS Company Portal. To support this feature, devices need to be running at least Company Portal version 4.11 to see the customized messaging about what can be seen. This feature is available in the Microsoft Endpoint Manager admin center by selecting Tenant administration > Customization. For related information, see the Company Portal Privacy message.
Android app protection policies (MAM) on COPE devices
Newly added Mobile Application Management (MAM) support enables Android app protection policies on Android Enterprise corporate-owned devices with a work profile (COPE). For more information about app protection policies, see App protection policies overview.
Max Company Portal version age for Android devices
You can set an age limit as the maximum number of days for the Company Portal (CP) version for Android devices. This setting ensures that end users are within a certain range of CP releases (in days). When the setting for the devices is not met, the selected action for this setting is triggered. Actions include Block access, Wipe data, or Warn. You can find this setting in the Microsoft Endpoint Manager admin center by selecting Apps > App protection policies > Create policy. The Max Company Portal version age (days) setting will be available in the Device conditions section of the Conditional launch step. For more information, see Android app protection policy settings - Conditional launch.
Mac LOB apps will be supported as managed apps on macOS 11 and higher
Intune supports the Install as managed app property that can be configured for Mac line-of-business (LOB) apps deployed to macOS 11 and higher. When this setting is on, the Mac LOB app will be installed as a managed app on supported devices (macOS 11 and higher). Managed line-of-business apps can be removed using the uninstall assignment type on supported devices (macOS 11 and higher). In addition, removing the MDM profile removes all managed apps from the device. In the Microsoft Endpoint Manager admin center, select Apps > macOS > Add. For more information about adding apps, see Add apps to Microsoft Intune.
Enable Outlook S/MIME emails to be always signed or encrypted
You can enable Outlook S/MIME emails to be always signed or encrypted when you create an Outlook email profile under app configuration for iOS/iPadOS and Android Enterprise devices. The setting is available when you choose Managed devices when creating an Outlook app configuration policy. You can find this setting in Microsoft Endpoint Manager admin center by selecting Apps > App configuration policies > Add > Managed devices. For related information, see App configuration policies for Microsoft Intune.
Win32 app support for Workplace join (WPJ) devices
Existing Win32 apps are supported for Workplace join (WPJ) devices. PowerShell scripts, which are not officially supported on WPJ devices, can be deployed to WPJ devices. Specifically, device context PowerShell scripts work on WPJ devices, but user context PowerShell scripts are ignored by design and are not reported to the Microsoft Endpoint Manager console. For more information about PowerShell, see Use PowerShell scripts on Windows 10 devices in Intune.
Device Firmware Configuration Interface (DFCI) is generally available
DFCI is an open-source Unified Extensible Firmware Interface (UEFI) framework. It allows you to securely manage the UEFI (BIOS) settings of your Windows Autopilot devices using Microsoft Endpoint Manager. It also limits end-user control over firmware configurations.
Unlike traditional UEFI management, DFCI removes the need for managing third-party solutions. It also provides zero-touch firmware management by using Microsoft Endpoint Manager for cloud management. DFCI also accesses the existing Windows Autopilot device information for authorization.
For more information on this feature, see Use DFCI profiles on Windows devices in Intune.
DFCI policy reporting in the Endpoint Manager admin center wasn't working as expected. All policies reported a "Pending" status. This behavior is fixed.
Use the Connect Automatically setting on Android Enterprise basic Wi-Fi profiles
On Android Enterprise devices, you can create basic Wi-Fi profiles that include common Wi-Fi settings, such as the connection name. You can configure the Connect automatically setting that automatically connects to your Wi-Fi network when devices are in range.
To see these settings, go to Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices.
Applies to: Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile
New user experience and new Enable direct download setting on macOS devices using associated domains
When you create an Associated Domain configuration profile on macOS devices, the user experience is updated (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile > Associated domains). You still enter your App ID and Domains.
On macOS 11+ supervised devices enrolled with user approved device enrollment or automated device enrollment, you can use the Enable direct download setting. Enabling direct downloads allows domain data to be downloaded directly from the devices, instead of downloading through a content delivery network (CDN).
For more information, see Associated domains on macOS devices.
Applies to: macOS 11+ (supervised)
New lockout password settings on macOS devices
New settings are available when you create a macOS password profile (Devices > Configuration profiles > Create profile > macOS for platform > Device restrictions for profile > Password):
Maximum allowed sign-in attempts: The maximum number of consecutive sign-in attempts users can make before the device locks them out, from 2 to 11. Set this value to a higher number. Setting this value to 2 or 3 isn't recommended, as mistakes are common.
Applies to all enrollment types.
Lockout duration: Choose how long the lockout lasts, in minutes. During a device lockout, the sign-in screen is inactive, and users can't sign in. When the lockout duration ends, users can sign in again. To use this setting, configure the Maximum allowed sign-in attempts setting.
Applies to macOS 10.10 and newer, and all enrollment types.
To see these settings, go to macOS password device restrictions.
Required password type default setting is changing on Android Enterprise devices
On Android Enterprise devices, you can create a device password profile that sets the Required password type (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device restrictions > Device password).
The Required password type setting default is changing from Numeric to Device default.
Existing profiles aren't impacted. New profiles will automatically use Device default.
Most devices don't require a password when Device default is selected. If you want to require your users to set up a passcode on their devices, configure the Required password type setting to something more secure than Device default.
To see the settings you can restrict, go to Android Enterprise device settings to allow or restrict features.
Applies to: Android Enterprise
Intune support for provisioning Azure Active Directory shared devices
With Intune, you can now provision Android Enterprise dedicated devices with Microsoft Authenticator automatically configured into Azure AD shared device mode. For more information on how to use this enrollment type, see Set up Intune enrollment of Android Enterprise dedicated devices.
Update for Microsoft Tunnel
We’ve released a new version of the Microsoft Tunnel Gateway, which includes the following changes:
- Fixes for logging. View the Microsoft Tunnel system logs when you run the journalctl -t command line on the tunnel server.
- Additional bug fixes.
The Tunnel Gateway server will automatically update to the new release.
App protection policy support on Android and iOS/iPadOS for additional partners
In October of 2019, Intune app protection policy added the capability to use data from our Microsoft Threat Defense partners.
With this update, we're expanding this support to the following two partners for using an app protection policy to block or selectively wipe a user’s corporate data based on the health of the device:
- Check Point Sandblast on Android, iOS and iPadOS
- Symantec Endpoint Security on Android, iOS and iPadOS
For more information, see Create Mobile Threat Defense app protection policy with Intune.
Endpoint Manager Security tasks include details about misconfigured settings from Microsoft Defender ATP TVM
Microsoft Endpoint Manager Security tasks now report on and provide remediation details for misconfigurations discovered by Threat Vulnerability Management (TVM). The misconfigurations that are reported to Intune are limited to issues for which remediation guidance can be provided.
TVM is part of Microsoft Defender Advanced Threat Protection. Prior to this update, details from TVM only included details and remediation steps for Applications.
When you view Security tasks, you’ll find a new column named Remediation Type that identifies the type of issue:
- Application – Vulnerable applications and remediation steps. This has been available in Security tasks prior to this update.
- Configuration – A new category of details from TVM that identifies misconfigurations and provides steps to help you remediate them.
For more information on security tasks, see Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP.
Endpoint security Firewall policies for tenant attached devices
As a public preview, you can deploy endpoint security policy for Firewalls to devices you manage with Configuration Manager. This scenario requires you to configure a tenant attach between a supported version of Configuration Manager and your Intune subscription.
Firewall policy for tenant attached devices is supported for devices that run Windows 10 and later, and requires your environment to run Configuration Manager current branch 2006 with the in-console hotfix KB4578605.
For more information, see the requirements for Intune endpoint security policies to support Tenant Attach.
Expanded settings to manage hardware device installation through block and allow lists
In Device control profiles, which are part of endpoint security Attack surface reduction policy, we’ve revised and expanded our settings for managing hardware device installation. You’ll now find settings to define block lists and separate allow lists using device IDs, setup classes, and instance identifiers. The following six settings are now available:
- Allow hardware device installation by device identifiers
- Block hardware device installation by device identifiers
- Allow hardware device installation by setup class
- Block hardware device installation by setup class
- Allow hardware device installation by device instance identifiers
- Block hardware device installation by device instance identifiers
Each of these settings supports the options of Yes, No, and Not configured. When you configure Yes you can then define the block or allow list for that setting. On a device, hardware that is specified in an allow list can install or update. However, if that same hardware is specified on a block list, the block overrides the allow list and installation or update of the hardware is prevented.
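The six list settings above and the policy merge described earlier (USB device IDs across several Device control profiles) can be expressed as a short simulation. The following is an added example, not Intune or Windows code; it implements only what the page states: each setting's list is unioned across the profiles that apply to a device, settings are never evaluated against each other, and a match on any block list overrides a match on an allow list. The device identifiers and setup-class GUIDs are made up, the case-insensitive comparison of identifiers is an assumption, and the "unmatched" result for hardware on no list at all is outside what the page describes.

```python
"""Policy merge of device control allow/block lists and the block-overrides-
allow evaluation for a device. Constructed example, not Intune code."""
from typing import Dict, Iterable, List, Set

# The six settings the page lists, as keys of a profile dict.
SETTINGS = (
    "allow_device_ids", "block_device_ids",
    "allow_setup_classes", "block_setup_classes",
    "allow_instance_ids", "block_instance_ids",
)


def _norm(identifier: str) -> str:
    # Assumption: identifiers compare case-insensitively, as PnP IDs do.
    return identifier.strip().upper()


def merge_device_control(profiles: Iterable[Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Union each setting's list across every profile that applies to the device.

    Each setting is merged on its own: an allow list never removes an entry
    from a block list, matching the page's note that policy merge does not
    evaluate between different settings.
    """
    merged: Dict[str, Set[str]] = {setting: set() for setting in SETTINGS}
    for profile in profiles:
        for setting, ids in profile.items():
            if setting not in SETTINGS:
                raise ValueError(f"unknown device control setting: {setting}")
            merged[setting].update(_norm(i) for i in ids)
    return merged


def evaluate_install(merged: Dict[str, Set[str]], device_ids: List[str],
                     setup_class: str, instance_id: str) -> str:
    """Return 'blocked', 'allowed' or 'unmatched' for one piece of hardware.

    A hit on any block list wins over any allow-list hit. 'unmatched' (hardware
    on no list) is not covered by the page and is left to other policy.
    """
    ids = {_norm(i) for i in device_ids}
    cls, inst = _norm(setup_class), _norm(instance_id)
    if (ids & merged["block_device_ids"]
            or cls in merged["block_setup_classes"]
            or inst in merged["block_instance_ids"]):
        return "blocked"
    if (ids & merged["allow_device_ids"]
            or cls in merged["allow_setup_classes"]
            or inst in merged["allow_instance_ids"]):
        return "allowed"
    return "unmatched"


# Constructed profiles that both apply to the same device. IDs are made up.
CLASS_A = "{00000000-0000-0000-0000-00000000aaaa}"
CLASS_B = "{00000000-0000-0000-0000-00000000bbbb}"
CLASS_C = "{00000000-0000-0000-0000-00000000cccc}"
PROFILE_A = {"allow_setup_classes": [CLASS_A],
             "block_device_ids": ["USB\\VID_0001&PID_0002"]}
PROFILE_B = {"allow_device_ids": ["usb\\vid_0001&pid_0002", "USB\\VID_0003&PID_0004"],
             "block_instance_ids": ["USB\\VID_0003&PID_0004\\SERIAL-42"]}


def demo() -> List[str]:
    """Evaluate a few constructed devices against the merged policy."""
    merged = merge_device_control([PROFILE_A, PROFILE_B])
    cases = [
        # allowed by ID in profile B and by class in A, but blocked by ID in A
        (["USB\\VID_0001&PID_0002"], CLASS_A, "USB\\VID_0001&PID_0002\\S1"),
        # allowed by ID, but this specific instance is blocked
        (["USB\\VID_0003&PID_0004"], CLASS_B, "USB\\VID_0003&PID_0004\\SERIAL-42"),
        # same model, different instance: allowed
        (["USB\\VID_0003&PID_0004"], CLASS_B, "USB\\VID_0003&PID_0004\\SERIAL-43"),
        # unknown ID, but its setup class is allowed
        (["USB\\VID_0009&PID_0009"], CLASS_A, "USB\\VID_0009&PID_0009\\X"),
        # on no list at all
        (["USB\\VID_0009&PID_0009"], CLASS_C, "USB\\VID_0009&PID_0009\\X"),
    ]
    return [evaluate_install(merged, *case) for case in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first case is the one the page calls out: the hardware appears on an allow list in one profile and on a block list in another, and after the merge the block entry still wins. The second and third cases show that a block by instance identifier affects only that one unit, not every device with the same hardware ID.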
Improvements to endpoint security Firewall rules
We've made several changes to improve the experience of configuring firewall rules in the Microsoft Defender Firewall rules profile for endpoint security Firewall policy.
- Improved layout in the UI, including section headers to organize the view.
- An increased character limit for the description field.
- Validation of IP address entries.
- Sorting of IP address lists.
- Option to select all addresses when you clear entries from an IP address list.
Use Microsoft Defender for Endpoint in compliance policies for iOS
As a public preview, you can now use Intune device compliance policy to onboard iOS devices to Microsoft Defender for Endpoint (formerly named Microsoft Defender for Advanced Threat Protection).
After you onboard your enrolled iOS/iPadOS devices, your compliance policies for iOS can use the threat level signals from Microsoft Defender. These are the same signals that you can use for Android and Windows 10 devices.
The Defender for iOS app should move from public preview to general availability by the end of the year.
Security Experience profiles for Endpoint Security Antivirus policy now have tri-state options
We’ve added a third state of configuration for settings in the Windows Security experience profile for Endpoint security Antivirus policies. This update applies to the Windows Security experience for Windows 10 and later.
For example, where a setting previously offered Not configured and Yes, if supported by the platform, you now have the additional option of No.
Updated version of the Edge security baseline
We’ve added a new security baseline for Edge to Intune: September 2020 (Edge version 85 and later).
Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations recommended by the respective product teams.
To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.
Monitor and troubleshoot
New Windows 10 feature update failures report
The Feature update failures operational report provides failure details for devices that are targeted with a Windows 10 feature updates policy and have attempted an update. In the Microsoft Endpoint Manager admin center, select Devices > Monitor > Feature update failures to view this report. For more information, see Feature update failures report.
Updates to Antivirus reports
Both the Antivirus agent status report and the Detected malware report have been updated. These reports now show data visualizations and provide additional columns of information (SignatureUpdateOverdue, MalwareID, displayName, and InitialDetectionDateTime). In addition, remote actions are included in the Antivirus agent status report. For more information, see the Antivirus agent status report and the Detected malware report.
Updated Help and Support for Microsoft Endpoint Manager
The Help and Support experience uses machine learning to display solutions, diagnostics, and insights that will help you resolve your issues. We've updated the help and support page in Microsoft Endpoint Manager admin center with a new, easier to navigate, consistent UX experience. The new UX has now been rolled out in all blades in the console and will help us get you more relevant help.
You'll now find an updated and consolidated support experience for the following cloud-based offerings from within the admin center:
- Configuration Manager
- Microsoft Managed Desktop
View PowerShell scripts in the Intune Troubleshooting pane
You can now view your assigned PowerShell scripts in the Troubleshooting pane. PowerShell scripts provide Windows 10 client communication with Intune to run enterprise management tasks, such as advanced device configuration and troubleshooting. For more information, see Use PowerShell scripts on Windows 10 devices in Intune.
Collect custom device or user properties using shell scripts on managed Macs
You can create a custom attribute profile which enables you to collect custom properties from a managed macOS device using shell scripts. You can find this feature in the Microsoft Endpoint Manager admin center by selecting Devices > macOS > Custom attributes. For related information, see Use shell scripts on macOS devices in Intune.
Week of October 19, 2020
Changes for Password settings in Device restriction profiles for Android device administrator
Recently we added Password complexity as a new setting for Device compliance policy and Device restriction for Android device administrator. We've now made additional changes to the UI for settings in both policy types to help Intune accommodate the password changes in Android version 10 and later. These changes help ensure settings for passwords continue to apply to devices as expected.
You'll find the following changes to the Intune UI for passwords settings for the two policy types, which won't affect existing profiles:
- Settings are reorganized into sections that are based on which device versions the setting applies to, like Android 9 and earlier, or Android 10 and later.
- Updates to labels and example text in the UI.
- Clarifications for references to PINs as numerical or alphabetical, or alphanumeric.
Applies to: Android device administrator
Week of October 12, 2020
Configure the macOS Microsoft Enterprise SSO plug-in
On macOS, the Microsoft Azure AD SSO extension is listed in the Intune user interface, but wasn't working as expected. This feature is now working, and is available to use in public preview.
The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension. This app extension allows macOS 10.15+ users to access Microsoft apps, organization apps, and websites that support Apple's SSO feature. It authenticates using Azure AD, with one sign-on.
With the Microsoft Enterprise SSO plug-in release, you can configure the SSO extension with the new Microsoft Azure AD app extension type in Intune (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile > Single sign-on app extension > SSO app extension type > Microsoft Azure AD).
To get SSO with the Microsoft Azure AD SSO app extension type, users need to install and sign in to the Company Portal app on their macOS devices.
For more information about macOS SSO app extensions, see Single sign-on app extension.
Applies to:
- macOS 10.15 and newer
New Microsoft Tunnel version
We’ve released a new version of the Microsoft Tunnel Gateway. The following changes are included in the new version:
- Microsoft Tunnel now logs operational and monitoring details to Linux server logs in the syslog format. You can view the Microsoft Tunnel system logs with the journalctl -t command on the tunnel server.
- Various bug fixes.
Week of October 5, 2020
New version of the PFX Certificate Connector
We’ve released a new version of the PFX Certificate Connector, version 6.2008.60.612. This new connector version:
- Fixes an issue with PKCS certificate delivery to Android Enterprise Fully Managed devices. The issue required that the cryptography Key Storage Provider (KSP) be a legacy provider. You can now use a Cryptographic Next Generation (CNG) Key Storage Provider as well.
- Changes to the CA Account tab of the PFX Certificate Connector: The username and password (credentials) that you specify are now used both to issue certificates and to revoke certificates. Previously, these credentials were used only for certificate revocation.
For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.
Week of September 28, 2020
Improved work profile messaging in Company Portal for Android
The Company Portal screen previously titled "You're Halfway There!" has been updated to better explain how work profile management works. Users will see this screen if they re-enable Company Portal in the personal profile after they've already gone through work profile enrollment. They may also see this screen during work profile enrollment on some Android OS versions, as shown in the help doc, Enroll with Android work profile.
Tamper Protection policy for Tenant Attached devices in preview
In preview, we’ve added a new profile to Intune endpoint security Antivirus policy that you can use to manage Tamper Protection on tenant attached devices: Windows Security experience (preview).
The new profile is found under the Windows 10 and Windows Server (ConfigMgr) platform when you create a new Antivirus policy.
Before you can use Intune endpoint security policies with tenant attached devices, you need to configure Configuration Manager tenant attach, and synchronize devices with Intune.
Also be aware of the specific prerequisites that are required to use and support tamper protection with Intune policy.
Week of September 21, 2020
Tenant attach: Run scripts from the admin center
Bring the power of the Configuration Manager on-premises Run scripts feature to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to run PowerShell scripts from the cloud against an individual Configuration Manager managed device in real time. This feature gives all the traditional benefits of PowerShell scripts that have already been defined and approved by the Configuration Manager admin to this new environment. For more information, see Tenant attach: Run Scripts from the admin center.
Unified delivery of Azure AD Enterprise and Office Online applications in the Windows Company Portal
In the 2006 release, we announced Unified delivery of Azure AD Enterprise and Office Online applications in the Company Portal website. This feature is supported in the Windows Company Portal. On the Customization pane of Intune, select to Hide or Show both Azure AD Enterprise applications and Office Online applications in the Windows Company Portal. Each end user will see their entire application catalog from the chosen Microsoft service. By default, each additional app source will be set to Hide. In the Microsoft Endpoint Manager admin center, select Tenant administration > Customization to find this configuration setting. For related information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.
Windows Company Portal app descriptions with rich text
Using markdown, you can now display app descriptions using rich text in the Windows Company Portal. For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.
App protection policies allow administrators to configure incoming Org data locations
You can now control which trusted data sources are allowed to open into organization documents. Similar to the existing Save copies of org data app protection policy option, you can define which incoming data locations are trusted. This functionality relates to the following app protection policy settings:
- Save copies of org data
- Open data into org documents
- Allow users to open data from selected services
In the Microsoft Endpoint Manager admin center, select Apps > App protection policies > Create policy. To use this functionality, Intune policy-managed applications must implement support for this control. For more information, see iOS app protection policy settings and Android app protection policy settings.
COPE preview update: New settings to create requirements for the work profile password for Android Enterprise corporate-owned devices with a work profile
New settings now give admins the ability to set requirements for the work profile password for Android Enterprise corporate-owned devices with a work profile:
- Required password type
- Minimum password length
- Number of days until password expires
- Number of passwords required before user can reuse a password
- Number of sign-in failures before wiping device
For more information, see Android Enterprise device settings to allow or restrict features using Intune.
COPE preview update: New settings to configure the personal profile for Android Enterprise corporate-owned devices with a work profile
For Android Enterprise corporate-owned devices with a work profile, there are new settings you can configure that only apply to the personal profile (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work profile > Device restrictions for profile > Personal profile):
- Camera: Use this setting to block access to the camera during personal usage.
- Screen capture: Use this setting to block screen captures during personal usage.
- Allow users to enable app installation from unknown sources in the personal profile: Use this setting to allow users to install apps from unknown sources in the personal profile.
Applies to:
- Android Enterprise corporate-owned, personally enabled devices with a work profile
To see all the settings you can configure, go to Android Enterprise device settings to allow or restrict features.
Analyze your on-premises GPOs using Group Policy analytics
In Devices > Group Policy analytics (preview), you can import your group policy objects (GPOs) in the Endpoint Manager admin center. When you import, Intune automatically analyzes the GPO, and shows the policies that have equivalent settings in Intune. It also shows GPOs that are deprecated, or aren't supported anymore. For deeper information, go to Reports > Group policy analytics (preview) > Migration readiness report.
For more information on this feature, see Group Policy analytics.
Applies to:
- Windows 10 and newer
Block App Clips on iOS/iPadOS, and Defer non-OS software updates on macOS devices
When you create a Device Restrictions profile on iOS/iPadOS and macOS devices, there are some new settings:
iOS/iPadOS 14.0+ Block App Clips
- Applies to iOS/iPadOS 14.0 and newer.
- Devices must be enrolled with device enrollment or automated device enrollment (supervised devices).
- The Block App Clips setting blocks App Clips on managed devices (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile > General). When blocked, users can't add any App Clips, and existing App Clips are removed.
macOS 11+ Defer software updates
- Applies to macOS 11 and newer. On supervised macOS devices, the device must have user approved device enrollment, or enrolled through automated device enrollment.
- The existing Defer software updates setting can now delay OS and non-OS updates (Devices > Configuration profiles > Create profile > macOS for platform > Device restrictions for profile > General). The existing Delay visibility of software updates setting applies to OS and non-OS updates. Deferring non-OS software updates doesn't impact scheduled updates.
- The behavior of existing policies isn't changed, affected, or deleted. Existing policies will automatically migrate to the new setting with your same configuration.
New settings using per-app VPN or on-demand VPN on iOS/iPadOS and macOS devices
You can configure automatic VPN profiles in Devices > Configuration profiles > Create profile > iOS/iPadOS or macOS for platform > VPN for profile > Automatic VPN. There are new per-app VPN settings you can configure:
- Prevent users from disabling automatic VPN: When creating an automatic Per-app VPN or On-demand VPN connection, you can force users to keep the automatic VPN enabled and running.
- Associated domains: When creating an automatic Per-app VPN connection, you can add associated domains in the VPN profile that automatically start the VPN connection. For more information on associated domains, see Associated domains.
- Excluded domains: When creating an automatic Per-app VPN connection, you can add domains that can bypass the VPN connection when per-app VPN is connected.
Applies to:
- iOS/iPadOS 14 and newer
- macOS Big Sur (macOS 11)
Set maximum transmission unit for IKEv2 VPN connections on iOS/iPadOS devices
Starting with iOS/iPadOS 14 and newer devices, you can configure a custom maximum transmission unit (MTU) when using IKEv2 VPN connections (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > VPN for profile > IKEv2 for connection type).
For more information on this setting, and the others you can configure, see IKEv2 settings.
Applies to:
- iOS/iPadOS 14 and newer
Per-account VPN connection for email profiles on iOS/iPadOS devices
Starting with iOS/iPadOS 14, email traffic for the native Mail app can be routed through a VPN based on the account the user is using. In Intune, you can configure the VPN profile for per-account VPN setting (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Email for profile > Exchange ActiveSync email settings).
This feature lets you select a per-app VPN profile to use for an account-based VPN connection. The per-app VPN connection automatically turns on when users use their organization account in the Mail app.
To see this setting and the others you can configure, go to Add e-mail settings for iOS and iPadOS devices.
Applies to:
- iOS/iPadOS 14 and newer
Disable MAC address randomization on Wi-Fi networks on iOS/iPadOS devices
Starting with iOS/iPadOS 14, devices by default present a randomized MAC address instead of the physical MAC address when connecting to a network. This behavior is recommended for privacy, because it's harder to track a device by its MAC address. However, it also breaks functionality that relies on a static MAC address, including network access control (NAC).
You can disable MAC address randomization on a per-network basis in Wi-Fi profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Wi-Fi for profile > Basic or Enterprise for Wi-Fi type).
To see this setting, and the others you can configure, go to Add Wi-Fi settings for iOS and iPadOS devices.
Applies to:
- iOS/iPadOS 14 and newer
New settings for Device control profiles
We’ve added a pair of settings to the Device control profile for the Attack surface reduction policy for devices that run Windows 10 or later:
- Removable storage
- USB connections (HoloLens only)
Attack surface reduction policy is part of Endpoint security in Intune.
Enrollment Status Page shows critical kiosk policies
You'll now be able to see the following policies tracked on the Enrollment Status Page:
- Assigned access
- Kiosk browser settings
- Edge browser settings
All other kiosk policies aren't currently tracked.
Support for PowerPrecision and PowerPrecision+ Batteries for Zebra devices
On a device's hardware details page, you can now see the following information about Zebra devices using PowerPrecision and PowerPrecision+ batteries:
- State-of-Health rating as determined by Zebra (PowerPrecision+ batteries only)
- Number of full charge cycles consumed
- Date of last check-in for battery last found in the device
- Serial number of the battery pack last found in the device
COPE preview update: Reset work profile password for Android Enterprise corporate-owned devices with a work profile
You can now reset the work profile password on Android Enterprise corporate-owned devices with a work profile. For more information, see Reset a passcode.
Rename a co-managed device that is Azure Active Directory joined
You can now rename a co-managed device that is Azure AD joined. For more information, see Rename a device in Intune.
Microsoft Tunnel Gateway VPN solution in preview
You can now deploy Microsoft Tunnel Gateway to provide remote access to on-premises resources on iOS and Android Enterprise (Fully managed, Corporate-Owned Work Profile, Work profile) devices.
Microsoft Tunnel supports per-app and full device VPN, split tunneling, and conditional access capabilities using modern authentication. Tunnel can support multiple gateway servers for high availability in production.
Additional biometric authentication support for Android devices
New Android devices are making use of a more diverse set of biometrics beyond fingerprints. When OEMs implement support for non-fingerprint biometrics, end users have the potential to use this capability for secure access and a better experience. With the 2009 release of Intune, you can allow your end users to use fingerprint or Face Unlock, depending on what the Android device supports. You can configure whether all biometric types beyond fingerprint can be used to authenticate. For more information, see App protection experience for Android devices.
New details in the Endpoint security configuration for a device
You can now view additional details for devices as part of a device's Endpoint security configuration. When you drill in to view status details about policies you've deployed to devices, you'll now find the following setting:
- UPN (User Principal Name): The UPN identifies which endpoint security profile is assigned to a given user on the device. This information is useful to help differentiate between multiple users on a device and multiple entries of a profile or baseline that's assigned to the device.
For more information, see Resolve conflicts for security baselines.
Expanded RBAC permissions for the Endpoint Security role
The Endpoint Security Manager role for Intune has additional role-based access control (RBAC) permissions for remote tasks.
This role grants access to the Microsoft Endpoint Manager admin center and can be used by individuals who manage security and compliance features, including security baselines, device compliance, conditional access, and Microsoft Defender Advanced Threat Protection.
New permissions for remote tasks include:
- Reboot now
- Remote lock
- Rotate BitLocker keys (Preview)
- Rotate FileVault key
- Sync devices
- Microsoft Defender
- Initiate Configuration Manager action
To view the full set of permissions for any Intune RBAC role, go to Tenant admin > Intune roles > select a role > Permissions.
Updates for Security Baselines
We have new versions available for the following security baselines:
Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations recommended by the respective product teams.
To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.
Use Endpoint security configuration details to identify the source of policy conflicts for devices
To aid in conflict resolution, you can now drill in through a security baseline profile to view the Endpoint security configuration for a selected device. From there, you can select settings that show a Conflict or Error and continue to drill in further to view a list of details that includes the profiles and policies that are part of the conflict.
If you then select a policy that is a source of a conflict, Intune opens that policy's Overview pane, where you can review or modify the policy's configuration.
The following policy types can be identified as a source of conflict when you drill in through a security baseline:
- Device configuration policy
- Endpoint security policies
For more information, see Resolve conflicts for security baselines.
Support for certificates with a key size of 4096 on iOS and macOS devices
When you configure a SCEP certificate profile for iOS/iPadOS or macOS devices, you can now specify a Key size (bits) of 4096 bits.
Intune supports 4096-bit keys for the following platforms:
- iOS 14 and later
- macOS 11 and later
To configure SCEP certificate profiles, see Create a SCEP certificate profile.
Android 11 deprecates deployment of trusted root certificates to device administrator enrolled devices
Beginning with Android 11, trusted root certificate profiles can no longer install the trusted root certificate on devices that enroll as Android device administrator. This limitation doesn't affect Samsung Knox devices. For non-Samsung devices, users must manually install the trusted root certificate on the device.
After the trusted root certificate is manually installed on a device, you can use SCEP to provision certificates to the device. You must still create and deploy a trusted certificate policy to the device, and link that policy to the SCEP certificate profile.
- If the trusted root certificate is on the device, the SCEP certificate profile can install successfully.
- If the trusted certificate can't be found on the device, the SCEP certificate profile will fail.
For more information, see Trusted certificate profiles for Android device administrator.
Tri-state options for more settings in Endpoint Security Firewall policy
We've added a third state of configuration to a few more settings in Endpoint security Firewall policies for Windows 10.
The following settings are updated:
- Stateful File Transfer Protocol (FTP) now supports Not configured, Allow, and Disabled.
- Require keying modules to only ignore the authentication suites they don’t support now supports Not configured, Enabled, and Disabled.
Improved certificate deployment for Android Enterprise
We’ve improved our support for using S/MIME certificates for Outlook for encryption and signing on Android Enterprise devices that enroll as Fully Managed, Dedicated, and Corporate-Owned Work Profiles. Previously, use of S/MIME required the device user to allow access. Now, the S/MIME certificates can be used without user interaction.
To deploy S/MIME certificates to supported Android devices, use a PKCS imported certificate profile or SCEP certificate profile for Device configuration. Create a profile for Android Enterprise and then select PKCS imported certificate from the category for Fully Managed, Dedicated, and Corporate-Owned Work Profile.
Improved status details in security baseline reports
We’ve begun improving many of the status details for Security baseline. You’ll now see more meaningful and detailed status when viewing information about the baseline Versions you’ve deployed.
Specifically, when you select a baseline, select Version, and then select an instance of that baseline, the initial Overview displays the following information:
- Security baseline posture chart - This chart now displays the following status details:
  - Matches default baseline - This status replaces Matches baseline and identifies when a device's configuration matches the default (unmodified) baseline configuration.
  - Matches custom settings - This status identifies when a device's configuration matches the baseline that you've configured (customized) and deployed.
  - Misconfigured - This status is a rollup that represents three status conditions from a device: Error, Pending, or Conflict. These separate states are available from other views, as detailed below.
  - Not applicable - This status represents a device that can't receive the policy. For example, the policy updates a setting specific to the latest version of Windows, but the device runs an older (earlier) version that doesn't support that setting.
- Security baseline posture by category - This is a list view that displays device status by category. The available columns mirror much of the Security baseline posture chart, but in place of Misconfigured you'll see three columns for the statuses that make up Misconfigured:
  - Error: The policy failed to apply. The message typically displays with an error code that links to an explanation.
  - Conflict: Two settings are applied to the same device, and Intune can't sort out the conflict. An administrator should review.
  - Pending: The device hasn't checked in with Intune to receive the policy yet.
New setting for Password complexity for Android 10 and later for device administrator enrolled devices
To support new options for Android 10 and later on devices enrolled as Android device administrator, we’ve added a new setting called Password complexity to both Device compliance policy and Device restriction policy. You use this new setting to manage a measure of the password strength that factors in the password type, length, and quality.
Password Complexity doesn’t apply to Samsung Knox devices. On these devices, password length and type settings override Password complexity.
Password complexity supports the following options:
- None - No password
- Low - The password satisfies one of the following:
  - PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
- Medium - The password satisfies one of the following:
  - PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
  - Alphabetic, length at least 4
  - Alphanumeric, length at least 4
- High - The password satisfies one of the following:
  - PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
  - Alphabetic, length at least 6
  - Alphanumeric, length at least 6
This new setting remains a work in progress. In late October 2020, Password complexity will take effect on devices.
If you set Password complexity to something other than None, you must also configure an additional setting to ensure that end users who use a password that doesn’t meet your complexity requirements will receive a warning to update their password.
- Device compliance: Set Require a password to unlock mobile devices to Require.
- Device restriction: Set Password to Require.
If you don’t set the additional setting to Require, users with weak passwords won’t receive the warning.
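The bucket rules above can be checked mechanically. The following is an added Python example, not Intune's or Android's own code, that classifies a candidate password into the None/Low/Medium/High buckets exactly as the page lists them and flags which of a set of constructed sample secrets would fall below a configured level. Two points are assumptions: a "repeating or ordered sequence" is taken to be a run of four or more digits with a constant step (covering 4444, 1234, 4321 and 2468), and passwords shorter than the Medium floor are placed in Low.

```python
"""Classify a password into the Android 10+ Password complexity buckets
(None, Low, Medium, High) as described in the Intune setting above.

Added example, not Intune's or Android's own code. Assumptions are marked.
"""
from enum import IntEnum
from typing import Iterable, List

# Assumption: a PIN "with repeating or ordered sequences" means a run of at
# least SEQUENCE_LEN digits whose step between neighbours is constant.
# Step 0 covers 4444, step +1/-1 covers 1234/4321, step 2 covers 2468.
SEQUENCE_LEN = 4


class Complexity(IntEnum):
    NONE = 0    # no password
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def max_constant_step_run(digits: str) -> int:
    """Longest run of digits with a constant difference between neighbours.
    '4444' -> 4, '1234' -> 4, '1235' -> 3, '1212' -> 2."""
    if len(digits) < 2:
        return len(digits)
    best = run = 2
    step = int(digits[1]) - int(digits[0])
    for i in range(2, len(digits)):
        cur = int(digits[i]) - int(digits[i - 1])
        if cur == step:
            run += 1
        else:
            step = cur
            run = 2
        best = max(best, run)
    return best


def password_kind(password: str) -> str:
    """Bucket a password as one of the page's types: 'none', 'pin',
    'alphabetic' or 'alphanumeric'. Assumption: 'alphabetic' means no digits
    at all (letters or symbols); 'alphanumeric' means at least one digit and
    at least one non-digit character."""
    if password == "":
        return "none"
    has_digit = any(c.isdigit() for c in password)
    has_other = any(not c.isdigit() for c in password)
    if has_digit and not has_other:
        return "pin"
    if has_digit:
        return "alphanumeric"
    return "alphabetic"


# Minimum lengths per bucket and password type, straight from the page.
MIN_LEN = {
    Complexity.MEDIUM: {"pin": 4, "alphabetic": 4, "alphanumeric": 4},
    Complexity.HIGH: {"pin": 8, "alphabetic": 6, "alphanumeric": 6},
}


def complexity(password: str) -> Complexity:
    """Highest bucket the password satisfies."""
    kind = password_kind(password)
    if kind == "none":
        return Complexity.NONE
    # A PIN containing a repeating or ordered sequence never gets past Low,
    # whatever its length (the page puts such PINs in Low only).
    if kind == "pin" and max_constant_step_run(password) >= SEQUENCE_LEN:
        return Complexity.LOW
    n = len(password)
    if n >= MIN_LEN[Complexity.HIGH][kind]:
        return Complexity.HIGH
    if n >= MIN_LEN[Complexity.MEDIUM][kind]:
        return Complexity.MEDIUM
    # Assumption: anything below the Medium floor is treated as Low.
    return Complexity.LOW


def meets(password: str, required: Complexity) -> bool:
    """True if the password satisfies the configured Password complexity."""
    return complexity(password) >= required


def below_policy(passwords: Iterable[str], required: Complexity) -> List[str]:
    """Secrets that would trigger the update-your-password warning once
    Password complexity is enforced together with Password set to Require."""
    return [p for p in passwords if not meets(p, required)]


# Constructed sample secrets (not real user data) to exercise every bucket.
SAMPLES = ["", "4444", "1234", "4321", "2468", "1235", "1212", "27183846",
           "abc", "abcd", "abcdef", "a1", "ab12", "ab12cd", "p@ss", "p@ss1"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:12} {password_kind(p):13} {complexity(p).name}")
    print("Below Medium:", below_policy(SAMPLES, Complexity.MEDIUM))
```

Note that on Samsung Knox devices the page says the length and type settings override Password complexity, so this classifier describes the non-Knox behaviour only.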
Monitor and troubleshoot
Endpoint analytics is generally available
Endpoint analytics aims to improve user productivity and reduce IT support costs by providing insights into the user experience. These insights enable IT to optimize the end-user experience with proactive support and to detect regressions to the user experience by assessing user impact of configuration changes. For more information, see Endpoint analytics.
Bulk actions for devices listed in operational report
As part of the new antivirus reports coming out under Microsoft Endpoint Manager security, the Windows 10 detected malware operational report provides bulk actions that are applicable to the devices selected within the report. Actions include Restart, Quick scan, and Full scan. For more information, see Windows 10 detected malware report.
Export Intune reports using Graph APIs
All reports that have been migrated to the Intune reporting infrastructure will be available for export from a single top-level export API. For more information, see Export Intune reports using Graph APIs.
New and improved Microsoft Defender Antivirus reporting for Windows 10 and newer
We're adding four new reports for Microsoft Defender Antivirus on Windows 10 in Microsoft Endpoint Manager. These reports include:
- Two operational reports, Windows 10 unhealthy endpoints and Windows 10 detected malware. In Microsoft Endpoint Manager, select Endpoint security > Antivirus.
- Two organizational reports, Antivirus agent status and Detected malware. In Microsoft Endpoint Manager, select Reports > Microsoft Defender Antivirus.
New Windows 10 feature update report
The Windows 10 feature update report provides an overall view of compliance for devices that are targeted with a Windows 10 feature updates policy. In the Microsoft Endpoint Manager admin center, select Reports > Windows updates to view the summary for this report. To see reports for specific policies, from the Windows updates workload, select the Reports tab and open the Windows Feature Update Report. For more information, see Windows 10 feature updates.
Week of September 7, 2020
Tenant attach: Device timeline in the admin center
When Configuration Manager synchronizes a device to Microsoft Endpoint Manager through tenant attach, you'll be able to see a timeline of events. This timeline shows past activity on the device that can help you troubleshoot problems. For more information, see Tenant attach: Device timeline in the admin center.
Tenant attach: Resource explorer in the admin center
From the Microsoft Endpoint Manager admin center, you can view hardware inventory for uploaded Configuration Manager devices by using resource explorer. For more information, see Tenant attach: Resource explorer in the admin center.
Tenant attach: CMPivot from the admin center
Bring the power of CMPivot to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to initiate real-time queries from the cloud against an individual ConfigMgr managed device and return the results to the admin center. This gives all the traditional benefits of CMPivot, which allows IT admins and other designated personas to quickly assess the state of devices in their environment and take action.
Week of August 31, 2020
New version of the PFX Certificate Connector and changes for PKCS certificate profile support
We’ve released a new version of the PFX Certificate Connector, version 6.2008.60.607. This new connector version:
- Supports PKCS certificate profiles on all supported platforms except Windows 8.1.
  - We've consolidated all of the PKCS support in the PFX Certificate Connector. This means that if you don't use SCEP in your environment, and don't use NDES for other intents, you can remove the Microsoft Certificate Connector and uninstall NDES from your environment.
  - Because the Microsoft Certificate Connector hasn't had functionality removed, you can continue to use it to support PKCS certificate profiles.
- Supports certificate revocation for Outlook S/MIME.
- Requires .NET Framework 4.7.2.
For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.
Week of August 24, 2020 (2008 Service release)
Associated licenses revoked before deletion of Apple VPP token
When you delete an Apple VPP token in Microsoft Endpoint Manager, all Intune-assigned licenses associated with that token are automatically revoked before the deletion.
Improvement to Update device settings page in Company Portal app for Android to show descriptions
In the Company Portal app on Android devices, the Update device settings page lists the settings that need to be updated for the device to be compliant. Users expand the issue to see more information and the Resolve button.
This user experience is improved. The listed settings are expanded by default to show the description, and show the Resolve button, when applicable. Previously, the issues were collapsed by default. This new default behavior reduces the number of clicks, so users can resolve issues more quickly.
Use NetMotion as a VPN connection type for iOS/iPadOS and macOS devices
When you create a VPN profile, NetMotion is available as a VPN connection type (Devices > Device configuration > Create profile > iOS/iPadOS or macOS for platform > VPN for profile > NetMotion for connection type).
For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.
More Protected Extensible Authentication Protocol (PEAP) options for Windows 10 Wi-Fi profiles
On Windows 10 devices, you can create Wi-Fi profiles using the Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Wi-Fi for profile > Enterprise).
When you select Protected EAP (PEAP), there are new settings available:
- Perform server validation in PEAP phase 1: In PEAP negotiation phase 1, the server is verified by the certificate validation.
- Disable user prompts for server validation in PEAP phase 1: In PEAP negotiation phase 1, user prompts asking to authorize new PEAP servers for trusted certification authorities aren't shown.
- Require cryptographic binding: Prevents connections to PEAP servers that don't use cryptobinding during the PEAP negotiation.
To see the settings you can configure, go to Add Wi-Fi settings for Windows 10 and later devices.
Applies to:
- Windows 10 and newer
Prevent users from unlocking Android Enterprise work profile devices using face and iris scanning
You can now prevent users from using face or iris scanning to unlock their work profile-managed devices, either at the device level or the work profile level. This can be set in Devices > Configuration profiles > Create profile > Android Enterprise for platform > Work profile > Device restrictions for profile > Work profile settings and Password sections.
For more information, see Android Enterprise device settings to allow or restrict features using Intune.
Applies to:
- Android Enterprise work profile
Use SSO app extensions on more iOS/iPadOS apps with the Microsoft Enterprise SSO plug-in
The Microsoft Enterprise SSO plug-in for Apple devices can be used with all apps that support SSO app extensions. In Intune, this feature means the plug-in works with mobile iOS/iPadOS apps that don't use the Microsoft Authentication Library (MSAL) for Apple devices. The apps don't need to use MSAL, but they do need to authenticate with Azure AD endpoints.
To configure your iOS/iPadOS apps to use SSO with the plug-in, add the app bundle identifiers in an iOS/iPadOS configuration profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile > Single sign-on app extension > Microsoft Azure AD for SSO app extension type > App bundle IDs).
To see the current SSO app extension settings you can configure, go to Single sign-on app extension.
Deploy endpoint security Antivirus policy to tenant attached devices (preview)
As a preview, you can deploy endpoint security policy for Antivirus to devices you manage with Configuration Manager. This scenario requires you to configure a tenant attach between a supported version of Configuration Manager and your Intune subscription. The following versions of Configuration Manager are supported:
- Configuration Manager current branch 2006
For more information, see the [requirements for Intune endpoint security policies](../protect/tenant-attach-intune.md#requirements-for-intune-endpoint-security-policies) to support Tenant Attach.
Changes for Endpoint security Antivirus policy exclusions
We’ve introduced two changes for managing the Microsoft Defender Antivirus exclusion lists you configure as part of an Endpoint Security Antivirus policy. The changes help you to prevent conflicts between different policies and resolve exclusion list conflicts that might exist in your previously deployed policies.
Both of the changes apply to policy settings for the following Microsoft Defender Antivirus Configuration Service Providers (CSPs):
The changes are:
- New profile type: Microsoft Defender Antivirus exclusions. Use this new profile type for Windows 10 and later to define a policy that is focused only on Antivirus exclusions. This profile helps simplify management of your exclusion lists by separating them from other policy configurations. The exclusions you can configure include Defender processes, file extensions, and files and folders that you don't want Microsoft Defender to scan.
- Policy merge: Intune now merges the lists of exclusions you've defined in separate profiles into a single list of exclusions that applies to each device or user. For example, if you target a user with three separate policies, the exclusion lists from those three policies merge into a single superset of Microsoft Defender Antivirus exclusions that then applies to that user.
Import and export lists of address ranges for Windows firewall rules
We've added support to Import or Export a list of address ranges using .csv files to the Microsoft Defender Firewall rules profile in the Firewall policy for Endpoint security. The following Windows firewall rule settings now support import and export:
- Local address ranges
- Remote address ranges
We've also improved validation of both local and remote address range entry to help prevent duplicate or invalid entries.
For more information about these settings, see the settings for Microsoft Defender Firewall rules.
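The duplicate and invalid-entry validation described above can be reproduced offline before you import a list. The following is an added example (not Intune's code or the page's own), written in Python; it assumes the export is a single-column .csv with one address, CIDR block, or low-high range per line, which is not something the page specifies, and the sample list is constructed:

```python
import csv
import io
import ipaddress

# Constructed sample of an address-range list (one entry per line; that
# single-column layout is an assumption about the Intune .csv format, not
# something the page specifies). Duplicates and bad entries are deliberate.
SAMPLE_CSV = """10.0.0.0/8
10.0.0.1/8
192.168.1.10
192.168.1.10
192.168.1.1-192.168.1.50
192.168.1.50-192.168.1.1
fd00::/64
256.1.1.1
2001:db8::1
"""


def canonical_entry(raw):
    """Return a canonical form for a single address, a CIDR block or a
    low-high dash range, or None when the entry is not a valid range."""
    text = raw.strip()
    if not text:
        return None
    if "-" in text:
        lo, _, hi = text.partition("-")
        try:
            lo_ip = ipaddress.ip_address(lo.strip())
            hi_ip = ipaddress.ip_address(hi.strip())
        except ValueError:
            return None
        # Mixed address families or a reversed range is rejected, not silently fixed
        if lo_ip.version != hi_ip.version or lo_ip > hi_ip:
            return None
        return f"{lo_ip}-{hi_ip}"
    try:
        # strict=False masks host bits, so 10.0.0.1/8 and 10.0.0.0/8 compare equal
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    if net.num_addresses == 1:
        return str(net.network_address)
    return str(net)


def validate_ranges(csv_text):
    """Split CSV text into (valid, duplicates, invalid). Valid entries are
    canonical and deduplicated; duplicates and invalid keep the original text."""
    valid, seen, duplicates, invalid = [], set(), [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        raw = row[0]
        canon = canonical_entry(raw)
        if canon is None:
            invalid.append(raw.strip())
        elif canon in seen:
            duplicates.append(raw.strip())
        else:
            seen.add(canon)
            valid.append(canon)
    return valid, duplicates, invalid


if __name__ == "__main__":
    ok, dupes, bad = validate_ranges(SAMPLE_CSV)
    print("valid:", ok)
    print("duplicates:", dupes)
    print("invalid:", bad)
```

Canonicalizing before comparison is what catches the non-obvious duplicates: `10.0.0.1/8` is the same block as `10.0.0.0/8`, and a netmask-style entry such as `192.168.0.0/255.255.0.0` is the same as `192.168.0.0/16`. Reversed ranges and mixed IPv4/IPv6 endpoints are reported as invalid rather than corrected, so the person importing the list decides what was meant.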
Week of August 17, 2020
Custom brand image now displayed in the Windows Company Portal profile page
As a Microsoft Intune administrator, you can upload a custom brand image to Intune which will be displayed as a background image on the user's profile page in the Windows Company Portal app. For more information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.
The Company Portal adds Configuration Manager application support
The Company Portal now supports Configuration Manager applications, so end users on co-managed devices can see both Configuration Manager and Intune deployed applications in the Company Portal. This new version of the Company Portal displays Configuration Manager deployed apps for all co-managed customers and helps administrators consolidate their end-user portal experiences. For more information, see Use the Company Portal app on co-managed devices.
Set device compliance state from third-party MDM providers
Intune now supports third-party MDM solutions as a source of device compliance details. This third-party compliance data can be used to enforce Conditional Access policies for Microsoft 365 apps on iOS and Android through integration with Microsoft Intune. Intune evaluates the compliance details from the third-party provider to determine if a device is trusted, and then sets the conditional access attributes in Azure AD. You'll continue to create your Azure AD Conditional Access policies from within the Microsoft Endpoint Manager admin center or the Azure AD portal.
The following third-party MDM providers are supported with this release, as a public preview:
- VMware Workspace ONE UEM (previously known as AirWatch)
This update is rolling out to customers globally. You should see this capability within the next week.
Week of August 10, 2020
Tenant attach: Install an application from the admin center
You can now initiate an application install in real time for a tenant attached device from the Microsoft Endpoint Manager admin center. For more information, see Tenant attach: Install an application from the admin center.
Week of July 27, 2020
Monitor and troubleshoot
Power BI compliance report template V2.0
Power BI template apps enable Power BI partners to build Power BI apps with little or no coding, and deploy them to any Power BI customer. Admins can update the version of the Power BI compliance report template from V1.0 to V2.0. V2.0 includes an improved design, as well as changes to the calculations and data that are surfaced as part of the template. For more information, see Connect to the Data Warehouse with Power BI and Update a template app. Additionally, see the blog post Announcing a New Version of the Power BI Compliance Report with Intune Data Warehouse.
Week of July 13, 2020 (2007 Service release)
Exchange On-Premises Connector support
Intune is removing support for the Exchange On-Premises Connector feature from the Intune service beginning in the 2007 (July) release. Existing customers with an active connector will be able to continue with the current functionality at this time. New customers and existing customers that do not have an active connector will no longer be able to create new connectors or manage Exchange ActiveSync (EAS) devices from Intune. For those customers, Microsoft recommends the use of Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook Mobile for Exchange on-premises.
S/MIME for Outlook on iOS and Android devices without enrollment
You can now enable S/MIME for Outlook on iOS and Android devices using an app configuration policy for managed apps. This allows for policy delivery regardless of device enrollment state. In Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed apps. Additionally, you can choose whether or not to allow users to change this setting in Outlook. However, to automatically deploy S/MIME certificates to Outlook for iOS and Android, the device must be enrolled. For general information about S/MIME, see S/MIME overview to sign and encrypt email in Intune. For more information about Outlook configuration settings, see Microsoft Outlook configuration settings and Add app configuration policies for managed apps without device enrollment. For Outlook for iOS and Android S/MIME information, see S/MIME scenarios and Configuration keys - S/MIME settings.
New VPN settings for Windows 10 and newer devices
When you create a VPN profile using the IKEv2 connection type, there are new settings you can configure (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > VPN for profile > Base VPN):
- Device Tunnel: Allows devices to automatically connect to VPN without requiring any user interaction, including user log-on. This feature requires you to enable Always On, and use Machine certificates as the authentication method.
- Cryptography suite settings: Configure the algorithms used to secure IKE and child security associations, which allow you to match client and server settings.
To see the settings you can configure, go to Windows device settings to add VPN connections using Intune.
Applies to:
- Windows 10 and newer
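To make the Device Tunnel prerequisite concrete, the following added example (not the page's or Microsoft's code) parses a constructed VPNv2 CSP ProfileXML of the kind Intune writes for an IKEv2 Base VPN profile and checks that a profile with DeviceTunnel set also has Always On and machine certificate authentication. It goes one step beyond the page by also flagging legacy algorithms in the Cryptography suite; the host name, route, and the list of algorithm values treated as weak are assumptions:

```python
import xml.etree.ElementTree as ET

# Constructed ProfileXML of the kind Intune writes to the VPNv2 CSP for an
# IKEv2 device tunnel. Host name, route and algorithm choices are illustrative.
DEVICE_TUNNEL_XML = """<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
"""

# Constructed counterexample: Device Tunnel set without its prerequisites,
# and a cryptography suite built from legacy algorithms.
BAD_PROFILE_XML = """<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
    </Authentication>
    <CryptographySuite>
      <EncryptionMethod>DES3</EncryptionMethod>
      <IntegrityCheckMethod>MD5</IntegrityCheckMethod>
      <DHGroup>Group2</DHGroup>
      <PfsGroup>PFS2</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
"""

# Suite values a reviewer would reject today (assumption: this is the
# example author's judgement, not a Microsoft-published list).
WEAK_SUITE_VALUES = {"DES", "DES3", "MD5", "MD596", "SHA196",
                     "Group1", "Group2", "PFS1", "PFS2", "None"}


def check_profile(xml_text):
    """Return a list of findings for one ProfileXML; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    findings = []

    def value(path):
        node = root.find(path)
        return node.text.strip() if node is not None and node.text else None

    if value("NativeProfile/NativeProtocolType") != "IKEv2":
        findings.append("Device Tunnel and Cryptography suite settings require the IKEv2 connection type")
    if value("DeviceTunnel") == "true":
        # The two prerequisites the page states for Device Tunnel
        if value("AlwaysOn") != "true":
            findings.append("DeviceTunnel requires AlwaysOn=true")
        if value("NativeProfile/Authentication/MachineMethod") != "Certificate":
            findings.append("DeviceTunnel requires machine certificate authentication")
    suite = root.find("NativeProfile/CryptographySuite")
    if suite is None:
        findings.append("no CryptographySuite: client and server will negotiate Windows defaults")
    else:
        for setting in suite:
            chosen = (setting.text or "").strip()
            if chosen in WEAK_SUITE_VALUES:
                findings.append(f"weak {setting.tag}: {chosen}")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("device tunnel", DEVICE_TUNNEL_XML), ("bad", BAD_PROFILE_XML)):
        print(name, "->", check_profile(xml_text) or "OK")
```

Run against the exported ProfileXML of an existing profile (or the XML you are about to push as a custom OMA-URI), the check refuses a Device Tunnel profile that would silently fall back to a user tunnel, and it surfaces a suite that a server administrator might have matched to old defaults rather than to what the client should accept.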
Configure more Microsoft Launcher settings in a device restrictions profile on Android Enterprise devices (COBO)
On Android Enterprise Fully Managed devices, you can configure more Microsoft Launcher settings using a device restrictions profile (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner only > Device restrictions > Device experience > Fully managed).
To see these settings, go to Android Enterprise device settings to allow or restrict features.
You can also configure the Microsoft Launcher settings using an app configuration profile.
Applies to:
- Android Enterprise device owner fully managed devices (COBO)
New features for Managed Home Screen on Android Enterprise device owner dedicated devices (COSU)
On Android Enterprise devices, administrators can use device configuration profiles to customize the Managed Home Screen on dedicated devices using multi-app kiosk mode (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile > Device experience > Dedicated device > Multi-app).
Specifically, you can:
- Customize icons, change the screen orientation, and show app notifications on badge icons
- Hide the Managed Settings shortcut
- Get easier access to the debug menu
- Create an allowed list of Wi-Fi networks
- Get easier access to the device information
For more information, see Android Enterprise device settings to allow or restrict features and this blog.
Applies to:
- Android Enterprise device owner, dedicated devices (COSU)
Administrative templates updated for Microsoft Edge 84
The ADMX settings available for Microsoft Edge have been updated. You can now configure and deploy the new ADMX settings added in Microsoft Edge 84. For more information, see the Edge 84 release notes.
Corporate-owned, personally enabled devices (preview)
Intune now supports Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and above. Corporate-owned devices with a work profile is one of the corporate management scenarios in the Android Enterprise solution set. This scenario is for single user devices intended for corporate and personal use. This corporate-owned, personally enabled (COPE) scenario offers:
- work and personal profile containerization
- device-level control for admins
- a guarantee for end users that their personal data and applications will remain private
The first public preview release will include a subset of the features that will be included in the generally available release. Additional features will be added on a rolling basis. The features that will be available in the first preview include:
- Enrollment: Admins can create multiple enrollment profiles with unique tokens that do not expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
- Device configuration: A subset of the existing fully managed and dedicated device settings.
- Device compliance: The compliance policies that are currently available for fully managed devices.
- Device Actions: Delete device (factory reset), reboot device, and lock device.
- App management: App assignments, app configuration, and the associated reporting capabilities
- Conditional Access
For more information about corporate-owned with work profile preview, see the support blog.
Updates to the remote lock action for macOS devices
Changes to the remote lock action for macOS devices include:
- The recovery PIN is displayed for 30 days before deletion (instead of 7 days).
- If an admin has a second browser open and tries to trigger the command again from a different tab or browser, Intune lets the command go through, but the reporting status is set to failed rather than generating a new PIN.
- The admin isn't allowed to issue another remote lock command if the previous command is still pending or if the device hasn't checked back in. These changes are designed to prevent the correct PIN from being overwritten by multiple remote lock commands.
Device actions report differentiates between wipe and protected wipe
The Device actions report now differentiates between the wipe and protected wipe actions. To see the report, go to Microsoft Endpoint Manager admin center > Devices > Monitor > Device Actions (under Other).
Microsoft Defender Firewall rule migration tool preview
As a public preview, we're working on a PowerShell based tool that will migrate Microsoft Defender Firewall rules. When you install and run the tool, it automatically creates endpoint security firewall rule policies for Intune that are based on the current configuration of a Windows 10 client. For more information, see Endpoint security firewall rule migration tool overview.
Endpoint detection and response policy for onboarding Tenant Attached devices to MDATP is Generally Available
As part of endpoint security in Intune, the Endpoint detection and response (EDR) policies for use with devices managed by Configuration Manager are no longer in preview and are now Generally Available.
To use EDR policy with devices from a supported version of Configuration Manager, configure Tenant attach for Configuration Manager. After you complete the tenant attach configuration, you can deploy EDR policies to onboard devices managed by Configuration Manager to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
Bluetooth settings are available in Device Control profiles for Endpoint security Attack surface reduction policy
We've added settings to manage Bluetooth on Windows 10 devices to the Device control profile for Endpoint security Attack surface Reduction policy. These are the same settings as those that have been available in Device restriction profiles for Device configuration.
Manage source locations for definition updates with endpoint security antivirus policy for Windows 10 devices
We've added two new settings to the Updates category of endpoint security antivirus policy for Windows 10 devices that can help you manage how devices get update definitions:
- Define file shares for downloading definition updates
- Define the order of sources for downloading definition updates
With the new settings, you can add UNC file shares as download source locations for definition updates, and define the order in which different source locations are contacted.
Improved security baselines node
We've made some changes to improve the usability of the security baselines node in the Microsoft Endpoint Manager admin center. Now when you drill in to Endpoint security > Security baselines and then select a security baseline type like the MDM Security Baseline, you're presented with the Profiles pane, which lists the profiles you've created for that baseline type. Previously the console presented an Overview pane with an aggregate data roll-up that didn't always match the details found in the reports for individual profiles.
As before, from the Profiles pane you can select a profile to drill in to view that profile's properties and the various reports that are available under Monitor. Similarly, at the same level as Profiles you can still select Versions to view the various versions of that baseline type that you've deployed. When you drill in to a version, you also gain access to reports similar to the profile reports.
Derived credentials support for Windows
You can now use derived credentials with your Windows devices. This will expand on the existing support for iOS/iPadOS and Android, and will be available for the same derived credential providers:
- Entrust Datacard
- DISA Purebred
Support for Windows includes use of a derived credential to authenticate to Wi-Fi or VPN profiles. For Windows devices, the derived credential is issued from the client app that's provided by the derived credential provider that you use.
Manage FileVault encryption for devices that were encrypted by the device user and not by Intune
Intune can now assume management of FileVault disk encryption on a macOS device that was encrypted by the device user, and not by Intune policy. This scenario requires:
- The device to receive disk encryption policy from Intune that enables FileVault.
- The device user to use the Company Portal website to upload their personal recovery key for the encrypted device to Intune. To upload the key, they select the Store recovery key option for their encrypted macOS device.
After the user uploads their recovery key, Intune rotates the key to confirm it is valid. Intune can now manage the key and encryption as if it used policy to encrypt the device directly. Should a user need to recover their device, they can access the recovery key using any device from the following locations:
- Company Portal website
- Company Portal app for iOS/iPadOS
- Company Portal app for Android
- Intune app
Hide the personal recovery key from a device user during macOS FileVault disk encryption
When you use endpoint security policy to configure macOS FileVault disk encryption, use the Hide recovery key setting to prevent display of the personal recovery key to the device user, while the device is being encrypted. By hiding the key during encryption, you can help keep it secure as users won’t be able to write it down while waiting for the device to encrypt.
Later, if recovery is needed, a user can always use any device to view their personal recovery key through the Intune Company Portal website, the iOS/iPadOS Company Portal, the Android Company Portal, or the Intune app.
Improved view of security baseline details for devices
You can now drill-in to the details for a device to view the settings details for security baselines that apply to the device. The settings appear in a simple, flat list, which includes the setting category, setting name, and status. For more information, see View Endpoint security configurations per device.
Monitor and troubleshoot
Device compliance logs now in English
The Intune DeviceComplianceOrg logs previously only had enumerations for ComplianceState, OwnerType, and DeviceHealthThreatLevel. Now, these logs have English information in the columns.
Role-based access control
Assign profile and Update profile permission changes
Role-based access control permissions have changed for Assign profile and Update profile for the Automated Device Enrollment flow:
Assign profile: Admins with this permission can also assign the profiles to tokens and assign a default profile to a token for Automated Device Enrollment.
Update profile: Admins with this permission can update existing profiles only for Automated Device Enrollment.
To see these roles, go to Microsoft Endpoint Manager admin center > Tenant administration > Roles > All roles > Create > Permissions > Roles.
Additional Data Warehouse v1.0 properties
Additional properties are available using the Intune Data Warehouse v1.0. The following properties are now exposed via the devices entity:
- ethernetMacAddress: The unique network identifier of this device.
- office365Version: The version of Microsoft 365 that is installed on the device.
The following properties are now exposed via the devicePropertyHistories entity:
- physicalMemoryInBytes: The physical memory in bytes.
- totalStorageSpaceInBytes: Total storage capacity in bytes.
For more information, see Microsoft Intune Data Warehouse API.
Week of July 06, 2020
Update to device icons in Company Portal and Intune apps on Android
We have updated the device icons in the Company Portal and Intune apps on Android devices to create a more modern look and feel and to align with the Microsoft Fluent Design System. For related information, see Update to icons in Company Portal app for iOS/iPadOS and macOS.
iOS Company Portal will support Apple's Automated Device Enrollment without user affinity
The iOS Company Portal is now supported on devices enrolled using Apple's Automated Device Enrollment without an assigned user. An end user can sign in to the iOS Company Portal to establish themselves as the primary user on an iOS/iPadOS device enrolled without user affinity. For more information about Automated Device Enrollment, see Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrollment.
Tenant attach: ConfigMgr client details in the admin center (preview)
You can now see ConfigMgr client details including collections, boundary group membership, and real-time client information for a specific device in the Microsoft Endpoint Manager admin center. For more information, see Tenant attach: ConfigMgr client details in the admin center (preview).
Week of June 22, 2020
Newly available protected apps for Intune
The following protected apps are now available:
- BlueJeans Video Conferencing
- Cisco Jabber for Intune
- Tableau Mobile for Intune
- ZERO for Intune
For more information about protected apps, see Microsoft Intune protected apps.
Monitor and troubleshoot
Use Endpoint analytics to improve user productivity and reduce IT support costs
During the next week, this feature will be rolled out. Endpoint analytics aims to improve user productivity and reduce IT support costs by providing insights into the user experience. The insights enable IT to optimize the end-user experience with proactive support and to detect regressions to the user experience by assessing user impact of configuration changes. For more information, see Endpoint analytics preview.
Proactively remediate end user device issues using script packages
You can create and run script packages on end user devices to proactively find and fix the top support issues in your organization. Deploying script packages will help you reduce support calls. Choose to create your own script packages or deploy one of the script packages we've written and used in our environment to reduce support tickets. Intune allows you to see the status of your deployed script packages and to monitor the detection and remediation results. In Microsoft Endpoint Manager admin center, select Reports > Endpoint analytics > Proactive remediations. For more information, see Proactive remediations.
Use Microsoft Defender ATP in compliance policies for Android
You can now use Intune to onboard Android devices to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). After your enrolled devices are onboarded, your compliance policies for Android can use the threat level signals from Microsoft Defender ATP. These are the same signals that you could previously use for Windows 10 devices.
Configure Defender ATP web protection for Android devices
When you use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android devices, you can configure Microsoft Defender ATP web protection to disable the phishing scan feature, or prevent the scan from using VPN.
Depending on how your Android device enrolls with Intune, the following options are available:
- Android device administrator - Use custom OMA-URI settings to disable the web protection feature, or disable only the use of VPNs during scans.
- Android Enterprise work profile - Use an app configuration profile and the configuration designer to disable all web protection capabilities.
Week of June 15, 2020 (2006 Service release)
Telecommunications data transfer protection for managed apps
When a hyperlinked phone number is detected in a protected app, Intune checks whether an app protection policy has been applied that allows the number to be transferred to a dialer app. You can choose how to handle this type of content transfer when it is initiated from a policy managed app. When creating an app protection policy in Microsoft Endpoint Manager, select a managed app option from the Send org data to other apps setting, then select an option from Transfer telecommunications data to. For more information about this data protection setting, see Android app protection policy settings in Microsoft Intune and iOS app protection policy settings.
Unified delivery of Azure Active Directory Enterprise and Office Online applications in the Windows Company Portal
On the Customization pane of Intune, you can select to Hide or Show both Azure AD Enterprise applications and Office Online applications in the Company Portal. Each end-user will see their entire application catalog from the chosen Microsoft service. By default, each additional app source will be set to Hide. This feature will first take effect in the Company Portal website, with support in the Windows Company Portal expected to follow. In the Microsoft Endpoint Manager admin center, select Tenant administration > Customization to find this configuration setting. For related information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.
Improvements to the Company Portal for macOS enrollment experience
The Company Portal for macOS enrollment experience has a simpler enrollment process that aligns more closely with the Company Portal for iOS enrollment experience. Device users will see:
- A sleeker user interface.
- An improved enrollment checklist.
- Clearer instructions about how to enroll their devices.
- Improved troubleshooting options.
For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.
Improvements to Devices page of iOS/iPadOS and macOS Company Portals
We've made changes to the Company Portal Devices page to improve the app experience for iOS/iPadOS and Mac users. In addition to creating a more modern look and feel, we reorganized the device details under a single column with defined section headers so that it's easier for users to see their device status. We also added clearer messaging and troubleshooting steps for users whose devices fall out of compliance. For more information about Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app. To manually sync a device, see Sync your iOS device manually.
Cloud setting for iOS/iPadOS Company Portal app
A new Cloud setting for the iOS/iPadOS Company Portal allows users to redirect their authentication towards the appropriate cloud for your organization. By default, the setting is configured to Automatic, which directs authentication towards the cloud automatically detected by the user's device. If authentication for your organization must be redirected towards a cloud other than the cloud that is automatically detected (such as Public or Government), your users can manually select the appropriate cloud by selecting the Settings app > Company Portal > Cloud. Your users should only change the Cloud setting from Automatic if they are signing in from another device and the appropriate cloud is not automatically detected by their device.
Duplicate Apple VPP tokens
Apple VPP tokens with the same Token Location are now marked as Duplicate and can be synced again when the duplicate token has been removed. You can still assign and revoke licenses for tokens that are marked as duplicate. However, licenses for new apps and books purchased may not be reflected once a token is marked as duplicate. To find Apple VPP tokens for your tenant, from Microsoft Endpoint Manager admin center, select Tenant administration > Connectors and tokens > Apple VPP Tokens. For more information about VPP tokens, see How to manage iOS and macOS apps purchased through Apple Volume Purchase Program with Microsoft Intune.
Add multiple root certificates for EAP-TLS authentication in Wi-Fi profiles on macOS devices
On macOS devices, you can create a Wi-Fi profile, and select the Extensible Authentication Protocol (EAP) authentication type (Devices > Configuration profiles > Create profile > macOS for platform > Wi-Fi for profile > Wi-Fi type set to Enterprise).
When you set the EAP Type to EAP-TLS, EAP-TTLS, or PEAP authentication, you can add multiple root certificates. Previously, you could only add one root certificate.
For more information on the settings you can configure, see Add Wi-Fi settings for macOS devices in Microsoft Intune.
Use PKCS certificates with Wi-Fi profiles on Windows 10 and newer devices
You can authenticate Windows Wi-Fi profiles with SCEP certificates (Device configuration > Profiles > Create profile > Windows 10 and later for platform > Wi-Fi for profile type > Enterprise > EAP type). Now, you can use PKCS certificates with your Windows Wi-Fi profiles. This feature allows users to authenticate Wi-Fi profiles using new or existing PKCS certificate profiles in your tenant.
For more information on the Wi-Fi settings you can configure, see Add Wi-Fi settings for Windows 10 and later devices in Intune.
Applies to:
- Windows 10 and newer
Wired network device configuration profiles for macOS devices
A new macOS device configuration profile is available that configures wired networks (Devices > Configuration profiles > Create profile > macOS for platform > Wired Network for profile). Use this feature to create 802.1x profiles to manage wired networks, and deploy these wired networks to your macOS devices.
For more information in this feature, see Wired networks on macOS devices.
Use Microsoft Launcher as the default launcher for fully managed Android Enterprise devices
On Android Enterprise device owner devices, you can set Microsoft Launcher as the default launcher for fully managed devices (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device owner > Device restrictions for profile > Device experience). To configure all other Microsoft Launcher settings, use app configuration policies.
Also, there are some other UI updates, including Dedicated devices being renamed to Device experience.
To see all the settings you can restrict, see Android Enterprise device settings to allow or restrict features using Intune.
Applies to:
- Android Enterprise device owner fully managed devices (COBO)
Use Autonomous Single App Mode settings to configure the iOS Company Portal app to be a sign in/sign out app
On iOS/iPadOS devices, you can configure apps to run in autonomous single app mode (ASAM). Now, the Company Portal app supports ASAM, and can be configured to be a "sign in/sign out" app. In this mode, users must sign in to the Company Portal app to use other apps and the Home screen button on the device. When they sign out of the Company Portal app, the device returns to single app mode, and locks on the Company Portal app.
To configure the Company Portal to be in ASAM, go to Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile > Autonomous Single App Mode.
Configure content caching on macOS devices
On macOS devices, you can create a configuration profile that configures content caching (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile). Use these settings to delete cache, allow shared cache, set a cache limit on the disk, and more.
For more information on content caching, see ContentCaching (opens Apple's web site).
To see the settings you can configure, go to macOS device feature settings in Intune.
Add new schema settings, and search for existing schema settings using OEMConfig on Android Enterprise
In Intune, you can use OEMConfig to manage settings on Android Enterprise devices (Devices > Configuration profiles > Create profile > Android Enterprise for platform > OEMConfig for profile). When you use the Configuration designer, the properties in the app schema are shown. Now, in the Configuration designer, you can:
- Add new settings to the app schema.
- Search for new and existing settings in the app schema.
For more information on OEMConfig profiles in Intune, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.
Applies to:
- Android Enterprise
Block Shared iPad temporary sessions on Shared iPad devices
In Intune, there's a new Block Shared iPad temporary sessions setting that blocks temporary sessions on Shared iPad devices (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type > Shared iPad). When enabled, end users can't use the Guest account. They must sign in to the device with their Managed Apple ID and password.
For more information, see iOS and iPadOS device settings to allow or restrict features.
Applies to:
- Shared iPad devices running iOS/iPadOS 13.4 and newer
Bring-your-own-devices can use VPN to deploy
The new Autopilot profile Skip Domain Connectivity Check toggle lets you deploy Hybrid Azure AD Join devices without access to your corporate network, using your own third-party Win32 VPN client. To see the new toggle, go to Microsoft Endpoint Manager admin center > Devices > Windows > Windows enrollment > Deployment profiles > Create profile > Out-of-box experience (OOBE).
Enrollment Status Page profiles can be set to device groups
Previously, Enrollment Status Page (ESP) profiles could only be targeted to user groups. Now you can also set them to target device groups. For more information, see Set up an Enrollment Status Page.
Automated Device Enrollment sync errors
New errors are now reported for iOS/iPadOS and macOS devices, including:
- Invalid characters in the phone number, or an empty phone number field.
- Invalid or empty configuration name for the profile.
- Invalid or expired cursor value, or no cursor found.
- Rejected or expired token.
- Empty department field, or a department value that is too long.
- Profile not found by Apple, so a new one needs to be created.
A count of removed Apple Business Manager devices is also added to the overview page where you see the status of your devices.
Shared iPads for Business
You can use Intune and Apple Business Manager to easily and securely set up Shared iPad so that multiple employees can share devices. Apple's Shared iPad provides a personalized experience for multiple users while preserving user data. Using a Managed Apple ID, users can access their apps, data, and settings after signing into any Shared iPad in their organization. Shared iPad works with federated identities.
To see this feature, go to Microsoft Endpoint Manager admin center > Devices > iOS > iOS enrollment > Enrollment program tokens > choose a token > Profiles > Create profile > iOS. On the Management Settings page, select Enroll without User Affinity and you'll see the Shared iPad option.
Requires: iPadOS 13.4 and later. This release added support for temporary sessions with Shared iPad so that users can access a device without a Managed Apple ID. Upon logout, the device erases all user data so that the device is immediately ready for use, eliminating the need for a device wipe.
Updated user interface for Apple's Automated Device Enrollment
The user interface has been updated to replace the term Apple's Device Enrollment Program with Automated Device Enrollment, to reflect Apple terminology.
Device remote lock pin available for macOS
The availability for macOS device remote lock pins has been increased from 7 days to 30 days.
Change primary user on co-managed devices
You can change a device's primary user for co-managed Windows devices. For more information on how to find and change it, see Find the primary user of an Intune device. This feature will be rolling out gradually over the next few weeks.
Setting the Intune primary user also sets the Azure AD owner property
This new feature automatically sets the owner property on newly-enrolled Hybrid Azure AD joined devices at the same time that the Intune primary user is set. For more information on the primary user, see Find the primary user of an Intune device.
This is a change to the enrollment process and only applies to newly enrolled devices. For existing Hybrid Azure AD Joined devices, you must manually update the Azure AD Owner property. To do this, you can use the Change primary user feature or a script.
When Windows 10 devices become Hybrid Azure Active Directory Joined, the first user of the device becomes the primary user in Endpoint Manager. Currently, that user isn't set on the corresponding Azure AD device object. This causes an inconsistency when comparing the owner property in the Azure AD portal with the primary user property in the Microsoft Endpoint Manager admin center. The Azure AD owner property is used for securing access to BitLocker recovery keys, and because it isn't populated on Hybrid Azure AD Joined devices, self-service BitLocker recovery from Azure AD can't be set up for them. This upcoming feature removes that limitation.
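One way to script the manual update described above for existing devices, as an added example that is not Microsoft's script: it assumes the Microsoft.Graph PowerShell SDK, the permission scopes listed in the code (an assumption; adjust to what your tenant grants), and that the Intune managed device's userId is the primary user to copy onto the Azure AD device's registered owner.

```powershell
# Added example, not Microsoft's own script: for already-enrolled Hybrid Azure AD
# joined Windows devices, copy the Intune primary user onto the Azure AD device's
# registered owner so BitLocker recovery-key self-service works for that user.
# Assumes the Microsoft.Graph PowerShell SDK; the permission scopes are an
# assumption, so adjust them to what your tenant's admin roles actually grant.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.ReadWrite.All'

$graph  = 'https://graph.microsoft.com/v1.0'
$DryRun = $true   # set to $false to actually write the owner property

# Fetch every page of a Graph collection by following @odata.nextLink.
function Get-GraphPages {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += @($page.value)
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Intune managed devices: userId is the primary user, azureADDeviceId links to Azure AD.
$managed = Get-GraphPages ("$graph/deviceManagement/managedDevices?" +
                           '$select=id,deviceName,operatingSystem,azureADDeviceId,userId')

foreach ($md in $managed | Where-Object { $_.operatingSystem -eq 'Windows' -and $_.userId }) {
    # Resolve the Azure AD device object by its deviceId (a GUID), not by object id.
    $aad = Get-GraphPages ("$graph/devices?" +
                           ('$filter=deviceId eq ''{0}''&$select=id,displayName,trustType' -f $md.azureADDeviceId))
    if (-not $aad) { Write-Warning "$($md.deviceName): no matching Azure AD device"; continue }
    $dev = $aad[0]

    # The notice concerns Hybrid Azure AD joined devices; Graph reports them as trustType 'ServerAd'.
    if ($dev.trustType -ne 'ServerAd') { continue }

    $ownerIds = Get-GraphPages "$graph/devices/$($dev.id)/registeredOwners" | ForEach-Object { $_.id }
    if ($ownerIds -contains $md.userId) {
        Write-Host "$($md.deviceName): owner already matches the Intune primary user"
        continue
    }

    if ($DryRun) {
        Write-Host "$($md.deviceName): would set owner to user $($md.userId)"
        continue
    }

    # Add the primary user as a registered owner (the Azure AD 'Owner' property).
    Invoke-MgGraphRequest -Method POST -Uri "$graph/devices/$($dev.id)/registeredOwners/`$ref" `
        -Body @{ '@odata.id' = "$graph/directoryObjects/$($md.userId)" }
    Write-Host "$($md.deviceName): owner set to user $($md.userId)"
}
```

Run it first with `$DryRun = $true` to review which devices would change, then rerun with `$DryRun = $false`.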
Hide the recovery key from users during FileVault 2 encryption for macOS devices
We've added a new setting to the FileVault category within the macOS Endpoint Protection template: Hide recovery key. This setting hides the personal key from the end user during FileVault 2 encryption.
To view the personal recovery key of an encrypted macOS device, the device user can go to any of the following locations and select Get recovery key for the macOS device:
- The iOS/iPadOS company portal app
- The Intune app
- The company portal website
- The Android company portal app
Support for S/MIME signing and encryption certificates with Outlook on Android Fully Managed
You can now use certificates for S/MIME signing and encryption with Outlook on devices that run Android Enterprise Fully Managed.
This expands on the support added last month for other Android versions (Support for S/MIME signing and encryption certificates with Outlook on Android). You can provision these certificates by using SCEP and PKCS imported certificate profiles.
For more information about this support, see Sensitivity labeling and protection in Outlook for iOS and Android in the Exchange documentation.
Add a link to your company portal support website to emails for noncompliance
When you configure a notification message template for sending email notifications for noncompliance, use the new setting Company Portal Website Link to automatically include a link to your Company Portal website. With this option set to Enable, users with noncompliant devices who receive email based on this template can use the link to open a website to learn more about why their device isn’t compliant.
Admins no longer require an Intune license to access Microsoft Endpoint Manager admin console
You can now set a tenant-wide toggle that removes the Intune license requirement for admins to access the MEM admin console and query graph APIs. Once you remove the license requirement, you can never reinstate it.
Some actions, including the TeamViewer Connector flow, still require an Intune license to complete.
Availability of Shell scripts on macOS devices
Shell scripts for macOS devices are now available for Government Cloud and China customers. For more information about shell scripts, see Use shell scripts on macOS devices in Intune.
Week of June 8, 2020
Updates to informational screen in Company Portal for iOS/iPadOS
An informational screen in Company Portal for iOS/iPadOS has been updated to better explain what an admin can see and do on devices. These clarifications are only about corporate-owned devices. Only the text has been updated, no actual modifications have been made to what the admin can see or do on user devices. To see the updated screens, go to UI updates for Intune end-user apps.
Updated Android APP Conditional Launch end-user experience
The 2006 release of the Android Company Portal has changes that build on the updates from the 2005 release. In 2005, we rolled out an update where end users of Android devices that are issued a warn, block, or wipe by an app protection policy see a full page message describing the reason for the warn, block, or wipe and the steps to remediate the issues. In 2006, first-time users of Android apps assigned an app protection policy will be taken through a guided flow to remediate issues that cause their app access to be blocked.
What's New archive
For previous months, see the What's New archive.
These notices provide important information that can help you prepare for future Intune changes and features.
Updated end-user experience for Android device administrator Wi-Fi profiles
Due to a change made by Google, the end-user experience for new Wi-Fi profiles is significantly different starting in the October release of the Company Portal app. Users will need to accept additional permissions, and explicitly accept Wi-Fi configurations when they're deployed. Wi-Fi configurations will not appear in the known Wi-Fi networks list, but will automatically connect when in range. There are no changes in behavior for existing Wi-Fi profiles. There are also no changes to the admin experience in the Endpoint Manager admin center.
- Android device administrator, Android 10 and later
Microsoft Intune ends support for Windows Phone 8.1 and Windows 10 Mobile
Microsoft mainstream support for Windows Phone 8.1 ended in July 2017 and extended support ended in June 2019. The Company Portal app for Windows Phone 8.1 has been in sustain mode since October 2017. Additionally, Microsoft Intune has ended support on February 20, 2020 for Windows Phone 8.1.
Microsoft mainstream support for Windows 10 Mobile ended in December 2019. As mentioned in the support statement, Windows 10 Mobile users will no longer be eligible to receive new security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft. Based on the all-up Mobile OS support, Microsoft Intune ends support for both the Company Portal for the Windows 10 Mobile app and the Windows 10 Mobile Operating System on August 10, 2020.
As of August 10, enrollments for Windows Phone 8.1 and Windows 10 Mobile devices will fail and Windows Mobile profile types are removed from the Intune UI. Devices already enrolled will no longer check into the Intune service and we will delete device and policy data.
End of support for legacy PC management
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as Mobile Device Management (MDM) devices to keep them managed by Intune.
Move to the Microsoft Endpoint Manager admin center for all your Intune management
In MC208118 posted last March, we introduced a new, simple URL for your Microsoft Endpoint Manager – Intune administration: https://endpoint.microsoft.com. Microsoft Endpoint Manager is a unified platform that includes Microsoft Intune and Configuration Manager. Starting August 1, 2020, we will remove Intune administration at https://portal.azure.com and recommend you instead use https://endpoint.microsoft.com for all your endpoint management.
Decreasing support for Android device administrator
Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then beginning with Android 5, the more modern management framework of Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device administrator management by decreasing its management support in new Android releases.
How does this affect me?
Because of these changes by Google, in October 2020, you will no longer have as extensive management capabilities on impacted device administrator-managed devices.
This date was previously communicated as fourth quarter of 2020, but it has been moved out based on the latest information from Google.
Device types that will be impacted
Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:
- Enrolled in device administrator management.
- Running Android 10 or later.
- Manufactured by any vendor other than Samsung.
Devices will not be impacted if they are any of the below:
- Not enrolled with device administrator management.
- Running an Android version below Android 10.
- Samsung devices. Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.
Settings that will be impacted
Google's decreased device administrator support prevents configuration of these settings from applying on impacted devices.
Configuration profile device restriction settings
- Block Camera
- Set Minimum password length
- Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but will apply on devices with a password)
- Set Password expiration (days)
- Set Required password type
- Set Prevent use of previous passwords
- Block Smart Lock and other trust agents
Compliance policy settings
- Set Required password type
- Set Minimum password length
- Set Number of days until password expires
- Set Number of previous passwords to prevent reuse
User experience of impacted settings on impacted devices
Impacted configuration settings:
- For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).
Impacted compliance settings:
- For already enrolled devices that already had the settings applied, the impacted compliance settings will still be enforced in the Settings app and the user will still be compliant. The Microsoft Endpoint Manager console will report these impacted settings on these devices as Not Applicable.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance will not be sent down to the device, so they will not be enforced in the Settings app and the user will still be compliant. The Microsoft Endpoint Manager console will report these impacted settings on these devices as Not Applicable.
Additional user experience change for Wi-Fi profiles
- Users will need to accept additional permissions, and explicitly accept Wi-Fi configurations when they're deployed. Wi-Fi configurations will not appear in the known Wi-Fi networks list, but will automatically connect when in range. There are no changes in behavior for existing Wi-Fi profiles. There are also no changes to the admin experience in the Endpoint Manager admin center.
Cause of impact
Devices will start to be impacted in October 2020. At that time, a Company Portal app update will raise the Company Portal API target from level 28 to level 29 (as required by Google).
At that point, device administrator-managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:
- Updates to Android 10 or later.
- Updates the Company Portal app to the version that targets API level 29.
Additional impacts based on Android OS version
Android 10: For all device administrator managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:
- Network access control for VPN will no longer work
- Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned
- The IMEI and serial number will no longer be visible to IT admins in Intune
Android 11: These are the changes that will impact device administrator managed devices when they update to Android 11:
- For device administrator devices (excluding Samsung) running Android 11 and later, Google has removed the ability for management agents like Company Portal to enforce blocking Camera, even before the October update to the Company Portal app. Policies blocking camera that are applied to devices before they update to Android 11 will continue to apply.
- With Android 11, trusted root certificates can no longer be deployed to devices enrolled with device administrator (except on Samsung devices). Users must manually install the trusted root certificate on the device. With the trusted root certificate manually installed on a device, you can then use SCEP to provision certificates to the device. In this scenario you must still create and deploy a trusted certificate policy to the device, and link that policy to the SCEP certificate profile.
- If the trusted root certificate is on the device, then the SCEP certificate profile will install successfully.
- If the trusted certificate cannot be found, the SCEP certificate profile will fail.
What do I need to do to prepare for this change?
To avoid the reduction in functionality coming in October 2020, we recommend the following:
- New enrollments: Onboard new devices into Android Enterprise management (where available) and/or app protection policies. Avoid onboarding new devices into device administrator management.
- Previously enrolled devices: If a device administrator-managed device is running Android 10 or later or may update to Android 10 or later (especially if it is not a Samsung device), move it off of device administrator management to Android Enterprise management and/or app protection policies. You can leverage the streamlined flow to move Android devices from device administrator to work profile management.
- Configure Password Complexity: For impacted devices running Android 10 and later, a future setting called Password Complexity lets you continue enforcing password restrictions and compliance. Password Complexity is a measure of password strength that factors in password type, length, and quality.
What if I have non-Samsung devices that cannot move to Android Enterprise?
Some devices can’t move from device administrator to Android Enterprise management. For example, Google hasn’t made Android Enterprise available in some markets. You can still use Intune to manage non-Samsung devices with device administrator, but the changes to functionality mentioned in this post will apply. For guidance on managing devices when Android Enterprise isn’t available, see How to use Intune in environments without Google Mobile Services.
- Move Android devices from device administrator to work profile management
- Set up enrollment of Android Enterprise work profile devices
- Set up enrollment of Android Enterprise dedicated devices
- Set up enrollment of Android Enterprise fully managed devices
- How to create and assign app protection policies
- How to use Intune in environments without Google Mobile Services
- Understanding app protection policies and work profiles on Android Enterprise devices
- Google’s blog about what you need to know about Device Admin deprecation
- Google's guidance for migration from device administrator to Android Enterprise
- Google's documentation of deprecated device administrator APIs
Plan for Change: Intune Enrollment Flow Update for Apple’s Automated Device Enrollment for iOS/iPadOS
In the July Company Portal release, we’ll be changing the iOS/iPadOS enrollment flow for Apple’s Automated Device Enrollment (formerly known as DEP). The enrollment flow change is only encountered during the “Enroll with User Affinity” flow. Previously, if you set “Install Company Portal” to “No” as part of your configuration, users could still install the Company Portal app from the store, which would then trigger enrollment and prompt the user to enter the appropriate serial number. With this upcoming Company Portal release, we’ll be removing that serial number confirmation screen. Instead, create a corresponding app configuration policy to send down alongside the Company Portal to ensure that users can successfully enroll, or set “Install Company Portal” to “Yes” as part of your configuration.
- See the post here for more info.