Week of March 17, 2025 (Service release 2503)
Microsoft Intune Suite
Endpoint Privilege Manager support for ARM 64-bit devices
Endpoint Privilege Manager (EPM) now supports managing file elevations on devices that run on ARM 64-bit architecture.
Applies to:
Windows
Device configuration
New settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, go to Create a policy using settings catalog.
There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
iOS/iPadOS
Restrictions:
Allow Apple Intelligence Report
Allow Default Calling App Modification
Allow Default Messaging App Modification
Allow Mail Smart Replies
Allow Notes Transcription
Allow Safari Summary
macOS
Remote Desktop:
Remote Desktop
Restrictions:
Allow Apple Intelligence Report
Allow Mail Smart Replies
Allow Notes Transcription
Allow Safari Summary
Device management
New settings for Windows LAPS policy
Intune policies for Windows Local Administrator Password Solution (LAPS) now include several new settings and updates to two previously available settings. LAPS, a built-in Windows solution, can help you secure the built-in local administrator account that is present on each Windows device. All the settings that you can manage through Intune LAPS policy are described in the Windows LAPS CSP.
The following new settings are available: (Each setting name is a link that opens the CSP documentation for that setting.)
Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.
By default, each setting in LAPS policies is set to Not configured, which means the addition of these new settings won't change the behavior of your existing policies. To make use of the new settings and options, you can create new profiles or edit your existing profiles.
Applies to:
Windows
Configure devices to stay on the latest OS version using declarative device management (DDM)
As part of the Settings Catalog, you can now configure devices to automatically update to the latest OS version using DDM. To use these new settings in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Enforce Latest Software Update Version: If true, devices will upgrade to the latest OS version that is available for that device model. This uses the Software Update Enforcement configuration and will force devices to restart and install the update after the deadline passes.
Delay In Days: Specify the number of days that should pass before a deadline is enforced. This delay is based on either the posting date of the new update when released by Apple, or when the policy is configured.
Install Time: Specify the local device time for when updates are enforced. This setting uses the 24-hour clock format where midnight is 00:00 and 11:59pm is 23:59. Ensure that you include the leading 0 on single digit hours. For example, 01:00, 02:00, 03:00.
Remote Help supports Azure Virtual Desktop multi-session
Remote Help now supports multi-session Azure Virtual Desktop (AVD), with several users on a single virtual machine. Previously, Remote Help supported only AVD sessions with one user on one virtual machine (VM).
You can now use Copilot to generate a KQL query to help you get data from across multiple devices in Intune. This capability is available in the Microsoft Intune admin center by selecting Devices > Device query > Query with Copilot. For more information, see Query with Copilot in device query.
Intune apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
We are introducing a new Update Substate in Service-side data. This substate is displayed in the reports for devices that are invalid in Microsoft Entra and is known as Not supported.
VPP token name more easily available in Apps workload
The VPP token name column, available in the Apps workload, allows you to quickly determine the token and app association. This column is now available in the All apps list (Apps > All apps) and the app selection pane for App configuration policies (Apps > App configuration policies). For more information about VPP apps, see Manage volume-purchased apps and books with Microsoft Intune.
Applies to:
iOS/iPadOS
macOS
Device configuration
New Windows AI settings available in the Windows settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.
There are new settings in the Settings Catalog for Windows. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later > Settings catalog for profile type.
The new settings are:
Disable AI Data Analysis
Set Deny Uri List For Recall
Set Deny App List For Recall
Set Maximum Storage Space For Recall Snapshots
Set Maximum Storage Duration For Recall Snapshots
Applies to:
Windows
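The Recall settings above map to the Policy CSP WindowsAI area. The following PowerShell audit is an added example, not code from the Intune documentation: it reads back the Windows AI policy values that reached a managed device and flags the case where Recall snapshot saving is not disabled. It assumes that MDM-delivered Policy CSP values appear under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsAI and that the Group Policy equivalents live under Software\Policies\Microsoft\Windows\WindowsAI (both are assumptions to confirm on your own devices); the function name Get-RecallPolicyState and the policy name list are mine.

```powershell
# Added example (not from the Intune docs): audit Windows AI / Recall policy values on a device.
# Assumed registry locations (verify on your own build):
#   HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsAI  - MDM-delivered Policy CSP values
#   HKLM:\ / HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI     - Group Policy equivalents
# Policy names follow the Policy CSP WindowsAI area.
$policyNames = @(
    'DisableAIDataAnalysis',
    'SetDenyUriListForRecall',
    'SetDenyAppListForRecall',
    'SetMaximumStorageSpaceForRecallSnapshots',
    'SetMaximumStorageDurationForRecallSnapshots'
)
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsAI',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
)

function Get-RecallPolicyState {
    # Returns one row per (path, policy) so you can see which channel set each value.
    foreach ($path in $policyPaths) {
        $exists = Test-Path -Path $path
        foreach ($name in $policyNames) {
            $value = $null
            if ($exists) {
                # Missing values are normal: a policy that is Not configured writes nothing.
                $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Path       = $path
                Policy     = $name
                Value      = $value
                Configured = ($null -ne $value)
            }
        }
    }
}

$state = Get-RecallPolicyState
$state | Format-Table Path, Policy, Value, Configured -AutoSize

# DisableAIDataAnalysis = 1 is the control that stops Recall from saving snapshots;
# the deny lists and storage limits only narrow what is captured.
$disabled = $state | Where-Object { $_.Policy -eq 'DisableAIDataAnalysis' -and $_.Value -eq 1 }
if ($disabled) {
    Write-Output 'Recall snapshot saving is disabled by policy.'
} else {
    Write-Warning 'DisableAIDataAnalysis is not enforced on this device; Recall can save snapshots.'
}
```

Run it in an elevated session on a device that has received the Settings Catalog profile; a row with Configured = False for every path means the setting never arrived, which is worth checking in the profile's device status report before assuming the device is protected.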
Low privileged account for Intune Connector for Active Directory for Hybrid join Autopilot flows
We've updated the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will no longer be available for download but will continue to work until deprecation in late May 2025.
Managed Home Screen QR Code Authentication in public preview
Managed Home Screen for Android devices natively supports QR Code Authentication in Microsoft Entra ID. Authentication involves both a QR code and PIN. This capability eliminates the need for users to enter and re-enter long UPNs and alphanumeric passwords. For more information, see Sign in to Microsoft Teams or Managed Home Screen (MHS) with QR code.
Manage the DeviceControlEnabled configuration for Microsoft Defender Device Control on Windows devices
You can now use Intune to manage the configuration of the Microsoft Defender CSP for DeviceControlEnabled for Device Control. DeviceControlEnabled is used to enable or disable support for the Microsoft Defender Device Control feature on Windows devices.
You can use the following two Microsoft Intune options to configure DeviceControlEnabled. With both options, the setting appears as Device Control Enabled, and is found in the Defender category:
Both the Device Control template and Settings Catalog support the following options for Device Control Enabled:
Device Control is enabled
Device Control is disabled (Default)
Applies to:
Windows
Manage the DefaultEnforcement configuration for Microsoft Defender Device Control on Windows devices
You can now use Intune to manage the configuration of the Microsoft Defender CSP for DefaultEnforcement for Device Control. DefaultEnforcement manages the configuration of Device Control on devices that don’t receive Device Control policies or for devices that receive and evaluate a policy for Device Control when no rules in the policy are matched.
You can use the following two Microsoft Intune options to configure DefaultEnforcement. With both options, the setting appears as Default Enforcement, and is found in the Defender category:
New settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, go to Create a policy using settings catalog.
There are new settings for Apple devices in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
iOS/iPadOS
Managed Settings:
Default Applications
Wallpaper
Networking > Domains:
Cross Site Tracking Prevention Relaxed Apps
Restrictions:
Allowed External Intelligence Workspace IDs
Allow Notes Transcription Summary
Allow Satellite Connection
Allow Visual Intelligence Summary
macOS
Networking > Domains:
Cross Site Tracking Prevention Relaxed Apps
Restrictions:
Allow Bookstore
Allow Bookstore Erotica
Allow Explicit Content
Rating Apps
Rating Movies
Rating Region
Rating TV Shows
System Configuration > File Provider:
Management Allows Known Folder Syncing
Management Known Folder Syncing Allow List
Week of February 17, 2025
Monitor and troubleshoot
Limited live chat support in Intune
Intune is introducing limited live chat support within the Intune admin console. Live chat isn't available for all tenants or inquiries at this time.
Week of February 10, 2025
Device security
Updated security baseline for Windows version 24H2
You can now deploy the Intune security baseline for Windows version 24H2 to your Windows 10 and Windows 11 devices. The new baseline version uses the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.
Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.
As with all baselines, the default baseline represents the recommended configurations for each setting, which you can modify to meet the requirements of your organization.
Applies to:
Windows
Monitor and troubleshoot
Device Query for Multiple Devices
We've added Device query for multiple devices. This feature allows you to gain comprehensive insights about your entire fleet of devices using Kusto Query Language (KQL) to query across collected inventory data for your devices.
Device query for multiple devices is now supported for devices running Windows 10 or later. This feature is now included as part of Advanced Analytics.
Applies to:
Windows
Week of February 5, 2025 (Service release 2501)
Microsoft Intune Suite
Use Microsoft Security Copilot with Endpoint Privilege Manager to help identify potential elevation risks
When your Azure tenant is licensed for Microsoft Security Copilot, you can now use Security Copilot to help you investigate Endpoint Privilege Manager (EPM) file elevation requests from within the EPM support-approved workflow.
With this capability, while reviewing the properties of a file elevation request, you'll now find an option to Analyze with Copilot. Using this option directs Security Copilot to include the file's hash in a prompt to Microsoft Defender Threat Intelligence, which evaluates the file's potential indicators of compromise so you can make a more informed decision to approve or deny that file elevation request. Some of the results returned to your current view in the admin center include:
The file's reputation
Information about the trust of the publisher
The risk score for the user requesting the file elevation
The risk score of the device from which the elevation was submitted
The Apps area in Intune, commonly known as the Apps workload, is updated to provide a more consistent UI and improved navigation structure so you can find the information you need faster. To find the App workload in Intune, navigate to Microsoft Intune admin center and select Apps.
Device configuration
New settings available in the Windows settings catalog to Configure multiple display mode
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.
There are new settings in the Settings Catalog to Configure Multiple Display Mode for Windows 24H2. To see available settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.
The Configure Multiple Display Mode setting allows monitors to extend or clone the display by default, removing the need for manual setup. It streamlines the multi-monitor configuration process, ensuring a consistent and user-friendly experience.
Applies to:
Windows
Device security
Updated security baseline for Microsoft Edge v128
You can now deploy the Intune security baseline for Microsoft Edge version 128. This update brings support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge.
You can now deploy two distinct instances of the security baseline for HoloLens 2. These baselines represent Microsoft's best-practice guidelines and experience from deploying and supporting HoloLens 2 devices for customers across various industries. The two baseline instances are:
Standard Security Baseline for HoloLens 2:
The standard security baseline for HoloLens 2 represents the recommendations for configuring security settings that are applicable to all types of customers irrespective of HoloLens 2 use case scenarios. View the default configuration of settings in the standard security baseline.
Advanced Security Baseline for HoloLens 2:
The advanced security baseline for HoloLens 2 represents the recommendations for configuring security settings for the customers who have strict security controls of their environment and require stringent security policies to be applied to any device used in their environment. View the default configuration of settings in the advanced security baseline.
Support Assistant is now available in Intune. It uses AI to enhance your help and support experience, enabling more efficient issue resolution. Support Assistant is available in the Microsoft Intune admin center by selecting Troubleshoot + support > Help and Support, or by selecting the question mark near your profile picture. Currently, the Support Assistant is in preview. You can enable and disable Support Assistant by opting in or out at any time. For related information, see How to get support in the Microsoft Intune admin center.
Week of December 30, 2024
Device enrollment
Intune ends support for Android device administrator on devices with access to Google Mobile Services
As of December 31, 2024, Microsoft Intune no longer supports Android device administrator management on devices with access to Google Mobile Services (GMS). This change comes after Google deprecated Android device administrator management and ceased support. Intune support and help documentation remains for devices without access to GMS running Android 15 or earlier, and Microsoft Teams devices migrating to Android Open Source Project (AOSP) management. For more information about how this change impacts your tenant, see Intune ending support for Android device administrator on devices with GMS access in December 2024.
Week of December 16, 2024 (Service release 2412)
App management
Increased scale for Customization policies
You can now create up to 25 policies that customize the Company Portal and Intune app experience. The previous maximum number of Customization policies was 10. Navigate to the Intune admin center, and select Tenant administration > Customization.
With this support, tamper protection configurations from Windows Security Experience profiles for Antivirus policies now apply to all devices instead of only to those that are enrolled with Intune.
Device configuration
Ending support for administrative templates when creating a new configuration profile
Customers can no longer create new Administrative Templates configuration profiles through Devices > Configuration > Create > New policy > Windows 10 and later > Administrative Templates. A (retired) tag is shown next to Administrative Templates and the Create button is now greyed out. Other templates continue to be supported.
However, customers can now use the Settings Catalog to create new Administrative Templates configuration profiles by navigating to Devices > Configuration > Create > New policy > Windows 10 and later > Settings Catalog.
There are no changes in the following UI experiences:
Editing an existing Administrative template.
Deleting an existing Administrative template.
Adding, modifying, or deleting settings in an existing Administrative template.
Imported Administrative templates (Preview) template, which is used for Custom ADMX.
More Wi-Fi configurations are now available for personally-owned work profile devices
Intune Wi-Fi configuration profiles for Android Enterprise personally-owned work profile devices now support configuration of pre-shared keys and proxy settings.
You can find these settings in the admin console in Devices > Manage devices > Configuration > Create > New Policy. Set Platform to Android Enterprise and then in the Personally-Owned Work Profile section, select Wi-Fi and then select the Create button.
In the Configuration settings tab, when you select Basic Wi-Fi type, several new options are available:
Security type, with options for Open (no authentication), WEP-Pre-shared key, and WPA-Pre-shared key.
Proxy settings, with the option to select Automatic and then specify the proxy server URL.
Intune now supports Ubuntu 24.04 LTS for Linux management.
We're now supporting device management for Ubuntu 24.04 LTS. You can enroll and manage Linux devices running Ubuntu 24.04, and assign standard compliance policies, custom configuration scripts, and compliance scripts.
For more information, see the following in Intune documentation:
Change to enrollment behavior for iOS enrollment profile type
At Apple WWDC 2024, Apple ended support for profile-based Apple user enrollment. For more information, see Support has ended for profile-based user enrollment with Company Portal. As a result of this change, we updated the behavior that occurs when you select Determine based on user choice as the enrollment profile type for bring-your-own-device (BYOD) enrollments.
Now when users select I own this device during a BYOD enrollment, Microsoft Intune enrolls them via account-driven user enrollment, rather than profile-based user enrollment, and then secures only work-related apps. Less than one percent of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. There is no change for iOS users who select My company owns this device during a BYOD enrollment. Intune enrolls them via device enrollment with Intune Company Portal, and then secures their entire device.
If you currently allow users in BYOD scenarios to determine their enrollment profile type, you must take action to ensure account-driven user enrollment works by completing all prerequisites. For more information, see Set up account driven Apple user enrollment. If you don't give users the option to choose their enrollment profile type, there are no action items.
Device management
Device Inventory for Windows
Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.
You can now choose what you want to collect from your devices, using the catalog of properties and then view the collected properties in the Resource Explorer view.
Windows 10 and later (Corporate owned devices managed by Intune)
Week of November 18, 2024 (Service release 2411)
App management
Configuration values for specific managed applications on Intune enrolled iOS devices
Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values are automatically sent to managed applications on Intune enrolled iOS devices for the following apps:
Additional installation error reporting for LOB apps on AOSP devices
Additional details are now provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You can view installation error codes and detailed error messages for LOB apps in Intune.
Microsoft Teams app protection on VisionOS devices (preview)
Microsoft Intune app protection policies (APP) are now supported on the Microsoft Teams app on VisionOS devices.
To learn more about how to target policies to VisionOS devices, see Managed app properties, which describes the filters available for managed app properties.
Applies to:
Microsoft Teams for iOS on VisionOS devices
Week of October 28, 2024
Device security
Defender for Endpoint security settings support in government cloud environments (generally available)
Now generally available, customer tenants in the Government Community Cloud (GCC), US Government Community High (GCC High), and Department of Defense (DoD) environments can use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. Previously, support for Defender security settings was in public preview.
Windows Autopilot device preparation support in Intune operated by 21Vianet in China
Intune now supports Windows Autopilot device preparation policy for Intune operated by 21Vianet in China cloud. Customers with tenants located in China can now use Windows Autopilot device preparation with Intune to provision devices.
For information about this Autopilot support, see the following in the Autopilot documentation:
For enrolled devices on unsupported OS versions (Android 9 and lower)
Intune technical support isn't provided.
Intune won't make changes to address bugs or issues.
New and existing features aren't guaranteed to work.
While Intune doesn't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices aren't affected by this change.
Collection of additional device inventory details
Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature.
Applies to:
Windows
Week of October 7, 2024
App management
New UI for Intune Company Portal app for Windows
The UI for the Intune Company Portal app for Windows is updated. Users now see an improved experience for their desktop app without changing the functionality they've used in the past. Specific UI improvements are focused on the Home, Devices, and Downloads & updates pages. The new design is more intuitive and highlights areas where users need to take action.
New strong mapping requirements for SCEP certificates authenticating with KDC
The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that a Simple Certificate Enrollment Protocol (SCEP) certificate's subject alternative name (SAN) must have a security identifier (SID) extension that maps to the user or device SID in Active Directory. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working.
To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a URI attribute and the OnPremisesSecurityIdentifier variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID.
Windows 10/11, iOS/iPadOS, and macOS user certificates
Windows 10/11 device certificates
This requirement isn't applicable to device certificates used with Microsoft Entra joined users or devices, because the SID attribute is an on-premises identifier.
Defender for Endpoint security settings support in government cloud environments (public preview)
In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on the devices that onboarded to Defender without enrolling those devices with Intune. This capability is known as Defender for Endpoint security settings management.
Updates to PKCS certificate issuance process in Microsoft Intune Certificate Connector, version 6.2406.0.1001
We updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in KB5014754. As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID.
The SID update is available for user certificates across all platforms, and for device certificates specifically on Microsoft Entra hybrid joined Windows devices.
These notices provide important information that can help you prepare for future Intune changes and features.
Plan for Change: New settings for Apple AI features; Genmojis, Writing tools, Screen capture
Today, the Apple AI features for Genmojis, Writing tools, and screen capture are blocked when the app protection policy (APP) "Send Org data to other apps" setting is configured to a value other than "All apps". For more details on the current configuration, app requirements, and the list of current Apple AI controls review the blog: Microsoft Intune support for Apple Intelligence
Expected with Intune’s April (2504) service release, Intune app protection policies have new standalone settings for blocking screen capture, Genmojis, and Writing tools. These standalone settings are supported by apps that have updated to version 19.7.12 or later for Xcode 15 and 20.4.0 or later for Xcode 16 of the Intune App SDK and App Wrapping Tool.
How does this change affect you or your users?
If you configured the APP "Send Org data to other apps" setting to a value other than "All apps", then the new "Genmoji", "Writing Tools" and "Screen capture" settings are set to Block in your app protection policy to prevent changes to your current user experience.
Note
If you configured an app configuration policy (ACP) to allow for screen capture, it overrides the APP setting. We recommend updating the new APP setting to Allow and removing the ACP setting. For more information about the screen capture control, review iOS/iPadOS app protection policy settings | Microsoft Learn.
How can you prepare?
Review and update your app protection policies if you'd like more granular controls for blocking or allowing specific AI features. (Apps > Protection > select a policy > Properties > Basics > Apps > Data protection)
Plan for change: User alerts on iOS for when screen capture actions are blocked
In an upcoming version (20.3.0) of the Intune App SDK and Intune App Wrapping Tool for iOS, support is added to alert users when a screen capture action (including recording and mirroring) is detected in a managed app. The alert is only visible to users if you have configured an app protection policy (APP) to block screen capture.
How does this change affect you or your users?
If APP has been configured to block screen capturing, users see an alert indicating that screen capture actions are blocked by their organization when they attempt to screenshot, screen record, or screen mirror.
For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions, screen capture is blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.
Move to new Microsoft Graph Beta API properties for Windows Autopilot self-deploying mode and pre-provisioning
In late February 2025, a select number of old Microsoft Graph Beta API windowsAutopilotDeploymentProfile properties used for Windows Autopilot self-deploying mode and pre-provisioning are removed and stop working. The same data can be found using newer Graph API properties.
How does this change affect you or your users?
If you have automation or scripts using the following Windows Autopilot properties, you must update to the new properties to prevent them from breaking.
Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis, and writing tools in response to the new AI features in iOS/iPadOS 18.2.
How does this change affect you or your users?
For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions screen capture will be blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.
Take Action: Update to the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
To support the upcoming release of iOS/iPadOS 18.2, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. Important: If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:
The listed SDK releases support blocking screen capture, Genmojis, and writing tools in response to new AI features in iOS 18.2. For apps that have updated to these SDK versions, screen capture block is applied if you have configured Send Org data to other apps to a value other than All apps. See iOS/iPadOS app protection policy settings for more info. You can configure app configuration policy setting com.microsoft.intune.mam.screencapturecontrol = Disabled if you wish to allow screen capture for your iOS devices. See App configuration policies for Microsoft Intune for more info. Intune will be providing more granular controls for blocking specific AI features in the future. Follow What's new in Microsoft Intune to stay up to date.
Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.2. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to Apps > Monitor > App protection status, then review Platform version and iOS SDK version.
If you have questions, leave a comment on the applicable GitHub announcement. Additionally, if you haven't already, navigate to the applicable GitHub repository and subscribe to Releases and Discussions (Watch > Custom > select Releases, Discussions) to ensure you stay up-to-date with the latest SDK releases, updates, and other important announcements.
Plan for Change: Specific app configuration values will be automatically sent to specific apps
Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values will be automatically sent to managed applications on Intune enrolled iOS devices for the following apps: Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams and Microsoft Word. Intune will continue to expand this list to include additional managed apps.
Plan for Change: Implement strong mapping for SCEP and PKCS certificates
With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows enforces these changes on February 11, 2025.
These changes affect SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped to the account it is issued for (that is, it doesn't carry the account's security identifier (SID) in the extension the KDC checks), authentication is denied. To enable strong mapping:
SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rollout updated certificates to minimize disruptions to your users.
PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.
If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:
Alternatively, if you can't renew all certificates with the SID included before February 11, 2025, enable Compatibility mode by adjusting the registry settings as described in KB5014754. Compatibility mode is valid until September 2025.
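Before the enforcement date, you want to know which deployed certificates already carry the SID extension and which KDC mode your domain controllers are in. The following PowerShell is an added example written for this page, not Intune or Windows product code. It relies on two documented facts from KB5014754: the SID security extension has OID `1.3.6.1.4.1.311.25.2` (szOID_NTDS_CA_SECURITY_EXT), and the KDC mode is the `StrongCertificateBindingEnforcement` value under `HKLM\SYSTEM\CurrentControlSet\Services\Kdc`. The store paths and the regex used to pull the SID out of the raw extension bytes are this example's own choices.

```powershell
# Added example (not Intune or Windows product code): report which certificates
# in the local stores carry the SID security extension that KB5014754 strong
# mapping relies on, and read the KDC enforcement mode on a domain controller.

# szOID_NTDS_CA_SECURITY_EXT, the extension that embeds the account SID (KB5014754).
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'

function Get-CertificateSidMapping {
    param(
        # Assumption: user and machine personal stores are where Intune-delivered
        # SCEP/PKCS certificates land; adjust for your deployment.
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
            $sid  = $null
            if ($ext) {
                # The extension stores the SID as an ASCII string inside a DER
                # OtherName structure, so a regex over the raw bytes recovers it
                # without a full ASN.1 decoder.
                $raw = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
                if ($raw -match 'S-1-5-21(-\d+)+') { $sid = $Matches[0] }
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                HasSidExt  = [bool]$ext
                Sid        = $sid
            }
        }
    }
}

function Get-KdcEnforcementMode {
    # Only meaningful on a domain controller. Values per KB5014754:
    # 0 = disabled, 1 = compatibility mode, 2 = full enforcement.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $value = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement `
                  -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    switch ($value) {
        0       { 'Disabled (0)' }
        1       { 'Compatibility (1)' }
        2       { 'Full enforcement (2)' }
        default { 'Not set (KDC default applies; see KB5014754 for the enforcement timeline)' }
    }
}

# Usage: list certificates that will fail strong mapping, then check the KDC mode.
Get-CertificateSidMapping |
    Where-Object { -not $_.HasSidExt } |
    Sort-Object NotAfter |
    Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

"KDC mode: $(Get-KdcEnforcementMode)"
```

Run the certificate check on a sample of hybrid joined devices from your pilot group; any certificate reported with `HasSidExt` false must be reissued from an updated SCEP profile or from the Certificate Connector with the SID enabled before the KDC moves to full enforcement.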
Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support
We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.
How does this change affect you or your users?
If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.
How can you prepare?
If you choose to build apps targeting Android API 35, you need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you wrapped your app and are targeting API 35 you need to use the new version of the App wrapper (v1.0.4549.6).
Note
As a reminder, while apps must update to the latest SDK if targeting Android 15, apps don't need to update the SDK to run on Android 15.
You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.
Plan for Change: Intune is moving to support iOS/iPadOS 16 and later
Later in calendar year 2024, we expect Apple to release iOS 18 and iPadOS 18. Shortly after that release, Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 16/iPadOS 16 or later.
How does this change affect you or your users?
If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).
Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this change may not affect you. You likely already upgraded your OS or devices.
To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version changes to iOS 16/iPadOS 16 while the allowed OS version changes to iOS 13/iPadOS 13 and later. See this statement about ADE Userless support for more information.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.
To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.
Plan for change: Intune is moving to support macOS 13 and higher later this year
Later in calendar year 2024, we expect Apple to release macOS 15 Sequoia. Shortly after that release, Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will support macOS 13 and later. Because the Company Portal app for iOS and macOS is a unified app, this change follows the macOS 15 release. This doesn't affect existing enrolled devices.
How does this change affect you or your users?
This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Ventura is compatible with these computers.
Note
Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices are unable to enroll if they're running macOS 12.x or below.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.
Intune moving to support Android 10 and later for user-based management methods in October 2024
Beginning in October 2024, Intune supports Android 10 and later for user-based management methods, which include:
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices aren't affected by this change.
How does this change affect you or your users?
For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:
Intune technical support won't be provided.
Intune won't make changes to address bugs or issues.
New and existing features aren't guaranteed to work.
While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
How can you prepare?
Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:
Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
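The iOS/iPadOS, macOS and Android sections above each point you at the admin center to find devices below the new minimum OS version. The following PowerShell is an added example written for this page, not Intune product code, that does the same inventory through the Microsoft Graph PowerShell SDK so it can be scripted for all three platforms at once. It assumes the `Get-MgDeviceManagementManagedDevice` cmdlet and the `DeviceManagementManagedDevices.Read.All` permission; the version comparison handles Android's single-number OS versions (such as `9`) that `[version]` can't parse on its own.

```powershell
# Added example (not Intune product code): list MDM-enrolled devices running
# an OS version below the minimum Intune will support, per platform.
# Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

function ConvertTo-ComparableVersion {
    param([string]$OsVersion)
    # Android reports versions like '9' or '10' with no minor component, which
    # [version]::TryParse rejects; pad them so '9' sorts below '10.0'.
    $text = if ($OsVersion -match '^\d+$') { "$OsVersion.0" } else { $OsVersion }
    $parsed = [version]'0.0'
    if ([version]::TryParse($text, [ref]$parsed)) { return $parsed }
    return [version]'0.0'   # unparsable strings are flagged rather than silently skipped
}

function Get-DevicesBelowMinimumOs {
    param(
        [Parameter(Mandatory)][string]$OperatingSystem,   # 'Android', 'iOS' or 'macOS'
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq '$OperatingSystem'" |
        ForEach-Object {
            $current = ConvertTo-ComparableVersion -OsVersion $_.OSVersion
            if ($current -lt $MinimumVersion) {
                [pscustomobject]@{
                    DeviceName     = $_.DeviceName
                    User           = $_.UserPrincipalName
                    OS             = $_.OperatingSystem
                    OSVersion      = $_.OSVersion
                    EnrollmentType = $_.DeviceEnrollmentType
                    LastSync       = $_.LastSyncDateTime
                }
            }
        }
}

# Usage: the minimums announced on this page.
$report = @(
    Get-DevicesBelowMinimumOs -OperatingSystem 'Android' -MinimumVersion '10.0'
    Get-DevicesBelowMinimumOs -OperatingSystem 'iOS'     -MinimumVersion '16.0'
    Get-DevicesBelowMinimumOs -OperatingSystem 'macOS'   -MinimumVersion '13.0'
)
$report | Sort-Object OS, OSVersion | Format-Table -AutoSize
$report | Export-Csv -Path '.\unsupported-os-devices.csv' -NoTypeInformation
```

Devices enrolled only with app protection policies (MAM without enrollment) don't appear in the managed device list, so for those use the Apps > Monitor > App protection status report noted above or the conditional launch minimum OS setting to warn users directly.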
Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment
Today, when you create an iOS/iPadOS enrollment profile, "Device enrollment with Company Portal" is shown as the default method. In an upcoming service release, the default method shown during profile creation changes to "Web based device enrollment".
This is a user interface change for new iOS/iPadOS enrollment profiles only; existing profiles aren't affected. For new tenants, if no enrollment profile is created, users enroll with web-based device enrollment.
How can you prepare?
Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable just-in-time (JIT) registration.
Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024
Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.
How does this change affect you or your users?
After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:
Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
Intune technical support will no longer support these devices.
How can you prepare?
Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.