In development for Microsoft Intune

To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.
  • When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.
  • This page and the What's new page are updated periodically. Check back for more updates.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

Note

This page reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This page doesn't describe all features in development.

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

This article was last updated on the date listed under the title above.

App management

Device compliance status in Company Portal website

End users will be able to more easily see the compliance status of their devices from the Company Portal website. End users can navigate to the Company Portal website and select the Devices page to see device status. Devices will be listed with a status of Can access company resources, Checking access, or Can't access company resources. For related information, see Manage apps from the Company Portal website and How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Password complexity for Android devices

The Require device lock setting in Intune will be extended to include values (Low Complexity, Medium Complexity, and High Complexity). If the device lock doesn’t meet the minimum password requirement, you will be able to warn, wipe data, or block the end user from accessing a managed account in a managed app. This feature targets devices that operate on Android 11+. For devices operating on Android 10 and earlier, setting a complexity value of Low, Medium, or High will default to the expected behavior for Low Complexity. For related information, see Android app protection policy settings in Microsoft Intune.

Device security

BlackBerry Cylance – New Mobile Threat Defense partner

You’ll soon be able to use BlackBerry’s Cylance AI offering as an integrated Mobile Threat Defense (MTD) partner with Intune to control mobile device access to corporate resources using Conditional Access based on risk assessment.

For more information about MTD partners for Intune, see Mobile Threat Defense integration with Intune.

Device configuration

New option to see the number of profiles with an error or conflict in device configuration profiles

In the Endpoint Manager admin center, there's a new option that states something like "X policies with error or conflict". When you select this option, you automatically go to the Devices > Monitor > Assignment Failures report. This report helps you troubleshoot errors and conflicts.

This new option is available in the following locations in the Endpoint Manager admin center:

  • Home page
  • Dashboard
  • Devices > Configuration profiles: When you select a Windows profile, the Overview summary page shows this option.

For more information, see Monitor device profiles in Microsoft Intune and Assignment failures report.

Applies to:

  • Windows 10 and newer

New Timeout and Block iCloud Private Relay settings for iOS/iPadOS and macOS devices

On iOS/iPadOS and macOS devices, you can create a device restrictions policy that manages features on the device (Devices > Configuration Profiles > Create profile > iOS/iPadOS or macOS for platform > Device restrictions).

There are new settings:

  • iOS/iPadOS:
    • Block iCloud Private Relay: On supervised devices, this setting prevents users from using the iCloud Private Relay (opens Apple's web site).
  • macOS:
    • Block iCloud Private Relay: On supervised devices, this setting prevents users from using the iCloud Private Relay (opens Apple's web site).
    • Timeout: Users can unlock their devices using Touch ID, such as a fingerprint. Use this setting to require users to enter their password after a period of inactivity. The default inactivity period is 48 hours. After 48 hours of inactivity, the device prompts for the password instead of Touch ID.

Applies to:

  • iOS/iPadOS 15 and newer
  • macOS 12 and newer

New device restrictions settings for Android Enterprise corporate-owned devices with a work profile

On Android Enterprise devices, you can configure settings that control features on devices (Devices > Configuration Profiles > Create profile > Android Enterprise for platform > Device restrictions for profile type).

For Android Enterprise corporate-owned devices with a work profile, there are new settings:

  • Restrict searching work contacts and displaying work contact caller-ID in personal profile
  • Restrict copy and paste between work and personal profiles
  • Restrict data sharing between work and personal profiles

For more information on the settings you can currently configure, see Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise corporate-owned work profile (COPE)

Settings Catalog will soon be supported on U.S. Government GCC High and DoD

Settings Catalog will soon be available and supported on U.S. Government GCC High and DoD.

For more information on Settings Catalog, and what it is, see Use the settings catalog to configure settings on Windows and macOS devices.

Applies to:

  • macOS
  • Windows 10 and newer

Enter the certificate common name in Wi-Fi profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile devices

On Android Enterprise devices, you can create a Wi-Fi profile that configures enterprise Wi-Fi settings (Devices > Configuration Profiles > Create profile > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Wi-Fi for profile type).

When you select Enterprise, there's a new Server names setting. This setting is the DNS name used in the certificate presented by the RADIUS server during client authentication to the Wi-Fi access point. For example, enter Contoso.com, uk.contoso.com, or jp.contoso.com.

If you have multiple RADIUS servers with the same DNS suffix in their fully qualified domain name, then you can enter only the suffix. For example, you can enter contoso.com.

When you enter this value, user devices can bypass the dynamic trust dialog that's sometimes shown when connecting to the Wi-Fi network.

What you need to know:

  • New Wi-Fi profiles targeting Android 11 or later may require this setting to be configured. Otherwise, the devices may not connect to your Wi-Fi network.

For more information on the settings you can currently configure, see Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile Wi-Fi settings.

Applies to:

  • Android Enterprise corporate-owned work profile (COPE)
  • Android Enterprise corporate-owned fully managed (COBO)
  • Android Enterprise dedicated devices (COSU)

New Administrative Templates settings for Microsoft Edge 96 and Microsoft Edge updater on Windows devices

In Intune, you can use Administrative Templates to configure Microsoft Edge settings (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Administrative Templates for profile type).

There are new Administrative Templates settings for Microsoft Edge 96 and the Microsoft Edge updater, including Target Channel override support. Use Target Channel override so users get the Extended Stable release cycle option, which can be set using Group Policy or through Intune.

For related information, see:

Applies to:

  • Windows 10 and newer
  • Microsoft Edge

Use filters to assign Endpoint analytics proactive remediations scripts and Endpoint Security policies in Endpoint Manager admin center - public preview

In the Endpoint Manager admin center, you can create filters, and then use these filters when assigning apps and policies. You'll be able to use filters to assign the following policies:

For more information on filters, see Use filters (preview) when assigning your apps, policies, and profiles.

Applies to:

  • macOS
  • Windows 10 and newer

Device enrollment

Use filters on Windows Enrollment Status Page profile assignments

Filters allow you to include or exclude devices in policy or app assignments based on different device properties. When you create an Enrollment Status Page (ESP) profile, you'll be able to use filters when assigning the profile. The All users and All devices assignment options will also be available. You will be able to find this setting in Microsoft Endpoint Manager admin center by selecting Devices > Enroll devices > Enrollment Status Page > Create. For more information about filters, see Use filters when assigning your apps, policies, and profiles. For more information about ESP profiles, see Set up the Enrollment Status Page.

Use filters on device type enrollment restrictions for Windows and Apple enrollments

New assignment filters in Enrollment Restrictions will let you include or exclude restrictions based on device type. For example, you can allow personal devices, while blocking Windows 10 Home devices, by applying the operatingSystemSKU assignment filter. These filters will be released for public preview with a new configuration experience for enrollment restrictions and supported for Windows and Apple devices, with Android support coming at a later date. For more information about how to use filters, see Create a filter.

Monitor and troubleshoot

Adding event viewer for Windows 10 diagnostics

We're adding a new event viewer to Windows 10 device diagnostics called Microsoft-Windows-Windows Firewall with Advanced Security/Firewall. The event viewer will assist you in troubleshooting issues with the firewall.

Account protection policy changes in Endpoint security

We’re reworking the endpoint security Account protection policy to use the new APIs for Windows Hello for Business. The new APIs will result in a more consistent experience. The new API is ./Device/Vendor/MSFT/PassportForWork, which includes more options that can help reduce conflicts. This API replaces the use of ./User/Vendor/MSFT/PassportForWork. (Endpoint security > Account protection)

After the change, only new policies you then create will use the new API. Your existing policies won’t be affected by this change and will continue to use the older API.

Scripting

Intune Data Warehouse updates

The applicationInventory entity will be removed from the Intune Data Warehouse in an upcoming Intune service release. We're introducing a more complete and accurate dataset that will be available in the UI and via our export API. For related information, see Export Intune reports using Graph APIs.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Intune APP/MAM moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as MAM) for Android will be moving to support Android 9 (Pie) and higher on October 1, 2021. This change is to align with Office mobile apps for Android support of the last four major versions of Android. Based on your feedback, we have updated our support statement. We are doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

Note

Teams Android devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How will this affect your organization?

If you are using app protection policies on any device that is running Android version 8.x or lower, or decide to enroll any device that is running Android version 8.x or lower, please note that these devices will no longer be supported for APP. While APP policies will continue to be applied to devices running Android 6.x – Android 8.x, if you do run into issues with an Office app and APP, support will request you update to a supported Office version for app troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or higher or replace them with a device on Android version 9.0 or higher before October 1, 2021.

What do you need to do to prepare?

Notify your helpdesk, if applicable, of this updated support statement. You also have two admin options to help inform your users.

Here’s how you can warn users:

  1. Configure an app protection policy Conditional launch setting with a Min OS version requirement to warn users.
  2. Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send a message to users before marking them non-compliant.

Plan for change: Enrollment restrictions will no longer be included in policy sets

With the Microsoft Intune service release (2109), you'll no longer be able to configure enrollment restrictions in policy sets. Instead, you'll need to go to Devices > Policy section > Enrollment restrictions to create and manage all enrollment restrictions.

How does this affect me?

If our service telemetry indicates that your existing policy sets include enrollment restrictions, we will migrate your policies when the new restrictions are in place. To create and manage new enrollment restrictions going forward, go to Devices > Policy section > Enrollment restrictions.

What action do I need to take?

Update your documentation. Make sure to configure all new enrollment restrictions in the Enrollment restrictions section of Intune. We’ll start migrating existing policies with the 2109 service release.

Take Action: Update to the latest version of the Android Company Portal app

Due to a change in our integration with Samsung devices, with Intune's October (2110) service release we will no longer be able to support new Android device administrator enrollments using Company Portal version of 5.04993.0 or below.

How this will affect my organization

Users using an older version of the Company Portal app to enroll Samsung devices may need to take action.

User impact: Users who need to enroll Samsung devices into Android device administrator using an older version of the Company Portal app (any version below 5.04993.0) will no longer be successful. They will need to update the Company Portal app to successfully enroll.

What do I need to do to prepare

Update any older version of Company Portal staged in your environment to support Android device administrator enrollments before Intune's October (2110) service release. Inform your users that they will need to update to the latest version of the Android Company Portal to enroll their Samsung device. If applicable, inform your help desk in case users do not update the app prior to enrolling. We also recommend that you keep the Company Portal app updated to ensure that the latest fixes are available on your devices.

More information

Plan for Change: Safe boot and Debugging features in Android Enterprise device restrictions will be replaced

Google announced they have deprecated several settings in the Android Management API and will stop supporting the settings for Intune on November 1, 2021. This impacts the Safe boot and Debugging features configuration settings for Android Enterprise device restrictions, and they will no longer be available at the end of October. To prepare for this change, we will be adding a new setting, Developer settings, in September's (2109) service release.

How this will affect your organization:

With Intune's October (2110) service release, Safe boot and Debugging features will be removed from the admin center UI and then removed shortly after from Microsoft Graph API on October 31, 2021. If applicable, you should use the new setting, Developer settings.

Developer settings will be available for new and existing profiles in the September (2109) service release. By default, it is set as "Not configured". If you choose to set this to "Allow", users will be able to access developer settings which may include the ability to enable debugging features and/or reboot the device into safe boot mode.

Note

If Developer settings is set to Allow, it will override both the Safe boot and Debugging features settings.

What you need to do to prepare:

Review the configuration settings for your Android Enterprise device restrictions. Safe boot and Debugging features will be removed from the UI in the October service release and from Microsoft Graph on October 31, 2021.

If you want users to have access to developer settings moving forward, you will need to set Developer settings to Allow, otherwise it will remain as Not configured and users will not have access to any developer settings.

Plan for change: Announcing end of support for the existing Use Locations (network fence) feature in Intune

Intune is announcing end of support for the network fence feature for use only in devices enrolled through Android device administrator. Google has reduced support for devices enrolled using device administrator and Intune customers have provided feedback leading to a re-envisioning of the location-based fencing to better meet customer needs across multiple Android enrollment options.

How does this affect me?

This will only affect you if you currently use a location-based (network fence) compliance policy, either on your trial or paid account. In 90 days from the date of this feature end-of-support announcement (on or around October 7, 2021 unless otherwise updated) any network location-based compliance policies targeted to devices enrolled using Android device administrator will no longer work to provide a network fence.

What do I need to do to prepare for this change?

No action is needed at this time. Review our In Development page for advance notice of upcoming new features, and we will follow up with additional information when it’s available regarding re-envisioned location-based services.

Plan for Change: Intune moving to support iOS/iPadOS 13 and higher later this year

Later this year, we expect iOS 15 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS/iPadOS 13 and higher shortly after iOS 15’s release.

How does this affect me?

If you are managing iOS/iPadOS devices, you might have devices that will not be able to upgrade to the minimum supported version (iOS/iPadOS 13). Provided that Office 365 mobile apps are supported on iOS/iPadOS 13.0 and higher, this may not affect you; you’ve likely already upgraded your OS or devices. See the Apple documentation to check which devices support iOS 13 or iPadOS 13 (if applicable).

For instructions on how to check in the Microsoft Endpoint Manager admin center which devices or users may be affected, read below.

What do I need to do to prepare for this change?

Check your Intune reporting to see what devices or users may be affected. For devices with mobile device management (MDM) go to Devices > All devices and filter by OS. For devices with app protection policies go to Apps > Monitor > App protection status > App Protection report: iOS, Android.

To manage the supported OS version in your organization, you can use Microsoft Endpoint Manager controls for both MDM and APP. For more information, please review: Manage operating system versions with Intune - Microsoft Intune.

Plan for Change: Intune moving to support macOS 10.15 and later with the release of macOS 12

With Apple's expected release of macOS 12 Monterey in the fall of 2021, Microsoft Intune, the Company Portal app and the Intune MDM agent will be moving to support macOS 10.15 (Catalina) and higher shortly after the release.

How does this affect me?

This will only affect you if you currently manage, or plan to manage macOS devices with Intune. This may not impact you because your users have likely already upgraded their macOS devices. See macOS Catalina is compatible with these computers for a list of devices that are supported.

Note

Devices that are currently enrolled on macOS 10.13.x and 10.14 will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if running macOS 10.14 or below.

What do I need to do to prepare for this change?

Check your Intune reporting to see what devices or users may be affected. Go to Devices > All devices and filter by macOS. You can add in additional columns to help identify who in your organization has devices running macOS 10.14 or below. Request that your users upgrade their devices to a supported OS version before the release of macOS 12.

Update your iOS Company Portal minimum version to v4.16.0

We have recently released an updated Company Portal for iOS to the Apple Store that is a required app update. The minimum supported version of the iOS Company Portal is now v4.16.0.

What action do I need to take?

If you have enabled the Block installing apps using App Store device restriction setting, you will likely need to push an update to the related devices. Otherwise, no action is needed, but if you have a helpdesk, you may want to make them aware of the prompt to update the Company Portal app.

How does this affect me?

User impact - Most users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. Users that have an earlier app version will be prompted to update to the latest Company Portal app.

Note

If you have enabled the Block installing apps using App Store device restriction setting, you may need to manually push an update to the related devices.

Plan for Change: Intune ending support for standalone client apps on Microsoft Tunnel

Beginning on June 14, 2021, the Microsoft Defender for Endpoint app on Android supports Microsoft Tunnel functionality and is the official tunnel client app for Android Enterprise customers. With the release of Microsoft Defender for Endpoint as the Microsoft Tunnel client app, the standalone Microsoft Tunnel app for Android is deprecated with support ending after January 31, 2022. When support ends, the standalone tunnel app will be removed from the Google Play store.

How this change will affect your organization

If you use the standalone tunnel app for Android, you'll need to move to the Microsoft Defender for Endpoint app before January 31, 2022 to ensure users can still access the Tunnel Gateway configuration.

What you need to do to prepare

For your devices that run Android Enterprise and currently use the standalone tunnel app, plan to replace the standalone tunnel app with the Defender for Endpoint app. New devices should use Microsoft Defender for Endpoint as the tunnel client app.

Upgrade to the Microsoft Intune Management Extension

We’ve released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are less than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see CVE-2021-31980 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31980.

What action do I need to take?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.
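
To confirm the upgrade without opening Apps & features on each device, the following PowerShell check compares the installed Microsoft Intune Management Extension version against 1.43.203.0. It is an added example, not a Microsoft script. It assumes the Apps & features entry is backed by the standard Uninstall registry keys and carries the display name used on this page; the function name Get-ImeVersionStatus is hypothetical.

```powershell
# Added example: report whether the Intune Management Extension on this device
# is at or above the version this page gives (1.43.203.0).
$MinimumVersion = [version]'1.43.203.0'

function Get-ImeVersionStatus {
    [CmdletBinding()]
    param(
        [version]$Minimum = $MinimumVersion,

        # Assumption: these Uninstall keys back the Apps & features program list.
        # Both the 64-bit and 32-bit registry views are searched.
        [string[]]$UninstallRoots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
    )

    # Keys without a DisplayName simply fail the comparison and are skipped.
    $entries = Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Microsoft Intune Management Extension' }

    if (-not $entries) {
        return [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            DisplayVersion = $null
            Minimum        = $Minimum
            Status         = 'NotInstalled'
        }
    }

    foreach ($entry in $entries) {
        $parsed = $null
        if (-not [version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
            # Missing or malformed DisplayVersion: flag for manual review.
            $status = 'UnparsableVersion'
        }
        else {
            # A three-part version such as 1.43.203 has Revision = -1 in .NET and
            # would sort below 1.43.203.0, so pad missing parts with zero first.
            $normalized = [version]::new(
                $parsed.Major,
                $parsed.Minor,
                [Math]::Max($parsed.Build, 0),
                [Math]::Max($parsed.Revision, 0)
            )
            $status = if ($normalized -lt $Minimum) { 'BelowMinimum' } else { 'OK' }
        }

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            DisplayVersion = $entry.DisplayVersion
            Minimum        = $Minimum
            Status         = $status
        }
    }
}

Get-ImeVersionStatus
```

A device that reports BelowMinimum has not yet received the automatic upgrade; per the note above, that happens once the client connects to the service.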

Update to Endpoint Security Antivirus Windows 10 Profiles

We've made a minor change to improve the Antivirus profile experience for Windows 10. There’s no end-user effect as this is a change only in what you’ll see in the UI.

How does this affect me?

Previously, when you configured a Windows security profile for Endpoint security Antivirus policy, you had two options for most settings: Yes and Not configured. Moving forward, those same settings now include Yes, Not configured, and a new option of No. Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you now have the option to explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting (Hide the Virus and threat protection area) was set to Not configured and the child setting was set to Yes, both the parent and child settings will be set to Not configured, which will take effect when you edit the profile.

What action do I need to take?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for Change: Intune ending company portal support for unsupported versions of Windows

Intune follows Windows 10 lifecycle for supported Windows 10 versions. We’re now removing support for the associated Windows 10 Company Portals for those Windows versions that are out of the Modern Support policy.

How does this affect me?

Given that Microsoft no longer supports these OSs, this may not affect you; you have likely already upgraded your OS or devices. This will only affect you if you are still managing unsupported Windows 10 versions. Windows and Company portal versions this affects include:

  • Windows 10, Version 1507, Company portal version 10.1.721.0
  • Windows 10, Version 1511, Company portal version 10.1.1731.0
  • Windows 10, Version 1607, Company portal version 10.3.5601.0
  • Windows 10, Version 1703, Company portal version 10.3.5601.0
  • Windows 10, Version 1709, any Company portal version

We will not uninstall these Company portal versions mentioned above, but we will remove them from the Microsoft Store and stop testing our service releases with them.

User Impact: If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. The user will not be able to be co-managed with System Center Configuration Manager and Intune.

What do I need to do?

In the Microsoft Endpoint Manager admin center, use the Discovered apps feature to find apps with these versions. On a user’s device, the Company Portal version is shown in the Settings page of the company portal. Update to a supported Windows/Company Portal version.

Plan for Change: Intune moving to support Android 6.0 and higher in April 2021

As mentioned in MC234534, Intune will be moving to support Android 6.0 (Marshmallow) and higher in the April (2104) service release.

How this change will affect your organization

Given that the Office mobile apps for Android ended support for Android 5.x (Lollipop) on June 30, 2019 (MC181101) this change may not affect you; you have likely already upgraded your OS or devices. However, if you have any device that is still running Android version 5.x, or decide to enroll any device that is running Android version 5.x, please note that these devices will no longer be supported. Either update them to Android version 6.0 (Marshmallow) or higher or replace them with a device on Android version 6.0 or higher.

Note

Teams Android devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

What you need to do to prepare

Notify your helpdesk, if applicable, of this upcoming change in support. You also have two admin options to help inform your end users or block enrollment.

  1. Here’s how you can warn end users:
    • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send a message to users before marking them noncompliant.
    • Configure an app protection policy Conditional launch setting with a Min OS version requirement to warn users.
  2. Here’s how you can block devices on versions below Android 6.0:
    • Set enrollment restrictions to prevent devices on Android 5.x from enrolling
    • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices on Android 5.x non-compliant.
    • Configure an app protection policy Conditional launch setting with a Min OS version requirement to block users from app access.

See also

For details about recent developments, see What's new in Microsoft Intune.