In development for Microsoft Intune
To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:
- If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.
- When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.
- This page and the What's new page are updated periodically. Check back for additional updates.
- Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.
This page reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This page doesn't describe all features in development.
RSS feed: Find out when this page is updated by copying and pasting the following URL into your feed reader:
This article was last updated on the date listed under the title above.
Update to device icons in Company Portal and Intune apps on Android
We're updating the device icons in the Company Portal and Intune apps on Android devices to create a more modern look and feel and to align with the Microsoft Fluent Design System. For related information, see Update to icons in Company Portal app for iOS/iPadOS and macOS.
S/MIME for Outlook on iOS and Android Enterprise devices managed without enrollment
You'll be able to enable S/MIME for Outlook on iOS and Android Enterprise devices using app configuration policies for devices managed without enrollment. In Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed apps. Additionally, you can choose whether or not to allow users to change this setting in Outlook. For more information about Outlook configuration settings, see Microsoft Outlook configuration settings.
iOS Company Portal will support Apple's Automated Device Enrollment without user affinity
iOS Company Portal will be supported on devices enrolled using Apple's Automated Device Enrollment without requiring an assigned user. An end user can sign in to the iOS Company Portal to establish themselves as the primary user on an iOS/iPadOS device enrolled without device affinity. For more information about Automated Device Enrollment, see Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrollment.
Win32 app installation notifications and the Company Portal
End users will be able to decide whether the applications shown in the Microsoft Intune Web Company Portal should be opened by the Company Portal app or the Web Company Portal. This option is only available if the end user has the Company Portal app installed and launches a Web Company Portal application outside of a browser.
The Company Portal adds Configuration Manager application support
The Company Portal now supports Configuration Manager applications. This feature allows end users to see both Configuration Manager and Intune deployed applications in the Company Portal for co-managed customers. This support will help administrators consolidate their different end-user portal experiences. For more information, see Use the Company Portal app on co-managed devices.
Set device compliance state from third-party MDM partners
Microsoft 365 customers who own third-party MDM solutions will be able to enforce Conditional Access policies for Microsoft 365 apps on iOS and Android via integration with Microsoft Intune Device Compliance service. Third-party MDM vendor will leverage the Intune Device Compliance service to send device compliance data to Intune. Intune will then evaluate to determine if the device is trusted and set the conditional access attributes in Azure AD. Customers will be required to set Azure AD Conditional Access policies from within the Microsoft Endpoint Manager admin center or the Azure AD portal.
New VPN settings for Windows 10 and newer devices
When you create a VPN profile using the IKEv2 connection type, there are new settings you can configure (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > VPN for profile > Base VPN):
- Device Tunnel: Allows devices to automatically connect to VPN without requiring any user interaction, including user logon. This feature requires you to enable Always On, and use Machine certificates as the authentication method.
- Cryptography suite settings: Configure the algorithms used to secure IKE and child security associations, which allow you to match client and server settings.
To see the settings you can configure, go to Windows device settings to add VPN connections using Intune.
- Windows 10 and newer
New features for Managed Home Screen on Android Enterprise device owner dedicated devices (COSU)
On Android Enterprise devices, administrators will be able to use device configuration profiles to customize the Managed Home Screen on dedicated devices using multi-app kiosk mode (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile > Device experience).
Specifically, you can:
- Customize icons, change the screen orientation, and show app notifications on badge icons
- Hide the Managed Settings entry point
- Easier access the debug menu
- Create an allowed list of Wi-Fi networks
- Easier access to the device information
For more information, see Android Enterprise device settings to allow or restrict features.
- Android Enterprise device owner, dedicated devices (COSU)
Corporate-owned, personally enabled devices (preview)
Intune will support Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and above. Corporate-owned devices with a work profile is one of the corporate management scenarios in the Android Enterprise solution set. This scenario is for single user devices intended for corporate and personal use. This corporate-owned, personally-enabled (COPE) scenario offers:
- work and personal profile containerization
- device-level control for admins
- a guarantee for end users that their personal data and applications will remain private
The first public preview release will include a subset of the features that will be included in the generally available release. Additional features will be added on a rolling basis. The features that will be available in the first preview include:
- Enrollment: Admins can create multiple enrollment profiles with unique tokens that do not expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
- Device configuration: A subset of the existing fully managed and dedicated device settings.
- Device compliance: The compliance policies that are currently available for fully managed devices.
- Device Actions: Delete device (factory reset), reboot device, and lock device.
- App management: App assignments, app configuration, and the associated reporting capabilities
- Conditional Access
Device compliance logs now in English
The IntuneDeviceComplianceOrg logs only have enumerations for ComplianceState, OwnerType, and DeviceHealthThreatLevel. In a future update, these logs will have English information in the columns.
PowerShell scripts support for BYOD devices
PowerShell scripts will support Azure AD registered devices in Intune. For more information about PowerShell, see Use PowerShell scripts on Windows 10 devices in Intune. This functionality does not support devices running Windows 10 Home edition.
Log Analytics will include device details log
Intune device detail logs will be available in Reports > Log analytics. You can correlate device details to build custom queries and Azure workbooks.
Tenant attach: Device timeline in the admin center
When Configuration Manager synchronizes a device to Microsoft Endpoint Manager through tenant attach, you'll be able to see a timeline of events. This timeline shows past activity on the device that can help you troubleshoot problems. For more information, see Configuration Manager technical preview 2005.
Tenant attach: Install an application from the admin center
You'll be able to initiate an application install in real time for a tenant attached device from the Microsoft Endpoint Management admin center. For more information, see Configuration Manager technical preview 2005.
Tenant attach: CMPivot from the admin center
You'll be able to bring the power of CMPivot to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to be able to initiate real-time queries from the cloud against an individual ConfigMgr managed device and return the results back to the admin center. This gives all the traditional benefits of CMPivot, which allows IT Admins and other designated personas the ability to quickly assess the state of devices in their environment and take action. For more information, see Configuration Manager technical preview 2005.
Tenant attach: Run Scripts from the admin center
You'll be able to bring the power of the Configuration Manager on-premises Run Scripts feature to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to run PowerShell scripts from the cloud against an individual Configuration Manager managed device. This gives all the traditional benefits of PowerShell scripts that have already been defined and approved by the Configuration Manager admin to this new environment. For more information, see Configuration Manager technical preview 2005.
New merge logic for Windows 10 devices
Today, if a customer reimages a device and then re-enrolls it, multiple records for the device will appear in the Microsoft Endpoint Manager admin console. New merge logic is in development to merge such duplicate records for Windows 10 devices.
Updates to the remote lock action for macOS devices
Updates to the remote lock action for macOS devices will include:
- The recovery pin will be displayed for 30 days before deletion (instead of seven days).
- If an admin has a second browser open and tries to trigger the command again from a different tab or browser, Intune will allow the command to go through. But the reporting status will be set to failed rather than generating a new pin.
- The admin won't be able to issue another remote lock command if the previous command is still pending or if the device hasn’t checked back in. These changes are designed to prevent the correct pin from being overwritten after multiple remote lock commands.
Deploy Software Updates to macOS devices
You'll be able to deploy Software Updates to groups of macOS devices. This feature includes critical, firmware, configuration file, and other updates. You'll be able to send updates on the next device check-in or select a weekly schedule to deploy updates in or out of time windows that you set. This helps when you want to update devices outside standard work hours or when your help desk is fully staffed. You'll also get a detailed report of all macOS devices with updates deployed. You can drill into the report on a per-device basis to see the statuses of particular updates.
Monitor and troubleshoot
Additional Data Warehouse v1.0 properties
Additional properties are available using the Intune Data Warehouse v1.0. The following properties are now exposed via the devices entity:
ethernetMacAddress- The unique network identifier of this device.
office365Version- The version of Office 365 that is installed on the device.
The following properties are now exposed via the devicePropertyHistories entity:
physicalMemoryInBytes- The physical memory in bytes.
totalStorageSpaceInBytes- Total storage capacity in bytes.
For more information, see Microsoft Intune Data Warehouse API.
Power BI compliance report template V2.0
Admins will be able to update the Power BI compliance report template version from V1.0 to V2.0. V2.0 will include an improved design, as well as changes to the calculations and data that are being surfaced as part of the template. For related information, see Connect to the Data Warehouse with Power BI.
Role-based access control
Scope tag support for customization policies
You'll be able to assign scope tags to Customization policies. To do so, go to Microsoft Endpoint Manager admin center > Tenant administration> Customization where you will see Scope tags configuration options.
Assign profile and Update profile permission changes
Role-based access control permissions will be changing for Assign profile and Update profile:
- Assign profile: Admins with this permission will be able to also assign the profiles to tokens and assign a default profile to a token.
- Update profile: Admins with this permission will be able to update existing profiles only.
App protection policy support for Symantec Endpoint Security and Check Point Sandblast
In October of 2019, Intune app protection policy added the capability to use data from some of our Microsoft Threat Defense partners (MTD partners). We are adding support for the following partners, to use an app protection policy to block, or selectively wipe the user's corporate data based on the health of a device:
- Check Point Sandblast on Android, iOS and iPadOS
- Symantec Endpoint Security on Android, iOS and iPadOS
For information about using app protection policy with MTD partners, see Create Mobile Threat Defense app protection policy with Intune.
Store the recovery key for a macOS device that was encrypted with FileVault before enrolling with Intune
Soon, end users of a macOS device that wasn’t encrypted by FileVault policy from Intune, or was encrypted prior to being enrolled with Intune, won’t need to decrypt their device so it can then be re-encrypted by Intune. Instead, the current encryption can stay in place and the user can go to the Company Portal website where they can choose Store recovery key to submit their personal recovery key for the encrypted macOS device. Upon submission of a valid key, Intune will rotate the personal key to generate a new key, which remains available to the user through the Company Portal website, the iOS/ Company Portal, the Android Company Portal, or the Intune app. Users can then access those locations from any device to view the key should they become locked out of their macOS device.
Hide the personal recovery key from a device user during macOS FileVault disk encryption
We’re adding a new setting called Hide recovery key to the endpoint security disk encryption policy for FileVault (Endpoint security > Disk encryption > Create profile > macOS > FileVault). When you enable the new setting, Intune hides the personal recovery key from the user of the macOS device during encryption. By hiding the key at this time, you can help keep it secure as users won’t be able to write it down while waiting for the device to encrypt. Instead, if recovery is needed, a user can always use any device to view their personal recovery key through the Intune Company Portal website.
Improved view of security baseline details for devices
We're working to improve the display of details for security baseline settings, when you drill into the details for a device (Endpoint security > Devices). For each assigned security baseline, you’ll be able to view a flat list of details for each setting that includes setting categories, setting names, and the state of each setting on that device.
Manage source locations for definition updates with endpoint security antivirus policy for Windows 10 devices
We’re adding two new settings to the Updates category of endpoint security antivirus policy for Windows 10 devices what can help you manage how devices get update definitions (Endpoint security > ** Antivirus** > Create Policy > Windows 10 and later > Microsoft Defender Antivirus).
With the new settings, you’ll be able to add UNC file shares as download source locations for definition updates, and define the order in which different source locations are contacted. The new settings will manage the following Defender CSPs:
Endpoint detection and response policy for onboarding Tenant Attached devices to MDATP is moving out of preview
As part of endpoint security in Intune, the Endpoint detection and response (EDR) policies support for use with devices managed by Configuration Manager will soon move out of preview and become Generally Available (Endpoint security > Endpoint detection and response > Create Policy > Windows 10 and windows Server). When you configure Tenant Attach for Configuration Manager, you can then use the EDR policies to onboard devices managed by Configuration Manager to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
Improvements for the security baselines node
To improve the usability of the security baseline node in the Microsoft Endpoint Manager admin center, we’re removing the Overview tab for each baseline and will instead open the baselines Profile tab (Endpoint security > Security baselines > baseline).
The Overview page for each baseline displays charts and tiles that aggregate results from the last baseline version you deployed. That information is duplicated from what you see if you drill-in to a version for more details. After the Overview page is removed, those charts and aggregate details will remain available when you drill into the version directly.
Firewall rule migration tool preview
As a public preview, we're working on a PowerShell based tool that will migrate Windows Defender Firewall rules. When you install and run the tool, it automatically creates Endpoint security Firewall Rule policies for Intune that are based on the current configuration of a Windows 10 client.
New settings for the Device Control profile in endpoint security Attack surface reduction policy
We’re adding several settings for Windows 10 devices to the Device control profile for endpoint security Attack surface Reduction policy (Endpoint security > Attack surface reduction > Create Policy > Windows 10 and later > Device control).
The new settings will be the same as those settings that are available today in Device restriction profiles for Device configuration. The settings being added to the Device control profile should include various Bluetooth settings.
These notices provide important information that can help you prepare for future Intune changes and features.
Microsoft Intune support for Windows 10 Mobile ending
Microsoft mainstream support for Windows 10 Mobile ended in December 2019. As mentioned in this support statement, Windows 10 Mobile users will no longer be eligible to receive new security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft. Based on the all-up Mobile OS support, Microsoft Intune will now end support for both the Company Portal for the Windows 10 Mobile app and the Windows 10 Mobile Operating System on August 10, 2020.
How does this affect me?
If you have Windows 10 Mobile devices deployed in your organization, between now and August 10, 2020 you can enroll new devices, add, or remove policies and apps, or update any management settings. After August 10, we will stop new enrollments, and eventually remove Windows 10 Mobile management from the Intune UI. Devices will no longer check into the Intune service and we will delete device and policy data.
What do I need to do to prepare for this change?
You can check your Intune reporting to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running Windows 10 Mobile. Request that your end users upgrade their devices or discontinue using the devices for corporate access.
End of support for legacy PC management
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as Mobile Device Management (MDM) devices to keep them managed by Intune.
Move to the Microsoft Endpoint Manager admin center for all your Intune management
In MC208118 posted last March, we introduced a new, simple URL for your Microsoft Endpoint Manager – Intune administration: https://endpoint.microsoft.com. Microsoft Endpoint Manager is a unified platform that includes Microsoft Intune and Configuration Manager. Starting August 1, 2020, we will remove Intune administration at https://portal.azure.com and recommend you instead use https://endpoint.microsoft.com for all your endpoint management.
Decreasing support for Android device administrator
Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then beginning with Android 5, the more modern management framework of Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device administrator management by decreasing its management support in new Android releases.
How does this affect me?
Because of these changes by Google, in the fourth quarter of 2020, you will no longer have as extensive management capabilities on impacted device administrator-managed devices.
This date was previously communicated as third quarter of 2020, but it has been moved out based on the latest information from Google.
Device types that will be impacted
Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:
- Enrolled in device administrator management.
- Running Android 10 or later.
- Not a Samsung device.
Devices will not be impacted if they are any of the below:
- Not enrolled with device administrator management.
- Running an Android version below Android 10.
- Samsung devices. Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.
Settings that will be impacted
Google's decreased device administrator support prevents configuration of these settings from applying on impacted devices.
Configuration profile device restriction settings
- Block Camera
- Set Minimum password length
- Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but will apply on devices with a password)
- Set Password expiration (days)
- Set Required password type
- Set Prevent use of previous passwords
- Block Smart Lock and other trust agents
Compliance policy settings
- Set Required password type
- Set Minimum password length
- Set Number of days until password expires
- Set Number of previous passwords to prevent reuse
Additional impacts based on Android OS version
Android 10: For all device administrator-managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:
- Network access control for VPN will no longer work
- Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned
- The IMEI and serial number will no longer be visible to IT admins in Intune
Android 11: We are currently testing Android 11 support on the latest developer beta release to evaluate if it will cause impact on device administrator-managed devices.
User experience of impacted settings on impacted devices
Impacted configuration settings:
- For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).
Impacted compliance settings:
- For already enrolled devices that already had the settings applied, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page, the device will be out of compliance, and the password requirements will still be enforced in the Settings app.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page and the device will be out of compliance, but stricter password requirements will not be enforced in the Settings app.
Cause of impact
Devices will begin being impacted in the fourth quarter of 2020. At that time, there will be a Company Portal app update that will increase the Company Portal API targeting from level 28 to level 29 (as required by Google).
At that point, device administrator-managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:
- Updates to Android 10 or later.
- Updates the Company Portal app to the version that targets API level 29.
What do I need to do to prepare for this change?
To avoid the reduction in functionality coming in the fourth quarter of 2020, we recommend the following:
- New enrollments: Onboard new devices into Android Enterprise management (where available) and/or app protection policies. Avoid onboarding new devices into device administrator management.
- Previously enrolled devices: If a device administrator-managed device is running Android 10 or later or may update to Android 10 or later (especially if it is not a Samsung device), move it off of device administrator management to Android Enterprise management and/or app protection policies. You can leverage the streamlined flow to move Android devices from device administrator to work profile management.
- Move Android devices from device administrator to work profile management
- Set up enrollment of Android Enterprise work profile devices
- Set up enrollment of Android Enterprise dedicated devices
- Set up enrollment of Android Enterprise fully managed devices
- How to create an assign app protection policies
- How to use Intune in environments without Google Mobile Services
- Understanding app protection policies and work profiles on Android Enterprise devices
- Google’s blog about what you need to know about Device Admin deprecation
- Google's guidance for migration from device administrator to Android Enterprise
- Google's documentation of deprecated device administrator APIs
Plan for Change: Intune Enrollment Flow Update for Apple’s Automated Device Enrollment for iOS/iPadOS
In the July Company Portal release, we’ll be changing the iOS/iPadOS enrollment flow for Apple’s Automated Device Enrollment (formerly known as DEP). The enrollment flow change is only encountered during the “Enroll with User Affinity” flow. Previously, if you set the “Install Company Portal” to “no” as part of your configuration, users could still install the Company Portal app from the store which would then trigger enrollment where the user would add in the appropriate serial number. With this upcoming Company Portal release, we’ll be removing that serial number confirmation screen. Instead, you’ll want to create a corresponding app configuration policy to send down alongside the Company Portal to ensure that users can successfully enroll, or set the “Install Company Portal” to “Yes” as part of your configuration.
- See the post here for more info.
For details about recent developments, see What's new in Microsoft Intune.