What's new in Microsoft Intune

Learn what's new each week in Microsoft Intune.

You can also read:

Note

Each monthly update can take up to three days to rollout and will be in the following order:

  • Day 1: Asia Pacific (APAC)
  • Day 2: Europe, Middle East, Africa (EMEA)
  • Day 3: North America
  • Day 4+: Intune for Government

Some features roll out over several weeks and might not be available to all customers in the first week.

For a list of upcoming Intune feature releases, see In development for Microsoft Intune.

For new information about Windows Autopilot solutions, see:

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Week of December 16, 2024 (Service release 2412)

App management

Increased scale for Customization policies

You can now create up to 25 policies that customize the Company Portal and Intune app experience. The previous maximum number of Customization policies was 10. Navigate to the Intune admin center, and select Tenant administration > Customization.

For more information about customizing the Company Portal and Intune apps, see Customizing the user experience.

Device security

Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint

You can now manage the Microsoft Defender for Endpoint CSP setting for tamper protection on unenrolled devices you mange as part of the Defender for Endpoint security settings management scenario.

With this support, tamper protection configurations from Windows Security Experience profiles for Antivirus policies now apply to all devices instead of only to those that are enrolled with Intune.

Device configuration

Ending support for administrative templates when creating a new configuration profile

Customers cannot create new Administrative Templates configuration profile through Devices > Configuration > Create > New policy > Windows 10 and later > Administrative Templates. A (retired) tag is seen next to Administrative Templates and the Create button is now greyed out. Other templates will continue to be supported.

However, customers can now use the Settings Catalog for creating new Administrative Templates configuration profile by navigating to Devices > Configuration > Create > New policy > Windows 10 and later > Settings Catalog.

There are no changes in the following UI experiences:

  • Editing an existing Administrative template.
  • Deleting an existing Administrative template.
  • Adding, modifying or deleting settings in an existing Administrative template.
  • Imported Administrative templates (Preview) template, which is used for Custom ADMX.

For more information, see Use ADMX templates on Windows 10/11 devices in Microsoft Intune.

Applies to:

  • Windows

Device management

More Wi-Fi configurations are now available for personally-owned work profile devices

Intune Wi-Fi configuration profiles for Android Enterprise personally-owned work profile devices now support configuration of pre-shared keys and proxy settings.

You can find these settings in the admin console in Devices > Manage devices > Configuration > Create > New Policy. Set Platform to Android Enterprise and then in the Personally-Owned Work Profile section, select Wi-Fi and select the Create button.

In the Configuration settings tab, when you select Basic Wi-Fi type, several new options are available:

  1. Security type, with options for Open (no authentication), WEP-Pre-shared key, and WPA-Pre-shared key.

  2. Proxy settings, with the option to select Automatic and then specify the proxy server URL.

It was possible to configure these in the past with Custom Configuration policies, but going forward, we recommend setting these in the Wi-Fi Configuration profile, because Intune is ending support for Custom policies in April 2024..

For more information, see Wi-Fi settings for personally-owned work profile devices..

Applies to:

  • Android Enterprise

Week of December 9, 2024

Tenant administration

Intune now supports Ubuntu 24.04 LTS for Linux management.

We're now supporting device management for Ubuntu 24.04 LTS. You can enroll and manage Linux devices running Ubuntu 24.04, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

For more information, see the following in Intune documentation:

Applies to:

  • Linux Ubuntu Desktops

Week of December 2, 2024

Device enrollment

Change to enrollment behavior for iOS enrollment profile type

At Apple WWDC 2024, Apple ended support for profile-based Apple user enrollment. For more information, see Support has ended for profile-based user enrollment with Company Portal. As a result of this change, we updated the behavior that occurs when you select Determine based on user choice as the enrollment profile type for bring-your-own-device (BYOD) enrollments.

Now when users select I own this device during a BYOD enrollment, Microsoft Intune enrolls them via account-driven user enrollment, rather than profile-based user enrollment, and then secures only work-related apps. Less than one percent of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. There is no change for iOS users who select My company owns this device during a BYOD enrollment. Intune enrolls them via device enrollment with Intune Company Portal, and then secures their entire device.

If you currently allow users in BYOD scenarios to determine their enrollment profile type, you must take action to ensure account-driven user enrollment works by completing all prerequisites. For more information, see Set up account driven Apple user enrollment. If you don't give users the option to choose their enrollment profile type, there are no action items.

Device management

Device Inventory for Windows

Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.

You can now choose what you want to collect from your devices, using the catalog of properties and then view the collected properties in the Resource Explorer view.

For more information, see:

Applies to:

  • Windows 10 and later (Corporate owned devices managed by Intune)

Week of November 18, 2024 (Service release 2411)

App management

Configuration values for specific managed applications on Intune enrolled iOS devices

Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values are automatically sent to managed applications on Intune enrolled iOS devices for the following apps:

  • Microsoft Excel
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Teams
  • Microsoft Word

For more information, see Plan for Change: Specific app configuration values will be automatically sent to specific apps and Intune Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases.

Additional installation error reporting for LOB apps on AOSP devices

Additional details are now provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You can view installation error codes and detailed error messages for LOB apps in Intune.

For information about app installation error details, see Monitor app information and assignments with Microsoft Intune.

Applies to:

  • Android Open Source Project (AOSP) devices

Microsoft Teams app protection on VisionOS devices (preview)

Microsoft Intune app protection policies (APP) are now supported on the Microsoft Teams app on VisionOS devices.

To learn more about how to target policies to VisionOS devices, see Managed app properties for more information about filters for managed app properties.

Applies to:

  • Microsoft Teams for iOS on VisionOS devices

Device configuration

New settings available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

A new setting Set Copilot Hardware Key is now available in the Settings Catalog. To see this and other settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.

Applies to:

  • Windows 11

Device Firmware Configuration Interface (DFCI) support for Samsung devices

You can now use DFCI profiles to manage UEFI (BIOS) settings for Samsung devices that run Windows 10 or Windows 11. Not all Samsung devices running Windows are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

You can manage DFCI profiles from within the Microsoft Intune admin center by going to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.

For more information about DFCI profiles, see:

Applies to:

  • Windows

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

We've added new settings to the Settings Catalog. To view available settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Restrictions:

  • Allow Apps To Be Hidden
  • Allow Apps To Be Locked
  • Allow Call Recording
  • Allow Default Browser Modification
  • Allow External Intelligence Integrations
  • Allow External Intelligence Integrations Sign In
  • Allow Mail Summary
  • Allow RCS Messaging
macOS

Restrictions:

  • Allow External Intelligence Integrations
  • Allow External Intelligence Integrations Sign In
  • Allow Mail Summary
  • Allow Media Sharing Modification
  • Force Bypass Screen Capture Alert

The following settings have been deprecated by Apple and will be marked as deprecated in the Settings Catalog:

macOS

Networking > Firewall:

  • Enable Logging
  • Logging Option

View profiles for your Endpoint Security policies in the Device Configuration node of the admin center

We’ve updated the Configuration view for Devices in the Microsoft Intune admin center to now display profiles for your endpoint security policies alongside your device configuration policies. This means you can view a combined list of your device configuration policies and the supported endpoint security policies in a single location where you can then select a policy to view and edit it.

The combined view supports the endpoint security profiles you create for the macOS and Windows platforms for the following endpoint security policy types:

  • Account Protection
  • Antivirus
  • Application Control
  • Attack Surface Reduction
  • Disk encryption
  • Endpoint Detection and Response
  • Endpoint Privilege Management
  • Firewall

When viewing the list of policies, endpoint security policies are identified by their template type, like Microsoft Defender Antivirus, in the Policy type column.

To view the combined list profiles for all device types, in the Microsoft Intune admin center go to Devices > All devices and below Manage devices, select Configuration.

While you can view endpoint security policies in the device configuration node, you must still create new endpoint security policies in the endpoint security node. Additionally, the combined view does not display endpoint security profiles for the Windows (ConfigMgr) platform or for Linux.

Windows 365 Link is the first Cloud PC device built by Microsoft to connect securely to Windows 365 in seconds, providing a responsive, high-fidelity Windows desktop experience in the Microsoft Cloud.

Windows 365 Link runs a small Windows based OS called Windows CPC, and shows up in Intune alongside other managed Windows devices and Cloud PCs.

Also, Device actions, such as Wipe, Restart, and Collect diagnostics work similarly to other Windows devices. As the OS is purpose built to directly connect to Windows 365, this results in only a fraction of Windows configuration policies being applicable, minimizing decision points.

The process to configure and apply those applicable policies is simple and familiar because the process is the same as your other Windows devices. Secondly, Windows 365 Link has no ability to store data locally, no local apps, no local admin users, and automatically keeps itself up to date.

This means several Intune features are not applicable including application and update management, along with scripts and remediations.

Windows 365 Link is now available in public preview. For more information, see Windows 365 Link—the first Cloud PC device for Windows 365.

Store macOS certificates in user keychain

A new deployment channel setting in Microsoft Intune enables you to store macOS authentication certificates in the user keychain. This enhancement strengthens system security and improves the user experience by reducing certificate prompts. Prior to this change, Microsoft Intune automatically stored user and device certificates in the system keychain. The deployment channel setting is available in Simple Certificate Enrollment Protocol (SCEP) and Public Key Cryptography Standards (PKCS) certificate profiles for macOS, and in VPN, Wi-Fi, and wired network settings configuration profiles for macOS.

For more information about the profiles and their new setting, see:

Evaluate compliance of Windows Subsystem for Linux (generally available)

Now generally available, Microsoft Intune supports compliance checks for instances of Windows Subsystem for Linux (WSL) running on a Windows host device. You can create a Windows 10/11 compliance policy that contains the allowed Linux distribution names and versions evaluated on WSL. Microsoft Intune includes the WSL compliance results in the overall compliance state of the host device.

For more information about WSL compliance, see Evaluate compliance for Windows Subsystem for Linux.

Intune Apps

Newly available protected apps for Intune

The following protected app is now available for Microsoft Intune:

  • Microsoft Designer by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

ICCID is inventoried for Android Enterprise Dedicated and Fully Managed

We've added the ability to view a device's ICCID number for devices enrolled as Android Enterprise Dedicated or Android Fully Managed. Admins can view ICCID numbers in their device inventory.

You can now find the ICCID number for Android devices by navigating to Devices > Android. Select a device of interest. In the side panel, under Monitor select Hardware. The ICCID number will be in the Network details group. The ICCID number isn't supported for Android Corporate-Owned Work Profile devices.

Applies to:

  • Android dedicated and fully managed

New device actions for single device query

We've added the Intune remote device actions to Single device query to help you manage your devices remotely. From the device query interface, you'll be able to run device actions based on query results for faster and more efficient troubleshooting.

Applies to:

  • Windows

For more information, see:

Week of October 28, 2024

Device security

Defender for Endpoint security settings support in government cloud environments (generally available)

Now generally available, customer tenants in the Government Community Cloud (GCC), US Government Community High (GCC High), and Department of Defense (DoD) environments can use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. Previously, support for Defender security settings was in public preview.

This capability is known as Defender for Endpoint security settings management.

Week of October 14, 2024 (Service release 2410)

App management

Updates to app configuration policies for Android Enterprise devices

App configuration policies for Android Enterprise devices now support overriding the following permissions:

  • Access background location
  • Bluetooth (connect)

For more information about app configuration policies for Android Enterprise devices, see Add app configuration policies for managed Android Enterprise devices.

Applies to:

  • Android Enterprise devices

Device configuration

Windows Autopilot device preparation support in Intune operated by 21Vianet in China

Intune now supports Windows Autopilot device preparation policy for Intune operated by 21Vianet in China cloud. Customers with tenants located in China can now use Windows Autopilot device preparation with Intune to provision devices.

For information about this Autopilot support, see the following in the Autopilot documentation:

Device management

Minimum OS version for Android devices is Android 10 and later for user-based management methods

Beginning in October 2024, Android 10 and later is the minimum Android OS version that is supported for user-based management methods, which includes:

  • Android Enterprise personally-owned work profile
  • Android Enterprise corporate owned work profile
  • Android Enterprise fully managed
  • Android Open Source Project (AOSP) user-based
  • Android device administrator
  • App protection policies (APP)
  • App configuration policies (ACP) for managed apps

For enrolled devices on unsupported OS versions (Android 9 and lower)

  • Intune technical support is not provided.
  • Intune won't make changes to address bugs or issues.
  • New and existing features aren't guaranteed to work.

While Intune doesn't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices are not affected by this change.

Collection of additional device inventory details

Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature.

Applies to:

  • Windows

Week of October 7, 2024

App management

New UI for Intune Company Portal app for Windows

The UI for the Intune Company Portal app for Windows is updated. Users now see an improved experience for their desktop app without changing the functionality they've used in the past. Specific UI improvements are focused on the Home, Devices, and Downloads & updates pages. The new design is more intuitive and highlights areas where users need to take action.

For more information, see New look for Intune Company Portal app for Windows. For end user details, see Install and share apps on your device.

Device security

New strong mapping requirements for SCEP certificates authenticating with KDC

The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that a Simple Certificate Enrollment Protocol (SCEP) certificate's subject alternative name (SAN) must have a security identifier (SID) extension that maps to the user or device SID in Active Directory. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working.

To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a URI attribute and the OnPremisesSecurityIdentifier variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID.

For more information and steps, see Update certificate connector: Strong mapping requirements for KB5014754.

Applies to:

  • Windows 10/11, iOS/iPadOS, and macOS user certificates
  • Windows 10/11 device certificates

This requirement isn't applicable to device certificates used with Microsoft Entra joined users or devices, because the SID attribute is an on-premises identifier.

Defender for Endpoint security settings support in government cloud environments (public preview)

In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on the devices that onboarded to Defender without enrolling those devices with Intune. This capability is known as Defender for Endpoint security settings management.

For more information about the Intune features supported in GCC High and DoD environments, see Intune US Government service description.

Week of September 30, 2024

Device security

Updates to PKCS certificate issuance process in Microsoft Intune Certificate Connector, version 6.2406.0.1001

We updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in KB5014754. As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID.

The SID update is available for user certificates across all platforms, and for device certificates specifically on Microsoft Entra hybrid joined Windows devices.

For more information, see:

Week of September 23, 2024 (Service release 2409)

App management

Working Time settings for app protection policies

Working time settings allow you to enforce policies that limit access to apps and mute message notifications received from apps during non-working time. The limit access setting is now available for the Microsoft Teams and Microsoft Edge apps. You can limit access by using App Protection Policies (APP) to block or warn end users from using the iOS/iPadOS or Android Teams and Microsoft Edge apps during non-working time by setting the Non-working time conditional launch setting. Also, you can create a non-working time policy to mute notifications from the Teams app to end users during non-working time.

For more information, see:

Applies to:

  • Android
  • iOS/iPadOS

Streamlined app creation experience for apps from Enterprise App Catalog

We've streamlined the way apps from Enterprise App Catalog are added to Intune. We now provide a direct app link rather than duplicating the app binaries and metadata. App contents now download from a *.manage.microsoft.com subdomain. This update helps to improve the latency when adding an app to Intune. When you add an app from Enterprise App Catalog, it syncs immediately and is ready for additional action from within Intune.

Update Enterprise App Catalog apps

Enterprise App Management is enhanced to allow you to update an Enterprise App Catalog app. This capability guides you through a wizard that allows you to add a new application and use supersedence to update the previous application.

For more information, see Guided update supersedence for Enterprise App Management.

Device configuration

Samsung ended support for multiple Android device administrator (DA) settings

On Android device administrator managed (DA) devices, Samsung has deprecated many Samsung Knox APIs (opens Samsung's web site) configuration settings.

In Intune, this deprecation impacts the following device restrictions settings, compliance settings, and trusted certificate profiles:

In the Intune admin center, when you create or update a profile with these settings, the impacted settings are noted.

Though the functionality might continue to work, there's no guarantee that it will continue working for any or all Android DA versions supported by Intune. For more information on Samsung support for deprecated APIs, see What kind of support is offered after an API is deprecated? (opens Samsung's web site).

Instead, you can manage Android devices with Intune using one of the following Android Enterprise options:

Applies to:

  • Android device administrator (DA)

Device Firmware Configuration Interface (DFCI) supports VAIO devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.

Some VAIO devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, see:

Applies to:

  • Windows 10
  • Windows 11

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > Math Settings:

  • Calculator

    • Basic Mode
    • Math Notes Mode
    • Scientific Mode
  • System Behavior

    • Keyboard Suggestions
    • Math Notes

Web Content Filter:

  • Hide Deny List URLs
macOS

Declarative Device Management (DDM) > Math Settings:

  • Calculator

    • Basic Mode
    • Math Notes Mode
    • Programmer Mode
    • Scientific Mode
  • System Behavior

    • Keyboard Suggestions
    • Math Notes

System Configuration > System Extensions:

  • Non Removable From UI System Extensions
  • Non Removable System Extensions

End users might see a different consent experience for remote log collection after the Android APP SDK 10.4.0 and iOS APP SDK 19.6.0 updates. End users no longer see a common prompt from Intune and only see a prompt from the application, if it has one.

Adoption of this change is per-application and is subject to each applications release schedule.

Applies to:

  • Android
  • iOS/iPadOS

Device enrollment

New Setup Assistant screens available for configuration for ADE

New Setup Assistant screens are available to configure in the Microsoft Intune admin center. You can hide or show these screens during automated device enrollment (ADE).

For macOS:

  • Wallpaper: Show or hide the macOS Sonoma wallpaper setup pane that appears after an upgrade on devices running macOS 14.1 and later.
  • Lockdown mode: Show or hide the lockdown mode setup pane on devices running macOS 14.1 and later.
  • Intelligence: Show or hide the Apple Intelligence setup pane on devices running macOS 15 and later.

For iOS/iPadOS:

  • Emergency SOS: Show or hide the safety setup pane on devices running iOS/iPadOS 16 and later.
  • Action button: Show or hide the setup pane for the action button on devices running iOS/iPadOS 17 and later.
  • Intelligence: Show or hide the Apple Intelligence setup pane on devices running iOS/iPadOS 18 and later.

You can configure these screens in new and existing enrollment policies. For more information and additional resources, see:

Extended expiration date for corporate-owned, user-associated AOSP enrollment tokens

Now when you create an enrollment token for Android Open Source Project (AOSP) corporate-owned, user-associated devices, you can select an expiration date that's up to 65 years into the future, an improvement over the previous 90 day expiration date. You can also modify the expiration date of existing enrollment tokens for Android Open Source Project (AOSP) corporate-owned, user-associated devices.

Device security

New disk encryption template for Personal Data Encryption

You can now use the new Personal Data Encryption (PDE) template that is available through endpoint security disk encryption policy. This new template configures the Windows PDE configuration service provider (CSP), which was introduced in Windows 11 22H2. The PDE CSP is also available through the settings catalog.

PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.

Applies to:

  • Windows 11 version 22h2 or later

For more information about PDE, including prerequisites, related requirements, and recommendations, see the following articles in the Windows security documentation:

Intune Apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Notate for Intune by Shafer Systems, LLC

For more information about protected apps, see Microsoft Intune protected apps.

Week of September 9, 2024

App management

Managed Home Screen user experience update

All Android devices automatically migrate to the updated Managed Home Screen (MHS) user experience. For more information, see Updates to the Managed Home Screen experience.

Device enrollment

Support has ended for Apple profile-based user enrollment with Company Portal

Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: profile-based enrollment and account-driven enrollment. Apple ended support for profile-based user enrollment, known in Intune as user enrollment with Company Portal. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for profile-based user enrollment with Company Portal. Users can no longer enroll devices targeted with this enrollment profile type. This change doesn't affect devices that are already enrolled with this profile type, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices.

There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected.

We recommend account-driven user enrollment as a replacement method for devices. For more information about your BYOD enrollment options in Intune, see:

For more information about the device enrollment types supported by Apple, see Intro to Apple device enrollment types in the Apple Platform Deployment guide.

Device management

Intune now supports iOS/iPadOS 16.x as the minimum version

Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.

For more information on this change, see Plan for change: Intune is moving to support iOS/iPadOS 16 and later.

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement for supported versus allowed iOS/iPadOS versions for user-less devices.

Applies to:

  • iOS/iPadOS

Intune now supports macOS 13.x as the minimum version

With Apple's release of macOS 15 Sequoia, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 13 (Ventura) and later.

For more information on this change, see Plan for change: Intune is moving to support macOS 13 and later

Note

macOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement.

Applies to:

  • macOS

Week of August 19, 2024 (Service release 2408)

Microsoft Intune Suite

Easy creation of Endpoint Privilege Management elevation rules from support approval requests and reports

You can now create Endpoint Privilege Management (EPM) elevation rules directly from a support approved elevation request or from details found in the EPM Elevation report. With this new capability, you won’t need to manually identify specific file detection details for elevation rules. Instead, for files that appear in the Elevation report or a support approved elevation request, you can select that file to open its elevation detail pane, and then select the option to Create a rule with these file details.

When you use this option, you can then choose to add the new rule to one of your existing elevation policies, or create a new policy with only the new rule.

Applies to:

  • Windows 10
  • Windows 11

For information about this new capability, see Windows elevation rules policy in the Configure policies for Endpoint Privilege management article.

Introducing the Resource performance report for physical devices in Advanced Analytics

We're introducing the Resource performance report for Windows physical devices in Intune Advanced Analytics. The report is included as an Intune-add on under Microsoft Intune Suite.

The resource performance scores and insights for physical devices are aimed to help IT admins make CPU/RAM asset management and purchase decisions that improve the user experience while balancing hardware costs.

For more information, see:

App management

Managed Home Screen for Android Enterprise Fully Managed devices

Managed Home Screen (MHS) is now supported on Android Enterprise Fully Managed devices. This capability offers organizations the ability to leverage MHS in scenarios where a device is associated with a single user.

For related information, see:

Updates to the Discovered Apps report

The Discovered Apps report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we're including it as a column in the Discovered Apps report.

For more information, see Intune Discovered apps.

Improvements to Intune Management Extension logs

We have updated how log activities and events are made for Win32 apps and the Intune Management Extension (IME) logs. A new log file (AppWorkload.log) contains all logging information related to app deployment activities conducted by the IME. These improvements provide better troubleshooting and analysis of app management events on the client.

For more information, see Intune management extension logs.

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Apple Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > Safari Extension Settings:

  • Managed Extensions
    • Allowed Domains
    • Denied Domains
    • Private Browsing
    • State

Declarative Device Management (DDM) > Software Update Settings:

  • Automatic Actions

    • Download
    • Install OS Updates
  • Deferrals

    • Combined Period In Days
  • Notifications

  • Rapid Security Response

    • Enable
    • Enable Rollback
  • Recommended Cadence

Restrictions:

  • Allow ESIM Outgoing Transfers
  • Allow Genmoji
  • Allow Image Playground
  • Allow Image Wand
  • Allow iPhone Mirroring
  • Allow Personalized Handwriting Results
  • Allow Video Conferencing Remote Control
  • Allow Writing Tools
macOS

Authentication > Extensible Single Sign On (SSO):

  • Platform SSO
    • Authentication Grace Period
    • FileVault Policy
    • Non Platform SSO Accounts
    • Offline Grace Period
    • Unlock Policy

Authentication > Extensible Single Sign On Kerberos:

  • Allow Password
  • Allow SmartCard
  • Identity Issuer Auto Select Filter
  • Start In Smart Card Mode

Declarative Device Management (DDM) > Disk Management:

  • External Storage
  • Network Storage

Declarative Device Management (DDM) > Safari Extension Settings:

  • Managed Extensions
    • Allowed Domains
    • Denied Domains
    • Private Browsing
    • State

Declarative Device Management (DDM) > Software Update Settings:

  • Allow Standard User OS Updates

  • Automatic Actions

    • Download
    • Install OS Updates
    • Install Security Update
  • Deferrals

    • Major Period In Days
    • Minor Period In Days
    • System Period In Days
  • Notifications

  • Rapid Security Response

    • Enable
    • Enable Rollback

Restrictions:

  • Allow Genmoji
  • Allow Image Playground
  • Allow iPhone Mirroring
  • Allow Writing Tools

System Policy > System Policy Control:

  • Enable XProtect Malware Upload

Enhancements to multi administrative approval

Multi administrative approval adds the ability to limit application access policies to Windows applications or all non-Windows applications or both. We're adding a new access policy to the multiple administrative approval feature to allow approvals for changes to multiple administrative approval.

For more information, see Multi admin approval.

Device enrollment

Account-driven Apple User Enrollment now generally available for iOS/iPadOS 15+

Intune now supports account-driven Apple User Enrollment, the new, and improved version of Apple User Enrollment, for devices running iOS/iPadOS 15 and later. This new enrollment method utilizes just-in-time registration, removing the Company Portal app for iOS as an enrollment requirement. Device users can initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience.

For more information, see Set up account driven Apple User Enrollment on Microsoft Learn.

Apple announced they are ending support for profile-based Apple User Enrollment. As a result, Microsoft Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account-driven Apple User Enrollment for similar functionality and an improved user experience.

Use corporate Microsoft Entra account to enable Android Enterprise management options in Intune

Managing Intune-enrolled devices with Android Enterprise management options previously required you to connect your Intune tenant to your managed Google Play account using an enterprise Gmail account. Now you can use a corporate Microsoft Entra account to establish the connection. This change is happening in new tenants, and doesn't affect tenants that have already established a connection.

For more information, see Connect Intune account to Managed Google Play account - Microsoft Intune | Microsoft Learn.

Device management

21Vianet support for Mobile Threat Defense connectors

Intune operated by 21Vianet now supports Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors are available.

Applies to:

  • Android
  • iOS/iPadOS

For more information, see:

New cpuArchitecture filter device property for app and policy assignments

When you assign an app, compliance policy, or configuration profile, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.

A new cpuArchitecture device filter property is available for Windows and macOS devices. With this property, you can filter app and policy assignments depending on the processor architecture.

For more information on filters and the device properties you can use, see:

Applies to:

  • Windows 10
  • Windows 11
  • macOS

Device security

Windows platform name change for endpoint security policies

When you create an endpoint security policy in Intune, you can select the Windows platform. For multiple templates in endpoint security, there are now only two options to choose for the Windows platform: Windows and Windows (ConfigMgr).

Specifically, the platform name changes are:

Original New
Windows 10 and later​ Windows
Windows 10 and later (ConfigMgr)​ Windows (ConfigMgr)​
Windows 10, Windows 11, and Windows Server Windows
Windows 10, Windows 11, and Windows Server​ (ConfigMgr) Windows (ConfigMgr)​

These changes apply to the following policies:

  • Antivirus
  • Disk encryption
  • Firewall
  • Endpoint Privilege Management
  • Endpoint detection and response
  • Attack surface reduction
  • Account protection
What you need to know
  • This change is only in the user experience (UX) that admins see when they create a new policy. There is no effect on devices.
  • The functionally is the same as the previous platform names.
  • There are no additional tasks or actions for existing policies.

For more information on endpoint security features in Intune, see Manage endpoint security in Microsoft Intune.

Applies to:

  • Windows

Target Date Time setting for Apple software update enforcement schedules updates using the local time on devices

You can specify the time that OS updates are enforced on devices in their local time zone. For example, configuring an OS update to be enforced at 5pm schedules the update for 5pm in the device's local time zone. Previously, this setting used the time zone of the browser where the policy was configured.

This change only applies to new policies that are created in the August 2408 release and later. The Target Date Time setting is in the settings catalog at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update.

In a future release, the UTC text will be removed from the Target Date Time setting.

For more information on using the settings catalog to configure software updates, see Managed software updates with the settings catalog.

Applies to:

  • iOS/iPadOS
  • macOS

Intune Apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Singletrack for Intune (iOS) by Singletrack
  • 365Pay by 365 Retail Markets
  • Island Browser for Intune (Android) by Island Technology, Inc.
  • Recruitment.Exchange by Spire Innovations, Inc.
  • Talent.Exchange by Spire Innovations, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Tenant administration

Organizational messages now in Microsoft 365 admin center

The organizational message feature has moved out of the Microsoft Intune admin center and into its new home in the Microsoft 365 admin center. All organizational messages you created in Microsoft Intune are now in the Microsoft 365 admin center, where you can continue to view and manage them. The new experience includes highly requested features such as the ability to author custom messages, and deliver messages on Microsoft 365 apps.

For more information, see:

Week of July 29, 2024

Microsoft Intune Suite

Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 are available for GCC High and DoD

We are excited to announce that the following capabilities from the Microsoft Intune Suite are now supported in U.S. Government Community Cloud (GCC) High and U.S. Department of Defense (DoD) environments.

Add-on capabilities:

Plan 2 capabilities:

For more information, see:

Device enrollment

ACME protocol support for iOS/iPadOS and macOS enrollment

As we prepare to support managed device attestation in Intune, we are starting a phased rollout of an infrastructure change for new enrollments that includes support for the Automated Certificate Management Environment (ACME) protocol. Now when new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. ACME provides better protection than SCEP against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.

Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. There is no change to the end user's enrollment experience, and no changes to the Microsoft Intune admin center. This change only impacts enrollment certificates and has no impact on any device configuration policies.

ACME is supported for Apple Device Enrollment, Apple Configurator enrollment, and Automated device enrollment (ADE) methods. Eligible OS versions include:

  • iOS 16.0 or later
  • iPadOS 16.1 or later
  • macOS 13.1 or later

Week of July 22, 2024 (Service release 2407)

Microsoft Intune Suite

New actions for Microsoft Cloud PKI

The following actions have been added for Microsoft Cloud PKI issuing and root certification authorities (CA):

  • Delete: Delete a CA.
  • Pause: Temporarily suspend use of a CA.
  • Revoke: Revoke a CA certificate.

You can access all new actions in the Microsoft Intune admin center and Graph API. For more information, see Delete Microsoft Cloud PKI certification authority.

App management

Intune support for additional macOS app types from the Company Portal

Intune supports the capability to deploy DMG and PKG apps as Available in the Intune macOS Company Portal. This capability enables end users to browse and install agent-deployed applications using Company Portal for macOS. This capability requires a minimum version of the Intune agent for macOS v2407.005 and Intune Company Portal for macOS v5.2406.2.

Newly available Enterprise App Catalog apps for Intune

The Enterprise App Catalog has updated to include additional apps. For a complete list of supported apps, see Apps available in the Enterprise App Catalog.

The Intune App SDK and Intune App Wrapping Tool are now in a different GitHub repo

The Intune App SDK and Intune App Wrapping Tool have moved to a different GitHub repository and a new account. There are redirects in place for all existing repositories. In addition, the Intune sample applications are also included in this move. This change relates to both Android and iOS platforms.

Device configuration

New clipboard transfer direction settings available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.

Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection:

  • Restrict clipboard transfer from server to client
  • Restrict clipboard transfer from server to client (User)
  • Restrict clipboard transfer from client to server
  • Restrict clipboard transfer from client to server (User)

For more information on configuring the clipboard transfer direction in Azure Virtual Desktop, see Configure the clipboard transfer direction and types of data that can be copied in Azure Virtual Desktop.

Applies to:

  • Windows 11
  • Windows 10

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Restrictions:

  • Allow Auto Dim
macOS

Privacy > Privacy Preferences Policy Control:

  • Bluetooth Always

Android Enterprise has new values for the Allow access to all apps in Google Play store setting

In an Intune device restrictions configuration policy, you can configure the Allow access to all apps in Google Play store setting using the Allow and Not configured options (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully managed, dedicated and corporate-owned work profile > Device restrictions for profile type > Applications).

The available options are updated to Allow, Block, and Not configured.

There's no impact to existing profiles using this setting.

For more information on this setting and the values you can currently configure, see Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Applies to:

  • Android Enterprise Fully managed, dedicated and corporate-owned work profile

Device enrollment

New support for Red Hat Enterprise Linux

Microsoft Intune now supports device management for Red Hat Enterprise Linux. You can enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts. For more information, see Deployment guide: Manage Linux devices in Microsoft Intune and Enrollment guide: Enroll Linux desktop devices in Microsoft Intune.

Applies to:

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8

New Intune report and device action for Windows enrollment attestation (public preview)

Use the new device attestation status report in Microsoft Intune to find out if a device has attested and enrolled securely while being hardware-backed. From the report, you can attempt remote attestation via a new device action.

For more information, see:

Just-in-time registration and compliance remediation available for all iOS/iPadOS enrollments

You can now configure just-in-time (JIT) registration and JIT compliance remediation for all Apple iOS and iPadOS enrollments. These Intune-supported features improve the enrollment experience because they can take the place of the Intune Company Portal app for device registration and compliance checks. We recommend setting up JIT registration and compliance remediation for new enrollments, and to improve the experience for existing enrolled devices. For more information, see Set up just in time registration in Microsoft Intune.

Device management

Consolidation of Intune profiles for identity protection and account protection

We have consolidated the Intune profiles that were related to identity and account protection, into a single new profile named Account protection. This new profile is found in the account protection policy node of endpoint security, and is now the only profile template that remains available when creating new policy instances for identity and account protection. The new profile includes Windows Hello for Business settings for both users and devices, and settings for Windows Credential Guard.

Because this new profile uses Intune’s unified settings format for device management, the profiles settings are also available through the settings catalog, and help to improve the reporting experience in the Intune admin center.

You can continue to use any instances of the following profile templates that you already have in place, but Intune no longer supports creating new instances of these profiles:

  • Identity protection – previously available from Devices > Configuration > Create > New Policy > Windows 10 and later > Templates > Identity Protection
  • Account protection (Preview) – previously available from Endpoint Security > Account protection > Windows 10 and later > Account protection (Preview)

Applies to:

  • Windows 10
  • Windows 11

New operatingSystemVersion filter property with new comparison operators (preview)

There's a new operatingSystemVersion filter property. This property:

  • Is in public preview and still being developed. So, some features, like Preview devices, don't work yet.

  • Should be used instead of the existing OSVersion property. The OSVersion property is being deprecated.

    When operatingSystemVersion is generally available (GA), the OSVersion property will retire, and you won't be able to create new filters using this property. Existing filters that use OSVersion continue to work.

  • Has new comparison operators:

    • GreaterThan: Use for version value types.

      • Allowed values: -gt | gt
      • Example: (device.operatingSystemVersion -gt 10.0.22000.1000)
    • GreaterThanOrEquals: Use for version value types.

      • Allowed values: -ge | ge
      • Example: (device.operatingSystemVersion -ge 10.0.22000.1000)
    • LessThan: Use for version value types.

      • Allowed values: -lt | lt
      • Example: (device.operatingSystemVersion -lt 10.0.22000.1000)
    • LessThanOrEquals: Use for version value types.

      • Allowed values: -le | le
      • Example: (device.operatingSystemVersion -le 10.0.22000.1000)

For managed devices, operatingSystemVersion applies to:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows

For managed apps, operatingSystemVersion applies to:

  • Android
  • iOS/iPadOS
  • Windows

For more information on filters and the device properties you can use, see:

Government community cloud (GCC) support for Remote Help for macOS devices

GCC customers can now use Remote Help for macOS devices on both web app and native application.

Applies to:

  • macOS 12, 13 and 14

For more information, see:

Device security

Updated security baseline for Windows 365 Cloud PC

You can now deploy the Intune security baseline for Windows 365 Cloud PC. This new baseline is based on Windows version 24H1. This new baseline version uses the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.

Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.

As with all baselines, the default baseline represents the recommended configurations for each setting, which you can modify to meet the requirements of your organization.

Applies to:

  • Windows 10
  • Windows 11

To view the new baselines included settings with their default configurations, see, Windows 365 baseline settings version 24H1.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Asana: Work in one place (Android) by Asana, Inc.
  • Goodnotes 6 (iOS) by Time Base Technology Limited
  • Riskonnect Resilience by Riskonnect, Inc.
  • Beakon Mobile App by Beakon Mobile Team
  • HCSS Plans: Revision control (iOS) by Heavy Construction Systems Specialists, Inc.
  • HCSS Field: Time, cost, safety (iOS) by Heavy Construction Systems Specialists, Inc.
  • Synchrotab for Intune (iOS) by Synchrotab, LLC

For more information about protected apps, see Microsoft Intune protected apps.

Week of July 15, 2024

Device management

New setting in the Device Control profile for Attack surface reduction policy

We've added a new category and setting to the Device Control profile for the Windows 10, Windows 11, and Windows Server platform of Intune Attack surface reduction policy.

The new setting is Allow Storage Card, and found in the new System category of the profile. This setting is also available from the Intune settings catalog for the Windows devices.

This setting controls whether the user is allowed to use the storage card for device storage, and can prevent programmatic access to the storage card. For more information on this new setting, see AllowStorageCard in the Windows documentation.

Week of July 8, 2024

Device management

Copilot in Intune now has the device query feature using Kusto Query Language (KQL) (public preview)

When you use Copilot in Intune, there's a new device query feature that uses KQL. Use this feature to ask questions about your devices using a natural language. If device query can answer your question, Copilot generates the KQL query you can run to get the data you want.

To learn more about how you can currently use Copilot in Intune, see Microsoft Copilot in Intune.

Monitor and Troubleshoot

New actions for policies, profiles, and apps

You can now remove, reinstall, and reapply individual policies, profiles, and apps for iOS/iPadOS devices and Android corporate owned devices. You can apply these actions without changing assignments or group membership. These actions are intended to help resolve customer challenges that are external to Intune. Also, these actions can help to quickly restore end user productivity.

For more information, see Remove apps and configuration

App management

MAC address available from the Managed Home Screen app

MAC address details are now available from the Device Information page of the Managed Home Screen (MHS) app. For information about MHS, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

New configuration capabilities for Managed Home Screen

You can now configure Managed Home Screen (MHS) to enable a virtual app-switcher button that allows end users to easily navigate between apps on their kiosk devices from MHS. You can select between a floating or swipe-up app-switcher button. The configuration key is virtual_app_switcher_type and the possible values are none, float, and swipe_up. For information related to configuring the Managed Home Screen app, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Device enrollment

Update for Apple user and device enrollments with Company Portal

We've made changes to the device registration process for Apple devices enrolling with Intune Company Portal. Previously, Microsoft Entra device registration occurred during enrollment. With this change, registration occurs after enrollment.

Existing enrolled devices aren't affected by this change. For new user or device enrollments that utilize Company Portal, users must return to Company Portal to complete registration:

  • For iOS users: Users with notifications enabled are prompted to return to the Company Portal app for iOS. If they disable notifications, they aren't alerted, but still need to return to Company Portal to complete registration.

  • For macOS devices: The Company Portal app for macOS detects the installation of the management profile and automatically register the device, unless the user closes the app. If they close the app, they must reopen it to complete registration.

If you're using dynamic groups, which rely on device registration to work, it's important for users to complete device registration. Update your user guidance and admin documentation as needed. If you're using Conditional Access (CA) policies, no action is required. When users attempt to sign in to a CA-protected app, they are prompted to return to Company Portal to complete registration.

These changes are currently rolling out and will be made available to all Microsoft Intune tenants by the end of July. There's no change to the Company Portal user interface. For more information about device enrollment for Apple devices, see:

Week of June 24, 2024

Device enrollment

Add corporate device identifiers for Windows

Microsoft Intune now supports corporate device identifiers for devices running Windows 11, version 22H2 and later so that you can identify corporate machines ahead of enrollment. When a device that matches the model, manufacturer, and serial number criteria enrolls, Microsoft Intune marks it as a corporate device and enable the appropriate management capabilities. For more information, see Add corporate identifiers.

Week of June 17, 2024 (Service release 2406)

Microsoft Intune Suite

Endpoint Privilege Management support for MSI and PowerShell file types

Endpoint Privilege Management (EPM) elevation rules now support the elevation of Windows Installer and PowerShell files in addition to executable files that were previously supported. The new file extensions that EPM supports include:

  • .msi
  • .ps1

For information about using EPM, see Endpoint Privilege Management.

View the certification authority key type in Microsoft Cloud PKI properties

A new Microsoft Cloud PKI property called CA keys is available in the admin center and shows the type of certification authority keys used for signing and encryption. The property displays one of the following values:

  • HSM: Indicates the use of a hardware security module-backed key.
  • SW: Indicates the use of a software-backed key.

Certification authorities created with a licensed Intune Suite or Cloud PKI standalone add-on use HSM signing and encryption keys. Certification authorities created during a trial period use software-backed signing and encryption keys. For more information about Microsoft Cloud PKI, see Overview of Microsoft Cloud PKI for Microsoft Intune.

App management

US GCC and GCC High support for Managed Home Screen

Managed Home Screen (MHS) now supports sign-in for the US Government Community (GCC), US Government Community (GCC) High, and U.S. Department of Defense (DoD) environments. For more information, see Configure the Managed Home Screen and Microsoft Intune for US Government GCC service description.

Applies to:

  • Android Enterprise

Updates to the Managed Apps report

The Managed Apps report now provides details about Enterprise App Catalog apps for a specific device. For more information about this report, see Managed Apps report.

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Restrictions:

  • Allow Web Distribution App Installation

System Configuration > Font:

  • Font
  • Name
macOS

Privacy > Privacy Preferences Policy Control:

  • Bluetooth Always

Applies to:

  • iOS/iPadOS
  • macOS

OS Version picker available for configuring managed iOS/iPadOS DDM software updates using the settings catalog

Using the Intune settings catalog, you can configure Apple's declarative device management (DDM) feature to manage software updates on iOS/iPadOS devices.

When you configure a managed software update policy using the settings catalog, you can:

  • Select a target OS version from a list of updates made available by Apple.
  • Manually enter the target OS version, if needed.

For more information about configuring managed software update profiles in Intune, see Use the settings catalog to configure managed software updates.

Applies to:

  • iOS/iPadOS

Intune admin center UI updates at Devices > By platform

In the Intune admin center, you can select Devices > By platform, and view the policy options for the platform you select. These platform-specific pages are updated and include tabs for navigation.

For a walkthrough of the Intune admin center, see Tutorial: Walkthrough Microsoft Intune admin center.

Device enrollment

RBAC changes to enrollment platform restrictions for Windows

We've updated role-based access controls (RBAC) for all enrollment platform restrictions in the Microsoft Intune admin center. The Global Administrator and Intune Service Administrator roles can create, edit, delete, and reprioritize enrollment platform restrictions. For all other built-in Intune roles, restrictions are read-only.

Applies to:

  • Android
  • Apple
  • Windows 10/11

It's important to know that with these changes:

  • Scope tag behavior doesn't change. You can apply and use scope tags as usual.
  • If an assigned role or permission is currently preventing a user from viewing enrollment platform restrictions, nothing changes. The user will still be unable to view enrollment platform restrictions in the admin center.

For more information, see Create device platform restrictions.

Device management

Updates to replace Wandera with Jamf is complete in the Intune admin center

We've completed a rebrand in the Microsoft Intune admin center to support replacing Wandera with Jamf. This includes updates to the name of the Mobile Threat Defense connector, which is now Jamf, and changes to the minimum required platforms to use the Jamf connector:

  • Android 11 and later
  • iOS / iPadOS 15.6 and later

For information about Jamf and other Mobile Threat Defense (MTD) vendors that Intune supports, see Mobile Threat Defense partners.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Atom Edge (iOS) by Arlanto GmbH
  • HP Advance for Intune by HP Inc.
  • IntraActive by Fellowmind
  • Microsoft Azure (Android) by Microsoft Corporation
  • Mobile Helix Link for Intune by Mobile Helix
  • VPSX Print for Intune by Levi, Ray & Shoup, Inc.

For more information about protected apps, see Microsoft Intune protected apps

Monitor and troubleshoot

View BitLocker recovery key in Company Portal apps for iOS and macOS

End users can view the BitLocker recovery key for an enrolled Windows device and the FileVault recovery key for an enrolled Mac in the Company Portal app for iOS and Company Portal app for macOS. This capability will reduce helpdesk calls in the event the end user gets locked out of their corporate machines. End users can access the recovery key for an enrolled device by signing into the Company Portal app and selecting Get recovery key. This experience is similar to the recovery process on the Company Portal website, which also allows end users to see recovery keys.

You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Restrict non-admin users from recovering the BitLocker keys for their owned device setting in Microsoft Entra ID.

Applies to:

  • macOS
  • Windows 10/11

For more information, see:

Role-based access control

New granular RBAC controls for Intune endpoint security

We’ve begun to replace the role-based access control (RBAC) rights to endpoint security policies that are granted by the Security baselines permission with a series of more granular permissions for specific endpoint security tasks. This change can help you assign the specific rights your Intune admins require to do specific jobs instead of relying on either the built-in Endpoint Security Manager role or a custom role that includes the Security baseline permission. Prior to this change, the Security baseline permission grants rights across all endpoint security policies.

The following new RBAC permissions are available for endpoint security workloads:

  • App Control for Business
  • Attack surface reduction
  • Endpoint detection and response

Each new permission supports the following rights for the related policy:

  • Assign
  • Create
  • Delete
  • Read
  • Update
  • View Reports

Each time we add a new granular permission for an endpoint security policy to Intune, those same rights are removed from the Security baselines permission. If you use custom roles with the Security baselines permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the Security baseline permission. This autoassignment ensures your admins continue to have the same permissions they have today.

For more information about current RBAC permissions and built-in roles, see:

Important

With this release, the granular permission of Antivirus for endpoint security policies might be temporarily visible in some Tenants. This permission is not released and isn't supported for use. Configurations of the Antivirus permission are ignored by Intune. When Antivirus becomes available to use as a granular permission, it's availability will be announced in this What's new in Microsoft Intune article.

Week of June 3, 2024

Device enrollment

New enrollment time grouping feature for devices

Enrollment time grouping is a new, faster way to group devices during enrollment. When configured, Intune adds devices to the appropriate group without requiring inventory discovery and dynamic membership evaluations. To set up enrollment time grouping, you must configure a static Microsoft Entra security group in each enrollment profile. After a device enrolls, Intune adds it to the static security group and delivers assigned apps and policies.

This feature is available for Windows 11 devices enrolling via Windows Autopilot device preparation. For more information, see Enrollment time grouping in Microsoft Intune.

Week of May 27, 2024

Microsoft Intune Suite

New primary endpoint for Remote Help

To improve the experience for Remote Help on Windows, Web, and macOS devices, we have updated the primary endpoint for Remote Help:

  • Old primary endpoint: https://remoteassistance.support.services.microsoft.com
  • New primary endpoint: https://remotehelp.microsoft.com

If you use Remote Help and have firewall rules that block the new primary endpoint, admins and users might experience connectivity issues or disruptions when using Remove Help.

To support the new primary endpoint on Windows devices, upgrade Remote Help to version 5.1.124.0. Web and macOS devices don't require an updated version of Remote Help to make use of the new primary endpoint.

Applies to:

  • macOS 11, 12, 13 and 14
  • Windows 10/11
  • Windows 11 on ARM64 devices
  • Windows 10 on ARM64 devices
  • Windows 365

For information on the newest version of Remote Help, see the March 13, 2024 entry for What's New for Remote Help. For information about Intune endpoints for Remote Help, see Remote Help in Network endpoints for Microsoft Intune.

Device management

Evaluate compliance of Windows Subsystem for Linux (public preview)

Now in a public preview, Microsoft Intune supports compliance checks for instances of Windows Subsystem for Linux (WSL) running on a Windows host device.

With this preview you can create a custom compliance script that evaluates the required distribution and version of WSL. WSL compliance results are included in the overall compliance state of the host device.

Applies to:

  • Windows 10
  • Windows 11

For information about this capability, see Evaluate compliance of Windows Subsystem for Linux (public preview).

Week of May 20, 2024 (Service release 2405)

Device configuration

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the macOS Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

Microsoft AutoUpdate (MAU):

  • Microsoft Teams (work or school)
  • Microsoft Teams classic

Microsoft Defender > Features:

  • Use Data Loss Prevention
  • Use System Extensions

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • macOS

Device enrollment

Stage Android device enrollment to reduce end-user steps

To reduce the enrollment time for end users, Microsoft Intune supports device staging for Android Enterprise devices. With device staging, you can stage an enrollment profile and complete all related enrollment steps for workers receiving these devices:

  • Corporate-owned fully managed devices
  • Corporate-owned devices with a work profile

When frontline workers receive the devices, all they have to do is connect to Wi-Fi and sign in to their work account. A new device staging token is required to enable this feature. For more information, see Device staging overview.

Device management

End user access to BitLocker Recovery Keys for enrolled Windows devices

End users can now view the BitLocker Recovery Key for enrolled Windows devices from the Company Portal website. This capability can reduce helpdesk calls in the event the end user gets locked out of their corporate machines. End users can access the recovery key for an enrolled device by signing into the Company Portal website and selecting Show recovery key. This experience is similar to the MyAccount website, which also allows end users to see recovery keys.

You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Microsoft Entra toggle Restrict non-admin users from recovering the BitLocker key(s) for their owned device.

For more information, see:

New version of Windows hardware attestation report

We've released a new version of the Windows hardware attestation report that shows the value of settings attested by Device Health Attestation and Microsoft Azure Attestation for Windows 10/11. The Windows hardware attestation report is built on a new reporting infrastructure, and reports on new settings added to Microsoft Azure Attestation. The report is available in the admin center under Reports > Device Compliance > Reports.

For more information, see Intune reports.

The Windows health attestation report previously available under Devices > Monitor has been retired.

Applies to:

  • Windows 10
  • Windows 11

Optional Feature updates

Feature updates can now be made available to end users as Optional updates, with the introduction of Optional Feature updates. End users see the update in the Windows Update settings page in the same way that it's shown for consumer devices.

End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a Required update, admins can change the setting on the policy and update the rollout settings so that the update is deployed as a Required update to devices that don't yet have it installed.

For more information on Optional Feature updates, see Feature updates for Windows 10 and later policy in Intune.

Applies to:

  • Windows 10
  • Windows 11

Device security

Updated security baseline for Microsoft Defender for Endpoint

You can now deploy the Intune security baseline for Microsoft Defender for Endpoint. The new baseline, version 24H1, uses the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.

Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.

As with all baselines, the default baseline represents the recommended configurations for each setting, which you can modify to meet the requirements of your organization.

Applies to:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Fellow.app by Fellow Insights Inc
  • Unique Moments by Unique AG

For more information about protected apps, see Microsoft Intune protected apps.

Week of May 6, 2024

Device management

Intune and the macOS Company Portal app support Platform SSO (public preview)

On Apple devices, you can use Microsoft Intune and the Microsoft Enterprise SSO plug-in to configure single sign-on (SSO) for apps and websites that support Microsoft Entra authentication, including Microsoft 365.

On macOS devices, Platform SSO is available in public preview. Platform SSO expands the SSO app extension by allowing you to configure different authentication methods, simplify the sign-in process for users, and reduce the number of passwords they need to remember.

Platform SSO is included in the Company Portal app version 5.2404.0 and newer.

For more information on Platform SSO and to get started, see:

Applies to:

  • macOS 13 and later

Tenant administration

Customize your Intune admin center experience

You can now customize your Intune admin center experience by using collapsible navigation and favorites. The left navigation menus in the Microsoft Intune admin center are updated to support expanding and collapsing each subsection of the menu. In addition, you can set admin center pages as favorites. This portal capability will gradually roll out over the next week.

By default, menu sections are expanded. You can choose your portal menu behavior by selecting the Settings gear icon at the top right to display the Portal settings. Then, select Appearance + startup views and set the Service menu behavior to Collapsed or Expanded as the default portal option. Each menu section retains the expanded or collapsed state that you choose. Additionally, selecting the star icon next to a page on the left navigation adds the page to a Favorites section near the top of the menu.

For related information, see Change the Portal settings.

Week of April 29, 2024

App management

Updates to the Managed Home Screen experience

We recently released and improved the Managed Home Screen experience, which is now Generally Available. The app is redesigned to improve the core workflows throughout the application. The updated design offers a more usable and supportable experience.

With the release, we stop investing in previous Managed Home Screen workflows. New features and fixes for Managed Home Screen are only added to the new experience. During August 2024, the new experience is automatically enabled for all devices.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Require end users to enter PIN to resume activity on Managed Home Screen

In Intune, you can require end users to enter their session PIN to resume activity on Managed Home Screen after the device is inactive for a specified period of time. Set the Minimum inactive time before session PIN is required setting to the number of seconds the device is inactive before the end user must input their session PIN.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Device IPv4 and IPv6 details available from Managed Home Screen

IPv4 and IPv6 connectivity details are now both available from the Device Information page of the Managed Home Screen app. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Updates to Managed Home Screen sign-in support

Managed Home Screen now supports domainless sign-in. Admins can configure a domain name, which will be automatically appended to usernames upon sign-in. Also, Managed Home Screen supports a custom login hint text to be displayed to users during the sign-in process.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Allow end users to control Android Enterprise device auto-rotation

In Intune, you can now expose a setting in the Managed Home Screen app that allows the end user to turn on and off the device's auto-rotation. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Allow end users to adjust Android Enterprise device screen brightness

In Intune, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You can choose to expose a setting in the app to allow end users to access a brightness slider to adjust the device screen brightness. Also, you can expose a setting to allow end users to toggle adaptive brightness.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Migrated to .NET MAUI from Xamarin

Xamarin.Forms has evolved into .NET Multi-platform App UI (MAUI). Existing Xamarin projects should be migrated to .NET MAUI. For more information about upgrading Xamarin projects to .NET, see the Upgrade from Xamarin to .NET & .NET MAUI documentation.

Xamarin support ended as of May 1, 2024 for all Xamarin SDKs including Xamarin.Forms and Intune App SDK Xamarin Bindings. For Intune support on Android and iOS platforms, see Intune App SDK for .NET MAUI - Androidand Microsoft Intune App SDK for MAUI.iOS.

Week of April 22, 2024 (Service release 2404)

App management

Auto update available with Win32 app supersedence

Win32 app supersedence provides the capability to supersede apps deployed as available with auto-update intent. For example, if you deploy a Win32 app (app A) as available and installed by users on their device, you can create a new Win32 app (app B) to supersede app A using auto-update. All targeted devices and users with app A installed as available from the Company Portal are superseded with app B. Also, only app B shows in the Company Portal. You can find the auto-update feature for available app supersedence as a toggle under the Available assignment in the Assignments tab.

For more information about app supersedence, see Add Win32 app supersedence.

Device configuration

Error message is shown when OEMConfig policy exceeds 500 KB on Android Enterprise devices

On Android Enterprise devices, you can use an OEMConfig device configuration profile to add, create and/or customize OEM specific settings.

When you create an OEMConfig policy that exceeds 500 KB, then the following error is shown in the Intune admin center:

Profile is larger than 500KB. Adjust profile settings to decrease the size.

Previously, OEMConfig policies that exceeded 500 KB were shown as pending.

For more information on OEMConfig profiles, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise

Device security

Windows Firewall CSP changes for processing Firewall Rules

Windows changed how the Firewall configuration service provider (CSP) enforces rules from Atomic blocks of firewall rules. The Windows Firewall CSP on a device implements the firewall rule settings from your Intune endpoint security Firewall policies. The change of CSP behavior now enforces an all-or-nothing application of firewall rules from each Atomic block of rules.

  • Previously, the CSP on a device would go through the firewall rules in an Atomic block of rules - one rule (or setting) at a time with the goal of applying all the rules in that Atomic block, or none of them. If the CSP encountered any issue with applying any rule from the block to the device, the CSP wouldn't only stop that rule, but also cease to process subsequent rules without trying to apply them. However, rules that applied successfully before a rule failed, would remain applied to the device. This behavior can lead to a partial deployment of firewall rules on a device, since the rules that were applied before a rule failed to apply aren't reversed.

  • With the change to the Firewall CSP, when any rule in the block is unsuccessful in applying to the device, all the rules from that same Atomic block that were applied successfully are rolled back. This behavior ensures the desired all-or-nothing behavior is implemented and prevents a partial deployment of firewall rules from that block. For example, if a device receives an Atomic block of firewall rules that has a misconfigured rule that can't apply, or has a rule that isn't compatible with the devices operating system, then the CSP fails all the rules from that block, And, it rolls back any rules that applied to that device.

This change of Firewall CSP behavior is available on devices that run the following Windows versions or later:

  • Windows 11 21H2
  • Windows 11 22H2
  • Windows 10 21H2

For more information on the subject of how the Windows Firewall CSP uses Atomic blocks to contain firewall rules, see the note near the top of Firewall CSP in the Windows documentation.

For troubleshooting guidance, see the Intune support blog How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation process.

CrowdStrike – New mobile threat defense partner

We added CrowdStrike Falcon as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the CrowdStrike connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment in your compliance policies.

With the Intune 2404 service release, the CrowdStrike connector is now available in the admin center. However, it isn't useable until CrowdStrike publishes the required App Configuration profile details necessary to support iOS and Android devices. The profile details are expected sometime after second week of May.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Asana: Work in one place by Asana, Inc.
  • Freshservice for Intune by Freshworks, Inc.
  • Kofax Power PDF Mobile by Tungsten Automation Corporation
  • Remote Desktop by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Windows update distribution report

The Windows update distribution report in Intune provides a summarized report. This report shows:

  • The number of devices that are on each quality update level.
  • The percentage of coverage for each update across Intune managed devices, including co-managed devices.

You can drill down further in the report for each quality update that aggregates devices based on the Windows 10/11 feature version and the update statuses.

Finally, the admins can get the list of devices that aggregate to the numbers shown in the previous two reports, which can also be exported and used for troubleshooting and analysis along with the Windows Update for business reports.

For more information on Windows update distribution reports, see Windows Update reports on Intune.

Applies to:

  • Windows 10
  • Windows 11

Intune support of Microsoft 365 remote application diagnostics

The Microsoft 365 remote application diagnostics allows Intune admins to request Intune app protection logs and Microsoft 365 application logs (where applicable) directly from the Intune console. You can find this report in the Microsoft Intune admin center by selecting Troubleshooting + support > Troubleshoot > select a user > Summary > App protection*. This feature is exclusive to applications that are under Intune app protection management. If supported, the application specific logs are gathered and stored within dedicated storage solutions for each application.

For more information, see Collect diagnostics from an Intune managed device.

Remote Help supports full control of a macOS device

Remote Help now supports helpdesk connecting to a user's device and requesting full control of the macOS device.

For more information, see:

Applies to:

  • macOS 12, 13 and 14

What's new archive

For previous months, see the What's new archive.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS

We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis and writing tools in response to the new AI features in iOS/iPadOS 18.2.

How does this affect you or your users?

For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions screen capture will be blocked if you've configured “Send Org data to other apps” to a value other than “All apps”. To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting “com.microsoft.intune.mam.screencapturecontrol" to Disabled.

How can you prepare?

Review your app protection policies and if needed, create a Managed apps app configuration policy to allow screen capture by configuring the above setting (Apps > App configuration policies > Create > Managed apps > Step 3 ‘Settings’ under General configuration). For more information review, iOS app protection policy settings – Data protection and App configuration policies - Managed apps.

Take Action: Update to the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS

To support the upcoming release of iOS/iPadOS 18.2, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. Important: If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:

As a best practice, always update your iOS apps to the latest App SDK or App Wrapping Tool to ensure that your app continues to run smoothly.

How does this affect you or your users?

If you have applications using the Intune App SDK or Intune App Wrapping Tool, you will need to update to the latest version to support iOS 18.2.

How can you prepare?

For apps running on iOS 18.2, you must update to the new version of the Intune App SDK for iOS:

For apps running on iOS 18.2, you must update to the new version of the Intune App Wrapping Tool for iOS:

Important

The above listed SDK releases have added support for blocking screen capture, Genmojis and writing tools in response to new AI features in iOS 18.2. For apps that have updated to the above listed version of the SDK, screen capture block will be applied if you have configured Send Org data to other apps to a value other than All apps. See iOS/iPadOS app protection policy settings for more info. You can configure app configuration policy setting com.microsoft.intune.mam.screencapturecontrol = Disabled if you wish to allow screen capture for your iOS devices. See App configuration policies for Microsoft Intune for more info. Intune will be providing more granular controls for blocking specific AI features in the future. Please follow What's new in Microsoft Intune to stay up to date.

Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.2. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to Apps > Monitor > App protection status, then review Platform version and iOS SDK version.

If you have questions, leave a comment on the applicable GitHub announcement. Additionally, if you have not already, navigate to the applicable GitHub repository and subscribe to Releases and Discussions (Watch > Custom > select Releases, Discussions) to ensure you stay up-to-date with the latest SDK releases, updates, and other important announcements.

Plan for Change: Specific app configuration values will be automatically sent to specific apps

Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values will be automatically sent to managed applications on Intune enrolled iOS devices for the following apps: Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams and Microsoft Word. Intune will continue to expand this list to include additional managed apps.

How does this affect you or your users?

If these values aren't configured correctly for iOS devices, there is a possibility of either the policy not getting delivered to the app or the wrong policy is delivered. For more information, see Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases.

How can you prepare?

No additional action is needed.

Plan for Change: Implement strong mapping for SCEP and PKCS certificates

With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows will enforce these changes on February 11, 2025.

To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates

How does this affect you or your users?

These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:

  • SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rollout updated certificates to minimize disruptions to your users.
  • PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.

For detailed steps and additional guidance, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates

How can you prepare?

If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:

Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support

We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.

How does this affect you or your users?

If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.

How can you prepare?

If you choose to build apps targeting Android API 35, you'll need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you’ve wrapped your app and are targeting API 35 you'll need to use the new version of the App wrapper (v1.0.4549.6).

Note

As a reminder, while apps must update to the latest SDK if targeting Android 15, apps do not need to update the SDK to simply run on Android 15.

You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.

Here are the public repositories:

Take Action: Enable multifactor authentication for your tenant before October 15, 2024

Starting on or after October 15, 2024, to further increase security, Microsoft will require admins to use multi-factor authentication (MFA) when signing into the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. To take advantage of the extra layer of protection MFA offers, we recommend enabling MFA as soon as possible. To learn more, review Planning for mandatory multifactor authentication for Azure and admin portals.

Note

This requirement also applies to any services accessed through the Intune admin center, such as Windows 365 Cloud PC.

How does this affect you or your users?

MFA must be enabled for your tenant to ensure admins are able to sign-in to the Azure portal, Microsoft Entra admin center and Intune admin center after this change.

How can you prepare?

  • If you haven't already, set up MFA before October 15, 2024, to ensure your admins can access the Azure portal, Microsoft Entra admin center, and Intune admin center.
  • If you're unable to set up MFA before this date, you can apply to postpone the enforcement date.
  • If MFA hasn't been set up before the enforcement starts, admins will be prompted to register for MFA before they can access the Azure portal, Microsoft Entra admin center, or Intune admin center on their next sign-in.

For more information, refer to: Planning for mandatory multifactor authentication for Azure and admin portals.

Plan for Change: Intune is moving to support iOS/iPadOS 16 and later

Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 16/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).

Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 16/iPadOS 16 while the allowed OS version will change to iOS 13/iPadOS 13 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 13 and higher later this year

Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Ventura is compatible with these computers.

Note

Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 12.x or below.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Ending support for Intune App SDK Xamarin Bindings in May 2024

With the end of support for Xamarin Bindings, Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on May 1, 2024.

How does this affect you or your users?

If you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI.

How can you prepare?

Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps:

Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID

Last year we announced a new Microsoft Intune GitHub repository based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, in May 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.

How does this affect you or your users?

If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

How can you prepare?

Update your PowerShell scripts by:

  1. Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform.
  2. Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.

For detailed step-by-step instructions visit powershell-intune-samples/Updating App Registration (github.com).

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:

  • Android Enterprise personally owned work profile
  • Android Enterprise corporate owned work profile
  • Android Enterprise fully managed
  • Android Open Source Project (AOSP) user-based
  • Android device administrator
  • App protection policies (APP)
  • App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

  • Intune technical support won't be provided.
  • Intune won't make changes to address bugs or issues.
  • New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

  • Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
  • Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
  • Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you will need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: Set up just in time registration in Microsoft Intune.

How does this affect you or your users?

This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method, existing profiles are not impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Additional information:

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.

Note that customers in some environments cannot be transitioned initially, for more details and updates read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

  1. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
  2. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune.

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:

  1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
  2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you'll not be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps and related API properties will display stale data.
  3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.

The retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:

Related information

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for WIP without enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.