What's new in the Microsoft Intune - previous months

Week of April 15, 2024

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Atom Edge by Arlanto Apps

For more information about protected apps, see Microsoft Intune protected apps.

Week of April 1, 2024

Device management

Copilot in Intune is available in the Intune admin center (public preview)

Copilot in Intune is integrated in the Intune admin center, and can help you get information quickly. You can use Copilot in Intune for the following tasks:

Copilot can help you manage your settings and policies

  • Copilot tooltip on settings: When you add settings to a policy or review settings in an existing policy, there's a new Copilot tooltip. When you select the tooltip, you get AI generated guidance based on Microsoft content and recommendations. You can see what each setting does, how the setting works, any recommended values, if the setting is configured in another policy, and more.

  • Policy summarizer: On existing policies, you get a Copilot summary of the policy. The summary describes what the policy does, the users and groups assigned to the policy, and the settings in the policy. This feature can help you understand the impact of a policy and its settings on your users and devices.

Copilot shows device details and can help troubleshoot

  • All about a device: On a device, you can use Copilot to get key information about the device, including its properties, configuration, and status information.

  • Device compare: Use Copilot to compare the hardware properties and device configurations of two devices. This feature helps you determine what's different between two devices with similar configurations, especially when troubleshooting.

  • Error code analyzer: Use Copilot in the device view to analyze an error code. This feature helps you understand what the error means and provides a potential resolution.

Intune capabilities in Copilot for Security

Intune has capabilities available in the Copilot for Security portal. SOC Analysts and IT admins can use these capabilities to get more information on policies, devices, group membership, and more. On a single device, you can get more specific information that's unique to Intune, like compliance status, device type, and more.

You can also ask Copilot to tell you about a user's devices and get a quick summary of critical information. For example, the output shows links to the user's devices in Intune, device ID, enrollment date, last check-in date, and compliance status. If you're an IT admin and reviewing a user, then this data provides a quick summary.

As a SOC analyst that's investigating a suspicious or potentially compromised user or device, information like enrollment date and last check-in can help you make informed decisions.

For more information on these features, see:

Applies to:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows

GCC customers can use Remote Help for Windows and Android devices

The Microsoft Intune Suite includes advanced endpoint management and security features, including Remote Help.

On Windows and enrolled Android Enterprise dedicated devices, you can use remote help on US Government GCC environments.

For more information on these features, see:

Applies to:

  • Windows 10/11
  • Windows 10/11 on ARM64 devices
  • Windows 365
  • Samsung and Zebra devices enrolled as Android Enterprise dedicated devices

Device configuration

New BIOS device configuration profile for OEMs

There's a new BIOS configuration and other settings device configuration policy for OEMs. Admins can use this new policy to enable or disable different BIOS features that secure device. In the Intune device configuration policy, you add the BIOS configuration file, deploy a Win32 app, and then assign the policy to your devices.

For example, admins can use the Dell Command tool (opens Dell's website) to create the BIOS configuration file. Then, they add this file to the new Intune policy.

For more information on this feature, see Use BIOS configuration profiles on Windows devices in Microsoft Intune.

Applies to

  • Windows 10 and later

Week of March 25, 2024 (Service release 2403)

Microsoft Intune Suite

New elevation type for Endpoint Privilege Management

Endpoint Privilege Management has a new file elevation type, support approved. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone Intune add-on.

A support-approved elevation gives you a third option for both the default elevation response and the elevation type for each rule. Unlike automatic or user confirmed, a support-approved elevation request requires Intune administrators to manage which files can run as elevated on a case-by-case basis.

With support approved elevations, users can request approval to elevate an application that isn't explicitly allowed for elevation by automatic or user approved rules. This takes the form of an elevation request that must be reviewed by an Intune administrator who can approve or deny the elevation request.

When the request is approved, users are notified that the application can now be run as elevated, and they have 24 hours from the time of approval to do so before the elevation approval expires.

Applies to:

  • Windows 10
  • Windows 11

For more information on this new capability, see Support approved elevation requests.

App management

Extended capabilities for Managed Google Play apps on personally owned Android devices with a work profile

There are new capabilities extended to work profile devices. The following capabilities were previously available only on corporate-owned devices:

  • Available apps for device groups: You can use Intune to make apps available for device groups through the Managed Google Play store. Previously, apps could only be made available to user groups.

  • Update priority setting: You can use Intune to configure the app update priority on devices with a work profile. To learn more about this setting, see Update a Managed Google Play app.

  • Required apps display as available in Managed Google Play: You can use Intune to make required apps available for users through the Managed Google Play store. Apps that are part of existing policies now display as available.

These new capabilities will follow a phased rollout over multiple months.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > Passcode:

  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

Restrictions:

  • Allow Marketplace App Installation
macOS

Declarative Device Management (DDM) > Passcode:

  • Change At Next Auth
  • Custom Regex
  • Failed Attempts Reset In Minutes
  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

Full Disk Encryption > FileVault:

  • Recovery Key Rotation In Months

New settings available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.

  • Delivery optimization:

    • DO Disallow Cache Server Downloads On VPN - This setting blocks downloads from Microsoft Connected Cache servers when the device connects using VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected using VPN.

    • DO Set Hours To Limit Background Download Bandwidth - This setting specifies the maximum background download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

    • DO Set Hours To Limit Foreground Download Bandwidth - This setting specifies the maximum foreground download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

    • DO Vpn Keywords - This policy allows you to set one or more keywords used to recognize VPN connections.

  • Messaging:

    • Allow Message Sync - This policy setting allows the backup and restore of cellular text messages to Microsoft's cloud services.
  • Microsoft Defender Antivirus:

    • Specify the maximum depth to scan archive files
    • Specify the maximum size of archive files to be scanned

For more information on these settings, see:

Applies to:

  • Windows 10 and later

New archive file scan settings added to Antivirus policy for Windows devices

We added the following two settings to the Microsoft Defender Antivirus profile for endpoint security Antivirus policy that apply to Windows 10 and Windows 11 devices:

With Antivirus policy, you can manage these settings on devices enrolled by Intune and on devices managed through the Defender for Endpoint security settings management scenario.

Both settings are also available in the settings catalog at Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type > Defender.

Applies to:

  • Windows 10
  • Windows 11

Updates to assignment filters

You can use Intune assignment filters to assign a policy based on rules you create.

Now, you can:

  • Use managed app assignment filters for Window MAM app protection policies and app configuration policies.
  • Filter your existing assignment filters by Platform, and by the Managed apps or Managed devices filter type. When you have many filters, this feature makes it easier to find specific filters you created.

For more information on these features, see:

This feature applies to:

  • Managed devices on the following platforms:

    • Android device administrator
    • Android Enterprise
    • Android (AOSP)
    • iOS/iPadOS
    • macOS
    • Windows 10/11
  • Managed apps on the following platforms:

    • Android
    • iOS/iPadOS
    • Windows

Device management

New compliance setting lets you verify device integrity using hardware-backed security features

A new compliance setting called Check strong integrity using hardware-backed security features lets you verify device integrity using hardware-backed key attestation. If you configure this setting, strong integrity attestation is added to Google Play's integrity verdict evaluation. Devices must meet device integrity to remain compliant. Microsoft Intune marks devices that don't support this type of integrity check as noncompliant.

This setting is available in profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile, under Device Health > Google Play Protect. It only becomes available when the Play integrity verdict policy in your profile is set to Check basic integrity or Check basic integrity & device integrity.

Applies to:

  • Android Enterprise

For more information, see Device compliance - Google Play Protect.

New compliance settings for Android work profile, personal devices

Now you can add compliance requirements for work profile passwords without impacting device passwords. All new Microsoft Intune settings are available in compliance profiles for Android Enterprise personally owned work profiles under System Security > Work Profile Security, and include:

  • Require a password to unlock work profile
  • Number of days until password expires
  • Number of previous passwords to prevent reuse
  • Maximum minutes of inactivity before password is required
  • Password complexity
  • Required password type
  • Minimum password length

If a work profile password fails to meet requirements, Company Portal marks the device as noncompliant. Intune compliance settings take precedence over the respective settings in an Intune device configuration profile. For example, the password complexity in your compliance profile is set to medium. The password complexity in a device configuration profile is set to high. Intune prioritizes and enforces the compliance policy.

Applies to:

  • Android Enterprise personally owned devices with a work profile

For more information, see Compliance settings - Android Enterprise.

Windows quality updates support for expediting non-security updates

Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings.

Applies to:

  • Windows 11 devices

For more information about installing an expedited update, see Expedite Windows quality updates in Microsoft Intune.

Introducing a remote action to pause the config refresh enforcement interval

In the Windows Settings Catalog, you can configure Configuration Refresh. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune. The device will replay and re-enforce settings based on previously received policy to minimize the chance for configuration drift.

To support this feature, a remote action is added to allow a pause in action. If an admin needs to make changes or run remediation on a device for troubleshooting or maintenance, they can issue a pause from Intune for a specified period. When the period expires, settings are enforced again.

The remote action Pause configuration refresh can be accessed from the device summary page.

For more information, see:

Device security

Updated security baseline for Windows version 23H2

You can now deploy the Intune security baseline for Windows version 23H2. This new baseline is based on the version 23H2 of the Group Policy security baseline found in the Security Compliance Toolkit and Baselines from the Microsoft Download Center, and includes only the settings that are applicable to devices managed through Intune. Use of this updated baseline can help you maintain best-practice configurations for your Windows devices.

This baseline uses the unified settings platform seen in the Settings Catalog. It features an improved user interface and reporting experience, consistency and accuracy improvements related to setting tattooing, and can support assignment filters for profiles.

Use of Intune security baselines can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations, which you can modify to meet the requirements of your organization.

Applies to:

  • Windows 10
  • Windows 11

To view the new baselines included settings with their default configurations, see, Windows MDM security baseline version 23H2.

Use a rootless implementation of Podman to host Microsoft Tunnel

When prerequisites are met, you can use a rootless Podman container to host a Microsoft Tunnel server. This capability is available when you use Podman for Red Hat Enterprise Linux (RHEL) version 8.8 or later, to host Microsoft Tunnel.

When using a rootless Podman container, the mstunnel services run under a non-privileged service user. This implementation can help limit impact from a container escape. To use a rootless Podman container, you must start the tunnel installation script using a modified command line.

For more information about this Microsoft Tunnel install option, see Use a rootless Podman container.

Improvements for Intune deployments of Microsoft Defender for Endpoint

We improved and simplified the experience, workflow, and report details for onboarding devices to Microsoft Defender when using Intune's endpoint detection and response (EDR) policy. These changes apply for Windows devices managed by Intune and by the tenant-attach scenario. These improvements include:

  • Changes to the EDR node, dashboards, and reports to improve the visibility of your Defender EDR deployment numbers. See About the endpoint detection and response node.

  • A new tenant-wide option to deploy a preconfigured EDR policy that streamlines the deployment of Defender for Endpoint to applicable Windows devices. See Use a preconfigured EDR policy.

  • Changes to Intune's the Overview page of the endpoint security node. These changes provide a consolidated view of reports for the device signals from Defender for Endpoint on your managed devices. See Use a preconfigured EDR policy.

These changes apply to the Endpoint security and endpoint detection and response nodes of the admin center, and the following device platforms:

  • Windows 10
  • Windows 11

Windows quality updates support expediting non-security updates

Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings.

Applies to:

  • Windows 11 devices

For more information about installing an expedited update, see Expedite Windows quality updates in Microsoft Intune.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Cerby by Cerby, Inc.
  • OfficeMail Go by 9Folders, Inc.
  • DealCloud by Intapp, Inc.
  • Intapp 2.0 by Intapp, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of March 3, 2024

Device enrollment

Role-based access control changes to enrollment settings for Windows Hello for Business

We updated Role-based access control (RBAC) in the enrollment area for Windows Hello for Business. Enrollment settings related to Windows Hello for Business are read-only for all roles except the Intune Service Administrator. The Intune Service Administrator can create and edit Windows Hello for Business enrollment settings.

For more information, see Role-based access control in the Windows Hello at device enrollment article.

Device security

New enrollment configuration for Windows Hello for Business

A new Windows Hello for Business enrollment setting, Enable enhanced sign in security is available in the Intune admin center. Enhanced sign-in security is a Windows Hello feature that prevents malicious users from gaining access to a user's biometrics through external peripherals.

For more information about this setting, see Create a Windows Hello for Business policy.

HTML formatting supported in noncompliance email notifications

Intune now supports HTML formatting in noncompliance email notifications for all platforms. You can use supported HTML tags to add formatting such as italics, URL links, and bulleted lists to your organization's messages.

For more information, see Create a notification message template.

Week of February 26, 2024

Microsoft Intune Suite

New Microsoft Cloud PKI service

Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. ​Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone Intune add-on. The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see Overview of Microsoft Cloud PKI.

Applies to:

  • Windows
  • Android
  • iOS/iPadOS
  • macOS

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Cinebody by Super 6 LLC

For more information about protected apps, see Microsoft Intune protected apps.

Week of February 19, 2024 (Service release 2402)

App management

More app configuration permissions for Android apps

There are six new permissions that can be configured for an Android app using an app configuration policy. They are:

  • Allow background body sensor data
  • Media Video (read)
  • Media Images (read)
  • Media Audio (read)
  • Nearby Wifi Devices
  • Nearby Devices

For more information about how to use app config policies for Android apps, see Add app configuration policies for managed Android Enterprise devices.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Bob HR by Hi Bob Ltd
  • ePRINTit SaaS by ePRINTit USA LLC
  • Microsoft Copilot by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Update to Intune Management Extension on Windows

To support expanded functionality and bug fixes, use .NET Framework 4.7.2 or higher with the Intune Management Extension on Windows clients. If a Windows client continues to use an earlier version of the .NET Framework, the Intune Management Extension continues to function. The .NET Framework 4.7.2 is available from Windows Update as of July 10, 2018, which is included in Windows 10 1809 (RS5) and newer. Multiple versions of the .NET Framework can coexist on a device.

Applies to:

  • Windows 10
  • Windows 11

Device configuration

Use assignment filters on Endpoint Privilege Management (EPM) policies

You can use assignment filters to assign a policy based on rules you create. A filter allows you to narrow the assignment scope of a policy, like targeting devices with a specific OS version or a specific manufacturer.

You can use filters on Endpoint Privilege Management (EPM) policies.

For more information, see:

Applies to:

  • Windows 10
  • Windows 11

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS
  • Restrictions

    • Allow Live Voicemail
    • Force Classroom Unprompted Screen Observation
    • Force Preserve ESIM On Erase
macOS
  • Full Disk Encryption > FileVault > Force Enable In Setup Assistant
  • Restrictions > Force Classroom Unprompted Screen Observation

For more information, see:

Import up to 20 custom ADMX and ADML administrative templates

You can import custom ADMX and ADML administrative templates in Microsoft Intune. Previously, you could import up to 10 files. Now, you can upload up to 20 files.

Applies to:

  • Windows 10
  • Windows 11

For more information on this feature, see Import custom ADMX and ADML administrative templates into Microsoft Intune (public preview).

New setting for updating MAC address randomization on Android Enterprise devices

There's a new MAC address randomization setting on Android Enterprise devices (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Wi-Fi for profile type).

Starting with Android 10, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Using randomized MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However, randomized MAC addresses break functionality that relies on a static MAC address, including network access control (NAC).

Your options:

  • Use device default: Intune doesn't change or update this setting. By default, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Any updates made by the user to the setting persist.

  • Use randomized MAC: Enables MAC address randomization on devices. When devices connect to a new network, devices present a randomized MAC address, instead of the physical MAC address. If the user changes this value on their device, it resets to Use randomized MAC on the next Intune sync.

  • Use device MAC: Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. This setting allows devices to be tracked by their MAC address. Only use this value when necessary, such as for network access control (NAC) support. If the user changes this value on their device, it resets to Use device MAC on the next Intune sync.

Applies to:

  • Android 13 and newer

For more information on the Wi-Fi settings you can configure, see Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Turn Off Copilot in Windows setting in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There's a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows for platform > Settings catalog for profile type.

  • Windows AI > Turn Off Copilot in Windows (User)

    • If you enable this policy setting, users can't use Copilot. The Copilot icon won't appear on the taskbar.
    • If you disable or don't configure this policy setting, users can use Copilot when it's available to them.

This setting uses the Policy CSP - WindowsAI.

For more information about configuring Settings Catalog policies in Intune, including user scope vs. device scope, see Create a policy using settings catalog.

Applies to:

  • Windows 10 and later

Windows Autopilot self-deploying mode is now generally available

Windows Autopilot self-deploying mode is now generally available and out of preview. Windows Autopilot self-deploying mode enables you to deploy Windows devices with little to no user interaction. Once the device connects to network, the device provisioning process starts automatically: the device joins Microsoft Entra ID, enrolls in Intune, and syncs all device-based configurations targeted to the device. Self-deploying mode ensures that the user can't access desktop until all device-based configuration is applied. The Enrollment Status Page (ESP) is displayed during OOBE so users can track the status of the deployment. For more information, see:

This information is also published in Windows Autopilot: What's new.

Windows Autopilot for pre-provisioned deployment is now generally available

Windows Autopilot for pre-provisioned deployment is now generally available and out of preview. Windows Autopilot for pre-provisioned deployment is used by organizations that want to ensure devices are business-ready before the user accesses them. With pre-provisioning, admins, partners, or OEMs can access a technician flow from the Out-of-box experience (OOBE) and kick off device setup. Next, the device is sent to the user who completes provisioning in the user phase. Pre-provisioning delivers most the configuration in advance so the end user can get to the desktop faster. For more information, see:

This information is also published in Windows Autopilot: What's new.

Device enrollment

ESP setting to install required apps during Windows Autopilot pre-provisioning

The setting Only fail selected blocking apps in technician phase is now generally available to configure in Enrollment Status Page (ESP) profiles. This setting only appears in ESP profiles that have blocking apps selected.

For more information, see Set up the Enrollment Status Page.

New local primary account configuration for macOS automated device enrollment

Configure local primary account settings for Macs enrolling in Intune via Apple automated device enrollment. These settings, supported on devices running macOS 10.11 and later, are available in new and existing enrollment profiles under the new Account Settings tab. For this feature to work, the enrollment profile must be configured with user-device affinity and one of the following authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)

Applies to:

  • macOS 10.11 and later

For more information about macOS account settings, see Create an Apple enrollment profile in Intune.

Await final configuration for macOS automated device enrollment now generally available

Now generally available, await final configuration enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies are installed on devices. The locked experience works on devices targeted with new and existing enrollment profiles, enrolling via one of these authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)
  • Without user device affinity

Applies to:

  • macOS 10.11 and later

For information about how to enable await final configuration, see Create an Apple enrollment profile.

Device management

AOSP devices check for new tasks and notifications approximately every 15 minutes

On devices enrolled with Android (AOSP) management, Intune attempts to check for new tasks and notifications approximately every 15 minutes. To use this feature, devices must be using the Intune app version 24.02.4 or newer.

Applies to:

  • Android (AOSP)

For more information, see:

New device management experience for Government clouds in Microsoft Intune

In government clouds, there's a new device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster.

If you want to try the new experience before your tenant is updated, go to Devices > Overview, select the Preview upcoming changes to Devices and provide feedback notification banner, and select Try it now.

Bulk approval of drivers

Bulk actions are now available for Windows Driver update policies. With bulk actions, multiple driver updates can be approved, paused, or declined at the same time, saving time and effort.

When you bulk approve drivers, the date for when the drivers become available to applicable devices can also be set, enabling drivers to be installed together.

Applies to:

  • Windows 10
  • Windows 11

For more information, see Bulk driver updates.

App Control for Business policy limitation is resolved

A previously documented limitation for App Control for Business policy (WDAC), that limited the number of active policies per device to 32, is resolved by Windows. The issue involves a potential Boot stop failure when more than 32 policies are active on a device.

This issue is resolved for devices that run Windows 10 1903 or later with a Windows security update released on or after March 12, 2024. Older versions of Windows can expect to receive this fix in future Windows security updates.

Applies to:

  • Windows 10 version 1903 and later

To learn more about App Control for Business policy for Intune, see Manage approved apps for Windows devices with App Control for Business policy and Managed Installers for Microsoft Intune.

Tenant administration

Customization pane support for excluding groups

The Customization pane now supports selecting groups to exclude when assigning policies. You can find this setting in the Microsoft Intune admin center by selecting Tenant administration > Customization.

For more information, see Assign policies in Microsoft Intune.

Week of January 29, 2024

Microsoft Intune Suite

Microsoft Intune Enterprise Application Management

Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. Intune hosts Enterprise App Catalog apps in Microsoft storage.

For more information, see:

Microsoft Intune Advanced Analytics

Intune Advanced Analytics provides comprehensive visibility of the end-user experience in your organization and optimizes it with data driven insights. It includes near real-time data about your devices with Device query, increased visibility with custom device scopes, a battery health report and a detailed device timeline for troubleshooting device issues, and anomaly detection to help identify potential vulnerabilities or risks across your device estate.

  • Battery health report

    The battery health report provides visibility into the health of batteries in your organization's devices and its influence on user experience. The scores and insights in this report are aimed to help IT admins with asset management and purchase decisions that improve user experience while balancing hardware costs.

  • Run on-demand device queries on single devices

    Intune allows you to quickly gain on-demand information about the state of your device. When you enter a query on a selected device, Intune runs a query in real time.

    The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.

    Applies to:

    • Windows devices

Intune Advanced Analytics is part of the Microsoft Intune Suite. For added flexibility, this new set of capabilities, together with the existing Advanced Analytics features, is also now available as an individual add-on to Microsoft subscriptions that include Intune.

To use Device query and battery health report in your tenant, or any of the existing Advanced Analytics capabilities, you must have a license for either:

  • The Intune Advanced Analytics add-on
  • The Microsoft Intune Suite add-on

For more information, see:

Week of January 22, 2024 (Service release 2401)

App management

Install DMG and PKG apps up to 8 GB in size on managed Macs

The size-limit of DMG and PKG apps that can be installed using Intune on managed Macs has been increased. The new limit is 8 GB and is applicable to apps (DMG and unmanaged PKG) that are installed using the Microsoft Intune management agent for macOS.

For more information about DMG and PKG apps, see Add a macOS DMG app to Microsoft Intune and Add an unmanaged macOS PKG app to Microsoft Intune.

Intune support of store-signed LOB apps for Surface Hub devices

Intune now supports the deployment of store-signed LOB apps (single file .appx, .msix, .appxbundle, and .msixbundle) to Surface Hub devices. The support for store-signed LOB apps enables offline store apps to be deployed to Surface Hub devices following the retirement of the Microsoft Store for Business.

Route SMS/MMS messages to specific app

You can configure an app protection policy to determine which SMS/MMS app must be used when the end user intends to send a SMS/MMS message after getting redirected from a policy managed app. When the end user selects on a number with the intent of sending an SMS/MMS message, the app protection settings are used to redirect to the configured SMS/MMS app. This capability relates to the Transfer messaging data to setting and applies to both iOS/iPadOS and Android platforms.

For more information, see iOS app protection policy settings and Android app protection policy settings.

End user app PIN reset

For managed apps that require a PIN to access, allowed end users can now reset the app PIN at any time. You can require an app PIN in Intune by selecting the PIN for access setting in iOS/iPadOS and Android app protection policies.

For more information about app protection policies, see App protection policies overview.

Maximum app package size

The maximum package size for uploading apps to Intune is changed from 8 GB to 30 GB for paid customers. Trial tenants are still restricted to 8 GB.

For more information, see Win32 app management in Microsoft Intune.

Device configuration

New setting that disables location on Android Enterprise devices

On Android Enterprise devices, there's a new setting that allows admins to control the location (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > General):

  • Location: Block disables the Location setting on the device and prevents users from turning it on. When this setting is disabled, then any other setting that depends on the device location is affected, including the Locate device remote action. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using location on the device.

Applies to:

  • Android Enterprise

For more information on the settings you can configure, see Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Date and time picker for managed software updates in the settings catalog on iOS/iPadOS and macOS devices

Using the settings catalog, you can enforce managed updates on iOS/iPadOS and macOS devices by entering a date and time (Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update).

Previously, you had to manually type the date and time. Now, there's a date and time picker for the Target Local Date Time setting:

Declarative Device Management (DDM) > Software Update:

  • Target Local Date Time

Important

If you create a policy using this setting before the January 2024 release, then this setting shows Invalid Date for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows Invalid Date.

To configure a new date and time, you can delete the Invalid Date values, and select a new date and time using the date time picker. Or, you can create a new policy.

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring Managed software updates in Intune, see Use the settings catalog to configure managed software updates.

Device management

New device management experience in Microsoft Intune

We're rolling out an update to the device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster. The new experience, previously in public preview, will gradually roll out for general availability over the coming weeks. The public preview experience continues to be available until your tenant receives the update.

The availability of this new admin center experience varies tenant by tenant. While a few will see this update immediately, many might not see the new experience for several weeks. For Government clouds, the availability of this experience is estimated around late February 2024.

Due to the rollout timelines, we're updating our documentation to the new experience as soon as possible to help ease the transition to the new admin center layout. We're unable to provide a side-by-side content experience during this transition and believe providing documentation that aligns to the newer experience brings more value to more customers. If you want to try the new experience and align with doc procedures before your tenant is updated, go to Devices > Overview, select the notification banner that reads Preview upcoming changes to Devices and provide feedback, and select Try it now.

BlackBerry Protect Mobile now supports app protection policies

You can now use Intune app protection policies with BlackBerry Protect Mobile (powered by Cylance AI). With this change, Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for unenrolled devices. This support includes the use of risk assessment with Conditional Access and configuration of Conditional Launch settings for unenrolled devices.

While configuring the CylancePROTECT Mobile connector (formerly BlackBerry Mobile), you now can select options to turn on App protection policy evaluation for both Android and iOS/iPadOS devices.

For more information, see Set up BlackBerry Protect Mobile, and Create Mobile Threat Defense app protection policy with Intune.

Device security

Support for Intune Defender Update control policies for devices managed by Microsoft Defender for Endpoint

You can now use the endpoint security policy for Defender Update control (Antivirus policy) from the Microsoft Intune admin center with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.

  • Defender Update control policies are part of endpoint security Antivirus policy.

Applies to the following when you use the Windows 10, Windows 11, and Windows Server platform:

  • Windows 10
  • Windows 11

With this support available, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune, will now apply the settings from the policy. Check your policy to make sure only the devices you intend to receive the policy will get it.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • PrinterOn Print by PrinterOn, Inc. (iOS/iPadOS)
  • Align for Intune by MFB Technologies, Inc. (iOS/iPadOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Monitoring reports for devices

In Intune, you can view a new list of all device monitoring reports. You can find these reports in Microsoft Intune admin center by selecting Devices > Monitor. The Monitor pane provides reports related to configuration, compliance, enrollment, and software updates. Additionally, there are other reports that you can view, such as Device actions.

For more information, see Intune reports.

Exported report data maintains search results

Intune can now maintain your report search and filter results when exporting report data. For example, when you use the Noncompliant devices and settings report, set the OS filter to "Windows", and search for "PC", the exported data will only contain Windows devices with "PC" in their name. This capability is also available when calling the ExportJobs API directly.

Easy upload of diagnostic logs for Microsoft Tunnel servers

You can now use a single click within the Intune admin center to have Intune enable, collect, and submit eight hours of verbose logs for a Tunnel Gateway Server to Microsoft. The verbose logs can then be referenced while working with Microsoft to identify or resolve issues with a Tunnel server.

In contrast, the collection of verbose logs previously required you to sign on to the server, run manual tasks and scripts to enable and collect verbose logs, and then copy them to a location from which you can transfer them to Microsoft.

To find this new capability, in the admin center go to Tenant administration > Microsoft Tunnel Gateway > select a server > select the Logs tab. On this tab, is a new section named Send verbose server logs with button labeled Send logs, and a list view that displays the various log sets that have been collected and submitted to Microsoft.

When you select the Send logs button:

  • Intune captures and submits the current server logs as a baseline, prior to collecting verbose logs.
  • Verbose logging is automatically enabled at level 4, and runs for eight hours to provide time to reproduce an issue for capture in those logs.
  • After eight hours, Intune submits the verbose logs and then restores the server to its default verbosity level of zero (0), for normal operations. If you previously set logs to run at a higher verbosity level, you can restore your custom verbosity level after log collection and upload is complete.
  • Each time Intune collects and submits logs, it updates the list view below the button.
  • Below the button is a list of past log submissions, displaying their verbosity level and an Incident ID that you can use when working with Microsoft to reference a specific set of logs.

For more information about this capability, see Easy upload of diagnostic logs for Tunnel servers.

Week of December 11, 2023 (Service release 2312)

App management

Support to add unmanaged PKG-type applications to managed macOS devices is now generally available

You can now upload and deploy unmanaged PKG-type applications to managed macOS devices using the Intune MDM agent for macOS devices. This feature enables you to deploy custom PKG installers, such as unsigned apps and component packages. You can add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS app (PKG) for app type.

Applies to:

  • macOS

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To deploy managed PKG-type app, you can continue to add macOS line-of-business (LOB) apps to Microsoft Intune. For more information about the Intune MDM agent for macOS devices, see Microsoft Intune management agent for macOS.

Windows MAM supported in government cloud environments and in 21 Vianet in China

Customer tenants in US Government Community (GCC), US Government Community (GCC) High, and Department of Defense (DoD) environments are now able to use Windows MAM. For related information, see Deploying apps using Intune on the GCC High and DoD Environments and Data protection for Windows MAM.

In addition, Windows MAM is available for Intune operated by 21Vianet in China. For more information, see Intune operated by 21Vianet in China.

Device configuration

Updated security baseline for Microsoft Edge v117

We released a new version of the Intune security baseline for Microsoft Edge, version v117. This update brings support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge.

We also updated our reference article for this baseline where you can view the default configuration of the settings this baseline version includes.

Device management

Support for variables in noncompliant email notifications

Use variables to personalize email notifications that are sent when a user's device becomes noncompliant. The variables included in the template, such as {{username}} and {{devicename}}, are replaced by the actual username or device name in the email that users receive. Variables are supported with all platforms.

For more information and a list of supported variables, see Create a notification message template.

Updated report visualization for Microsoft Defender for Endpoint connector

We updated the reporting visualization for the Microsoft Defender for Endpoint connector. This report visualization displays the count of devices that are onboarded to Defender for Endpoint based on status from the Defender CSP, and visually aligns to other recent report views that use a bar to represent the percentage of devices with different status values.

Device security

New settings for scheduling Antivirus scans added to Antivirus policy for Windows devices

We added two settings to the Microsoft Defender Antivirus profile for endpoint security Antivirus policy that applies to Windows 10 and Windows 11 devices. These two settings work together to first enable support for a random start time of a device's antivirus scan, and to then define a range of time during which the randomized scan start can begin. These settings are supported with devices managed by Intune and devices managed through the Defender for Endpoint security settings management scenario.

In addition to being added to the Microsoft Defender Antivirus profile, both settings are now available from the settings catalog.

Applies to:

  • Windows 10
  • Windows 11

Microsoft Tunnel support for direct proxy exclusion list in VPN profiles for Android Enterprise

Intune now supports configuration of a Proxy exclusion list when you configure a VPN profile for Microsoft Tunnel for Android devices. With an exclusion list, you can exclude specific domains from your proxy setup without requiring the use of a Proxy Auto-Configuration (PAC) file. The proxy exclusion list is available with both Microsoft Tunnel and Microsoft Tunnel for MAM.

The proxy exclusion list is supported in environments that use a single proxy. The exclusion list isn't suitable or supported when you use multiple proxy servers, for which you should continue to use a .PAC file.

Applies to:

  • Android Enterprise

Microsoft Tunnel server health metric to report on TLS certificate revocation

We added a new health metric for Microsoft Tunnel named TLS certificate revocation. This new health metric report on the status of the Tunnel Servers TLS certificate by accessing the Online Certificate Status Protocol (OCSP) or CRL address as defined in the TLS certificate. You can view the status of this new check with all the health checks in the Microsoft Intune admin center by navigating to Tenant administration > Microsoft Tunnel Gateway > Health status, selecting a server, and then selecting that servers Health check tab.

This metric runs as part of the existing Tunnel Health checks, and supports the following status:

  • Healthy: The TLs certificate isn't revoked
  • Warning: Unable to check if the TLS certificate is revoked
  • Unhealthy: The TLS certificate is revoked, and should be updated

For more information about the TLS certificate revocation check, see Monitor Microsoft Tunnel.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Akumina EXP by Akumina Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of November 27, 2023

App management

Configure offline caching in Microsoft 365 (Office) for Android devices

When the Save As to Local Storage setting is set to blocked in an app protection policy, you can use a configuration key in an app configuration policy to enable or disable offline caching. This setting is only applicable to the Microsoft 365 (Office) app on Android.

For more information, see Data protection settings in Microsoft 365 (Office).

Win32 app grace period settings on a device

On a device where a Win32 app with grace period settings is deployed, low-rights users without administrative privileges can now interact with the grace period UX. Admins on the device continue to be able to interact with the grace period UX on the device.

For more information about grace period behavior, see Set Win32 app availability and notifications.

Managed Home Screen app configuration additions

Now in public preview, Microsoft Managed Home Screen (MHS) is updated to improve the core workflows and user experience. In addition to some user interface changes, there's a new top bar navigation where admins can configure device identifying attributes to be displayed. Additionally, users can access settings, sign in/out, and view notifications when permissions are requested on the top bar.

You can add more settings to configure the Managed Home Screen app for Android Enterprise. Intune now supports the following settings in your Android Enterprise app configuration policy:

  • Enable updated user experience
  • Top Bar Primary Element
  • Top Bar Secondary Element
  • Top Bar User Name Style

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Intune APP SDK for .NET MAUI

Using the Intune APP SDK for .NET MAUI, you can develop Android or iOS apps for Intune that incorporate the .NET Multi-platform App UI. Apps developed using this framework allow you to enforce Intune mobile application management. For .NET MAUI support on Android, see Intune App SDK for .NET MAUI - Android. For .NET MAUI support on iOS, see Intune App SDK for .NET MAUI - iOS.

Week of November 13, 2023 (Service release 2311)

App management

New grace period status added in apps for Android, Android AOSP

The Intune Company Portal app for Android and Microsoft Intune app for Android AOSP now show a grace period status for devices that don't meet compliance requirements but are still within their given grace period. Users can see the date by which devices must be compliant, and the instructions for how to become compliant. If users don't update their device by the given date, the device is marked as noncompliant.

For more information, see the following articles:

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Managed Settings:

  • Data roaming
  • Personal hotspot
  • Voice roaming (deprecated): This setting is deprecated in iOS 16.0. Data roaming is the replacement setting.
Shared iPad

Managed Settings:

  • Diagnostic submission
macOS

Microsoft Defender > Antivirus engine:

  • Enable passive mode (deprecated): This setting is deprecated. Enforcement level is the replacement setting.
  • Enable real-time protection (deprecated): This setting is deprecated. Enforcement level is the replacement setting.
  • Enforcement level

Settings to manage Windows Subsystem for Linux are now available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings to the Windows settings catalog for Windows Subsystem for Linux (WSL). These settings enable Intune integration with WSL so admins can manage deployments of WSL and controls into Linux instances themselves.

To find these settings, in the Microsoft Intune admin center go to Devices > Configuration > Create > New Policy > Windows 10 and later for platform > Settings catalog for profile type.

Windows Subsystem for Linux:

  • Allow kernel debugging
  • Allow custom networking configuration
  • Allow custom system distribution configuration
  • Allow kernel command line configuration
  • Allow custom kernel configuration
  • Allow WSL1
  • Allow the Windows Subsystem for Linux
  • Allow the Inbox version of the Windows Subsystem For Linux
  • Allow user setting firewall configuration
  • Allow nested virtualization
  • Allow passthrough disk mount
  • Allow the debug shell

Applies to:

  • Windows 10
  • Windows 11

Device enrollment

Enrollment for iOS/iPadOS devices in shared device mode now generally available

Now generally available to configure in the Microsoft Intune admin center, set up automated device enrollment for iOS/iPadOS devices that are in shared device mode. Shared device mode is a feature of Microsoft Entra that enables your frontline workers to share a single device throughout the day, signing in and out as needed.

For more information, see Set up enrollment for devices in shared device mode.

Device management

Improvements to new device experience in admin center (public preview)

We made the following changes to the new Devices experience in the Microsoft Intune admin center:

  • More entry points to platform-specific options: Access the platform pages from the Devices navigation menu.
  • Quick entry to monitoring reports: Select the titles of the metrics cards to go to the corresponding monitoring report.
  • Improved navigation menu: We added icons back in to provide more color and context as you navigate.

Flip the toggle in the Microsoft Intune admin center to try out the new experience while it's in public preview and share your feedback.

For more information, see:

Device security

Additional settings for the Linux Antivirus policy template

We expanded support for Linux by adding the following settings to the Microsoft Defender Antivirus template for Linux devices:

  • cloudblocklevel
  • scanarhives
  • scanafterdefinitionupdate
  • maximumondemandscanthreads
  • behaviormonitoring
  • enablefilehashcomputation
  • networkprotection
  • enforcementlevel
  • nonexecmountpolicy
  • unmonitoredfilesystems

The Microsoft Defender Antivirus template for Linux is supported for devices managed by Intune, and devices managed only by Defender through the Defender for Endpoint security settings management scenario.

Updated security baseline for Microsoft 365 Apps for Enterprise

We released a new version of the Intune security baseline for Microsoft 365 Apps for Enterprise, version 2306.

The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to your Office Apps that meet the security recommendations of the Office and security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations. You can modify the default baseline to meet the requirements of your organization.

We also updated our reference article for this baseline where you can view the default configuration of the settings this baseline version includes.

Deprecation and replacement of two settings found in the Linux and macOS endpoint security Antivirus policies

There are two deprecated settings that in the Antivirus engine category of Microsoft Defender Antivirus profiles of both macOS and Linux. These profiles are available as part of Intune's endpoint security Antivirus policies.

For each platform, a single setting replaces the two deprecated settings. This new setting aligns with how Microsoft Defender for Endpoint manages the device configurations.

The following are the two deprecated settings:

  • Enable real-time protection now appears as Enable real-time protection (deprecated)
  • Enable passive mode now appears as Enable passive mode (deprecated)

The new setting that replaces the two deprecated settings:

  • Enforcement level - By default, Enforcement level is set to Passive and supports options of Real time and On demand.

These settings are also available from the Intune settings catalog for each platform, where the old settings are also marked as deprecated and replaced by the new setting.

With this change, a device that has either of the deprecated settings configured will continue to apply that configuration until the device is targeted by the new setting Enforcement level. Once targeted by Enforcement Level, the deprecated settings no longer are applied to the device.

The deprecated settings will be removed from the Antivirus profiles and the settings catalog in a future update to Intune.

Note

The changes for Linux are now available. The macOS settings are marked as deprecated, but the Enforcement level setting will not be available until December.

Applies to:

  • Linux
  • macOS

Microsoft Defender Firewall profiles are renamed to Windows Firewall

To align to Firewall branding changes in Windows, we are updating the names of Intune profiles for endpoint security Firewall policies. In profiles that have Microsoft Defender Firewall in the name we're replacing that with Windows Firewall.

The following platforms have profiles that are affected, with only the profile names being affected by this change:

  • Windows 10 and later (ConfigMgr)
  • Windows 10, Windows 11, and Windows Server

Endpoint security Firewall policy for Windows Firewall to manage firewall settings for Windows Hyper-V

We added new settings to the Windows Firewall profile (formerly Microsoft Defender Firewall) for endpoint security Firewall policy. The new settings can be used to manage Windows Hyper-V settings. To configure the new settings, in the Microsoft Intune admin center, go to Endpoint security > Firewall > Platform: Windows 10, Windows 11, and Windows Server > Profile: Windows Firewall.

The following settings are added to the Firewall category:

  • Target - When Target is set to Windows Subsystem for Linux, the following child settings are applicable:
    • Enable Public Network Firewall
    • Enable Private Network Firewall
    • Allow Host Policy Merge
    • Enable Domain Network Firewall
    • Enable Loopback

Applies to:

  • Windows 10
  • Windows 11

For more information about these settings, see Windows Firewall with Advanced Security.

New Endpoint Security Firewall policy profile for Windows Hyper-V Firewall Rules

We released a new profile named Windows Hyper-V Firewall Rules that you can find through the Windows 10, Windows 11, and Windows Server platform path for endpoint security Firewall policy. Use this profile to manage the firewall settings and rules that apply to specific Hyper-V containers on Windows, including applications like the Windows Subsystem for Linux (WSL) and the Windows Subsystem for Android (WSA).

Applies to:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Hey DAN for Intune by Civicom, Inc.
  • Microsoft Azure by Microsoft Corporation (iOS)
  • KeePassium for Intune by KeePassium Labs (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of November 6, 2023

App management

Minimum version update for iOS Company Portal

Users are required to update to v5.2311.1 of the iOS Company Portal. If you enabled the Block installing apps using App Store device restriction setting, you'll likely need to push an update to the related devices that use this setting. Otherwise, no action is needed.

If you have a helpdesk, you might want to make them aware of the prompt to update the Company Portal app. In most cases, users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. Users that have an earlier app version are prompted to update to the latest Company Portal app.

Device security

Defender for Endpoint security settings management enhancements and support for Linux and macOS are generally available

The improvements that were introduced in the Defender for Endpoint security settings management opt-in public preview are now generally available.

With this change, the default behavior for security settings management includes all the behavior added for the opt-in preview – without having to enable support for preview features in Microsoft Defender for Endpoint. This includes the general availability and support for the following endpoint security profiles for Linux and macOS:

Linux:

  • Microsoft Defender Antivirus
  • Microsoft Defender Antivirus exclusions
  • Endpoint detection and response

MacOS:

  • Microsoft Defender Antivirus
  • Microsoft Defender Antivirus exclusions
  • Endpoint detection and response

For more information, see Microsoft Defender for Endpoint Security settings management in the Intune documentation.

Device management

Feature updates and reports support Windows 11 policies

The new setting on Feature update policies enables an organization to deploy Windows 11 to those devices that are eligible for the upgrade, while ensuring devices not eligible for the upgrade are on the latest Windows 10 feature update with a single policy. As a result, admins don't need to create or manage groups of eligible and non-eligible devices.

For more information on feature updates, see Feature updates for Windows 10 and later.

Week of October 30, 2023

Device security

Strict Tunnel Mode in Microsoft Edge available for Microsoft Tunnel for MAM on Android and iOS/iPadOS devices

In Intune, you can use the Microsoft Tunnel for mobile application management (MAM) on Android and iOS/iPadOS devices. With the MAM tunnel, unmanaged devices (devices not enrolled in Intune) can access on-premises apps and resources.

There's a new Strict Tunnel Mode feature you can configure for Microsoft Edge. When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again.

To configure this feature, create a Microsoft Edge app configuration policy, and add the following setting:

  • Key: com.microsoft.intune.mam.managedbrowser.StrictTunnelMode
  • Value: True

Applies to:

  • Android Enterprise version 10 and later
  • iOS/iPadOS version 14 and later

For more information, see:

Week of October 23, 2023 (Service release 2310)

App management

Update for users of Android Company Portal app

If users launch a version of the Android Company Portal app below version 5.0.5333.0 (released November 2021), they'll see a prompt encouraging them to update their Android Company Portal app. If a user with an older Android Company Portal version attempts a new device registration using a recent version of the Authenticator app, the process will likely fail. To resolve this behavior, update the Android Company Portal app.

Minimum SDK version warning for iOS devices

The Min SDK version for the iOS Conditional Launch setting on iOS devices now includes a warn action. This action warns end users if the min SDK version requirement isn't met.

For more information, see iOS app protection policy settings.

Minimum OS for Apple LOB and store apps

You can configure the minimum operating system to be the latest Apple OS releases for both Apple line-of-business apps and iOS/iPadOS store apps. You can set the minimum operating system for Apple apps as follows:

  • iOS/iPadOS 17.0 for iOS/iPadOS line-of-business apps
  • macOS 14.0 for macOS line-of-business apps
  • iOS/iPadOS 17.0 for iOS/iPadOS store apps

Applies to:

  • iOS/iPadOS
  • macOS

Android (AOSP) supports line-of-business (LOB) apps

You can install and uninstall mandatory LOB apps on AOSP devices by using the Required and Uninstall group assignments.

Applies to:

  • Android

To learn more about managing LOB apps, see Add an Android line-of-business app to Microsoft Intune.

Configuration scripts for unmanaged macOS PKG apps

You can now configure pre-install and post-install scripts in unmanaged macOS PKG apps. This feature gives you greater flexibility over custom PKG installers. Configuring these scripts is optional and requires the Intune agent for macOS devices v2309.007 or higher.

For more information about adding scripts to unmanaged macOS PKG apps, see Add an unmanaged macOS PKG app.

Device configuration

FSLogix settings are available in the Settings Catalog and Administrative Templates

The FSLogix settings are available in the Settings Catalog and in Administrative Templates (ADMX) for you to configure.

Previously, to configure FSLogix settings on Windows devices, you imported them using the ADMX import feature in Intune.

Applies to:

  • Windows 10
  • Windows 11

For more information on these features, see:

Use delegated scopes in your Managed Google Play apps that configure enhanced permissions on Android Enterprise devices

In your Managed Google Play apps, you can give apps enhanced permissions using delegated scopes.

When your apps include delegated scopes, you can configure the following settings in a device configuration profile (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > Applications):

  • Allow other apps to install and manage certificates: Admins can select multiple apps for this permission. The selected apps are granted access to certificate installation and management.
  • Allow this app to access Android security logs: Admins can select one app for this permission. The selected app is granted access to security logs.
  • Allow this app to access Android network activity logs: Admins can select one app for this permission. The selected app is granted access to network activity logs.

To use these settings, your Managed Google Play app must use delegated scopes.

Applies to:

  • Android Enterprise fully managed devices
  • Android Enterprise dedicated devices
  • Android Enterprise corporate-owned devices with a work profile

For more information on this feature, see:

Samsung ended support for kiosk mode on Android device administrator (DA) devices

Samsung marked the Samsung Knox kiosk APIs used on Android device administrator as deprecated in Knox 3.7 (Android 11).

Though the functionality might continue to work, there's no guarantee that it will continue working. Samsung won't fix bugs that might arise. For more information on Samsung support for deprecated APIs, see What kind of support is offered after an API is deprecated? (opens Samsung's web site).

Instead, you can manage kiosk devices with Intune using dedicated device management.

Applies to:

  • Android device administrator (DA)

Import and export settings catalog policies

The Intune settings catalog lists all the settings you can configure, and all in one place (Devices > Manage devices > Configuration > Create > New Policy > Select your platform > For Profile type, select Settings catalog).

The settings catalog policies can be imported and exported:

  • To export an existing policy, select the profile > select the ellipsis > Export JSON.
  • To import a previously exported settings catalog policy, select Create > Import policy > select the previously exported JSON file.

For more information about the settings catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Note

This feature is continuing to roll out. It may be a couple of weeks before it's available in your tenant.

New setting to block users from using the same password to unlock the device and access the work profile on Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, users can use the same password to unlock the device and access the work profile.

There's a new setting that can enforce different passwords to unlock the device and access the work profile (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise > Personally Owned Work Profile for platform > Device Restrictions for profile type):

  • One lock for device and work profile: Block prevents users from using the same password for the lock screen on the device and work profile. End users are required to enter the device password to unlock the device and enter their work profile password to access their work profile. When set to Not Configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to access their work profile using a single password.

This setting is optional and doesn't impact existing configuration profiles.

Currently, if the work profile password doesn't meet the policy requirements, then device users see a notification. The device isn't marked as non-compliant. A separate compliance policy for the work profile is being created and will be available in a future release.

Applies to:

  • Android Enterprise personally owned devices with a work profile (BYOD)

For a list of settings you can configure on personally owned devices with a work profile, see Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > macOS > Settings catalog for profile type.

Privacy > Privacy Preferences Policy Control:

  • System Policy App Data

Restrictions:

  • Force On Device Only Dictation

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device enrollment

Web based device enrollment with JIT registration for personal iOS/iPadOS devices

Intune supports web-based device enrollment with just in time (JIT) registration for personal devices set up via Apple device enrollment. JIT registration reduces the number of authentication prompts shown to users throughout the enrollment experience and establishes SSO across the device. Enrollment takes place on the web version of Intune Company Portal, eliminating need for the Company Portal app. Also, this enrollment method enables employees and students without managed Apple IDs to enroll devices and access volume-purchased apps.

For more information, see Set up web based device enrollment for iOS.

Device management

Updates to the Intune add-ons page

The Intune add-ons page under Tenant administration includes Your add-ons, All add-ons, and Capabilities. It provides an enhanced view into your trial or purchased licenses, the add-on capabilities you're licensed to use in your tenant, and support for new billing experiences in Microsoft admin center.

For more information, see Use Intune Suite add-ons capabilities.

Remote Help for Android is now Generally available

Remote Help is generally available for Android Enterprise Dedicated devices from Zebra and Samsung.

With Remote Help, IT Pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues quickly and efficiently.

Applies to:

  • Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, see Remote Help on Android.

Device security

Configure declarative software updates and passcode policies for Apple devices in the Settings Catalog

You can manage software updates and passcode using Apple's declarative device management (DDM) configuration using the settings catalog (Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative device management).

For more information about DDM, see Apple's declarative device management (DDM) (opens Apple's website).

DDM allows you to install a specific update by an enforced deadline. The autonomous nature of DDM provides an improved user experience as the device handles the entire software update lifecycle. It prompts users that an update is available and also downloads, prepares the device for the installation, & installs the update.

In the settings catalog, the following declarative software update settings are available at Declarative device management > Software Update:

  • Details URL: The web page URL that shows the update details. Typically, this URL is a web page hosted by your organization that users can select if they need organization-specific help with the update.
  • Target Build Version: The target build version to update the device to, like 20A242. The build version can include a supplemental version identifier, like 20A242a. If the build version you enter isn't consistent with the Target OS Version value you enter, then the Target OS Version value takes precedence.
  • Target Local Date Time: The local date time value that specifies when to force install the software update. If the user doesn't trigger the software update before this time, then the device force installs it.
  • Target OS Version: The target OS version to update the device to. This value is the OS version number, like 16.1. You can also include a supplemental version identifier, like 16.1.1.

For more information on this feature, see Manage software updates with the settings catalog.

In the settings catalog, the following declarative passcode settings are available at Declarative device management > Passcode:

  • Automatic Device Lock: Enter the maximum time period that a user can be idle before the system automatically locks the device.
  • Maximum Grace Period: Enter the maximum time period that a user can unlock the device without a passcode.
  • Maximum Number of Failed Attempts: Enter the maximum number of wrong passcode attempts before:
    • iOS/iPadOS wipes the device
    • macOS locks the device
  • Minimum Passcode Length: Enter the minimum number of characters a passcode must have.
  • Passcode Reuse Limit: Enter the number of previously used passcodes that can't be used.
  • Require Complex Passcode: When set to True, a complex passcode is required. A complex passcode doesn't have repeated characters, and doesn't have increasing or decreasing characters, like 123 or CBA.
  • Require Passcode on Device: When set to True, the user must set a passcode to access the device. If you don't set other passcode restrictions, then there aren't any requirements about the length or quality of the passcode.

Applies to:

  • iOS/iPadOS 17.0 and later
  • macOS 14.0 and later

For information about the settings catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Mvision Mobile is now Trellix Mobile Security

The Intune Mobile Threat Defense partner Mvision Mobile has transitioned to Trellix Mobile Security. With this change, we've updated our documentation and the Intune admin center UI. For example, the Mvision Mobile connector is now Trellix Mobile Security. Existing installs of the Mvision Mobile connector also update to Trellix Mobile Security.

If you have questions about this change, reach out to your Trellix Mobile Security representative.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • BuddyBoard by Brother Industries, LTD
  • Microsoft Loop by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Policy compliance and Setting compliance are now generally available

The following device compliance reports are out of public preview and are now generally available:

With this move to general availability, the older versions of both reports have been retired from the Intune admin center and are no longer available.

For more information about these changes, see the Intune Support Team blog at https://aka.ms/Intune/device_compl_report.

Tenant administration

Intune admin center home page update

The Intune admin center home page has been redesigned with a fresh new look and more dynamic content. The Status section has been simplified. You can explore Intune related capabilities in the Spotlight section. The Get more out of Intune section provides links to the Intune community and blog, and Intune customer success. Also, the Documentation and training section provides links to What's New in Intune, Feature in development, and more training. In Microsoft Intune admin center, select Home.

Week of October 16, 2023

Tenant administration

endpoint.microsoft.com URL redirects to intune.microsoft.com

Previously, it was announced that the Microsoft Intune admin center has a new URL (https://intune.microsoft.com).

The https://endpoint.microsoft.com URL now redirects to https://intune.microsoft.com.

Week of September 18, 2023 (Service release 2309)

App management

MAM for Windows general availability

You can now enable protected MAM access to org data via Microsoft Edge on personal Windows devices. This capability uses the following functionality:

  • Intune Application Configuration Policies (ACP) to customize the org user experience in Microsoft Edge
  • Intune Application Protection Policies (APP) to secure org data and ensure the client device is healthy when using Microsoft Edge
  • Windows Security Center threat defense integrated with Intune APP to detect local health threats on personal Windows devices
  • Application Protection Conditional Access to ensure the device is protected and healthy before granting protected service access via Microsoft Entra ID.

Intune Mobile Application Management (MAM) for Windows is available for Windows 11, build 10.0.22621 (22H2) or later. This feature includes the supporting changes for Microsoft Intune (2309 release), Microsoft Edge (v117 stable branch and later) and Windows Security Center (v 1.0.2309.xxxxx and later). App Protection Conditional Access is in Public Preview.

Sovereign cloud support is expected in the future. For more information, see App protection policy settings for Windows.

Device configuration

OEMConfig profiles that don't deploy successfully aren't shown as "pending"

For Android Enterprise devices, you can create a configuration policy that configures the OEMConfig app (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > OEMConfig for profile type).

Previously, OEMConfig profiles that exceed 350 KB show a "pending" state. This behavior changed. An OEMConfig profile that exceeds 350 KB isn't deployed to the device. Profiles in a pending state or profiles larger that 350 KB aren't shown. Only profiles that successfully deploy are shown.

This change is a UI change only. No changes are made to the corresponding Microsoft Graph APIs.

To monitor the profile pending status in the Intune admin center, go to Devices > Manage devices > Configuration > Select the profile > Device status.

Applies to:

  • Android Enterprise

For more information on OEM Configuration, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Config Refresh settings are in the settings catalog for Windows Insiders

In the Windows Settings Catalog, you can configure Config Refresh. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune.

Config Refresh:

  • Enable config refresh
  • Refresh cadence (minutes)

Applies to:

  • Windows 11

For more information on the Settings Catalog, see Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Managed Settings now available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

The settings within the Managed Settings command are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS > Settings catalog for profile type.

Managed Settings > App Analytics:

  • Enabled: If true, enable sharing app analytics with app developers. If false, disable sharing app analytics.

Applies to:

  • Shared iPad

Managed Settings > Accessibility Settings:

  • Bold Text Enabled
  • Grayscale Enabled
  • Increase Contrast Enabled
  • Reduce Motion Enabled
  • Reduce Transparency Enabled
  • Text Size
  • Touch Accommodations Enabled
  • Voice Over Enabled
  • Zoom Enabled

Managed Settings > Software Update Settings:

  • Recommendation Cadence: This value defines how the system presents software updates to the user.

Managed Settings > Time Zone:

  • Time Zone: The Internet Assigned Numbers Authority (IANA) time zone database name.

Applies to:

  • iOS/iPadOS

Managed Settings > Bluetooth:

  • Enabled: If true, enable the Bluetooth setting. If false, disable the Bluetooth setting.

Managed Settings > MDM Options:

  • Activation Lock Allowed While Supervised: If true, a supervised device registers itself with Activation Lock when the user enables Find My.

Applies to:

  • iOS/iPadOS
  • macOS

For more information on these settings, see Apple's developer website. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

New setting available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There's a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > macOS > Settings catalog for profile type.

Microsoft Defender > Cloud delivered protection preferences:

  • Cloud Block Level

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Intune integration with the Zebra Lifeguard Over-the-Air service is generally available

Microsoft Intune supports integration with Zebra Lifeguard Over-the-Air service, which allows you to deliver OS updates and security patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can select the firmware version you want to deploy, set a schedule, and stagger update downloads and installs. You can also set minimum battery, charging status, and network conditions requirements for when the update can happen.

This integration is now generally available for Android Enterprise Dedicated and Fully Managed Zebra devices that are running Android 8 or later. It also requires a Zebra account and Intune Plan 2 or Microsoft Intune Suite.

Previously, this feature was in public preview and free for use. With this release as generally available, this solution now requires an add-on license for its use.

For licensing details, see Intune add-ons.

Device enrollment

SSO support during enrollment for Android Enterprise fully managed and corporate-owned devices with a work profile

Intune supports single sign-on (SSO) on Android Enterprise devices that are fully managed or corporate-owned with a work profile. With the addition of SSO during enrollment, end users enrolling their devices only need to sign in once with their work or school account.

Applies to:

  • Android Enterprise corporate owned devices with a work profile
  • Android Enterprise fully managed

For more information on these enrollment methods, see:

Device management

Introducing Remote Help on macOS

The Remote Help web app allows users to connect to macOS devices and join a view-only remote assistance session.

Applies to:

  • 11 Big Sur
  • 12 Monterey
  • 13 Ventura

For more information on Remote Help on macOS, see Remote Help.

Management certificate expiration date

Management certificate expiration date is available as a column in the Devices workload. You can filter on a range of expiration dates for the management certificate and also export a list of devices with an expiration date matching the filter.

This information is available in Microsoft Intune admin center by selecting Devices > All devices.

Windows Defender Application Control (WDAC) references are updated to App Control for Business

Windows renamed Windows Defender Application Control (WDAC) as App Control for Business. With this change, the references in Intune docs and the Intune admin center are updated to reflect this new name.

Intune supports iOS/iPadOS 15.x as the minimum version

Apple released iOS/iPadOS version 17. Now, the minimum version supported by Intune is iOS/iPadOS 15.x.

Applies to:

  • iOS/iPadOS

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement for supported versus allowed iOS/iPadOS versions for user-less devices.

Government tenant support for endpoint security Application Control policy and managed installer

We've added support to use endpoint security Application Control policies, and to configure a managed installer, to the following sovereign cloud environments:

  • US Government clouds
  • 21Vianet in China

Support for Application Control policy and managed installers was originally released in preview in June 2023. Application Control policies in Intune are an implementation of Defender Application Control (WDAC).

Device security

Endpoint Privilege Management support for Windows 365 devices

You can now use Endpoint Privilege Management to manage application elevations on Windows 365 devices (also known as Cloud PCs).

This support doesn't include Azure Virtual Desktop.

Elevation report by Publisher for Endpoint Privilege Management

We've released a new report named Elevation report by Publisher for Endpoint Privilege Management (EPM). With this new report you can view all managed and unmanaged elevations, which are aggregated by the publisher of the app that is elevated.

You'll find the report in the Report node for EPM in the Intune admin center. Navigate to Endpoint security > Endpoint Privilege Management and then select the Reports tab.

macOS support with Intune Endpoint security policies for Endpoint detection and response

Intune Endpoint security policies for Endpoint detection and response (EDR) now support macOS. To enable this support, we've added a new EDR template profile for macOS. Use this profile with macOS devices enrolled with Intune and macOS devices managed through the opt-in public preview of the Defender for Endpoint security settings management scenario.

The EDR template for macOS includes the following settings for the Device tags category from Defender for Endpoint:

  • Type of tag – The GROUP tag, tags the device with the specified value. The tag is reflected in the admin center on the device page and can be used for filtering and grouping devices.
  • Value of tag - Only one value per tag can be set. The Type of a tag is unique and shouldn't be repeated in the same profile.

To learn more about Defender for Endpoint settings that are available for macOS, see Set preferences for Microsoft Defender for Endpoint on macOS in the Defender documentation.

Linux support with Intune Endpoint security policies for Endpoint detection and response

Intune Endpoint security policies for Endpoint detection and response (EDR) now support Linux. To enable this support, we've added a new EDR template profile for Linux. Use this profile with Linux devices enrolled with Intune and Linux devices managed through the opt-in public preview of the Defender for Endpoint security settings management scenario.

The EDR template for Linux includes the following settings for the Device tags category from Defender for Endpoint:

  • Value of tag - Only one value per tag can be set. The Type of a tag is unique and shouldn't be repeated in the same profile.
  • Type of tag – The GROUP tag, tags the device with the specified value. The tag is reflected in the admin center on the device page and can be used for filtering and grouping devices.

You can learn more about Defender for Endpoint settings that are available for Linux in Set preferences for Microsoft Defender for Endpoint on Linux in the Defender documentation.

Monitor and troubleshoot

Updated reports for Update rings for Windows 10 and later

Reporting for Update rings for Windows 10 and later has been updated to use Intune's improved reporting infrastructure. These changes align to similar improvements introduced for other Intune features.

With this change for reports for Update rings for Windows 10 and later, when you select an update rings policy in the Intune admin center, there isn't a left-pane navigation for Overview, Manage, or Monitor options. Instead, the policy view opens to a single pane that includes the following policy details:

  • Essentials – including the policy name, created and modified dates, and more details.
  • Device and user check-in status – This view is the default report view and includes:
    • A high-level overview of device status for this policy, and a View report button to open a more comprehensive report view.
    • A streamlined representation and count of the different device status values returned by devices assigned to the policy. The simplified bar and chart replace former doughnut charts seen in the prior reporting representation.
  • Two other report tiles to open more reports. These tiles include:
    • Device assignment status – This report combines the same information as the previous Device status and User status reports, which are no longer available. However, with this change, pivots and drill-in through based on the user name is no longer available.
    • Per setting status – This new report provides success metrics for each setting configured differently than the defaults, allowing for new insight to which settings might not be successfully deploying to your organization.
  • Properties – View details for each configuration page of the policy, including an option to Edit each areas profile details.

For more information about reports for update rings for Windows 10 and later, see Reports for Update rings for Windows 10 and later policy in the Windows Update reports for Microsoft Intune article.

Role-based access

Updating the scope of UpdateEnrollment

With the introduction of a new role UpdateEnrollment, the scope of UpdateOnboarding is getting updated.

The UpdateOnboarding setting for custom and built-in roles is modified to only manage or change the Android Enterprise binding to Managed Google Play and other account-wide configurations. Any built-in roles that used UpdateOnboarding will now have UpdateEnrollmentProfiles included.

The resource name is being updated from Android for work to Android Enterprise.

For more information, see Role-based access control (RBAC) with Microsoft Intune.

Week of September 11, 2023

Device configuration

Introducing Remote Launch on Remote Help

With Remote Launch, the helper can launch Remote Help seamlessly on the helper and user's device from Intune by sending a notification to the user's device. This feature allows both helpdesk and the sharer to be connected to a session quickly without exchanging session codes.

Applies to:

  • Windows 10/11

For more information, see Remote Help.

Week of September 4, 2023

Device management

Microsoft Intune ending support for Android device administrator on devices with GMS access in August 2024

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on August 30, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable.

If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends.

For more information, see Ending support for Android device administrator on GMS devices.

Week of August 28, 2023

Device configuration

Windows and Android support for 4096-bit key size for SCEP and PFX certificate profiles

Intune SCEP certificate profiles and PKCS certificate profiles for Windows and Android devices now support a Key size (bits) of 4096. This key size is available for new profiles and existing profiles you choose to edit.

  • SCEP profiles have always included the Key size (bits) setting and now support 4096 as an available configuration option.
  • PKCS profiles don't include the Key size (bits) setting directly. Instead, an admin must modify the certificate template on the Certification Authority to set the Minimum key size to 4096.

If you use a third-party Certificate Authority (CA), you might need to contact your vendor for assistance with implementing the 4096-bit key size.

When updating or deploying new certificate profiles to take advantage of this new key size, we recommend using a staggered deployment approach. This approach can help avoid creating excessive demand for new certificates across a large number of devices at the same time.

With this update, be aware of the following limitations on Windows devices:

  • 4096-bit key storage is supported only in the Software Key Storage Provider (KSP). The following don't support storing keys of this size:
    • The hardware TPM (Trusted Platform Module). As a workaround you can use the Software KSP for key storage.
    • Windows Hello for Business. There isn't a workaround at this time.

Tenant administration

Access policies for multiple Administrator Approval are now generally available

Access policies for multiple Administrator Approval are out of public preview and are now generally available. With these policies, you can protect a resource, like App deployments, by requiring any change to the deployment to be approved by one of a group of users who are approvers for the resource, before that change is applied.

For more information, see Use Access policies to require multiple administrative approval.

Week of August 21, 2023 (Service release 2308)

App management

Managed Home Screen end-users prompted to grant exact alarm permission

Managed Home Screen uses the exact alarm permission to do the following actions:

  • Automatically sign out users after a set time of inactivity on the device
  • Launch a screen saver after a set period of inactivity
  • Automatically relaunch MHS after a certain period of time when a user exits kiosk mode

For devices running Android 14 and higher, by default, the exact alarm permission will be denied. To make sure critical user functionality isn't impacted, end-users are prompted to grant exact alarm permission upon first launch of Managed Home Screen. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android's developer documentation.

Managed Home Screen notifications

For Android devices running Android 13 or higher that target API level 33, by default, applications don't have permission to send notifications. In previous versions of Managed Home Screen, when an admin had enabled automatic relaunch of Managed Home Screen, a notification was displayed to alert users of the relaunch. To accommodate change to notification permission, in the scenario when an admin has enabled auto-relaunch of Managed Home Screen, the application will now display a toast message alerting users of the relaunch. Managed Home Screen is able to auto-grant permission for this notification, so no change is required for admins configuring Managed Home Screen to accommodate the change in notification permission with API level 33. For more information about Android 13 (API level 33) notification messages, see the Android developer documentation. For more information about Managed Home Screen, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

New macOS web clip app type

In Intune, end users can pin web apps to the dock on your macOS devices (Apps > macOS > Add > macOS web clip).

Applies to:

  • macOS

For related information about the settings you can configure, see Add web apps to Microsoft Intune.

Win32 app configurable installation time

In Intune, you can set a configurable installation time to deploy Win32 apps. This time is expressed in minutes. If the app takes longer to install than the set installation time, the system will fail the app install. Max timeout value is 1440 minutes (1 day). For more information about Win32 apps, see Win32 app management in Microsoft Intune.

Samsung Knox conditional launch check

You can add more detection of device health compromises on Samsung Knox devices. Using a conditional launch check within a new Intune App Protection Policy, you can require that hardware-level device tamper detection and device attestation be performed on compatible Samsung devices. For more information, see the Samsung Knox device attestation setting in the Conditional launch section of Android app protection policy settings in Microsoft Intune.

Device configuration

Remote Help for Android in public preview

Remote Help is available in public preview for Android Enterprise Dedicated devices from Zebra and Samsung. With Remote Help, IT Pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues quickly and efficiently.

Applies to:

  • Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, see Remote Help on Android.

Group Policy analytics is generally available

Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze your on-premises group policy objects (GPOs) for their migration to Intune policy settings.

Applies to:

  • Windows 11
  • Windows 10

For more information about Group Policy analytics, see Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune.

New SSO, login, restrictions, passcode, and tamper protection settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS > Settings catalog for profile type.

iOS/iPadOS 17.0 and later

Restrictions:

  • Allow iPhone Widgets On Mac
macOS

Microsoft Defender > Tamper protection:

  • Process's arguments
  • Process path
  • Process's Signing Identifier
  • Process's Team Identifier
  • Process exclusions
macOS 13.0 and later

Authentication > Extensible Single Sign On (SSO):

  • Account Display Name
  • Additional Groups
  • Administrator Groups
  • Authentication Method
  • Authorization Right
  • Group
  • Authorization Group
  • Enable Authorization
  • Enable Create User At Login
  • Login Frequency
  • New User Authorization Mode
  • Account Name
  • Full Name
  • Token To User Mapping
  • User Authorization Mode
  • Use Shared Device Keys
macOS 14.0 and later

Login > Login Window Behavior:

  • Autologin Password
  • Autologin Username

Restrictions:

  • Allow ARD Remote Management Modification
  • Allow Bluetooth Sharing Modification
  • Allow Cloud Freeform
  • Allow File Sharing Modification
  • Allow Internet Sharing Modification
  • Allow Local User Creation
  • Allow Printer Sharing Modification
  • Allow Remote Apple Events Modification
  • Allow Startup Disk Modification
  • Allow Time Machine Backup

Security > Passcode:

  • Password Content Description
  • Password Content Regex

Device enrollment

Just-in-time registration and compliance remediation for iOS/iPadOS Setup Assistant with modern authentication now generally available

Just in time (JIT) registration and compliance remediation for Setup Assistant with modern authentication are now out of preview and generally available. With just in time registration, the device user doesn't need to use the Company Portal app for Microsoft Entra registration and compliance checking. JIT registration and compliance remediation are embedded into the user's provisioning experience, so they can view their compliance status and take action within the work app they're trying to access. Also, this establishes single-sign on across the device. For more information about how to set up JIT registration, see Set up Just in Time Registration.

Awaiting final configuration for iOS/iPadOS automated device enrollment now generally available

Now generally available, awaiting final configuration enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies install on devices. The locked experience works on devices targeted with new and existing enrollment profiles. Supported devices include:

  • iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication
  • iOS/iPadOS 13+ devices enrolling without user affinity
  • iOS/iPadOS 13+ devices enrolling with Microsoft Entra ID shared mode

This setting is applied once during the out-of-box automated device enrollment experience in Setup Assistant. The device user doesn't experience it again unless they re-enroll their device. Awaiting final configuration is enabled by default for new enrollment profiles. For information about how to enable awaiting final configuration, see Create an Apple enrollment profile.

Device management

Changes to Android notification permission prompt behavior

We've updated how our Android apps handle notification permissions to align with recent changes made by Google to the Android platform. As a result of Google changes, notification permissions are granted to apps as follows:

  • On devices running Android 12 and earlier: Apps are permitted to send notifications to users by default.
  • On devices running Android 13 and later: Notification permissions vary depending on the API the app targets.
    • Apps targeting API 32 and lower: Google has added a notification permission prompt that appears when the user opens the app. Management apps can still configure apps so that they're automatically granted notification permissions.
    • Apps targeting API 33 and higher: App developers define when the notification permission prompts appear. Management apps can still configure apps so that they're automatically granted notification permissions.

You and your device users can expect to see the following changes now that our apps target API 33:

  • Company Portal used for work profile management: Users see a notification permission prompt in the personal instance of the Company Portal when they first open it. Users don't see a notification permission prompt in the work profile instance of Company Portal because notification permissions are automatically permitted for Company Portal in the work profile. Users can silence app notifications in the Settings app.
  • Company Portal used for device administrator management: Users see a notification permission prompt when they first open the Company Portal app. Users can adjust app notification settings in the Settings app.
  • Microsoft Intune app: No changes to existing behavior. Users don't see a prompt because notifications are automatically permitted for the Microsoft Intune app. Users can adjust some app notification settings in the Settings app.
  • Microsoft Intune app for AOSP: No changes to existing behavior. Users don't see a prompt because notifications are automatically permitted for the Microsoft Intune app. Users can't adjust app notification settings in the Settings app.

Device security

Defender Update controls to deploy updates for Defender is now generally available

The profile Defender Update controls for Intune Endpoint security Antivirus policy, which manages update settings for Microsoft Defender, is now generally available. This profile is available for the Windows 10, Windows 11, and Windows Server platform. While in public preview, this profile was available for the Windows 10 and later platform.

The profile includes settings for the rollout release channel by which devices and users receive Defender Updates that are related to daily security intelligence updates, monthly platform updates, and monthly engine updates.

This profile includes the following settings, which are all directly taken from Defender CSP - Windows Client Management.

  • Engine Updates Channel
  • Platform Updates Channel
  • Security Intelligence Updates Channel

These settings are also available from the settings catalog for the Windows 10 and later profile.

Elevation report by applications for Endpoint Privilege Management

We've released a new report named Elevation report by applications for Endpoint Privilege Management (EPM). With this new report you can view all managed and unmanaged elevations, which are aggregated by the application that elevated. This report can aid you in identifying applications that might require elevation rules to function properly, including rules for child processes.

You'll find the report in the Report node for EPM in the Intune admin center. Navigate to Endpoint security > Endpoint Privilege Management and then select the Reports tab.

New settings available for macOS Antivirus policy

The Microsoft Defender Antivirus profile for macOS devices has been updated with nine more settings, and three new settings categories:

Antivirus engine – The following settings are new in this category:

  • Degree of parallelism for on-demand scans – Specifies the degree of parallelism for on-demand scans. This setting corresponds to the number of threads used to perform the scan and impacts the CPU usage, and the duration of the on-demand scan.
  • Enable file hash computation – Enables or disables file hash computation feature. When this feature is enabled, Windows Defender computes hashes for files it scans. This setting helps improve the accuracy of Custom Indicator matches. However, enabling Enable file hash computation can impact device performance.
  • Run a scan after definitions are updated – Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting triggers an antivirus scan on the running processes of the device.
  • Scanning inside archive files – If true, Defender unpacks archives and scan files inside them. Otherwise archive content is skipped, which improves scanning performance.

Network protection – A new category that includes the following setting:

  • Enforcement level – Configure this setting to specify if network protection is disabled, in audit mode, or enforced.

Tamper protection - A new category that includes the following setting:

  • Enforcement level - Specify whether tamper protection is disabled, in audit mode, or enforced.

User interface preferences – A new category that includes the following settings:

  • Control sign-in to consumer version - Specify whether users can sign into the consumer version of Microsoft Defender.
  • Show / hide status menu icon – Specify whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.
  • User initiated feedback – Specify whether users can submit feedback to Microsoft by going to Help > Send Feedback.

New profiles that you create include the original settings and the new settings. Your existing profiles automatically update to include the new settings, with each new setting set to Not configured until you choose to edit that profile to change it.

For more information about how to set preferences for Microsoft Defender for Endpoint on macOS in enterprise organizations, see Set preferences for Microsoft Defender for Endpoint on macOS.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • VerityRMS by Mackey LLC (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

CloudDesktop log now collected with Windows diagnostics data

The Intune remote action to collect diagnostics from a Windows device now includes data in a log file.

Log file:

  • %temp%\CloudDesktop*.log

Anomaly detection device cohorts in Intune Endpoint analytics is generally available

Anomaly detection device cohorts in Intune Endpoint analytics is now generally available.

Device cohorts are identified in devices associated with a high or medium severity anomaly. Devices are correlated into groups based on one or more factors they have in common like an app version, driver update, OS version, device model. A correlation group will contain a detailed view with key information about the common factors between all affected devices in that group. You can also view a breakdown of devices currently affected by the anomaly and 'at risk' devices. "At risk" devices haven't yet shown symptoms of the anomaly.

For more information, see Anomaly detection in Endpoint analytics.

Improved user experience for device timeline in Endpoint Analytics

The user interface (UI) for device timeline in Endpoint analytics is improved and includes more advanced capabilities (support for sorting, searching, filtering, and exports). When viewing a specific device timeline in Endpoint analytics, you can search by event name or details. You can also filter the events and choose the source and level of events that appear on the device timeline and select a time range of interest.

For more information, see Enhanced device timeline.

Updates for compliance policies and reports

We've made several improvements to the Intune compliance policies and reports. With these changes, the reports more closely align to the experience in use for device configuration profiles and reports. We've updated our compliance report documentation to reflect the available compliance report improvements.

Compliance report improvements include:

  • Compliance details for Linux devices.
  • Redesigned reports that are up-to-date and simplified, with newer report versions beginning to replace older report versions, which will remain available for some time.
  • When viewing a policy for compliance, there isn't a left-pane navigation. Instead, the policy view opens to a single pane that defaults to the Monitor tab and its Device status view.
    • This view provides a high-level overview of device status for this policy, supports drilling in to review the full report, and a per-setting status view of the same policy.
    • The doughnut chart is replaced by a streamlined representation and count of the different device status values returned by devices assigned the policy.
    • You can select the Properties tab to view the policy details, and review and edit its configuration and assignments.
    • The Essentials section is removed with those details appearing in the policy's Properties tab.
  • The updated status reports support sorting by columns, the use of filters, and search. Combined, these enhancements enable you to pivot the report to display specific subsets of details you want to view at that time. With these enhancements, we have removed the User status report as it has become redundant. Now, while viewing the default Device status report you can focus the report to display the same information that was available from User status by sorting on the User Principal Name column, or searching for a specific username in the search box.
  • When viewing status reports, the count of devices that Intune displays now remains consistent between different report views as you drill in for deeper insights or details.

For more information about these changes, see the Intune Support Team blog at https://aka.ms/Intune/device_compl_report.

Week of August 14, 2023

App management

Use the Turn off the Store application setting to disable end user access to Store apps, and allow managed Intune Store apps

In Intune, you can use the new Store app type to deploy Store apps to your devices.

Now, you can use the Turn off the Store application policy to disable end users' direct access to Store apps. When it's disabled, end users can still access and install Store apps from the Windows Company Portal app and through Intune app management. If you want to allow random store app installs outside of Intune, then don't configure this policy.

The previous Only display the private store within the Microsoft Store app policy doesn't prevent end users from directly accessing the store using the Windows Package Manager winget APIs. So, if your goal is to block random unmanaged Store application installs on client devices, then it's recommended to use the Turn off the Store application policy. Don't use the Only display the private store within the Microsoft Store app policy . Applies to:

  • Windows 10 and later

For more information, see Add Microsoft Store Apps to Microsoft Intune.

Week of August 7, 2023

Role-based access control

Introducing a new role-based access control (RBAC) permission under the resource Android for work

Introducing a new RBAC Permission for creating a custom role in Intune, under the resource Android for work. The permission Update Enrollment Profile allows the admin to manage or change both AOSP and Android Enterprise Device Owner enrollment profiles that are used to enroll devices.

For more information, see Create custom role.

Week of July 31, 2023

Device security

New BitLocker profile for Intune's endpoint security Disk encryption policy

We have released a new experience creating new BitLocker profiles for endpoint security Disk Encryption policy. The experience for editing your previously created BitLocker policy remains the same, and you can continue to use them. This update applies only for the new BitLocker policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security policies, which began in April 2022.

App management

Uninstall Win32 and Microsoft store apps using the Windows Company Portal

End-users can uninstall Win32 apps and Microsoft store apps using the Windows Company Portal if the apps were assigned as available and were installed on-demand by the end-users. For Win32 apps, you have the option to enable or disable this feature (off by default). For Microsoft store apps, this feature is always on and available for your end-users. If an app can be uninstalled by the end-user, the end-user will be able to select Uninstall for the app in the Windows Company Portal. For related information, see Add apps to Microsoft Intune.

Week of July 24, 2023 (Service release 2307)

App management

Intune supports new Google Play Android Management API

Changes have been made to how Managed Google Play public apps are managed in Intune. These changes are to support Google's Android Management APIs (opens Google's web site).

Applies to:

  • Android Enterprise

To learn more about changes to the admin and user experience, see Support Tip: Intune moving to support new Google Play Android Management API.

App report for Android Enterprise corporate-owned devices

You can now view a report containing all apps found on a device for Android Enterprise corporate-owned scenarios, including system apps. This report is available in Microsoft Intune admin center by selecting Apps > Monitor > Discovered apps. You'll see Application Name and Version for all apps detected as installed on the device. It can take up to 24 hours for app information to populate the report.

For related information, see Intune discovered apps.

Add unmanaged PKG-type applications to managed macOS devices [Public Preview]

You can now upload and deploy unmanaged PKG-type applications to managed macOS devices using the Intune MDM agent for macOS devices. This feature enables you to deploy custom PKG installers, such as unsigned apps and component packages. You can add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS app (PKG) for app type.

Applies to:

  • macOS

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To deploy managed PKG-type app, you can continue to add macOS line-of-business (LOB) apps to Microsoft Intune. For more information about the Intune MDM agent for macOS devices, see Microsoft Intune management agent for macOS.

New settings available for the iOS/iPadOS web clip app type

In Intune, you can pin web apps to your iOS/iPadOS devices (Apps > iOS/iPadOS > Add > iOS/iPadOS web clip). When you add web clips, there are new settings available:

  • Full screen: If configured to Yes, launches the web clip as a full-screen web app without a browser. There isn't a URL nor search bar, and no bookmarks.
  • Ignore manifest scope: If configured to Yes, a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip's URL. This setting has no effect when Full screen is set to No. Available in iOS 14 and later.
  • Precomposed: If configured to Yes, prevents Apple's application launcher (SpringBoard) from adding "shine" to the icon.
  • Target application bundle identifier: Enter the application bundle identifier that specifies the application that opens the URL. Available in iOS 14 and later.

Applies to:

  • iOS/iPadOS

For more information, see Add web apps to Microsoft Intune.

Change to default settings when adding Windows PowerShell scripts

In Intune, you can use policies to deploy Windows PowerShell scripts to your Windows devices (Devices > Scripts > Add > Windows 10 and later). When you add a Windows PowerShell script, there are settings you configure. To increase secure-by-default behavior of Intune, the default behavior of the following settings has changed:

  • The Run this script using the logged on credentials setting defaults to Yes. Previously, the default was No.
  • The Enforce script signature check setting defaults to Yes. Previously, the default was No.

This behavior applies to new scripts you add, not existing scripts.

Applies to:

  • Windows 10 and later (excluding Windows 10 Home)

For more information about using Windows PowerShell scripts in Intune, see Use PowerShell scripts on Windows 10/11 devices in Intune.

Device configuration

Added Support for Scope tags

You can now add scope tags when creating deployments using Zebra LifeGuard Over-the-Air integration (in public preview).

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

Microsoft AutoUpdate (MAU):

  • Current Channel (Monthly)

Microsoft Defender > User interface preferences:

  • Control sign-in to consumer version

Microsoft Office > Microsoft Outlook:

  • Disable Do not send response

User Experience > Dock:

  • MCX Dock Special Folders

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Compliance Retrieval service support for MAC address endpoints

We've now added MAC address support to the Compliance Retrieval service.

The initial release of the CR service included support for using only the Intune device ID with the intent to eliminate the need to manage internal identifiers like serial numbers and MAC addresses. With this update, organizations that prefer to use MAC addresses over certificate authentication can continue to do so while implementing the CR service.

While this update adds MAC address support to the CR service, our recommendation is to use certificate-based authentication with the Intune device ID included in the certificate.

For information about the CR service as a replacement for the Intune Network Access Control (NAC) service, see the Intune blog at https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696.

Settings insight within Intune security baselines is generally available

Announcing the general availability of Settings insight in Microsoft Intune.

The Settings insight feature adds insight to settings giving you confidence in configurations that have been successfully adopted by similar organizations. Settings insight is currently available for security baselines.

Navigate to Endpoint security > Security baselines. While creating and editing a workflow, these insights are available for all settings with light bulbs.

Device security

Tamper protection support for Windows on Azure Virtual Desktop

Intune now supports use of endpoint security Antivirus policy to manage Tamper protection for Windows on Azure Virtual Desktop multi-session devices. Support for Tamper protection requires devices to onboard to Microsoft Defender for Endpoint before the policy that enables Tamper protection is applied.

EpmTools PowerShell module for Endpoint Privilege Management

The EpmTools PowerShell module is now available for use with Intune Endpoint Privilege Management (EPM). EpmTools includes the cmdlets like Get-FileAttributes that you can use to retrieve file details to help build accurate elevation rules, and other cmdlets you can use to troubleshoot or diagnose EPM policy deployments.

For more information, see EpmTools PowerShell module.

Endpoint Privilege Management support to manage elevation rules for child processes

With Intune Endpoint Privilege Management (EPM) you can manage which files and processes are allowed to Run as Administrator on your Windows devices. Now, EPM elevation rules support a new setting, Child process behavior.

With Child process behavior, your rules can manage the elevation context for any child processes created by the managed process. Options include:

  • Allowing all child processes created by the managed process to always run as elevated.
  • Allow a child process to run as elevated only when it matches the rule that manages its parent process.
  • Deny all child processes from running in an elevated context, in which case they run as standard users.

Endpoint Privilege Management is available as an Intune add-on. For more information, see Use Intune Suite add-on capabilities.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Dooray! for Intune

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Setting compliance and Policy compliance are in public preview

We've released two new reports as a public preview for Intune device compliance. You can find these new preview reports in the Intune admin center at Reports > Device compliance > Reports tab:

Both reports are new instances of existing reports, and deliver improvements over the older versions, including:

  • Details for Linux settings and devices
  • Support for sorting, searching, filtering, exports, and paging views
  • Drill-down reports for deeper details, which are filtered based on the column you select.
  • Devices are represented a single time. This behavior is in contrast to the original reports, which could count a device more than once if multiple users used that device.

Eventually, the older report versions that are still available in the admin center at Devices > Monitor will be retired.

Week of July 10, 2023

App management

Updates to app configuration policy reporting

As part of our continuing efforts to improve the Intune reporting infrastructure, there have been several user interface (UI) changes for app configuration policy reporting. The UI has been updated with the following changes:

  • There isn't a User status tile or a Not applicable device tile on the Overview section of the App configuration policies workload.
  • There isn't a User install status report on the Monitor section of the App configuration policies workload.
  • The Device install status report under the Monitor section of the App configuration policies workload no longer shows the Pending state in the Status column.

You can configure policy reporting in Microsoft Intune admin center by selecting Apps > App configuration policies.

Week of July 3, 2023

Device management

Intune support for Zebra devices on Android 13

Zebra will be releasing support for Android 13 on their devices. You can read more at Migrating to Android 13 (opens Zebra's web site).

  • Temporary issues on Android 13

    The Intune team thoroughly tested Android 13 on Zebra devices. Everything continues working as normal, except for the following two temporary issues for device administrator (DA) devices.

    For Zebra devices running Android 13 and enrolled with DA management:

    1. App installations don't happen silently. Instead, users get a notification from the Company Portal app (if they allow notifications) that asks for permission to allow the app installation. If a user doesn't accept the app installation when prompted, then the app doesn't install. Users will have a persistent notification in the notification drawer until they allow the installation.

    2. New MX profiles don't apply to Android 13 devices. Newly enrolled Android 13 devices don't receive configuration from MX profiles. MX profiles that previously applied to enrolled devices continue to apply.

    In an update coming later in July, these issues will be resolved and the behavior will return to how it was before.

  • Update devices to Android 13

    You'll soon be able to use Intune's Zebra LifeGuard Over-the-Air integration to update Android Enterprise dedicated and fully managed devices to Android 13. For more information, see Zebra LifeGuard Over-the-Air Integration with Microsoft Intune.

    Before you migrate to Android 13, review Migrating to Android 13 (opens Zebra's web site).

  • OEMConfig for Zebra devices on Android 13

    OEMConfig for Zebra devices on Android 13 requires using Zebra's new Zebra OEMConfig Powered by MX OEMConfig app (opens the Google Play store). This new app can also be used on Zebra devices running Android 11, but not earlier versions.

    For more information on this app, go to the New Zebra OEMConfig app for Android 11 and later blog post.

    The Legacy Zebra OEMConfig app (opens the Google Play store) can only be used on Zebra devices running Android 11 and earlier.

For more general information about Intune Android 13 support, go to the Day Zero support for Android 13 with Microsoft Intune blog post.

Device security

Defender for Endpoint security settings management enhancements and support for Linux and macOS in public preview

With Defender for Endpoint security settings management, you can use Intune's endpoint security policies to manage Defender security settings on devices that onboard to Defender for Endpoint but aren't enrolled with Intune.

Now, you can opt in to a public preview from within the Microsoft Defender portal to gain access to several enhancements for this scenario:

  • Intune's endpoint security policies become visible in and can be managed from within the Microsoft Defender portal. This enables security admins to remain in the Defender portal to manage Defender and the Intune endpoint security policies for Defender security settings management.

  • Security settings management supports deploying Intune endpoint security Antivirus policies to devices that run Linux and macOS.

  • For Windows devices, the Windows Security Experience profile is now supported with security settings management.

  • A new onboarding workflow removes the Microsoft Entra hybrid join prerequisite. Microsoft Entra hybrid join requirements prevented many Windows devices from successfully onboarding to Defender for Endpoint security settings management. With this change, those devices can now complete enrollment and start processing policies for security settings management.

  • Intune creates a synthetic registration in Microsoft Entra ID for devices that can't fully register with Microsoft Entra ID. Synthetic registrations are device objects created in Microsoft Entra ID that enable devices to receive and report back on Intune policies for security settings management. In addition, should a device with a synthetic registration become fully registered, the synthetic registration is removed from Microsoft Entra ID in deference to the full registration.

If you don't opt in to the Defender for Endpoint Public Preview, the previous behaviors remain in place. In this case, while you can view the Antivirus profiles for Linux, you can't deploy it as its supported only for devices managed by Defender. Similarly, the macOS profile that's currently available for devices enrolled with Intune can't be deployed to devices managed by Defender.

Applies to:

  • Linux
  • macOS
  • Windows

Week of June 26, 2023

Device configuration

Android (AOSP) supports assignment filters

Android (AOSP) supports assignment filters. When you create a filter for Android (AOSP), you can use the following properties:

  • DeviceName
  • Manufacturer
  • Model
  • DeviceCategory
  • oSVersion
  • IsRooted
  • DeviceOwnership
  • EnrollmentProfileName

For more information on filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Applies to:

  • Android

On-demand remediation for a Windows device

A new device action that is in public preview allows you to run a remediation on-demand on a single Windows device. The Run remediation device action allows you to resolve issues without having to wait for a remediation to run on its assigned schedule. You'll also be able to view the status of remediations under Remediations in the Monitor section of a device.

The Run remediation device action is rolling-out and can take a few weeks to reach all customers.

For more information, see Remediations.

Device management

Windows Driver update management in Intune is generally available

Announcing the general availability of Windows Driver update management in Microsoft Intune. With driver update policies, you can view a list of driver updates that are recommended and applicable to your Windows 10 and Windows 11 device that are assigned to the policy. Applicable driver updates are those that can update a device's driver version. Driver update policies update automatically to add new updates as they're published by the driver manufacturer and remove older drivers that no longer apply to any device with the policy.

Update policies can be configured for one of two approval methods:

  • With Automatic approval, each new recommended driver that's published by the driver manufacturer and added to the policy is automatically approved for deployment to applicable devices. Policies set for automatic approvals can be configured with a deferral period before the automatically approved updates are installed on devices. This deferral gives you time to review the driver and to pause its deployment if necessary.

  • With manual approval, all new driver updates are automatically added to the policy, but an admin must explicitly approve each update before Windows Update deploys it to a device. When you manually approve an update, you choose the date when Windows Update will begin to deploy it to your devices.

To help you manage driver updates, you review a policy and decline an update you don't want to install. You can also indefinitely pause any approved update, and reapprove a paused update to restart its deployment.

This release also includes driver update reports that provide a success summary, per-device update status for each approved driver, and error and troubleshooting information. You can also select an individual driver update and view details about it across all the policies that include that driver version.

To learn about using Windows Driver update policies, see Manage policy for Windows Driver updates with Microsoft Intune.

Applies to:

  • Windows 10
  • Windows 11

Week of June 19, 2023 (Service release 2306)

App management

MAM for Microsoft Edge for Business [Preview]

You can now enable protected MAM access to org data via Microsoft Edge on personal Windows devices. This capability uses the following functionality:

  • Intune Application Configuration Policies (ACP) to customize the org user experience in Microsoft Edge
  • Intune Application Protection Policies (APP) to secure org data and ensure the client device is healthy when using Microsoft Edge
  • Windows Defender client threat defense integrated with Intune APP to detect local health threats on personal Windows devices
  • Application Protection Conditional Access to ensure the device is protected and healthy before granting protected service access via Microsoft Entra ID

For more information, see Preview: App protection policy settings for Windows.

To participate in the public preview, complete the opt-in form.

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Networking > Network Usage Rules:

  • SIM Rules
macOS

Authentication > Extensible Single Sign On (SSO):

  • Authentication Method
  • Denied Bundle Identifiers
  • Registration Token

Full Disk Encryption > FileVault:

  • Output path
  • Username
  • Password
  • UseKeyChain

Device Firmware Configuration Interface (DFCI) supports Asus devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.

Some Asus devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, see:

Applies to:

  • Windows 10
  • Windows 11

Saaswedo Datalert telecom expense management is removed in Intune

In Intune, you could manage telecom expenses using Saaswedo's Datalert telecom expense management. This feature is removed from Intune. This removal includes:

  • The Telecom Expense Management connector

  • Telecom expenses RBAC category

    • Read permission
    • Update permission

For more information from Saaswedo, see The datalert service is unavailable (opens Saaswedo's web site).

Applies to:

  • Android
  • iOS/iPadOS

Settings insight within Intune security baseline

The Settings insight feature adds insights to security baselines giving you confidence in configurations that are successfully adopted by similar organizations.

Navigate to Endpoint security > Security baselines. When you create and edit the workflow, these insights are available for you in the form of a light bulb.

Device management

New endpoint security Application Control policy in preview

As a public preview, you can use a new endpoint security policy category, Application Control. Endpoint security Application Control policy includes:

  • Policy to set the Intune Management Extension as a tenant-wide managed installer. When enabled as a managed installer, apps you deploy through Intune (after enablement of Managed Installer) to Windows devices are tagged as installed by Intune. This tag becomes useful when you use Application Control policies to manage which apps you want to allow or block from running on your managed devices.

  • Application Control policies that are an implementation of Defender Application Control (WDAC). With Endpoint security Application Control policies, it's easy to configure policy that allows trusted apps to run on your managed devices. Trusted apps are installed by a managed installer or from the App store. In addition to built-in trust settings, these policies also support custom XML for application control so you can allow other apps from other sources to run to meet your organizations requirements.

To get started with using this new policy type, see Manage approved apps for Windows devices with Application Control policy and Managed Installers for Microsoft Intune

Applies to:

  • Windows 10
  • Windows 11

Endpoint analytics is available to tenants in Government cloud

With this release, Endpoint analytics is available to tenants in Government cloud.

Learn more about Endpoint analytics.

Introducing in-session connection mode switch in Remote Help

In Remote Help, you can now take advantage of the in-session connection mode switch feature. This feature can help effortlessly transition between full control and view-only modes, granting flexibility and convenience.

For more information on Remote Help, see Remote Help.

Applies to:

  • Windows 10/11

Device security

Update to Endpoint Privilege Management reports

Intune's Endpoint Privilege Management (EPM) reports now support exporting the full reporting payload to a CSV file. With this change, you can now export all events from an elevation report in Intune.

Endpoint Privilege Managements run with elevated access option now available on the top-level menu for Windows 11

The Endpoint Privilege Management option to Run with elevated access is now available as a top-level right-click option on Windows 11 devices. Previous to this change, standard users were required to select Show more options to view the Run with elevated access prompt on Windows 11 devices.

Endpoint Privilege Management is available as an Intune add-on. For more information, see Use Intune Suite add-on capabilities.

Applies to:

  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Idenprotect Go by Apply Mobile Ltd (Android)
  • LiquidText by LiquidText, Inc. (iOS)
  • MyQ Roger: OCR scanner PDF by MyQ spol. s r.o.
  • CiiMS GO by Online Intelligence (Pty) Ltd
  • Vbrick Mobile by Vbrick Systems

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Microsoft Intune troubleshooting pane is now generally available

The Intune troubleshooting pane is now generally available. It provides details about user's devices, policies, applications, and status. The troubleshooting pane includes the following information:

  • A summary of policy, compliance, and application deployment status.
  • Support for exporting, filtering, and sorting all reports.
  • Support to filter by excluding policies and applications.
  • Support to filter to a user's single device.
  • Details about available device diagnostics and disabled devices.
  • Details about offline devices that haven't checked-in to the service for three or more days.

You can find the troubleshooting pane in Microsoft Intune admin center by selecting Troubleshooting + support > Troubleshoot.

Updated troubleshoot + support pane in Intune

The Troubleshooting + support pane in the Intune admin center has been updated by consolidating the Roles and Scopes report into a single report. This report now includes all relevant role and scope data from both Intune and Microsoft Entra ID, providing a more streamlined and efficient experience. For related information, see Use the troubleshooting dashboard to help users at your company.

Download mobile app diagnostics

Now generally available, access user-submitted mobile app diagnostics in the Intune admin center, including app logs sent through Company Portal apps, which include Windows, iOS, Android, Android AOSP, and macOS. In addition, you can retrieve app protection logs via Microsoft Edge. For more information, see Company Portal app logs and Use Microsoft Edge for iOS and Android to access managed app logs.

Week of June 12, 2023

Device management

New Devices from HTC and Pico supported on Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) now supports the following devices:

  • HTC Vive XR Elite
  • Pico Neo 3 Pro
  • Pico 4

For more information, see:

Applies to:

  • Android (AOSP)

App management

Microsoft Store for Business or Microsoft Store for Education

Apps added from the Microsoft Store for Business or Microsoft Store for Education won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps already deployed are unaffected. Use the new Microsoft Store app to deploy Microsoft Store apps to devices or users. For related information, see Plan for Change: Ending support for Microsoft Store for Business and Education apps for upcoming dates when Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business apps will be removed.

For more information, see the following resources:

Week of June 5, 2023

Device configuration

Android Enterprise 11+ devices can use Zebra's latest OEMConfig app version

On Android Enterprise devices, you can use OEMConfig to add, create, and customize OEM-specific settings in Microsoft Intune (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > OEMConfig).

There's a new Zebra OEMConfig Powered by MX OEMConfig app that aligns more closely to Google's standards. This app supports Android Enterprise 11.0 and newer devices.

The older Legacy Zebra OEMConfig app continues to support devices with Android 11 and earlier.

In your Managed Google Play, there are two versions of Zebra OEMConfig app. Be sure to select the correct app that applies to your Android device versions.

For more information on OEMConfig and Intune, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise 11.0 and newer

Week of May 29, 2023

Device management

Intune UI displays Windows Server devices as distinct from Windows clients for the Security Management for Microsoft Defender for Endpoint scenario

To support the Security Management for Microsoft Defender for Endpoint (MDE security configuration) scenario, Intune now differentiates Windows devices in Microsoft Entra ID as either Windows Server for devices that run Windows Server, or as Windows for devices that run Windows 10 or Windows 11.

With this change, you can improve policy targeting for MDE security configuration. For example, you can use dynamic groups that consist of only Windows Server devices, or only Windows client devices (Windows 10/11).

For more information about this change, see the Intune Customer Success blog Windows Server devices now recognized as a new OS in Microsoft Intune, Microsoft Entra ID, and Defender for Endpoint .

Tenant administration

Organizational messages for Windows 11 now generally available

Use organizational messages to deliver branded, personalized call-to-actions to employees. Select from more than 25 messages that support employees through device onboarding and lifecycle management, in 15 different languages. Messages can be assigned to Microsoft Entra user groups. They're shown just above the taskbar, in the notifications area, or in the Get started app on devices running Windows 11. Messages continue to appear or reappear based on the frequency you configure in Intune, and until the user has visited the customized URL.

Other features and functionality added in this release include:

  • Confirm licensing requirements prior to first message.
  • Choose from eight new themes for taskbar messages.
  • Give messages a custom name.
  • Add scope groups and scope tags.
  • Edit the details of a scheduled message.

Scope tags were previously unavailable for organizational messages. With the addition of scope tag support, Intune adds the default scope tag to every message created before June 2023. Admins that want access to those messages must be associated with a role that has the same tag. For more information about available features and how to set up organizational messages, see Overview of organizational messages.

Week of May 22, 2023 (Service release 2305)

App management

Update to macOS shell scripts maximum running time limit

Based on customer feedback, we're updating the Intune agent for macOS (version 2305.019) to extend the maximum script run time to 60 minutes. Previously, the Intune agent for macOS only allowed shell scripts to run for up to 15 minutes before reporting the script as a failure. The Intune agent for macOS 2206.014 and higher supports the 60-minute timeout.

Assignment filters support app protection policies and app configuration policies

Assignment filters support MAM app protection policies and app configuration policies. When you create a new filter, you can fine tune MAM policy targeting using the following properties:

  • Device Management Type
  • Device Manufacturer
  • Device Model
  • OS Version
  • Application Version
  • MAM Client Version

Important

All new and edited app protection policies that use Device Type targeting are replaced with assignment filters.

For more information on filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Update to MAM reporting in Intune

MAM reporting has been simplified and overhauled, and now uses Intune's newest reporting infrastructure. Benefits of this include improved data accuracy and instantaneous updating. You can find these streamlined MAM reports in the Microsoft Intune admin center by selecting Apps > Monitor. All MAM data available to you is contained within the new App protection status report and App configuration status report.

Global quiet time app policy settings

The global quiet time settings allow you to create policies to schedule quiet time for your end users. These settings automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms. These policies can be used to limit end user notifications received after work hours. For more information, see Quiet time notification policies.

Device configuration

Introducing enhanced chat in Remote Help

Introducing enhanced chat with Remote Help. With the new and enhanced chat you can maintain a continuous thread of all messages. This chat provides support for special characters and other languages including Chinese and Arabic.

For more information on Remote Help, see Remote Help.

Applies to:

  • Windows 10/11

Remote Help administrators can reference audit log sessions

For Remote Help, in addition to existing session reports, administrators can now reference audit logs sessions created in Intune. This feature enables administrators to reference past events for troubleshooting and analyzing log activities.

For more information on Remote Help, see Remote Help.

Applies to:

  • Windows 10
  • Windows 11

Turn on/off Personal data encryption on Windows 11 devices using the settings catalog

The settings catalog includes hundreds of settings that you can configure and deploy to your devices.

In the settings catalog, you can turn on/off Personal data encryption (PDE). PDE is a security feature introduced in Windows 11 version 22H2 that provides more encryption features for Windows.

PDE is different than BitLocker. PDE encrypts individual files and content, instead of whole volumes and disks. You can use PDE with other encryption methods, such as BitLocker.

For more information on the settings catalog, see:

This feature applies to:

  • Windows 11

Visual Studio ADMX settings are in the Settings Catalog and Administrative Templates

Visual Studio settings are included in the Settings Catalog and Administrative Templates (ADMX). Previously, to configure Visual Studio settings on Windows devices, you imported them with ADMX import.

For more information on these policy types, see:

Applies to:

  • Windows 10
  • Windows 11

Group policy analytics supports scope tags

In Group Policy analytics, you import your on-premises GPO. The tool analyzes your GPOs and shows the settings that can (and can't) be used in Intune.

When you import your GPO XML file in Intune, you can select an existing scope tag. If you don't select a scope tag, then the Default scope tag is automatically selected. Previously, when you imported a GPO, the scope tags assigned to you were automatically applied to the GPO.

Only admins within that scope tag can see the imported policies. Admins not in that scope tag can't see the imported policies.

Also, admins within their scope tag can migrate the imported policies that they have permissions to see. To migrate an imported GPO into a Settings Catalog policy, a scope tag must be associated with the imported GPO. If a scope tag isn't associated, then it can't migrate to a Settings Catalog policy. If no scope tag is selected, then a default scope tag is automatically applied.

For more information on scope tags and Group Policy analytics, see:

Introducing Intune integration with the Zebra Lifeguard Over-the-Air service (public preview)

Now available in public preview, Microsoft Intune supports integration with Zebra Lifeguard Over-the-Air service, which allows you to deliver OS updates and security patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can select the firmware version you want to deploy, set a schedule, and stagger update downloads and installs. You can also set minimum battery, charging status, and network conditions requirements for when the update can happen.

Available for Android Enterprise Dedicated and Fully Managed Zebra devices that are running Android 8 or later, and requires an account with Zebra.

New Google domain allowlist settings for Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure settings that restrict device features and settings.

Currently, there's an Add and remove accounts setting that can allow Google accounts be added to the work profile. For this setting, when you select Allow all accounts types, you can also configure:

  • Google domain allow-list: Restricts users to add only certain Google account domains in the work profile. You can import a list of allowed domains or add them in the admin center using the contoso.com format. When left blank, by default, the OS might allow adding all Google domains in the work profile.

For more information on the settings you can configure, see Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Renaming Proactive remediation to Remediations and moving to a new location

Proactive remediations are now Remediations and are available from Devices > Remediations. You can still find Remediations in both the new location and the existing Reports > Endpoint Analytics location until the next Intune service update.

Remediations are currently not available in the new Devices experience preview.

Applies to:

  • Windows 10
  • Windows 11

Remediations are now available in Intune for US Government GCC High and DoD

Remediations (previously known as proactive remediations) are now available in Microsoft Intune for US Government GCC High and DoD.

Applies to:

  • Windows 10
  • Windows 11

Create inbound and outbound network traffic rules for VPN profiles on Windows devices

Note

This setting is coming in a future release, possibly the 2308 Intune release.

You can create a device configuration profile that deploys a VPN connection to devices (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > VPN for profile type).

In this VPN connection, you can use the Apps and Traffic rules settings to create network traffic rules.

There's a new Direction setting you can configure. Use this setting to allow Inbound and Outbound traffic from the VPN connection:

  • Outbound (default): Allows only traffic to external networks/destinations to flow using the VPN. Inbound traffic is blocked from entering the VPN.
  • Inbound: Allows only traffic coming from external networks/ sources to flow using the VPN. Outbound traffic is blocked from entering the VPN.

For more information on the VPN settings you can configure, including the network traffic rule settings, see Windows device settings to add VPN connections using Intune.

Applies to:

  • Windows 10 and later

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

Microsoft Defender > Antivirus engine:

  • Scanning inside archive files
  • Enable file hash computation

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Wipe device action and new obliteration behavior setting available for macOS

You can now use the Wipe device action instead of Erase for macOS devices. You can also configure the Obliteration Behavior setting as part of the Wipe action.

This new key allows you to control the wipe fallback behavior on Macs that have Apple Silicon or the T2 Security Chip. To find this setting, navigate to Devices > By platform > macOS > [Select a device] > Overview > Wipe in the Device action area.

For more information on the Obliteration Behavior setting, go to Apple's Platform Deployment site Erase Apple devices - Apple Support.

Applies to:

  • macOS

Device enrollment

Account driven Apple User Enrollment available for iOS/iPadOS 15+ devices (public preview)

Intune supports account driven user enrollment, a new and improved variation of Apple User Enrollment for iOS/iPadOS 15+ devices. Now available for public preview, the new option utilizes just-in-time registration, which eliminates the need for the Company Portal app during enrollment. Device users can initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience. You can continue to target iOS/iPadOS devices using the existing profile-based user enrollment method that uses Company Portal. Devices running iOS/iPadOS, version 14.8.1 and earlier remain unaffected by this update and can continue to use the existing method. For more information, see Set up account driven Apple User Enrollment.

Device security

New security baseline for Microsoft 365 Office Apps

We've released a new security baseline to help you manage security configurations for M365 Office Apps. This new baseline uses an updated template and experience that uses the unified settings platform seen in the Intune settings catalog. You can view the list of settings in the new baseline at Microsoft 365 Apps for Enterprise baseline settings (Office).

The new Intune security baseline format aligns the presentation of settings that are available to the settings found in the Intune settings catalog. This alignment helps resolve past issues for setting names and implementations for settings that could create conflicts. The new format also improves the reporting experience for baselines in the Intune admin center.

The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to your Office Apps that meet the security recommendations of the Office and security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations. You can modify the default baseline to meet the requirements of your organization.

To learn more, see Security baselines overview.

Applies to:

  • Windows 10
  • Windows 11

Security baseline update for Microsoft Edge version 112

We've released a new version of the Intune security baseline for Microsoft Edge, version 112. In addition to releasing this new version for Microsoft Edge, the new baseline uses an updated template experience that uses the unified settings platform seen in the Intune settings catalog. You can view the list of settings in the new baseline at Microsoft Edge baseline settings (version 112 and higher).

The new Intune security baseline format aligns the presentation of settings that are available to the settings found in the Intune settings catalog. This alignment helps resolve past issues for setting names and implementations for settings that could create conflicts. The new format also improves the reporting experience for baselines in the Intune admin center.

Now that the new baseline version is available, all new profiles you create for Microsoft Edge use the new baseline format and version. While the new version becomes the default baseline version, you can continue to use the profiles you've previously created for older versions of Microsoft Edge. But, you can't create new profiles for those older versions of Microsoft Edge.

To learn more, see Security baselines overview.

Applies to:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Achievers by Achievers Inc.
  • Board.Vision for iPad by Trusted Services PTE. LTD.
  • Global Relay by Global Relay Communications Inc.
  • Incorta (BestBuy) by Incorta, Inc. (iOS)
  • Island Enterprise Browser by Island (iOS)
  • Klaxoon for Intune by Klaxoon (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of May 8, 2023

Device configuration

Device Firmware Configuration Interface (DFCI) supports Dynabook devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.

Some Dynabook devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, see:

Applies to:

  • Windows 10
  • Windows 11

eSIM bulk activation for Windows PCs via download server is now available on the Settings Catalog

You can now perform at-scale configuration of Windows eSIM PCs using the Settings Catalog. A download server (SM-DP+) is configured using a configuration profile.

Once the devices receive the configuration, they automatically download the eSIM profile. For more information, see eSIM configuration of a download server.

Applies to:

  • Windows 11
  • eSIM capable devices

Week of May 1, 2023

App management

macOS shell scripts maximum running time limit

We have fixed an issue that caused Intune tenants with long-running shell scripts to not report back on the script run status. The macOS Intune agent stops any macOS shell scripts that run longer than 15 minutes. These scripts report as failed. The new behavior is enforced from macOS Intune agent version 2305.019.

DMG app installation for macOS

The DMG app installation feature for macOS is now generally available. Intune supports required and uninstall assignment types for DMG apps. The Intune agent for macOS is used to deploy DMG apps.

Deprecation of Microsoft Store for Business and Education

The Microsoft Store for Business connector is no longer available in the Microsoft Intune admin center. Apps added from the Microsoft Store for Business or Microsoft Store for Education won't sync with Intune. Apps that have previously synced continue to be available and deploy to devices and users.

It's now also possible to delete Microsoft Store for Business apps from the Apps pane in the Microsoft Intune admin center so that you can clean up your environment as you move to the new Microsoft Store app type.

For related information, see Plan for Change: Ending support for Microsoft Store for Business and Education apps for upcoming dates when Microsoft Store for Business apps won't deploy and Microsoft Store for Business apps are removed.

Device configuration

Remote Help now supports Conditional Access capability

Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For example, multifactor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses.

For more information, see:

Device security

Updated settings for Microsoft Defender in endpoint security Antivirus policy

We've updated the available settings in the Microsoft Defender Antivirus profile for endpoint security Antivirus policy. You can find this profile in the Intune admin center at Endpoint security > Antivirus > Platform: Windows 10, Windows 11, and Windows Server > Profile: Microsoft Defender Antivirus.

  • The following settings have been added:

    • Metered Connection Updates
    • Disable Tls Parsing
    • Disable Http Parsing
    • Disable Dns Parsing
    • Disable Dns Over Tcp Parsing
    • Disable Ssh Parsing
    • Platform Updates Channel
    • Engine Updates Channel
    • Security Intelligence Updates Channel
    • Allow Network Protection Down Level
    • Allow Datagram Processing On Win Server
    • Enable Dns Sinkhole

    For more information about these settings, see the Defender CSP. The new settings are also available through the Intune Settings Catalog.

  • The following setting has been deprecated:

    • Allow Intrusion Prevention System

    This setting now appears with the Deprecated tag. If this deprecated setting was previously applied on a device, the setting value is updated to NotApplicable and has no effect on the device. If this setting is configured on a device, there's no effect on the device.

Applies to:

  • Windows 10
  • Windows 11

Week of April 17, 2023 (Service release 2304)

App management

Changes to iCloud app backup and restore behavior on iOS/iPadOS and macOS devices

As an app setting, you can select to Prevent iCloud app backup for iOS/iPadOS and macOS devices. You can not backup managed App Store apps and line-of-business (LOB) apps on iOS/iPadOS, as well as managed App Store apps on macOS devices (macOS LOB apps don't support this feature), for both user and device licensed VPP/non-VPP apps. This update includes both new and existing App Store/LOB apps sent with and without VPP that are being added to Intune and targeted to users and devices.

Preventing the backup of the specified managed apps ensures that these apps can be properly deployed via Intune when the device is enrolled and restored from backup. If the admin configures this new setting for new or existing apps in their tenant, then managed apps can and will be reinstalled for devices. But, Intune doesn't allow them to be backed up.

This new setting appears in Microsoft Intune admin center by modifying the properties of an app. For an existing app, you can select Apps > iOS/iPadOS or macOS > select the app > Properties > Assignment Edit. If no group assignment has been set, select Add group to add a group. Modify either the setting under VPN, Uninstall on device removal, or Install as removable. Then, select Prevent iCloud app backup. The Prevent iCloud app backup setting is used to prevent backup of app data for the application. Set to No to allow the app to be backed up by iCloud.

For more information, see Changes to applications' backup and restore behavior on iOS/iPadOS and macOS devices and Assign apps to groups with Microsoft Intune.

Prevent automatic updates for Apple VPP apps

You can control the automatic update behavior for Apple VPP at the per-app assignment level using the Prevent automatic updates setting. This setting is available in Microsoft Intune admin center by selecting Apps > iOS/iPadOS or macOS > Select a volume purchase program app > Properties > Assignments > Select a Microsoft Entra group > App settings.

Applies to:

  • iOS/iPadOS
  • macOS

Device configuration

Updates to the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

The new setting is located under:

Microsoft AutoUpdate (MAU) > [targeted app]:

  • Update channel override

The following settings have been deprecated:

Microsoft AutoUpdate (MAU) > [targeted app]:

  • Channel Name (Deprecated)

Privacy > Privacy Preferences Policy Control > Services > Listen Event or Screen Capture:

  • Allowed

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create a policy using settings catalog.

The Microsoft Enterprise SSO plug-in for Apple devices is now generally available

In Microsoft Intune, there's a Microsoft Enterprise SSO plug-in. This plug-in provides single sign-on (SSO) to iOS/iPadOS and macOS apps and websites that use Microsoft Entra ID for authentication.

This plug-in is now generally available (GA).

For more information about configuring the Microsoft Enterprise SSO plug-in for Apple devices in Intune, go to Microsoft Enterprise SSO plug-in in Microsoft Intune.

Applies to:

  • iOS/iPadOS
  • macOS

Disable Activation Lock device action for supervised macOS devices

You can now use the Disable Activation Lock device action in Intune to bypass Activation Lock on Mac devices without requiring the current username or password. This new action is available in Devices > By platform > macOS > select one of your listed devices > Disable Activation Lock.

More information on managing Activation Lock is available at Bypass iOS/iPadOS Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad, and iPod touch - Apple Support.

Applies to:

  • macOS 10.15 or later

ServiceNow Integration is now Generally Available (GA)

Now generally available, you can view a list of ServiceNow incidents associated with the user you've selected in the Intune Troubleshooting workspace. This new feature is available under Troubleshooting + Support > select a user > ServiceNow Incidents. The incidents shown have a direct link back to the source incident and show key information from the incident. All incidents listed link the "Caller" identified in the incident with the user selected for Troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your company.

More permissions to support administrators in controlling delivery of organization messages

With more permissions administrators can control delivery of content created and deployed from Organizational messages and the delivery of content from Microsoft to users.

The Update organizational message control RBAC permission for organizational messages determines who can change the Organizational Messages toggle to allow or block Microsoft direct messages. This permission is also added to the Organizational Messages Manager built-in role.

Existing custom roles for managing Organizational Messages must be modified to add this permission for users to modify this setting.

Device management

Endpoint security firewall rules support for ICMP type

You can now use the IcmpTypesAndCodes setting to configure inbound and outbound rules for Internet Control Message Protocol (ICMP) as part of a firewall rule. This setting is available in the Microsoft Defender Firewall rules profile for the Windows 10, Windows 11, and Windows Server platform.

Applies to:

  • Windows 11 and later

Manage Windows LAPS with Intune policies (public preview)

Now available in a public preview, manage Windows Local Administrator Password Solution (Windows LAPS) with Microsoft Intune Account protection policies. To get started, see Intune support for Windows LAPS.

Windows LAPS is a Windows feature that allows you to manage and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices.

To manage LAPS, Intune configures the Windows LAPS configuration service provider (CSP) that is built in to Windows devices. It takes precedence over other sources of Windows LAPS configurations, like GPOs or the Microsoft Legacy LAPS tool. Some of the capabilities you can use when Intune manages Windows LAPS include:

  • Define password requirements like complexity and length that apply to the local administrator accounts on a device.
  • Configure devices to rotate their local admin account passwords on a schedule. And, back up the account and password in your Microsoft Entra ID or on-premises Active Directory.
  • Use an Intune device action from the admin center to manually rotate the password for an account on your own schedule.
  • View account details from within the Intune admin center, like the account name and password. This information can help you recover devices that are otherwise inaccessible.
  • Use Intune reports to monitor your LAPS policies, and when devices last rotated passwords manually or by schedule.

Applies to:

  • Windows 10
  • Windows 11

New settings available for macOS software update policies

macOS software update policies now include the following settings to help manage when updates install on a device. These settings are available when the All other updates update type is configured to Install later:

  • Max User Deferrals: When the All other updates update type is configured to Install later, this setting allows you to specify the maximum number of times a user can postpone a minor OS update before it's installed. The system prompts the user once a day. Available for devices running macOS 12 and later.

  • Priority: When the All other updates update type is configured to Install later, this setting allows you to specify values of Low or High for the scheduling priority for downloading and preparing minor OS updates. Available for devices running macOS 12.3 and later.

For more information, see Use Microsoft Intune policies to manage macOS software updates.

Applies to:

  • macOS

Introducing the new partner portals page

You can now manage hardware specific information on your HP or Surface devices from our partner portals page.

The HP link takes you to HP Connect where you can update, configure, and secure the BIOS on your HP devices. The Microsoft Surface link takes you to the Surface Management Portal where you can get insights into device compliance, support activity, and warranty coverage.

To access the Partner portals page, you must enable the Devices pane preview and then navigate to Devices > Partner Portals.

Windows Update compatibility reports for Apps and Drivers are now generally available

The following Microsoft Intune reports for Windows Update compatibility are out of preview and now generally available:

  • Windows feature update device readiness report - This report provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows.

  • Windows feature update compatibility risks report - This report provides a summary view of the top compatibility risks across your organization for a chosen version of Windows. You can use this report to understand which compatibility risks impact the greatest number of devices in your organization.

These reports can help you plan an upgrade from Windows 10 to 11, or for installing the latest Windows feature update.

Device security

Microsoft Intune Endpoint Privilege Management is generally available

Microsoft Endpoint Privilege Management (EPM) is now generally available and no longer in preview.

With Endpoint Privilege Management, admins can set policies that allow standard users to perform tasks normally reserved for an administrator. To do so, you configure policies for automatic and user-confirmed workflows that elevate the run-time permissions for apps or processes you select. You then assign these policies to users or devices that have end users running without Administrator privileges. After the device receives a policy, EPM brokers the elevation on behalf of the user, allowing them to elevate approved applications without needing full administrator privileges. EPM also includes built-in insights and reporting.

Now that EPM is out of preview, it requires another license to use. You can choose between a stand-alone license that adds only EPM, or license EPM as part of the Microsoft Intune Suite. For more information, see Use Intune Suite add-on capabilities.

While Endpoint Privilege Management is now generally available, the reports for EPM will transition to a feature in preview, and will receive some more enhancements before being removed from preview.

Support for WDAC Application ID tagging with Intune Firewall Rules policy

Intune's Microsoft Defender Firewall Rules profiles, which are available as part of endpoint security Firewall policy, now include the Policy App ID setting. This setting is described in the MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId CSP and supports specifying a Windows Defender Application Control (WDAC) Application ID tag.

With this capability, you can scope your firewall rules to an application or a group of applications and rely on your WDAC policies to define those applications. By using tags to link to and rely on WDAC policies, your Firewall Rules policy won't need to rely on the firewall rules option of an absolute file path, or use of a variable file path that can reduce security of the rule.

Use of this capability requires you to have WDAC policies in place that include AppId tags that you can then specify in your Intune Microsoft Defender Firewall Rules.

For more information, see the following articles in the Windows Defender Application Control documentation:

Applies to:

  • Windows 10/11

New App and browser isolation profile for Intune's endpoint security Attack Surface Reduction policy

We have released a new experience creating new App and Browser Isolation profiles for endpoint security Attack Surface Reduction policy. The experience for editing your previously created App and Browser isolation policies remains the same, and you can continue to use them. This update applies only for the new App and Browser Isolation policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security policies, which began in April 2022.

Additionally, the new profile includes the following changes for the settings it includes:

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • ixArma by INAX-APPS (iOS)
  • myBLDNG by Bldng.ai (iOS)
  • RICOH Spaces V2 by Ricoh Digital Services
  • Firstup - Intune by Firstup, Inc. (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Role-based access control

New Assign (RBAC) permissions for organizational messages

The Assign RBAC permissions for organizational messages determines who can assign target Microsoft Entra groups to an organizational message. To access RBAC permissions, sign in to the Microsoft Intune admin center and go to Tenant administration > Roles.

This permission is also added to the Organizational Messages Manager built-in role. Existing custom roles for managing Organizational Messages must be modified to add this permission for users to modify this setting.

Tenant administration

Delete organizational messages

You can now delete organizational messages from Microsoft Intune. After you delete a message, it's removed from Intune, and no longer appears in the admin center. You can delete a message anytime, regardless of its status. Intune automatically cancels active messages after you delete them. For more information, see Delete organizational messages.

Review audit logs for organizational messages

Use audit logs to track and monitor organizational message events in Microsoft Intune. To access the logs, sign in to the Microsoft Intune admin center and go to Tenant administration > Audit logs. For more information, see Audit logs for Intune activities.

Week of April 10, 2023

Device configuration

User configuration support for Windows 10 multi-session VMs is now GA

You can now:

  • Configure user scope policies using Settings catalog and assign to groups of users.
  • Configure user certificates and assign to users.
  • Configure PowerShell scripts to install in the user context and assign to users.

Applies to:

Week of April 3, 2023

Device configuration

Add Google accounts to Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure settings that restrict device features and settings. Currently, there's an Add and remove accounts setting. This setting prevents accounts from being added in the work profile, including preventing Google accounts.

This setting changed. You can now add Google accounts. The Add and remove accounts setting options are:

  • Block all accounts types: Prevents users from manually adding or removing accounts in the work profile. For example, when you deploy the Gmail app into the work profile, you can prevent users from adding or removing accounts in this work profile.

  • Allow all accounts types: Allows all accounts, including Google accounts. These Google accounts are blocked from installing apps from the Managed Google Play Store.

    This setting requires:

    • Google Play app version 80970100 or higher
  • Allow all accounts types, except Google accounts (default): Intune doesn't change or update this setting. By default, the OS might allow adding accounts in the work profile.

For more information on the settings you can configure, go to Android Enterprise device settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Week of March 27, 2023

App management

Update macOS DMG apps

You can now update apps of type macOS apps (DMG) deployed using Intune. To edit a DMG app that's already created in Intune, upload the app update with the same bundle identifier as the original DMG app. For related information, see Add a macOS DMG app to Microsoft Intune.

Install required apps during pre-provisioning

A new toggle is available in the Enrollment Status Page (ESP) profile that allows you to select whether you want to attempt to install required applications during the Windows Autopilot pre-provisioning technician phase. We understand that installing as many applications as possible during pre-provisioning is desired to reduce the end user setup time. If there's an app install failure, ESP continues except for the apps specified in the ESP profile. To enable this function, you need to edit your Enrollment Status Page profile by selecting Yes on the new setting entitled Only fail selected apps in technician phase. This setting only appears if you have blocking apps selected. For information about ESP, go to Set up the Enrollment Status Page.

Week of March 20, 2023 (Service release 2303)

App management

More minimum OS versions for Win32 apps

Intune supports more minimum operating system versions for Windows 10 and 11 when installing Win32 apps. In Microsoft Intune admin center, select Apps > Windows > Add > Windows app (Win32). In the Requirements tab next to Minimum operating system, select one of the available operating systems. Other OS options include:

  • Windows 10 21H2
  • Windows 10 22H2
  • Windows 11 21H2
  • Windows 11 22H2

Managed apps permission is no longer required to manage VPP apps

You can view and manage VPP apps with only the Mobile apps permission assigned. Previously, the Managed apps permission was required to view and manage VPP apps. This change doesn't apply to Intune for Education tenants who still need to assign the Managed apps permission. More information about permissions in Intune is available at Custom role permissions.

Device configuration

New settings and setting options available in the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

New settings include:

Microsoft Defender > Tamper protection:

  • Enforcement level

Microsoft Office > Microsoft OneDrive:

  • Automatic upload bandwidth percentage
  • Automatically and silently enable the Folder Backup feature (aka Known Folder Move)
  • Block apps from downloading online-only files
  • Block external sync
  • Disable automatic sign in
  • Disable download toasts
  • Disable personal accounts
  • Disable tutorial
  • Display a notification to users once their folders have been redirected
  • Enable Files On-Demand
  • Enable simultaneous edits for Office apps
  • Force users to use the Folder Backup feature (aka Known Folder Move)
  • Hide dock icon
  • Ignore named files
  • Include ~/Desktop in Folder Backup (aka Known Folder Move)
  • Include ~/Documents in Folder Backup (aka Known Folder Move)
  • Open at login
  • Prevent users from using the Folder Backup feature (aka Known Folder Move)
  • Prompt users to enable the Folder Backup feature (aka Known Folder Move)
  • Set maximum download throughput
  • Set maximum upload throughput
  • SharePoint Prioritization
  • SharePoint Server Front Door URL
  • SharePoint Server Tenant Name

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create a policy using settings catalog.

Add custom Bash scripts to configure Linux devices

In Intune, you can add existing Bash scripts to configure Linux devices (Devices > By platform > Linux > Scripts).

When you create this script policy, you can set the context that the script runs in (user or root), how frequently the script runs, and how many times execution should retry.

For more information on this feature, go to Use custom Bash scripts to configure Linux devices in Microsoft Intune.

Applies to:

  • Linux Ubuntu Desktops

Device enrollment

Support for the await final configuration setting for iOS/iPadOS Automated device enrollment (public preview)

Now in public preview, Intune supports a new setting called Await final configuration in eligible new and existing iOS/iPadOS automated device enrollment profiles. This setting enables an out-of-the-box locked experience in Setup Assistant. It prevents device users from accessing restricted content or changing settings on the device until most Intune device configuration policies are installed. You can configure the setting in an existing automated device enrollment profile, or in a new profile (Devices > By platform > iOS/iPadOS > Device onboarding > Enrollment > Enrollment program tokens > Create profile). For more information, see Create an Apple enrollment profile.

New setting gives Intune admins control over device-to-category mapping

Control visibility of the device category prompt in Intune Company Portal. You can now hide the prompt from end users and leave the device-to-category mapping up to Intune admins. The new setting is available in the admin center under Tenant Administration > Customization > Device Categories. For more information, see Device categories.

Support for multiple enrollment profiles and tokens for fully managed devices

Create and manage multiple enrollment profiles and tokens for Android Enterprise fully managed devices. With this new functionality, you can now use the EnrollmentProfileName dynamic device property to automatically assign enrollment profiles to fully managed devices. The enrollment token that came with your tenant remains in a default profile. For more information, see Set up Intune enrollment of Android Enterprise fully managed devices.

New Microsoft Entra frontline worker experience for iPad (public preview)

This capability begins to roll out to tenants in mid-April.

Intune now supports a frontline worker experience for iPhones and iPads using Apple automated device enrollment. You can now enroll devices that are enabled in Microsoft Entra ID shared mode via zero-touch. For more information about how to configure automated device enrollment for shared device mode, see Set up enrollment for devices in Microsoft Entra shared device mode.

Applies to:

  • iOS/iPadOS

Device management

Endpoint security firewall policy support for log configurations

You can now configure settings in endpoint security Firewall policy that configure firewall logging options. These settings can be found in the Microsoft Defender Firewall profile template for the Windows 10 and later platform, and are available for the Domain, Private, and Public profiles in that template.

Following are the new settings, all found in the Firewall configuration service provider (CSP):

  • Enable Log Success Connections
  • Log File Path
  • Enable Log Dropped Packets
  • Enable Log Ignored Rules

Applies to:

  • Windows 11

Endpoint security firewall rules support for Mobile Broadband (MBB)

The Interface Types setting in endpoint security Firewall policy now include the option for Mobile Broadband. Interface Types is available in the Microsoft Defender Firewall Rules profile for all platforms that support Windows. For information about the use of this setting and option, see Firewall configuration service provider (CSP).

Applies to:

  • Windows 10
  • Windows 11

Endpoint security firewall policy support for network list manager settings

We've added a pair of network list manager settings to endpoint security Firewall policy. To help determine when a Microsoft Entra device is or isn't on your on-premises domain subnets, you can use the network list manager settings. This information can help firewall rules apply correctly.

The following settings are found in a new category named Network List Manager, that's available in the Microsoft Defender Firewall profile template for the Windows 10, Windows 11, and Windows Server platform:

  • Allowed Tls Authentication Endpoints
  • Configured Tls Authentication Network Name

For information about Network Categorization settings, see NetworkListManager CSP.

Applies to:

  • Windows 10
  • Windows 11

Improvements to Devices area in admin center (public preview)

The Devices area in the admin center now has a more consistent UI, with more capable controls and an improved navigation structure so you can find the information you need faster. To opt in to the public preview and try out the new experience, go to Devices and flip the toggle at the top of the page. Improvements include:

  • A new scenario-focused navigation structure.
  • New location for platform pivots to create a more consistent navigation model.
  • A reduction in journey, helping you get to your destination faster.
  • Monitoring and reports are within the management workflows, giving you easy access to key metrics and reports without having to leave the workflow.
  • A consistent way across list views to search, sort, and filter data.

For more information about the updated UI, see Try new Devices experience in Microsoft Intune.

Device security

Microsoft Intune Endpoint Privilege Management (public preview)

As a public preview, you can now use Microsoft Intune Endpoint Privilege Management. With Endpoint Privilege Management, admins can set policies that allow standard users to perform tasks normally reserved for an administrator. Endpoint Privilege Management can be configured in the Intune admin center at Endpoint security > Endpoint Privilege Management.

With the public preview, you can configure policies for automatic and user-confirmed workflows that elevate the run-time permissions for apps or processes you select. You then assign these policies to users or devices that have end users running without Administrator privileges. Once policy is received, Endpoint Privilege Management will broker the elevation on behalf of the user, allowing them to elevate approved applications without needing full administrator privileges. The preview also includes built-in insights and reporting for Endpoint Privilege Management.

To learn how to activate the public preview and use Endpoint Privilege Management policies, start with Use Endpoint Privilege Management with Microsoft Intune. Endpoint Privilege Management is part of the Intune Suite offering, and free to try while it remains in public preview.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • EVALARM by GroupKom GmbH (iOS)
  • ixArma by INAX-APPS (Android)
  • Seismic | Intune by Seismic Software, Inc.
  • Microsoft Viva Engage by Microsoft (formally Microsoft Yammer)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Diagnostic data collection for Endpoint Privilege Management

To support the release of Endpoint Privilege Management, we've updated Collect diagnostics from a Windows device to include the following data, which is collected from devices enabled for Endpoint Privilege Management:

  • Registry keys:

    • HKLM\SOFTWARE\Microsoft\EPMAgent
  • Commands:

    • %windir%\system32\pnputil.exe /enum-drivers
  • Log files:

    • %ProgramFiles%\Microsoft EPM Agent\Logs\*.*
    • %windir%\system32\config\systemprofile\AppData\Local\mdm\*.log

View status for pending and failed organizational messages

We've added two more states to organizational message reporting details to make it easier to track pending and failed messages in the admin center.

  • Pending: The message hasn't been scheduled yet and is currently in progress.
  • Failed: The message failed to schedule due to a service error.

For information about reporting details, see View reporting details for organizational messages.

You can now view information for tenant attach devices in the existing antivirus reports under the Endpoint Security workload. A new column differentiates between devices managed by Intune and devices managed by Configuration Manager. This reporting information is available in Microsoft Intune admin center by selecting Endpoint security > Antivirus.

Week of March 13, 2023

Device management

Meta Quest 2 and Quest Pro are now in Open Beta (US only) on Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) has welcomed Meta Quest 2 and Quest Pro into Open Beta for the US market.

For more information, go to Operating systems and browsers supported by Microsoft Intune

Applies to:

  • Android (AOSP)

App management

Trusted Root Certificates Management for Intune App SDK for Android

If your Android application requires SSL/TLS certificates issued by an on-premises or private certificate authority to provide secure access to internal websites and applications, the Intune App SDK for Android now has support for certificate trust management. For more information and examples, see Trusted Root Certificates Management.

System context support for UWP apps

In addition to user context, you can deploy Universal Windows Platform (UWP) apps from the Microsoft Store app (new) in system context. If a provisioned .appx app is deployed in system context, the app auto-installs for each user that logs in. If an individual end user uninstalls the user context app, the app still shows as installed because it's still provisioned. In addition, the app must not already be installed for any users on the device. Our general recommendation is to not mix install contexts when deploying apps. Win32 apps from the Microsoft Store app (new) already support system context.

Week of March 6, 2023

App management

Deploy Win32 apps to device groups

You can now deploy Win32 apps with Available intent to device groups. For more information, see Win32 app management in Microsoft Intune.

Device management

New URL for Microsoft Intune admin center

The Microsoft Intune admin center has a new URL: https://intune.microsoft.com. The previously used URL, https://endpoint.microsoft.com, continues to work but will redirect to the new URL in late 2023. We recommend taking the following actions to avoid issues with Intune access and automated scripts:

  • Update login or automation to point to https://intune.microsoft.com.
  • Update your firewalls, as needed, to allow access to the new URL.
  • Add the new URL to your favorites and bookmarks.
  • Notify your helpdesk and update IT administrator documentation.

Tenant administration

Add CMPivot queries to Favorites folder

You can add your frequently used queries to a Favorites folder in CMPivot. CMPivot allows you to quickly assess the state of a device managed by Configuration Manager via Tenant Attach and take action. The functionality is similar to one already present in the Configuration Manager console. This addition helps you keep all your most used queries in one place. You can also add tags to your queries to help search and find queries. The queries saved in the Configuration Manager console aren't automatically added to your Favorites folder. You need to create new queries and add them to this folder. For more information about CMPivot, see Tenant attach: CMPivot usage overview.

Device enrollment

New Microsoft Store apps now supported with the Enrollment Status Page

The Enrollment Status Page (ESP) now supports the new Microsoft store applications during Windows Autopilot. This update enables better support for the new Microsoft Store experience and should be rolling out to all tenants starting with Intune 2303. For related information, see Set up the Enrollment Status Page.

Week of February 27, 2023

Device configuration

Support for Locate device on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices

You can now use "Locate device" on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices. With this feature, admins are able to locate lost or stolen corporate devices on-demand.

In Microsoft Intune admin center, you need to turn the feature on using a device configuration profiles (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Device Restrictions for profile type).

Select Allow on the Locate device toggle for fully managed and corporate owned work profile devices and select applicable groups. Locate device is available when you select Devices, and then select All devices. From the list of devices you manage, select a supported device, and choose the Locate device remote action.

For information on locating lost or stolen devices with Intune, go to:

Applies to:

  • Android Enterprise corporate owned fully managed
  • Android Enterprise corporate owned dedicated devices
  • Android Enterprise corporate owned work profile

Intune add-ons

Microsoft Intune Suite provides mission-critical advanced endpoint management and security capabilities into Microsoft Intune.

You can find add-ons to Intune in the Microsoft Intune admin center under Tenant administration > Intune add-ons.

For detailed information, see Use Intune Suite add-on capabilities.

View ServiceNow Incidents in the Intune Troubleshooting workspace (Preview)

In public preview, you can view a list of ServiceNow incidents associated with the user you've selected in the Intune Troubleshooting workspace. This new feature is available under Troubleshooting + Support > select a user > ServiceNow Incidents. The list of incidents shown have a direct link back to the source incident and show key information from the incident. All incidents listed link the "Caller" identified in the incident with the user selected for Troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your company.

Device security

Microsoft Tunnel for MAM is now generally available

Now out of preview and generally available, you can add Microsoft Tunnel for Mobile Application Management to your tenant. Tunnel for MAM supports connections from unenrolled Android and iOS devices. This solution provides your tenant with a lightweight VPN solution that allows mobile devices access to corporate resources while adhering to your security policies.

In addition, MAM Tunnel for iOS now supports Microsoft Edge.

Previously, Tunnel for MAM for Android and iOS was in public preview and free for use. With this release as generally available, this solution now requires an add-on license for its use.

For licensing details, see Intune add-ons.

Applies to:

  • Android
  • iOS

Tenant administration

Organizational messages now support custom destination URLs

You can now add any custom destination URL to organizational messages in the taskbar, notifications area, and Get Started app. This feature applies to Windows 11. Messages created with Microsoft Entra registered domains that are in a scheduled or active state are still supported. For more information, see Create organizational messages.

Week of February 20, 2023 (Service release 2302)

App management

Latest iOS/iPadOS version available as minimum OS requirement for LOB and store apps

You can specify iOS/iPadOS 16.0 as the minimum operating system for line-of-business and store app deployments. This setting option is available in Microsoft Intune admin center by selecting Apps > iOS/iPadOS > iOS store app or Line-of-business app. For more information about managing apps, see Add apps to Microsoft Intune.

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Egnyte for Intune by Egnyte

For more information about protected apps, see Microsoft Intune protected apps.

Device configuration

Endpoint Manager admin center is renamed to Intune admin center

The Microsoft Endpoint Manager admin center is now called the Microsoft Intune admin center.

A new Associated Assignments tab for your filters

When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, model, and ownership. You can create and associate a filter with the assignment.

After you create a filter, there's a new Associated Assignments tab. This tab shows all the policy assignments, the groups that receive the filter assignments, and if the filter is using Exclude or Include:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Organize devices > Filters > Select an existing filter > Associated Assignments tab.

For more information on filters, go to:

Size and generation included in iOS/iPadOS model information

You can view the size and generation for enrolled iOS/iPadOS devices as part of the Model attribute in Hardware device details.

Go to Devices > All devices > select one of your listed devices and select Hardware to open its details. For example, iPad Pro 11 inch (third generation) displays for the device model instead of iPad Pro 3. For more information, go to: See device details in Intune

Applies to:

  • iOS/iPadOS

Disable Activation Lock device action for supervised iOS/iPadOS devices

You can use the Disable Activation Lock device action in Intune to bypass Activation Lock on iOS/iPadOS devices without requiring the current username or password.

This new action is available under Devices > iOS/iPadOS > select one of your listed devices > Disable Activation Lock.

More information on managing Activation Lock is available at Bypass iOS/iPadOS Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad, and iPod touch - Apple Support.

Applies to:

  • iOS/iPadOS

Allow Temporary Enterprise Feature Control is available in the Settings Catalog

In on-premises group policy, there's an Enable features introduced via servicing that are off by default setting.

In Intune, this setting is known as Allow Temporary Enterprise Feature Control and is available in the Settings Catalog. This servicing adds features that off by default. When set to Allowed, these features are enabled and turned on.

For more information on this feature, go to:

The Windows features that enabled by this policy setting should release later in 2023. Intune is releasing this policy setting now for your awareness and preparation, which is before any need to use the setting with future Windows 11 releases.

For more information on the settings catalog, go to Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Applies to:

  • Windows 11

Device management

Device Control support for Printer Protection (Preview)

In public preview, Device Control profiles for Attack Surface Reduction policy now support reusable settings groups for Printer Protection.

Microsoft Defender for Endpoint Device Control Printer Protection enables you to audit, allow, or prevent printer with or without exclusions within Intune. It allows you to block users from printing via a non-corporate network printer or non-approved USB printer. This feature adds another layer of security and data protection for work from home and remote work scenarios.

Applies to:

  • Windows 10
  • Windows 11

Support to delete stale devices that are managed through Security Management for Microsoft Defender for Endpoint

You can now Delete a device that's managed through the Security Management for Microsoft Defender for Endpoint solution from within the Microsoft Intune admin center. The delete option appears along with other device management options when you view the device's Overview details. To locate a device managed by this solution, in the admin center go to Devices > All devices, and then select a device that displays either MDEJoined or MDEManaged in the Managed by column.

New settings and setting options available in the Apple Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Login > Service Management - Managed Login Items:

  • Team Identifier

Microsoft Office > Microsoft Office:

  • Office Activation Email Address

Applies to:

  • macOS

Networking > Domains:

  • Cross Site Tracking Prevention Relaxed Domains

Applies to:

  • iOS/iPadOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device security

Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior (Preview)

As part of a public preview for Endpoint security Antivirus policy, you can use the new profile Defender Update controls for the Windows 10 and later platform to manage update settings for Microsoft Defender. The new profile includes settings for the rollout release channel. With the rollout channel, devices and users receive Defender Updates that are related to daily security intelligence updates, monthly platform updates, and monthly engine updates.

This profile includes the following settings, which are all directly taken from Defender CSP - Windows Client Management.

  • Engine Updates Channel
  • Platform Updates Channel
  • Security Intelligence Updates Channel

These settings are also available from the settings catalog for the Windows 10 and later profile.

Applies to:

  • Windows 10
  • Windows 11

Week of February 6, 2023

Tenant administration

Apply recommendations and insights to enrich the Configuration Manager site health and device management experience

You can now use the Microsoft Intune admin center to view recommendations and insights for your Configuration Manager sites. These recommendations can help you improve the site health and infrastructure and enrich the device management experience.

Recommendations include:

  • How to simplify your infrastructure
  • Enhance device management
  • Provide device insights
  • Improve the health of the site

To view recommendations, open the Microsoft Intune admin center and go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager, and select a site to view recommendations for that site. Once selected, the Recommendations tab displays each insight along with a Learn more link. This link opens details on how to apply that recommendation.

For more information, see Enable Microsoft Intune tenant attach - Configuration Manager.

Week of January 30, 2023

Device management

HTC Vive Focus 3 supported on Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) now supports HTC Vive Focus 3.

For more information, go to Operating systems and browsers supported by Microsoft Intune

Applies to:

  • Android (AOSP)

Introducing support for laser pointers in Remote Help

In Remote Help, you can now use a laser pointer when you're providing assistance on Windows.

For more information on Remote Help, go to Remote Help.

Applies to:

  • Windows 10/11

Week of January 23, 2023 (Service release 2301)

App management

Configure whether to show Configuration Manager apps in Windows Company Portal

In Intune, you can choose whether to show or hide Configuration Manager apps from appearing in the Windows Company Portal. This option is available in Microsoft Intune admin center by selecting Tenant administration > Customization. Next to Settings, select Edit. The option to Show or Hide the Configuration Manager applications are located in the App Sources section of the pane. For related information about configuring the Company Portal app, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Block pinning web pages to Managed Home Screen app

On Android Enterprise dedicated devices using Managed Home Screen, you can now use app configuration to configure the Managed Home Screen app to block pinning browser web pages to Managed Home Screen. The new key value is block_pinning_browser_web_pages_to_MHS. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Device management

Grace period status visible in Microsoft Intune app for Android

The Microsoft Intune app for Android now shows a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users can see the date by which devices must be compliant, and the instructions for how to become compliant. If they don't update their device by the given date, the device is marked as noncompliant. For more information, see the following docs:

Software update policies for macOS are now generally available

Software update policies for macOS devices are now generally available. This general availability applies to supervised devices running macOS 12 (Monterey) and later. Improvements are being made to this feature.

For more information, see Use Microsoft Intune policies to manage macOS software updates.

Windows Autopilot device diagnostics

Windows Autopilot diagnostics is available to download in Microsoft Intune admin center from either in the Autopilot deployments monitor or Device Diagnostics monitor for an individual device.

Device enrollment

Enrollment notifications now generally available

Enrollment notifications are now generally available, and are supported on Windows, Apple, and Android devices. This feature is only supported with user-driven enrollment methods. For more information, see Set up enrollment notifications.

Skip or show Terms of Address pane in Setup Assistant

Configure Microsoft Intune to skip or show a new Setup Assistant pane called Terms of Address during Apple Automated Device Enrollment. The Terms of Address lets users on iOS/iPadOS and macOS devices personalize their device by selecting how the system addresses them: feminine, neutral, or masculine. The pane is visible during enrollment by default, and is available for select languages. You can hide it on devices running iOS/iPadOS 16 and later, and macOS 13 and later. For more information about the Setup Assistant screens supported in Intune, see:

Device security

Microsoft Tunnel for Mobile Application Management for iOS/iPadOS (Preview)

As a public preview, you can use the Mobile Application Management (MAM) to the Microsoft Tunnel VPN gateway for iOS/iPadOS. With this preview for iOS devices that haven't enrolled with Intune, supported apps on those unenrolled devices can use Microsoft Tunnel to connect to your organization when working with corporate data and resources. This feature includes VPN gateway support for:

  • Secure access to on-premises apps and resources using modern authentication
  • Single Sign On and Conditional Access

For more information, go to:

Applies to:

  • iOS/iPadOS

Attack surface reduction policy support for Security settings management for Microsoft Defender for Endpoint

Devices managed through the MDE Security configuration scenario support attack surface reduction policy. To use this policy with devices that use Microsoft Defender for Endpoint but aren't enrolled with Intune:

  1. In the Endpoint Security node, create a new Attack surface reduction policy.
  2. Select Windows 10, Windows 11, and Windows Server as the Platform.
  3. Select Attack Surface Reduction Rules for the Profile.

Applies to:

  • Windows 10
  • Windows 11

SentinelOne – New mobile threat defense partner

You can now use SentinelOne as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the SentinelOne connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment in your compliance policy. The SentinelOne connector can also send risk levels to app protection policies.

Device configuration

Device Firmware Configuration Interface (DFCI) supports Fujitsu devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

Some Fujitsu devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, go to:

Applies to:

  • Windows 10
  • Windows 11

Support for Bulk Device Actions on devices running Android (AOSP)

You can now complete "Bulk Device Actions" for devices running Android (AOSP). The bulk device actions supported on devices running Android (AOSP) are Delete, Wipe and Restart.

Applies to:

  • Android (AOSP)

Updated descriptions for iOS/iPadOS and macOS settings in the settings catalog

The settings catalog lists all the settings you can configure, and all in one place. For the iOS/iPadOS and macOS settings, for each setting category, the descriptions are updated to include more detailed information.

For more information on the settings catalog, go to:

Applies to:

  • iOS/iPadOS
  • macOS

New settings available in the Apple Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Accounts > Subscribed Calendars:

  • Account Description
  • Account Host Name
  • Account Password
  • Account Use SSL
  • Account Username

Applies to:

  • iOS/iPadOS

Networking > Domains:

  • Cross Site Tracking Prevention Relaxed Domains

Applies to:

  • macOS

The following settings are also in Settings Catalog. Previously, they were only available in Templates:

File Vault:

  • User Enters Missing Info

Applies to:

  • macOS

Restrictions:

  • Rating Region

Applies to:

  • iOS/iPadOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Filter app and policy assignments by the device's Microsoft Entra join type (deviceTrustType)

When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.

A new device filter property deviceTrustType is available for Windows 10 and later devices. With this property, you can filter app and policy assignments depending on the Microsoft Entra join type. The values include Microsoft Entra joined, Microsoft Entra hybrid joined, and Microsoft Entra registered.

For more information on filters and the device properties you can use, go to:

Applies to:

  • Windows 10 and later

Monitor and troubleshoot

Download mobile app diagnostics in the Microsoft Intune admin center (public preview)

Now in public preview, access user-submitted mobile app diagnostics in the admin center, including app logs sent through Company Portal app for Android, Android (AOSP), or Windows, with support for iOS, macOS, and Microsoft Edge for iOS coming at a later date. For more information about accessing mobile app diagnostics for Company Portal, see Configure Company Portal.

WinGet troubleshooting using diagnostic files

WinGet is a command line tool that enables you to discover, install, upgrade, remove, and configure applications on Windows 10 and Windows 11 devices. When working with Win32 app management in Intune, you can now use the following file locations to help troubleshoot WinGet:

  • %TEMP%\winget\defaultstate*.log
  • Microsoft-Windows-AppXDeployment/Operational
  • Microsoft-Windows-AppXDeploymentServer/Operational

Intune troubleshooting pane update

A new experience for the Intune Troubleshooting pane provides details about user's devices, policies, applications, and status. The troubleshooting pane includes the following information:

  • A summary of policy, compliance, and application deployment status.
  • Support for exporting, filtering, and sorting all reports.
  • Support to filter by excluding policies and applications.
  • Support to filter to a user's single device.
  • Details about available device diagnostics and disabled devices.
  • Details about offline devices that haven't checked-in to the service for three or more days.

You can find the troubleshooting pane in Microsoft Intune admin center by selecting Troubleshooting + support > Troubleshoot. To view the new experience during preview, select Preview upcoming changes to Troubleshooting and provide feedback to display the Troubleshooting preview pane, then select Try it now.

New report for devices without compliance policy (preview)

We've added a new report named Devices without compliance policy to the Device compliance reports you can access through the Reports node of the Microsoft Intune admin center. This report, which is in preview, uses a newer reporting format that provides for more capabilities.

To learn about this new organizational report, see Devices without compliance policy (Organizational).

An older version of this report remains available through the Devices > Monitor page of the admin center. Eventually, that older report version will retire, though it remains available for now.

Service health messages for tenant issues that require administrative attention

The Service health and message center page in the Microsoft Intune admin center can now display messages for Issues in your environment that require action. These messages are important communications that are sent to a tenant to alert administrators about issues in their environment that might require action to resolve.

You can view messages for Issues in your environment that require action in the Microsoft Intune admin center by going to Tenant administration > Tenant status and then selecting the Service health and message center tab.

For more information about this page of the admin center, see View details about your Tenant on the Intune tenant status page.

Tenant administration

Improved UI experience for multiple certificate connectors

We've added pagination controls to the Certificate connectors view to help improve the experience when you have more than 25 certificate connectors configured. With the new controls, you can see the total number of connector records and easily navigate to a specific page when viewing your certificate connectors.

To view certificate connectors, in the Microsoft Intune admin center, go to Tenant administration > Connectors and tokens > Certificate connectors.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Voltage SecureMail by Voltage Security

For more information about protected apps, see Microsoft Intune protected apps.

Scripts

Preview PowerShell script package content in Endpoint Analytics

Admins can now see a preview of a PowerShell script's content for proactive remediations. The content is displayed in a grayed-out box with scrolling capability. Admins can't edit the content of the script in the preview. In Microsoft Intune admin center, select Reports > Endpoint analytics > Proactive remediations. For more information, see PowerShell scripts for Proactive remediations.

Week of January 16, 2023

App management

Win32 app supersedence GA

The feature set for Win32 app supersedence GA is available. It adds support for apps with supersedence during ESP, and also allows supersedence & dependency relationships to be added in the same app subgraph. For more information, see Win32 app supersedence improvements. For information about Win32 app supersedence, see Add Win32 app supersedence.

Week of January 9, 2023

Device configuration

The Company Portal app enforces Password Complexity setting on Android Enterprise 12+ personally owned devices with a work profile

On Android Enterprise 12+ personally owned devices with a work profile, you can create a compliance policy and/or device configuration profile that sets the password complexity. Starting with the 2211 release, this setting is available in the Intune admin center:

  • Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Personally owned with a work profile > Device restrictions for profile type > Password
  • Devices > Compliance policies > Create policy > Android Enterprise for platform > Personally owned with a work profile

The Company Portal app enforces the Password complexity setting.

For more information on this setting and the other settings you can configure on personally owned devices with a work profile, go to:

Applies to:

  • Android Enterprise 12+ personally owned devices with a work profile

Week of December 19, 2022

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Appian for Intune by Appian Corporation (Android)

For more information about protected apps, see Microsoft Intune protected apps.

Week of December 12, 2022 (Service release 2212)

Device configuration

Remote Help client app includes a new option to disable chat functionality in the Tenant level setting

In the Remote Help app, admins can disable chat functionality from the new tenant level setting. Turning on the disable chat feature removes the chat button in the Remote Help app. This setting can be found in the Remote Help Settings tab under Tenant Administration in Microsoft Intune.

For more information, see Configure Remote Help for your tenant.

Applies to: Windows 10/11

New settings available in the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

New settings include:

File Vault > File Vault Options:

  • Block FV From Being Disabled
  • Block FV From Being Enabled

Restrictions:

  • Allow Bluetooth Modification

Applies to:

  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are default settings for SSO extension requests on iOS, iPadOS, and macOS devices

When you create a single sign-on app extension configuration profile, there are some settings that you configure. The following settings use the following default values for all SSO extension requests:

  • AppPrefixAllowList key

    • macOS default value: com.microsoft.,com.apple.
    • iOS/iPadOS default value: com.apple.
  • browser_sso_interaction_enabled key

    • macOS default value: 1
    • iOS/iPadOS default value: 1
  • disable_explicit_app_prompt key

    • macOS default value: 1
    • iOS/iPadOS default value: 1

If you configure a value other than the default value, then the configured value overwrites the default value.

For example, you don't configure the AppPrefixAllowList key. By default, all Microsoft apps (com.microsoft.) and all Apple apps (com.apple.) are enabled for SSO on macOS devices. You can overwrite this behavior by adding a different prefix to the list, such as com.contoso..

For more information on the Enterprise SSO plug-in, go to Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune.

Applies to:

  • iOS/iPadOS
  • macOS

Device enrollment

Enrollment token lifetime increases to 65 years for Android Enterprise dedicated devices

Now you can create an enrollment profile for Android Enterprise dedicated devices that's valid for up to 65 years. If you have an existing profile, the enrollment token still expires at whatever date you chose when you created the profile, but during renewal you can extend the lifetime. For more information about creating an enrollment profile, see Set up Intune enrollment for Android Enterprise dedicated devices.

Device management

Update policies for macOS now available for all supervised devices

Software update policies for macOS devices now apply to all macOS supervised devices. Previously, only those devices that enrolled through Automated Device Enrollment (ADE) would qualify to receive updates. For more information on configuring update policies for macOS, see Use Microsoft Intune policies to manage macOS software updates.

Applies to:

  • macOS

Policy and reports for Windows feature updates and expedited quality updates are now Generally Available

Both the policies and reports for managing feature updates and quality updates (expedited updates) for Windows 10 and later, are out of preview and now generally available.

For more information about these policies and reports, see:

Applies to:

  • Windows 10/11

Week of November 28, 2022

App management

Microsoft Store apps in Intune

You can now search, browse, configure, and deploy Microsoft Store apps within Intune. The new Microsoft Store app type is implemented using the Windows Package Manager. This app type features an expanded catalog of apps, which includes both UWP apps and Win32 apps. Roll out of this feature is expected to complete by December 2, 2022. For more information, see Add Microsoft Store apps to Microsoft Intune.

Tenant administration

Access policies for multiple Administrator Approval (public preview)

In public preview, you can use Intune access policies to require that a second Administrator Approval account approve a change before the change is applied. This capability is known as multiple Administrator Approval (MAA).

You create an access policy to protect a type of resource, like App deployments. Each access policy also includes a group of users who are approvers for the changes protected by the policy. When a resource, like an app deployment configuration, is protected by an access policy, any changes that made to the deployment, including creating, deleting, or modifying an existing deployment, won't apply until a member of the approvers group for that access policy reviews and approves that change.

Approvers can also reject requests. The individual requesting a change and the approver can provide notes about the change, or why it was approved or rejected.

Access policies are supported for the following resources:

  • Apps – Applies to app deployments, but doesn't apply to app protection policies.
  • Scripts – Applies to deploying scripts to devices that run macOS or Windows.

For more information, see Use Access policies to require multiple administrative approval.

Device security

Microsoft Tunnel for Mobile Application Management for Android (Preview)

As a public preview, you can now use Microsoft Tunnel with unenrolled devices. This capability is called Microsoft Tunnel for Mobile Application Management (MAM). This preview supports Android, and without any changes to your existing Tunnel infrastructure, supports the Tunnel VPN gateway for:

  • Secure access to on-premises apps and resources using modern authentication
  • Single Sign On and Conditional Access

To use Tunnel MAM, unenrolled devices must install Microsoft Edge, Microsoft Defender for Endpoint, and the Company Portal. You can then use the Microsoft Intune admin center to configure the following profiles for the unenrolled devices:

  • An App configuration profile for managed apps, to configure Microsoft Defender on devices for use as the Tunnel client app.
  • A second App configuration profile for managed apps, to configure Microsoft Edge to connect to Tunnel.
  • An App protection profile to enable automatic start of the Microsoft Tunnel connection.

Applies to:

  • Android Enterprise

Week of November 14, 2022 (Service release 2211)

App management

Control the display of Managed Google Play apps

You can group Managed Google Play apps into collections and control the order that collections are displayed when selecting apps in Intune. You can also make apps visible via search only. This capability is available in Microsoft Intune admin center by selecting Apps > All apps > Add > Managed Google Play app. For more information, see Add a Managed Google Play store app directly in the Intune admin center.

Device configuration

New password complexity setting for Android Enterprise 12+ personally owned devices with a work profile

On Android Enterprise 11 and older personally owned devices with a work profile, you can set the following password settings:

  • Devices > Compliance > Android Enterprise for platform > Personally owned work profile > System security > Required password type, Minimum password length
  • Devices > Manage devices > Configuration > Android Enterprise for platform > Personally owned work profile > Device restrictions > Work profile settings > Required password type, Minimum password length
  • Devices > Manage devices > Configuration > Android Enterprise for platform > Personally owned work profile > Device restrictions > Password > Required password type, Minimum password length

Google is deprecating the Required password type and Minimum password length settings for Android 12+ personally owned devices with a work profile and replacing them with new password complexity requirements. For more information about this change, go to Day zero support for Android 13.

The new Password complexity setting has the following options:

  • None: Intune doesn't change or update this setting. By default, the OS might not require a password.
  • Low: Pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked.
  • Medium: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked. The length, alphabetic length, or alphanumeric length must be at least four characters.
  • High: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are blocked. The length must be at least eight characters. The alphabetic or alphanumeric length must be at least six characters.

On Android 12+, if you currently use the Required password type and Minimum password length settings in a compliance policy or device configuration profile, then we recommend using the new Password complexity setting instead.

If you continue to use the Required password type and Minimum password length settings, and don't configure the Password complexity setting, then new devices running Android 12+ might default to the High password complexity.

For more information on these settings and what happens to existing devices with the deprecated settings configured, go to:

Applies to:

  • Android Enterprise 12.0 and newer personally owned devices with a work profile

New settings available in the iOS/iPadOS and macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Networking > DNS Settings:

  • DNS Protocol
  • Server Addresses
  • Server Name
  • Server URL
  • Supplemental Match Domains
  • On Demand Rules
  • Action
  • Action Parameters
  • DNS Domain Match
  • DNS Server Address Match
  • Interface Type Match
  • SSID Match
  • URL String Probe
  • Prohibit Disablement

File Vault:

  • Defer
  • Defer Don't Ask At User Logout
  • Defer Force At User Login Max Bypass Attempts
  • Enable
  • Show Recovery Key
  • Use Recovery Key

File Vault > File Vault Recovery Key Escrow:

  • Device Key
  • Location

Restrictions:

  • Allow Air Play Incoming Requests

Applies to:

  • macOS

Web > Web Content Filter:

  • Allow List Bookmarks
  • Auto Filter Enabled
  • Deny List URLs
  • Filter Browsers
  • Filter Data Provider Bundle Identifier
  • Filter Data Provider Designated Requirement
  • Filter Grade
  • Filter Packet Provider Bundle Identifier
  • Filter Packet Provider Designated Requirement
  • Filter Packets
  • Filter Sockets
  • Filter Type
  • Organization
  • Password
  • Permitted URLs
  • Plugin Bundle ID
  • Server Address
  • User Defined Name
  • User Name
  • Vendor Config

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device Firmware Configuration Interface (DFCI) supports Panasonic devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

New Panasonic devices running Windows 10/11 are being enabled for DFCI starting Fall 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Panasonic devices.

Contact your device vendor or device manufacturer to ensure you get eligible devices.

For more information about DFCI profiles, go to:

Applies to:

  • Windows 10
  • Windows 11

Sign in and background item management support on macOS devices using the settings catalog

On macOS devices, you can create a policy that automatically opens items when users sign in to their macOS devices. For example, you can open apps, documents, and folders.

In Intune, the settings catalog includes new Service Management settings at Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type > Login > Service Management. These settings can prevent users from disabling the managed login and background items on their devices.

For more information on the settings catalog, go to:

Applies to:

  • macOS 13 and newer

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Varicent by Varicent US OpCo Corporation
  • myBLDNG by Bldng.ai
  • Enterprise Files for Intune by Stratospherix Ltd
  • ArcGIS Indoors for Intune by ESRI
  • Meetings by Decisions by Decisions AS
  • Idenprotect Go by Apply Mobile Ltd

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Review Cloud PC connectivity health checks and errors in Microsoft Intune admin center

You can now review connectivity health checks and errors in the Microsoft Intune admin center to help you understand if your users are experiencing connectivity issues. There's also a troubleshooting tool to help resolve connectivity issues. To see the checks, select Devices > Windows 365 > Azure network connections > select a connection in the list > Overview.

Tenant administration

Deliver organizational messages for Windows 11 (public preview)

Use Microsoft Intune to deliver important messages and call-to-actions to employees on their devices. Organizational messages are preconfigured messages intended to improve employee communication in remote and hybrid-work scenarios. They can be used to help employees adapt to new roles, learn more about their organization, and stay informed of new updates and trainings. You can deliver messages just above the taskbar, in the notifications area, or in the Get Started app on Windows 11 devices.

During public preview, you can:

  • Select from various preconfigured, common messages to assign to Microsoft Entra user groups.
  • Add your organization's logo.
  • Include a custom destination URL in the message that redirects device users to a specific place.
  • Preview messages in 15 supported languages, in dark and light theme.
  • Schedule a delivery window and message frequency.
  • Track the status of messages and the number of views and clicks they receive. Views and clicks are aggregated by messages.
  • Cancel scheduled or active messages.
  • Configure a new built-in role in Intune called Organizational Messages Manager, which allows assigned admins to view and configure messages.

All configurations need to be done in the Microsoft Intune admin center. The Microsoft Graph API isn't available to use with organizational messages. For more information, see Overview of organizational messages.

Week of November 7, 2022

App management

Ending support for Windows Information Protection

Windows Information Protection (WIP) policies without enrollment are being deprecated. You can no longer create new WIP policies without enrollment. Until December of 2022, you can modify existing policies until the deprecation of the without enrollment scenario is complete. For more information, go to Plan for Change: Ending support for Windows Information Protection.

Device Configuration

User configuration support for Windows 11 multi-session VMs is now generally available

You can now:

  • Configure user scope policies using Settings catalog and assign to groups of users, including ADMX-ingested policies
  • Configure user certificates and assign to users
  • Configure PowerShell scripts to install in the user context and assign to users

Applies to:

Week of October 31, 2022

App management

Primary MTD service app protection policy setting for Intune

Intune now supports both Microsoft Defender for Endpoint and one non-Mobile Threat Defense (MTD) connector to be turned "On" for App Protection Policy evaluation per platform. This feature enables scenarios where a customer might want to migrate between Microsoft Defender for Endpoint and non-Microsoft MTD service. And, they don't want a pause in protection via risk scores in App Protection Policy. A new setting has been introduced under Conditional Launch health checks titled "Primary MTD service" to specify which service should be enforced for the end user. For more information, see Android app protection policy settings and iOS app protection policy settings.

Week of October 24, 2022 (Service release 2210)

App management

Use filters with app configuration policies for managed devices

You can use filters to refine the assignment scope when deploying app configuration policies for managed devices. You must first create a filter using any of the available properties for iOS and Android. Then, in Microsoft Intune admin center you can assign your managed app configuration policy by selecting Apps > App configuration policies > Add > Managed devices and go to the assignment page. After selecting a group, you can refine the applicability of the policy by choosing a filter and deciding to use it in Include or Exclude mode. For related information about filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune admin center.

Device configuration

Group Policy analytics automatically applies scope tags assigned to admins when they import Group Policy objects

In Group Policy analytics, you can import your on-premises GPOs to see the policy settings that support cloud-based MDM providers, including Microsoft Intune. You can also see any deprecated settings or settings not available.

Now, scope tags assigned to admins are automatically applied when these admins import GPOs into Group Policy analytics.

For example, admins have Charlotte, London, or Boston scope tags assigned to their role:

  • An admin with the Charlotte scope tag imports a GPO.
  • The Charlotte scope tag is automatically applied to the imported GPO.
  • All admins with the Charlotte scope tag can see the imported object.
  • Admins with only the London or only the Boston scope tags can't see the imported object from the Charlotte admin.

For admins to see the analytics or migrate the imported GPO to an Intune policy, these admins must have one of the same scope tags as the admin that did the import.

For more information on these features, go to:

Applies to:

  • Windows 11
  • Windows 10

New network endpoints for Microsoft Intune

New network endpoints have been added to our documentation to accommodate new Azure Scale Units (ASU) that are added to the Intune service. We recommend updating your firewall rules with the latest list of IP addresses to ensure that all network endpoints for Microsoft Intune are up-to-date.

For the full list, go to Network endpoints for Microsoft Intune.

Filter app and group policy assignments using Windows 11 SE operating system SKUs

When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.

Two new Windows 11 SE operating system SKUs are available. You can use these SKUs in your assignment filters to include or exclude Windows 11 SE devices from applying group-targeted policies and applications.

For more information on filters and the device properties you can use, go to:

Applies to:

  • Windows 11 SE

New settings available in the iOS/iPadOS and macOS settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place.

New settings are available in the settings catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Networking > Cellular:

  • Enable XLAT464

Applies to:

  • iOS/iPadOS

Privacy > Privacy Preferences Policy Control:

  • System Policy App Bundles

Applies to:

  • macOS

Restrictions:

  • Allow Rapid Security Response Installation
  • Allow Rapid Security Response Removal

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

New settings for Device Firmware Configuration Interface (DFCI) profiles on Windows devices

You can create a DFCI profile that enables the Windows OS to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface) (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface)

You can use this feature to control BIOS settings. There are new settings you can configure in the DFCI policy:

  • Cameras:

    • Front camera
    • Infrared camera
    • Rear camera
  • Radios:

    • WWAN
    • NFC
  • Ports

    • SD Card

For more information on DFCI profiles, go to:

Applies to:

  • Windows 11 on supported UEFI
  • Windows 10 RS5 (1809) and later on supported UEFI

Device enrollment

iOS/iPadOS Setup Assistant with modern authentication supports Just in Time Registration (public preview)

Intune supports just in time (JIT) Registration for iOS/iPadOS enrollment scenarios that use Setup Assistant with modern authentication. JIT Registration reduces the number of authentication prompts shown to users throughout the provisioning experience, giving them a more seamless onboarding experience. It eliminates the need to have the Company Portal app for Microsoft Entra registration and compliance checks, and establishes single sign-on across the device. JIT Registration is available in public preview for devices enrolling through Apple automated device enrollment and running iOS/iPadOS 13.0 or later. For more information, see Authentication methods for automated device enrollment.

Device management

Connect Chrome OS devices in Intune (public preview)

View company or school-owned devices that run on Chrome OS in the Microsoft Intune admin center. Now in public preview, you can establish a connection between the Google Admin console and Microsoft Intune admin center. Device information about your Chrome OS endpoints is synced into Intune and viewable in your device inventory list. Basic remote actions, such as restart, wipe, and lost mode are also available in the admin center. For more information about how to set up a connection, see Configure Chrome Enterprise connector.

Manage macOS software updates with Intune

You can now use Intune policies to manage macOS software updates for devices that enrolled using Automated Device Enrollment (ADE). See Manage macOS software update policies in Intune.

Intune supports the following macOS update types:

  • Critical updates
  • Firmware updates
  • Configuration file updates
  • All other updates (OS, built-in apps)

In addition to scheduling when a device updates, you can manage behaviors, like:

  • Download and install: Download or install the update, depending on the current state.
  • Download only: Download the software update without installing it.
  • Install immediately: Download the software update and trigger the restart countdown notification.
  • Notify only: Download the software update and notify the user through the App Store.
  • Install later: Download the software update and install it at a later time.
  • Not configured: No action taken on the software update.

For information from Apple about managing macOS software updates, see Manage software updates for Apple devices - Apple Support in the Apple's Platform Deployment documentation. Apple maintains a list of security updates at Apple security updates - Apple Support.

Deprovision Jamf Pro from within the Microsoft Intune admin center

You can now deprovision your Jamf Pro to Intune integration from within the Microsoft Intune admin center. This feature can be useful should you no longer have access to the Jamf Pro console, through which you can also deprovision integration.

This capability functions similarly to disconnecting Jamf Pro from within the Jamf Pro console. So, after you remove the integration, your organization's Mac devices are removed from Intune after 90 days.

New hardware details available for individual devices running on iOS/iPadOS

Select Devices > All devices > select one of your listed devices and open it's Hardware details. The following new details are available in the Hardware pane of individual devices:

  • Battery level: Shows the battery level of the device anywhere between 0 and 100, or defaults to null if the battery level can't be determined. This feature is available for devices running iOS/iPadOS 5.0 and later.
  • Resident users: Shows the number of users currently on the shared iPad device, or defaults to null if the number of users can't be determined. This feature is available for devices running iOS/iPadOS 13.4 and later.

For more information, go to View device details with Microsoft Intune.

Applies to

  • iOS/iPadOS

Use the $null value in filters

When you assign apps and policies to groups, you can use filters to assign a policy based on rules you create (Tenant administration > Filters > Create). These rules use different device properties, such as category or the enrollment profile.

Now, you can use the $null value with the -Equals and -NotEquals operators.

For example, use the $null value in the following scenarios:

  • You want to target all devices that don't have a category assigned to the device.
  • You want to target devices that don't have an enrollment profile property assigned to the device.

For more information on filters and the rules you can create, go to:

Applies to:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 10/11

Device security

Reusable groups of settings for removable storage in Device Control profiles (preview)

In public preview, you can use reusable groups of settings with device control profiles in your attack surface reduction policies.

The reusable groups for device control profiles include a collection of settings that support managing read, write, and execute access for removable storage. Examples of common scenarios include:

  • Prevent write and execute access to all but allow specific approved USBs
  • Audit write and execute access to all but block specific unapproved USBs
  • Only allow specific user groups to access specific removable storage on a shared PC

Applies to:

  • Windows 10 or later

Reusable groups of settings for Microsoft Defender Firewall Rules (preview)

In public preview, you can use reusable groups of settings that you can use with profiles for Microsoft Defender Firewall Rules. The reusable groups are collections of remote IP addresses and FQDNs that you define one time and can then use with one or more firewall rule profiles. You don't need to reconfigure the same group of IP addresses in each individual profile that might require them.

Features of the reusable settings groups include:

  • Add one or more remote IP addresses.

  • Add one or more FQDNs that can auto resolve to the remote IP address, or for one or more simple keywords when auto resolve for the group is off.

  • Use each settings group with one or more firewall rule profiles and the different profiles can support different access configurations for the group.

    For example, you can create two firewall rule profiles that reference the same reusable settings group and assign each profile to a different group of devices. The first profile can block access to all the remote IP addresses in the reusable settings group, while the second profile can be configured to allow access.

  • Edits to a settings group that's in use are automatically applied to all Firewall Rules profiles that use that group.

Attack surface reduction rule exclusions on a per-rule basis

You can now configure per-rule exclusions for Attack surface reduction rules policies. Per-rule exclusions are enabled through a new per-rule setting ASR Only Per Rule Exclusions.

When you create or edit attack surface reduction rule policies and change a setting that supports exclusions from the default of Not configured to any of the other available options, the new per-setting exclusion option becomes available. Any configurations for that setting instance of ASR Only Per Rule Exclusions apply to only that setting.

You can continue to configure global exclusions that apply to all attack surface reduction rules on the device by using the setting Attack Surface Reduction Only Exclusions.

Applies to:

  • Windows 10/11

Note

ASR policies don't support merge functionality for ASR Only Per Rule Exclusions and a policy conflict can result when multiple policies that configure ASR Only Per Rule Exclusions for the same device conflict. To avoid conflicts, combine the configurations for ASR Only Per Rule Exclusions into a single ASR policy. We are investigating adding policy merge for ASR Only Per Rule Exclusions in a future update.

Grant apps permission to silently use certificates on Android Enterprise devices

You can now configure silent use of certificates by apps on Android Enterprise devices that enrolled as Fully Managed, Dedicated, and Corporate-Owned work Profile.

This capability is available on a new Apps page in the certificate profile configuration workflow by setting Certificate access to Grant silently for specific apps (require user approval for other apps). With this configuration, the apps you then select silently use the certificate. All other apps continue to use the default behavior, which is to require user approval.

This capability supports the following certificate profiles for only Android Enterprise Fully Managed, Dedicated, and Corporate-Owned work Profiles:

In-app notifications for Microsoft Intune app

Android Open Source Project(AOSP) device users can now receive compliance notifications in the Microsoft Intune app. This capability is only available on AOSP user-based devices. For more information, see AOSP compliance notifications.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • MyITOps for Intune by MyITOps, Ltd
  • MURAL - Visual Collaboration by Tactivos, Inc

For more information about protected apps, see Microsoft Intune protected apps.

Week of October 17, 2022

App management

Enhanced app picker for managed apps on Android devices

Android device users can select, view, and remove their default app selections in the Intune Company Portal app. Company Portal securely stores the device user's default choices for managed apps. Users can view and remove their selections in the Company Portal app by going to Settings > Default Apps > See defaults. This feature is an enhancement to the Android custom app picker for managed apps, which is a part of the Android MAM SDK. For more information about how to view default apps, see View and edit default apps.

Week of October 10, 2022

Device management

Microsoft Endpoint Manager branding change

As of October 12, 2022, the name Microsoft Endpoint Manager will no longer be used. Going forward, we refer to cloud-based unified endpoint management as Microsoft Intune and on-premises management as Microsoft Configuration Manager. With the launch of advanced management, Microsoft Intune is the name of our growing product family for endpoint management solutions at Microsoft. For details, see the official announcement on the endpoint management Tech Community blog. Documentation changes are ongoing to remove Microsoft Endpoint Manager.

For more information, see Intune documentation.

Grace period status visible in Windows Company Portal

Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see Configure compliance policies with actions for noncompliance and Check access from Device details page.

Linux device management available in Microsoft Intune

Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. Intune admins don't need to do anything to enable Linux enrollment in the Microsoft Intune admin center. Linux users can enroll supported Linux devices on their own and use the Microsoft Edge browser to access corporate resources online.

In the admin center, you can:

Week of October 03, 2022

Device Security

In Remote Help, a link has been added to the non-compliance warning notification View device compliance information and it allows a helper to learn more about why the device isn't compliant in Microsoft Intune.

For more information, go to:

Applies to: Windows 10/11

Week of September 26, 2022

Monitor and troubleshoot

Open Help and Support without losing your context in the Microsoft Intune admin center

You can now use the ? icon in the Microsoft Intune admin center to open a help and support session without losing your current node of focus in the admin center. The ? icon is always available in the upper right of the title bar of the admin center. This change adds another way to access Help and support.

When you select ?, the admin center opens the help and support view in a new and separate side-by-side pane. By opening this separate pane, you're free to navigate the support experience without affecting your original location and focus on the admin center.

Week of September 19, 2022 (Service release 2209)

App management

New app types for Microsoft Intune

As an admin, you can create and assign two new types of Intune apps:

  • iOS/iPadOS web clip
  • Windows web link

These new app types work in a similar way to the existing web link application type, however they apply only for their specific platform, whereas web link applications apply across all platforms. With these new app types, you can assign to groups and also use assignment filters to limit the scope of assignment. This functionality is in the Microsoft Intune admin center > Apps > All Apps > Add.

Device management

Microsoft Intune is ending support for Windows 8.1

Microsoft Intune is ending support on October 21, 2022 for devices running Windows 8.1. After that date, technical assistance and automatic updates that help protect your devices running Windows 8.1 will no longer be available. Also, because the sideloading scenario for line-of-business apps is only applicable to Windows 8.1 devices, Intune no longer supports Windows 8.1 sideloading. Sideloading is installing, and then running or testing an app that isn't cerified by the Microsoft Store. In Windows 10/11, "sideloading" is simply setting a device config policy to include "Trusted app installation".

Group member count visible in assignments

When assigning policies in the admin center, you can now see the number of users and devices in a group. Having both counts help you pinpoint the right group and understand the impact the assignment has before you apply it.

Device configuration

New lock screen message when adding custom support information to Android Enterprise devices

On Android Enterprise devices, you can create a device restrictions configuration profile that shows a custom support message on the devices (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type > Custom support information).

There's a new setting you can configure:

  • Lock screen message: Add a message that's shown on the device lock screen.

When you configure the Lock screen message, you can also use the following device tokens to show device-specific information:

  • {{AADDeviceId}}: Microsoft Entra device ID
  • {{AccountId}}: Intune tenant ID or account ID
  • {{DeviceId}}: Intune device ID
  • {{DeviceName}}: Intune device name
  • {{domain}}: Domain name
  • {{EASID}}: Exchange Active Sync ID
  • {{IMEI}}: IMEI of the device
  • {{mail}}: Email address of the user
  • {{MEID}}: MEID of the device
  • {{partialUPN}}: UPN prefix before the @ symbol
  • {{SerialNumber}}: Device serial number
  • {{SerialNumberLast4Digits}}: Last four digits of the device serial number
  • {{UserId}}: Intune user ID
  • {{UserName}}: User name
  • {{userPrincipalName}}: UPN of the user

Note

Variables aren't validated in the UI and are case sensitive. As a result, you might see profiles saved with incorrect input. For example, if you enter {{DeviceID}}, instead of {{deviceid}} or {{DEVICEID}}, then the literal string is shown instead of the device's unique ID. Be sure to enter the correct information. All lowercase or all uppercase variables are supported, but not a mix.

For more information on this setting, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android 7.0 and newer
  • Android Enterprise corporate owned fully managed
  • Android Enterprise corporate owned dedicated devices
  • Android Enterprise corporate owned work profile

Filter on the user scope or device scope in the settings catalog for Windows devices

When you create a settings catalog policy, you can use Add settings > Add filter to filter settings based on the Windows OS edition (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type).

When you Add filter, you can also filter on the settings by user scope or device scope.

For more information on the settings catalog, go to Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Applies to:

  • Windows 10
  • Windows 11

Android Open Source Project (AOSP) platform is generally available

Microsoft Intune management of corporate-owned devices that run on the Android Open Source Project (AOSP) platform is now generally available (GA). This feature includes the full suite of capabilities that are available as part of the public preview.

Currently, Microsoft Intune only supports the new Android (AOSP) management option for RealWear devices.

Applies to:

  • Android Open Source Project (AOSP)

Device Firmware Configuration Interface (DFCI) now supports Acer devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type).

New Acer devices running Windows 10/11 will be enabled for DFCI in later 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Acer devices.

Contact your device vendor or device manufacturer to ensure you get eligible devices.

For more information about DFCI profiles in Intune, go to Use Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune.

Applies to:

  • Windows 10
  • Windows 11

New settings available in the iOS/iPadOS and macOS settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings available in the settings catalog. In the Microsoft Intune admin center, you can see these settings at Devices > Manage devices > Configuration > Create > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

New settings include:

Accounts > LDAP:

  • LDAP Account Description
  • LDAP Account Host Name
  • LDAP Account Password
  • LDAP Account Use SSL
  • LDAP Account User Name
  • LDAP Search Settings

Applies to:

  • iOS/iPadOS
  • macOS

The following settings are also in settings catalog. Previously, they were only available in Templates:

Privacy > Privacy Preferences Policy Control:

  • Accessibility
  • Address Book
  • Apple Events
  • Calendar
  • Camera
  • File Provider Presence
  • Listen Event
  • Media Library
  • Microphone
  • Photos
  • Post Event
  • Reminders
  • Screen Capture
  • Speech Recognition
  • System Policy All Files
  • System Policy Desktop Folder
  • System Policy Documents Folder
  • System Policy Downloads Folder
  • System Policy Network Volumes
  • System Policy Removable Volumes
  • System Policy Sys Admin Files

Applies to:

  • macOS

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Device enrollment

Set up enrollment notifications (public preview)

Enrollment notifications inform device users, via email or push notification, when a new device has been enrolled in Microsoft Intune. You can use enrollment notifications for security purposes. They can notify users and help them report devices enrolled in error, or for communicating to employees during the hiring or onboarding process. Enrollment notifications are available to try now in public preview for Windows, Apple, and Android devices. This feature is only supported with user-driven enrollment methods.

Device security

Assign compliance policies to the All devices group

The All devices option is now available for compliance policy assignments. With this option, you can assign a compliance policy to all enrolled devices in your organization that match the policy's platform. You don't need to create a Microsoft Entra group that contains all devices.

When you include the All devices group, you can then exclude individual groups of devices to further refine the assignment scope.

Trend Micro – New mobile threat defense partner

You can now use Trend Micro Mobile Security as a Service as an integrated mobile threat defense (MTD) partner with Intune. By configuring the Trend MTD connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment.

For more information, see:

Grace period status visible on Intune Company Portal website

The Intune Company Portal website now shows a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If they don't update their device by the given date, their status changes to noncompliant. For more information about setting grace periods, see Configure compliance policies with actions for noncompliance.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • RingCentral for Intune by RingCentral, Inc.
  • MangoApps, Work from Anywhere by MangoSpring, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of September 12, 2022

Device management

Intune now requires iOS/iPadOS 14 and higher

With Apple's release of iOS/iPadOS 16, Microsoft Intune and the Intune Company Portal will now require iOS/iPadOS 14 and higher. For more information, see Supported operating systems and browsers in Intune.

Intune now requires macOS 11.6 and higher

With Apple's release of macOS 13 Ventura, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 11.6 (Big Sur) and later. For more information, see Supported operating systems and browsers in Intune.

Week of September 05, 2022

Device management

Remote Help version: 4.0.1.13 release

With Remote Help 4.0.1.13, fixes were introduced to address an issue that prevented people from having multiple sessions open at the same time. The fixes also addressed an issue where the app was launching without focus, and prevented keyboard navigation and screen readers from working on launch.

For more information, go to Use Remote Help with Intune and Microsoft Intune.

Week of August 29, 2022

App management

Updated Microsoft Intune App SDK for Android

The developer guide for the Intune App SDK for Android has been updated. The updated guide provides the following stages:

  • Planning the integration
  • MSAL prerequisite
  • Getting started with MAM
  • MAM integration essentials
  • Multi-Identity
  • App configuration
  • App participation features

For more information, see Intune App SDK for Android.

Week of August 22, 2022

Device management

Use Intune role-based access control (RBAC) for tenant attached devices

You can now use Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Intune admin center. For example, when using Intune as the role-based access control authority, a user with Intune's Help Desk Operator role doesn't need an assigned security role or other permissions from Configuration Manager. For more information, see Intune role-based access control for tenant attached clients.

Week of August 15, 2022 (Service release 2208)

App management

Android strong biometric change detection

The Android Fingerprint instead of PIN for access setting in Intune, which allows the end-user to use fingerprint authentication instead of a PIN, is being modified. This change allows you to require end-users to set strong biometrics. And, if a change in strong biometrics is detected, you can require end-users to confirm their app protection policy (APP) PIN. You can find Android app protection policies in Microsoft Intune admin center by selecting Apps > App protection policies > Create policy > Android. For more information, see Android app protection policy settings in Microsoft Intune.

Noncompliance details available for Android (AOSP) in Microsoft Intune app

Android (AOSP) users can view noncompliance reasons in the Microsoft Intune app. These details describe why a device is marked noncompliant. This information is available on the Device details page for devices enrolled as user-associated Android (AOSP) devices.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Nexis Newsdesk Mobile by LexisNexis
  • My Portal by MangoApps (Android)
  • Re:Work Enterprise by 9Folders, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Device enrollment

Configure zero-touch enrollment from Microsoft Intune admin center

Now you can configure Android zero-touch enrollment from the Microsoft Intune admin center. This feature lets you link your zero-touch account to Intune, add support information, configure zero-touch enabled devices, and customize provisioning extras. For more information about how to enable zero-touch from the admin center, see Enroll by using Google Zero Touch.

Device management

Custom settings for Windows 10/11 device compliance is now generally available

Support for the following custom features is generally available:

Applies to:

  • Windows 10/11

View contents of macOS shell scripts and custom attributes

You can view the contents of macOS shell scripts and custom attributes after you upload the scripts to Intune. You can view Shell scripts and custom attributes in Microsoft Intune admin center by selecting Devices > By platform > macOS. For more information, see Use shell scripts on macOS devices in Intune.

Reset passcode remote action available for Android (AOSP) Corporate devices

You can use Reset passcode remote action from the Microsoft Intune admin center for Android Open Source Project (AOSP) Corporate devices.

For information on remote actions, see:

Applies to:

  • Android Open Source Project (AOSP)

Device configuration

Certificate profiles support for Android (AOSP) devices

You can now use Simple Certificate Enrollment Protocol (SCEP) certificate profiles with corporate-owned and userless devices that run the Android Open Source Project (AOSP) platform.

Import, create, and manage custom ADMX and ADML administrative templates

You can create a device configuration policy that uses built-in ADMX templates. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Administrative templates.

You can also import custom and third party/partner ADMX and ADML templates into the Intune admin center. Once imported, you can create a device configuration policy, assign the policy to your devices, and manage the settings in the policy.

For information, go to:

Applies to:

  • Windows 11
  • Windows 10

Add an HTTP proxy to Wi-Fi device configuration profiles on Android Enterprise

On Android Enterprise devices, you can create a Wi-Fi device configuration profile with basic and enterprise settings. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile for platform > Wi-Fi.

When you create the profile, you can configure an HTTP proxy using a PAC file or configure the settings manually. You can configure an HTTP proxy for each Wi-Fi network in your organization.

When the profile is ready, you can deploy this profile to your Fully Managed, Dedicated, and Corporate-Owned Work Profile devices.

For more information on the Wi-Fi settings you can configure, go to Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Applies to:

  • Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile

iOS/iPadOS settings catalog supports declarative device management (DDM)

On iOS/iPadOS 15+ devices enrolled using User Enrollment, the settings catalog automatically uses Apple's declarative device management (DDM) when configuring settings.

  • No action is required to use DDM. The feature is built into the settings catalog.
  • There's no impact to existing policies in the settings catalog.
  • iOS/iPadOS devices that aren't enabled for DDM continue to use Apple's standard MDM protocol.

For more information, go to:

Applies to:

  • iOS/iPadOS 15 or later devices enrolled using Apple User Enrollment

New macOS settings available in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. New settings are available in the settings catalog. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

New settings include:

Microsoft Auto Update:

  • Current Channel
  • Number of minutes for the final countdown timer

Restrictions:

  • Allow Universal Control

The following settings are also in settings catalog. Previously, they were only available in Templates:

Authentication > Extensible Single Sign On:

  • Extension Data
  • Extension Identifier
  • Hosts
  • Realm
  • Screen Locked Behavior
  • Team Identifier
  • Type
  • URLs

Authentication > Extensible Single Sign On > Extensible Single Sign On Kerberos:

  • Extension Data
  • Allow Automatic Login
  • Allow Password Change
  • Credential Bundle ID ACL
  • Credential Use Mode
  • Custom Username Label
  • Delay User Setup
  • Domain Realm Mapping
  • Help Text
  • Include Kerberos Apps In Bundle ID ACL
  • Include Managed Apps In Bundle ID ACL
  • Is Default Realm
  • Monitor Credentials Cache
  • Perform Kerberos Only
  • Preferred KDCs
  • Principal Name
  • Password Change URL
  • Password Notification Days
  • Password Req Complexity
  • Password Req History
  • Password Req Length
  • Password Req Min Age
  • Password Req Text
  • Require TLS For LDAP
  • Require User Presence
  • Site Code
  • Sync Local Password
  • Use Site Auto Discovery
  • Extension Identifier
  • Hosts
  • Realm
  • Team Identifier
  • Type

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • macOS

New iOS/iPadOS settings in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. There are new iOS/iPadOS settings available in the settings catalog. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS for platform > Settings catalog for profile type. Previously, these settings were only available in Templates:

Authentication > Extensible Single Sign On:

  • Extension Data
  • Extension Identifier
  • Hosts
  • Realm
  • Screen Locked Behavior
  • Team Identifier
  • Type
  • URLs

Authentication > Extensible Single Sign On > Extensible Single Sign On Kerberos:

  • Extension Data
  • Allow Automatic Login
  • Credential Bundle ID ACL
  • Domain Realm Mapping
  • Help Text
  • Include Managed Apps In Bundle ID ACL
  • Is Default Realm
  • Preferred KDCs
  • Principal Name
  • Require User Presence
  • Site Code
  • Use Site Auto Discovery
  • Extension Identifier
  • Hosts
  • Realm
  • Team Identifier
  • Type

System Configuration > Lock Screen Message:

  • Asset Tag Information
  • Lock Screen Footnote

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • iOS/iPadOS

Monitor and troubleshoot

New noncompliant devices and settings report

In Reports > Device Compliance > Reports, there's a new Noncompliant devices and settings organization report. This report:

  • Lists each noncompliant device.
  • For each noncompliant device, it shows the compliance policy settings that the devices aren't compliant with.

For more information on this report, go to Noncompliant devices and settings report (Organizational).

Week of August 1, 2022

Device security

Disable use of UDP connections on your Microsoft Tunnel Gateway servers

You can now disable the use of UDP by your Microsoft Tunnel Servers. When you disable use of UDP, the VPN server supports only TCP connections from tunnel clients. To support use of only TCP connections, your devices must use the generally available version of Microsoft Defender for Endpoint as the Microsoft Tunnel client app as the tunnel client app.

To disable UDP, create or edit a Server configuration for Microsoft Tunnel Gateway and select the checkbox for the new option named Disable UDP Connections.

App management

Company Portal for Windows bulk app install

The Company Portal for Windows now allows users to select multiple apps and install in bulk. From the Apps tab of the Company Portal for Windows, select the multi-select view button on the top right corner of the page. Then, select the checkbox next to each app that you need to install. Next, select the Install Selected button to start installation. All selected apps install at the same time without requiring users to right-click each app or navigate to each app's page. For more information, see Install and share apps on your device and How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Week of July 25, 2022 (Service release 2207)

Device management

Initiate compliance checks for your AOSP devices from the Microsoft Intune app

You can now initiate a compliance check for your AOSP devices from the Microsoft Intune app. Go to Device details. This feature is available on devices that are enrolled via the Microsoft Intune app as user-associated (Android) AOSP devices.

Monitor bootstrap escrow status on a Mac

Monitor the bootstrap token escrow status for an enrolled Mac in the Microsoft Intune admin center. A new hardware property in Intune, called Bootstrap token escrowed, reports whether or not a bootstrap token has been escrowed in Intune. For more information about bootstrap token support for macOS, see Bootstrap tokens.

Enable Common Criteria mode for Android Enterprise devices

For Android Enterprise devices, you can use a new setting, Common Criteria mode, to enable an elevated set of security standards that are typically used by only highly sensitive organizations, such as government establishments.

Applies to:

  • Android 5.0 and newer
  • Android Enterprise corporate owned fully managed
  • Android Enterprise corporate owned dedicated devices
  • Android Enterprise corporate owned work profile

The new setting, Common Criteria mode, is found in the System security category when you configure a Device restrictions template for the Android Enterprise - Fully Managed, Dedicated, and Corporate-Owned Work Profile.

Devices that receive a policy with Common Criteria mode set to Require, elevate security components that include but are not limited to:

  • AES-GCM encryption of Bluetooth Long Term Keys
  • Wi-Fi configuration stores
  • Blocks bootloader download mode, the manual method for software updates
  • Mandates additional key zeroization on key deletion
  • Prevents non-authenticated Bluetooth connections
  • Requires that FOTA updates have 2048-bit RSA-PSS signature

Learn more about Common Criteria:

New hardware detail available for individual devices running on iOS/iPadOS and macOS

In Microsoft Intune admin center, select Devices > All devices > select one of your listed devices and open it's Hardware details. The following new detail is available in the Hardware pane of individual devices:

  • Product name: Shows the product name of the device, such as iPad8,12. Available for iOS/iPadOS and macOS devices.

For more information, see View device details with Microsoft Intune.

Applies to:

  • iOS/iPadOS, macOS

Remote Help Version: 4.0.1.12 release

With Remote Help 4.0.1.12, various fixes were introduced to address the 'Try again later' message that appears when not authenticated. The fixes also include an improved auto-update capability.

For more information, see Use Remote Help with Intune.

Device enrollment

Intune supports sign-in from another device during iOS/iPadOS and macOS Setup Assistant with modern authentication

Users going through automated device enrollment (ADE) can now authenticate by signing in from another device. This option is available for iOS/iPadOS and macOS devices enrolling via Setup Assistant with modern authentication. The screen that prompts device users to sign in from another device is embedded into Setup Assistant and shown to them during enrollment. For more information about the sign-in process for users, see [Get the Intune Company Portal app (../user-help/sign-in-to-the-company-portal.md#sign-in-via-another-device).

Detect and manage hardware changes on Windows Autopilot devices

Microsoft Intune will now alert you when it detects a hardware change on an Autopilot-registered device. You can view and manage all affected devices in the admin center. Also, you can remove the affected device from Windows Autopilot and register it again so that the hardware change is accounted for.

Device configuration

New macOS Microsoft AutoUpdate (MAU) settings in the settings catalog

The settings catalog supports settings for Microsoft AutoUpdate (MAU) (Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type).

The following settings are now available:

Microsoft Auto Update:

  • Automatically acknowledge data collection policy
  • Days before forced updates
  • Deferred updates
  • Disable Office Insider membership
  • Enable AutoUpdate
  • Enable check for updates
  • Enable extended logging
  • Register app on launch
  • Update cache server
  • Update channel
  • Update check frequency (mins)
  • Updater optimization technique

The settings can be used to configure preferences for the following applications:

  • Company Portal
  • Microsoft Auto Update
  • Microsoft Defender
  • Microsoft Defender ATP
  • Microsoft Edge
  • Microsoft Edge Beta
  • Microsoft Edge Canary
  • Microsoft Edge Dev
  • Microsoft Excel
  • Microsoft OneNote
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Remote Desktop
  • Microsoft Teams
  • Microsoft Word
  • OneDrive
  • Skype for Business

For more information about the settings catalog, go to:

For more information about Microsoft AutoUpdate settings you can configure, go to:

Applies to:

  • macOS

New iOS/iPadOS settings in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. There are new iOS/iPadOS settings available in the settings catalog (Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS for platform > Settings catalog for profile type).

New settings include:

Networking > Cellular:

  • Allowed Protocol Mask
  • Allowed Protocol Mask In Domestic Roaming
  • Allowed Protocol Mask In Roaming
  • Authentication Type
  • Name
  • Password
  • Proxy Port
  • Proxy Server
  • Username

The following settings are also in settings catalog. Previously, they were only available in Templates:

User experience > Notifications:

  • Grouping type
  • Preview type
  • Show In Car Play

Printing > Air Print:

  • Force TLS
  • Port

App Management > App Lock:

  • Disable Auto Lock
  • Disable Device Rotation
  • Disable Ringer Switch
  • Disable Sleep Wake Button
  • Disable Touch
  • Disable Volume Buttons
  • Enable Assistive Touch
  • Enable Invert Colors
  • Enable Mono Audio
  • Enable Speak Selection
  • Enable Voice Control
  • Enable Voice Over
  • Enable Zoom
  • Assistive Touch
  • Invert Colors
  • Voice Control
  • Voice Over
  • Zoom

Networking > Domains:

  • Safari Password Auto Fill Domain

Networking > Network Usage Rules:

  • Application Rules
  • Allow Cellular Data
  • Allow Roaming Cellular Data
  • App Identifier Matches

Restrictions:

  • Allow Account Modification
  • Allow Activity Continuation
  • Allow Adding Game Center Friends
  • Allow Air Drop
  • Allow Air Print
  • Allow Air Print Credentials Storage
  • Allow Air Print iBeacon Discovery
  • Allow App Cellular Data Modification
  • Allow App Clips
  • Allow App Installation
  • Allow App Removal
  • Allow Apple Personalized Advertising
  • Allow Assistant
  • Allow Assistant User Generated Content
  • Allow Assistant While Locked
  • Allow Auto Correction
  • Allow Auto Unlock
  • Allow Automatic App Downloads
  • Allow Bluetooth Modification
  • Allow Bookstore
  • Allow Bookstore Erotica
  • Allow Camera
  • Allow Cellular Plan Modification
  • Allow Chat
  • Allow Cloud Backup
  • Allow Cloud Document Sync
  • Allow Cloud Keychain Sync
  • Allow Cloud Photo Library
  • Allow Cloud Private Relay
  • Allow Continuous Path Keyboard
  • Allow Definition Lookup
  • Allow Device Name Modification
  • Allow Diagnostic Submission
  • Allow Diagnostic Submission Modification
  • Allow Dictation
  • Allow Enabling Restrictions
  • Allow Enterprise App Trust
  • Allow Enterprise Book Backup
  • Allow Enterprise Book Metadata Sync
  • Allow Erase Content And Settings
  • Allow ESIM Modification
  • Allow Explicit Content
  • Allow Files Network Drive Access
  • Allow Files USB Drive Access
  • Allow Find My Device
  • Allow Find My Friends
  • Allow Find My Friends Modification
  • Allow Fingerprint For Unlock
  • Allow Fingerprint Modification
  • Allow Game Center
  • Allow Global Background Fetch When Roaming
  • Allow Host Pairing
  • Allow In App Purchases
  • Allow iTunes
  • Allow Keyboard Shortcuts
  • Allow Listed App Bundle IDs
  • Allow Lock Screen Control Center
  • Allow Lock Screen Notifications View
  • Allow Lock Screen Today View
  • Allow Mail Privacy Protection
  • Allow Managed Apps Cloud Sync
  • Allow Managed To Write Unmanaged Contacts
  • Allow Multiplayer Gaming
  • Allow Music Service
  • Allow News
  • Allow NFC
  • Allow Notifications Modification
  • Allow Open From Managed To Unmanaged
  • Allow Open From Unmanaged To Managed
  • Allow OTAPKI Updates
  • Allow Paired Watch
  • Allow Passbook While Locked
  • Allow Passcode Modification
  • Allow Password Auto Fill
  • Allow Password Proximity Requests
  • Allow Password Sharing
  • Allow Personal Hotspot Modification
  • Allow Photo Stream
  • Allow Podcasts
  • Allow Predictive Keyboard
  • Allow Proximity Setup To New Device
  • Allow Radio Service
  • Allow Remote Screen Observation
  • Allow Safari
  • Allow Screenshot
  • Allow Shared Device Temporary Session
  • Allow Shared Stream
  • Allow Spell Check
  • Allow Spotlight Internet Results
  • Allow System App Removal
  • Allow UI App Installation
  • Allow UI Configuration Profile Installation
  • Allow Unmanaged To Read Managed Contacts
  • Allow Unpaired External Boot To Recovery
  • Allow Untrusted TLS Prompt
  • Allow USB Restricted Mode
  • Allow Video Conferencing
  • Allow Voice Dialing
  • Allow VPN Creation
  • Allow Wallpaper Modification
  • Autonomous Single App Mode Permitted App IDs
  • Blocked App Bundle IDs
  • Enforced Software Update Delay
  • Force Air Drop Unmanaged
  • Force Air Play Outgoing Requests Pairing Password
  • Force Air Print Trusted TLS Requirement
  • Force Assistant Profanity Filter
  • Force Authentication Before Auto Fill
  • Force Automatic Date And Time
  • Force Classroom Automatically Join Classes
  • Force Classroom Request Permission To Leave Classes
  • Force Classroom Unprompted App And Device Lock
  • Force Delayed Software Updates
  • Force Encrypted Backup
  • Force iTunes Store Password Entry
  • Force Limit Ad Tracking
  • Force On Device Only Dictation
  • Force On Device Only Translation
  • Force Watch Wrist Detection
  • Force WiFi Power On
  • Force WiFi To Allowed Networks Only
  • Require Managed Pasteboard
  • Safari Accept Cookies
  • Safari Allow Autofill
  • Safari Allow JavaScript
  • Safari Allow Popups
  • Safari Force Fraud Warning

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • iOS/iPadOS

New macOS settings available in the settings catalog

The settings catalog lists all the settings you can configure in a device policy, and all in one place. New settings are available in the settings catalog (Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type).

New settings include:

System configuration > System extensions:

  • Removable System Extensions

The following settings are also in settings catalog. Previously, they were only available in Templates:

System configuration > System extensions:

  • Allow User Overrides
  • Allowed System Extension Types
  • Allowed System Extensions
  • Allowed Team Identifiers

For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • macOS

New search feature in Preview devices when creating a filter

In Microsoft Intune admin center, you can create filters, and then use these filters when assigning apps and policies (Devices > Organize devices > Filters > Create).

When you create a filter, you can select Preview devices to see a list of enrolled devices that match your filter criteria. In Preview devices, you can also search through the list using the device name, OS version, device model, device manufacturer, user principal name of the primary user, and device ID.

For more information on filters, go to Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Week of July 18, 2022

Device management

New event viewers to help debug WMI issues

Intune's remote action to collect diagnostics has been expanded to collect details about Windows Management Instrumentation (WMI) app issues.

The new event viewers include:

  • Microsoft-Windows-WMI-Activity/Operational
  • Microsoft-Windows-WinRM/Operational

For more information about Windows device diagnostics, see Collect diagnostics from a Windows device.

Week of July 4, 2022

Device management

Endpoint analytics scores per device model

Endpoint analytics now displays scores by device model. These scores help admins contextualize the user experience across device models in the environment. Scores per model and per device are available in all Endpoint analytics reports, including the Work from anywhere report.

Monitor and troubleshoot

Use Collect diagnostics to collect details about Windows expedited updates

Intune's remote action to Collect diagnostics now collects more details about Windows expedited updates that you deploy to devices. This information can be of use when troubleshooting problems with expedited updates.

The new details that are collected include:

  • Files: C:\Program Files\Microsoft Update Health Tools\Logs\*.etl
  • Registry Keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate