What's new in Microsoft Intune

Learn what's new each week in Microsoft Intune. You can also find important notices, past releases, and information about how Intune service updates are released.

Note: Each monthly update may take up to three days to roll out and will be in the following order:
Some features may roll out over several weeks and might not be available to all customers in the first week. For a list of upcoming Intune feature releases, see In development for Microsoft Intune. For new information about Autopilot, see Windows Autopilot What's New. You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Week of October 10, 2022

Device management

Microsoft Endpoint Manager branding change

As of October 12, 2022, the name Microsoft Endpoint Manager will no longer be used. Going forward, we'll refer to cloud-based unified endpoint management as Microsoft Intune and on-premises management as Microsoft Configuration Manager. With the launch of advanced management, Microsoft Intune will also become the name of our growing product family for endpoint management solutions at Microsoft. For details, see the official announcement on the endpoint management Tech Community blog. Documentation changes are ongoing to remove Microsoft Endpoint Manager. For related information, see Endpoint management documentation.

Grace period status visible in Windows Company Portal

Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see Configure compliance policies with actions for noncompliance and Check access from Device details page.

Linux device management available in Microsoft Intune

Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. Intune admins don't need to do anything to enable Linux enrollment in the Microsoft Endpoint Manager admin center. Linux users can enroll supported Linux devices on their own and use the Microsoft Edge browser to access corporate resources online. In the admin center, you can:
Week of October 03, 2022

Device security

Non-compliance warning message includes a link

A link has been added to the notification View device compliance information, and it allows a helper to learn more about why the device is not compliant in Microsoft Endpoint Manager. If the device that the helper is connecting to is not compliant with your organization's assigned security policies, then the non-compliance warning about that device is displayed along with a link. For more information, go to Monitor Device compliance.

Applies to: Windows 10/11

Week of September 26, 2022

Monitor and troubleshoot

Open Help and Support without losing your context in the Microsoft Endpoint Manager admin center

You can now use the ? icon in the Microsoft Endpoint Manager admin center to open a help and support session without losing your current node of focus in the admin center. The ? icon is always available in the upper right of the title bar of the admin center. This change adds an additional method for accessing Help and support. When you select ?, the admin center opens the help and support view in a new and separate side-by-side pane. By opening this separate pane, you'll be free to navigate the support experience without affecting your original location and focus in the admin center.

Week of September 19, 2022 (Service release 2209)

App management

New app types for Microsoft Endpoint Manager

As an admin, you will be able to create and assign two new types of Intune apps:
These new app types work in a similar way to the existing web link application type; however, they apply only to their specific platform, whereas web link applications apply across all platforms. With these new app types, you can assign to groups and also use assignment filters to limit the scope of assignment. You will find this functionality in the Microsoft Endpoint Manager admin center by selecting Apps > All Apps > Add.

Device management

Microsoft Intune will be ending support for Windows 8.1

Microsoft Intune will be ending support on October 21, 2022 for devices running Windows 8.1. After that date, technical assistance and automatic updates that help protect your devices running Windows 8.1 will no longer be available. Additionally, because the sideloading scenario for line-of-business apps is only applicable to Windows 8.1 devices, Intune will no longer support Windows 8.1 sideloading. Sideloading is installing, and then running or testing, an app that isn't certified by the Microsoft Store. In Windows 10/11, "sideloading" is simply setting a device config policy to include "Trusted app installation". For more information, see Plan for Change: Ending support for Windows 8.1.

Group member count visible in assignments

When assigning policies in the admin center, you can now see the number of users and devices in a group. Having both counts will help you pinpoint the right group and understand the impact the assignment has before you apply it.

Device configuration

New lock screen message when adding custom support information to Android Enterprise devices

On Android Enterprise devices, you can create a device restrictions configuration profile that shows a custom support message on the devices (Devices > Configuration profiles > Create profile > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type > Custom support information). There's a new setting you can configure:
When you configure the Lock screen message, you can also use the following device tokens to show device-specific information:
Note: Variables aren't validated in the UI and are case sensitive. As a result, you may see profiles saved with incorrect input. For example, if you enter

For more information on this setting, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:
Filter on the user scope or device scope in the Settings Catalog for Windows devices

When you create a Settings Catalog policy, you can use Add settings > Add filter to filter settings based on the Windows OS edition (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Settings Catalog (preview) for profile type). When you Add filter, you can also filter the settings by user scope or device scope. For more information on the settings catalog, go to Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices.

Applies to:
Android Open Source Project (AOSP) platform is generally available

Microsoft Intune management of corporate-owned devices that run on the Android Open Source Project (AOSP) platform is now generally available (GA). This includes the full suite of capabilities that were made available as part of the public preview. Currently, Microsoft Intune only supports the new Android (AOSP) management option for RealWear devices.
Applies to:
Device Firmware Configuration Interface (DFCI) now supports Acer devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type). New Acer devices running Windows 10/11 will be enabled for DFCI later in 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Acer devices. Contact your device vendor or device manufacturer to ensure you get eligible devices. For more information about DFCI profiles in Intune, go to Use Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune.

Applies to:
New settings available in the iOS/iPadOS and macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, all in one place. There are new settings available in the Settings Catalog. In the Microsoft Endpoint Manager admin center, you can see these settings at Devices > Configuration profiles > Create profile > iOS/iPadOS or macOS for platform > Settings catalog for profile type. New settings include:

Accounts > LDAP:
Applies to:
The following settings are also in the Settings Catalog. Previously, they were only available in Templates:

Privacy > Privacy Preferences Policy Control:
Applies to:
For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Device enrollment

Set up enrollment notifications (public preview)

Enrollment notifications inform device users, via email or push notification, when a new device has been enrolled in Microsoft Intune. You can use enrollment notifications for security purposes, to notify users and help them report devices enrolled in error, or for communicating with employees during the hiring or onboarding process. Enrollment notifications are available to try now in public preview for Windows, Apple, and Android devices. This feature is only supported with user-driven enrollment methods.

Device security

Assign compliance policies to the All devices group

The All devices option is now available for compliance policy assignments. With this option you can assign a compliance policy to all enrolled devices in your organization that match the policy's platform, without needing to create an Azure Active Directory group that contains all devices. When you include the All devices group, you can then exclude individual groups of devices to further refine the assignment scope.

Trend Micro – New mobile threat defense partner

You can now use Trend Micro Mobile Security as a Service as an integrated mobile threat defense (MTD) partner with Intune. By configuring the Trend MTD connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment. For more information, see:
Grace period status visible on Intune Company Portal website

The Intune Company Portal website now shows a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If they don't update their device by the given date, their status changes to noncompliant. For more information about setting grace periods, see Configure compliance policies with actions for noncompliance.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Week of September 12, 2022

Device management

Intune now requires iOS/iPadOS 14 and higher

With Apple's release of iOS/iPadOS 16, Microsoft Intune and the Intune Company Portal will now require iOS/iPadOS 14 and higher. For related information, see Supported operating systems and browsers in Intune.

Intune now requires macOS 11.6 and higher

With Apple's release of macOS 13 Ventura, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 11.6 (Big Sur) and later. For related information, see Supported operating systems and browsers in Intune.

Week of September 05, 2022

Device management

Remote help version: 4.0.1.13 release

With Remote help 4.0.1.13, fixes were introduced to address an issue that prevented people from having multiple sessions open at the same time. The fixes also addressed an issue where the app was launching without focus, which prevented keyboard navigation and screen readers from working on launch. For more information, go to Use remote help with Intune and Microsoft Endpoint Manager.

Week of August 29, 2022

App management

Updated Microsoft Intune App SDK for Android

The developer guide for the Intune App SDK for Android has been updated. The updated guide provides the following stages:
For more information, see Intune App SDK for Android.

Week of August 22, 2022

Device management

Use Intune role-based access control (RBAC) for tenant attached devices

You can now use Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Endpoint Manager admin center. For example, when using Intune as the role-based access control authority, a user with Intune's Help Desk Operator role doesn't need an assigned security role or additional permissions from Configuration Manager. For more information, see Intune role-based access control for tenant attached clients.

Week of August 15, 2022 (Service release 2208)

App management

Android strong biometric change detection

The Android Fingerprint instead of PIN for access setting in Intune, which allows the end user to use fingerprint authentication instead of a PIN, is being modified. This change will allow you to require end users to set strong biometrics, as well as require end users to confirm their app protection policy (APP) PIN if a change in strong biometrics is detected. You can find Android app protection policies in the Microsoft Endpoint Manager admin center by selecting Apps > App protection policies > Create policy > Android. For more information, see Android app protection policy settings in Microsoft Intune.

Noncompliance details available for Android (AOSP) in Microsoft Intune app

Android (AOSP) users can view noncompliance reasons in the Microsoft Intune app. These details describe why a device is marked noncompliant, and are available on the Device details page for devices enrolled as user-associated Android (AOSP) devices.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Device enrollment

Configure zero-touch enrollment from Microsoft Endpoint Manager admin center

Now you can configure Android zero-touch enrollment from the Microsoft Endpoint Manager admin center. This feature lets you link your zero-touch account to Intune, add support information, configure zero-touch enabled devices, and customize provisioning extras. For more information about how to enable zero-touch from the admin center, see Enroll by using Google Zero Touch.

Device management

Custom settings for Windows 10/11 device compliance is now generally available

Support to create custom compliance policy settings for Windows devices using PowerShell scripts, and to create custom compliance rules and remediation messages that appear in the Company Portal, is now generally available.

Applies to:
View contents of macOS shell scripts and custom attributes

You can view the contents of macOS shell scripts and custom attributes after you upload them to Intune. You can view shell scripts and custom attributes in the Microsoft Endpoint Manager admin center by selecting Devices > macOS. For related information, see Use shell scripts on macOS devices in Intune.

Reset passcode remote action available for Android (AOSP) Corporate devices

You'll be able to use the Reset passcode remote action from the Microsoft Endpoint Manager admin center for Android Open Source Project (AOSP) Corporate devices. For information on remote actions, see:
Applies to:
Device configuration

Certificate profiles support for Android (AOSP) devices

You can now use Simple Certificate Enrollment Protocol (SCEP) certificate profiles with corporate-owned and userless devices that run the Android Open Source Project (AOSP) platform.

Import, create, and manage custom ADMX and ADML administrative templates

You can create a device configuration policy that uses built-in ADMX templates. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Administrative templates. You can also import custom and third-party/partner ADMX and ADML templates into the Endpoint Manager admin center. Once imported, you can create a device configuration policy, assign the policy to your devices, and manage the settings in the policy. For information, go to:
Applies to:
Add an HTTP proxy to Wi-Fi device configuration profiles on Android Enterprise

On Android Enterprise devices, you can create a Wi-Fi device configuration profile with basic and enterprise settings. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile > Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile for platform > Wi-Fi. When you create the profile, you can configure an HTTP proxy using a PAC file or configure the settings manually. You can configure an HTTP proxy for each Wi-Fi network in your organization. When the profile is ready, you can deploy it to your Fully Managed, Dedicated, and Corporate-Owned Work Profile devices. For more information on the Wi-Fi settings you can configure, go to Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Applies to:
iOS/iPadOS settings catalog supports declarative device management (DDM)

On iOS/iPadOS 15+ devices enrolled using User Enrollment, the settings catalog automatically uses Apple's declarative device management (DDM) when configuring settings.
For more information, go to:
Applies to:
New macOS settings available in the Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, all in one place. New settings are available in the Settings Catalog. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type. New settings include:

Microsoft Auto Update:
Restrictions:
The following settings are also in the Settings Catalog. Previously, they were only available in Templates:

Authentication > Extensible Single Sign On:
Authentication > Extensible Single Sign On > Extensible Single Sign On Kerberos:
For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:
New iOS/iPadOS settings in the Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, all in one place. There are new iOS/iPadOS settings available in the Settings Catalog. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Settings catalog for profile type. Previously, these settings were only available in Templates:

Authentication > Extensible Single Sign On:
Authentication > Extensible Single Sign On > Extensible Single Sign On Kerberos:
System Configuration > Lock Screen Message:
For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:
Monitor and troubleshoot

New noncompliant devices and settings report

In Reports > Device Compliance > Reports, there's a new Noncompliant devices and settings organizational report. This report:
For more information on this report, go to Noncompliant devices and settings report (Organizational).

Week of August 1, 2022

Device security

Disable use of UDP connections on your Microsoft Tunnel Gateway servers

You can now disable the use of UDP by your Microsoft Tunnel servers. When you disable use of UDP, the VPN server supports only TCP connections from tunnel clients. To support use of only TCP connections, your devices must use the generally available version of Microsoft Defender for Endpoint as the Microsoft Tunnel client app. To disable UDP, create or edit a Server configuration for Microsoft Tunnel Gateway and select the checkbox for the new option named Disable UDP Connections.

App management

Company Portal for Windows bulk app install

The Company Portal for Windows now allows users to select multiple apps and install them in bulk. From the Apps tab of the Company Portal for Windows, select the multi-select view button in the top right corner of the page. Then, select the checkbox next to each app that you need to install. Next, select the Install Selected button to start installation. All selected apps will install at the same time without requiring users to right-click each app or navigate to each app's page. For related information, see Install and share apps on your device and How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Week of July 25, 2022 (Service release 2207)

Device management

Initiate compliance checks for your AOSP devices from the Microsoft Intune app

You can now initiate a compliance check for your AOSP devices from the Microsoft Intune app. Go to Device details. This feature is available on devices that are enrolled via the Microsoft Intune app as user-associated Android (AOSP) devices.

Monitor bootstrap escrow status on a Mac

Monitor the bootstrap token escrow status for an enrolled Mac in the Microsoft Endpoint Manager admin center. A new hardware property in Intune, called Bootstrap token escrowed, reports whether or not a bootstrap token has been escrowed in Intune. For more information about bootstrap token support for macOS, see Bootstrap tokens.

Enable Common Criteria mode for Android Enterprise devices

For Android Enterprise devices, you can use a new setting, Common Criteria mode, to enable an elevated set of security standards that are typically used only by highly sensitive organizations, such as government establishments.

Applies to:
The new setting, Common Criteria mode, is found in the System security category when you configure a Device restrictions template for the Android Enterprise - Fully Managed, Dedicated, and Corporate-Owned Work Profile. Devices that receive a policy with Common Criteria mode set to Require elevate security components that include, but are not limited to:
Learn more about Common Criteria:
New hardware detail available for individual devices running on iOS/iPadOS and macOS

In the Microsoft Endpoint Manager admin center, select Devices > All devices, select one of your listed devices, and open its Hardware details. The following new detail is available in the Hardware pane of individual devices:
For more information, see View device details with Microsoft Intune.

Applies to:
Remote help version: 4.0.1.12 release

With Remote help 4.0.1.12, various fixes were introduced to address the 'Try again later' message that appears when not authenticated. The fixes also include an improved auto-update capability. For more information, see Use remote help with Intune and Microsoft Endpoint Manager.

Device enrollment

Intune supports sign-in from another device during iOS/iPadOS and macOS Setup Assistant with modern authentication

Users going through automated device enrollment (ADE) can now authenticate by signing in from another device. This option is available for iOS/iPadOS and macOS devices enrolling via Setup Assistant with modern authentication. The screen that prompts device users to sign in from another device is embedded into Setup Assistant and shown to them during enrollment. For more information about the sign-in process for users, see Get the Intune Company Portal app.

Detect and manage hardware changes on Windows Autopilot devices

Microsoft Intune will now alert you when it detects a hardware change on an Autopilot-registered device. You can view and manage all affected devices in the admin center. Additionally, you have the option to remove the affected device from Windows Autopilot and register it again so that the hardware change is accounted for.

Device configuration

New macOS Microsoft AutoUpdate (MAU) settings in the Settings Catalog

The Settings Catalog supports settings for Microsoft AutoUpdate (MAU) (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog (preview) for profile type). The following settings are now available:

Microsoft Auto Update:
The settings can be used to configure preferences for the following applications:
For more information about the Settings Catalog, go to:
For more information about Microsoft AutoUpdate settings you can configure, go to:
Applies to:
New iOS/iPadOS settings in the Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, all in one place. There are new iOS/iPadOS settings available in the Settings Catalog (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Settings catalog for profile type). New settings include:

Networking > Cellular:
The following settings are also in the Settings Catalog. Previously, they were only available in Templates:

User experience > Notifications:
Printing > Air Print:
App Management > App Lock:
Networking > Domains:
Networking > Network Usage Rules:
Restrictions:
For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:
New macOS settings available in the Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, all in one place. New settings are available in the Settings Catalog (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type). New settings include:

System configuration > System extensions:
The following settings are also in the Settings Catalog. Previously, they were only available in Templates:

System configuration > System extensions:
For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:
New search feature in Preview devices when creating a filter

In the Microsoft Endpoint Manager admin center, you can create filters, and then use these filters when assigning apps and policies (Devices > Filters > Create). When you create a filter, you can select Preview devices to see a list of enrolled devices that match your filter criteria. In Preview devices, you can also search through the list using the device name, OS version, device model, device manufacturer, user principal name of the primary user, and device ID. For more information on filters, go to Use filters when assigning your apps, policies, and profiles in Microsoft Endpoint Manager.

Week of July 18, 2022

Device management

New event viewers to assist in debugging WMI issues

Intune's remote action to collect diagnostics has been expanded to collect details about Windows Management Instrumentation (WMI) app issues. The new event viewers include the following:
For more information about Windows device diagnostics, see Collect diagnostics from a Windows device.

Week of July 4, 2022

Device management

Endpoint analytics scores per device model

Endpoint analytics now displays scores by device model. These scores help admins contextualize the user experience across device models in the environment. Scores per model and per device are available in all Endpoint analytics reports, including the Work from anywhere report.

Monitor and troubleshoot

Use Collect diagnostics to collect details about Windows expedited updates

Intune's remote action to Collect diagnostics now collects additional details about Windows expedited updates that you deploy to devices. This information can be of use when troubleshooting problems with expedited updates. The new details that are collected include:
Week of June 27, 2022 (Service release 2206)

App management

Enterprise feedback policies for Web Company Portal

Feedback settings are now available to address M365 enterprise feedback policies for the currently logged-in user via the Microsoft 365 Apps admin center. The settings are used to determine whether feedback can be enabled or must be disabled for a user in the Web Company Portal. For related information, see Configure feedback settings for Company Portal and Microsoft Intune apps.

App Protection Policies with Android Enterprise dedicated devices and Android (AOSP) devices

Intune-managed Android Enterprise dedicated devices enrolled with Azure Active Directory (Azure AD) shared mode and Android (AOSP) devices can now receive app protection policies and can be targeted separately from other Android device types. For related information, see Add Managed Google Play apps to Android Enterprise devices with Intune. For more information about Android Enterprise dedicated devices and Android (AOSP), see Android Enterprise dedicated devices.

Device security

Users assigned the Endpoint Security Manager admin role can modify Mobile Threat Defense connector settings

We've updated the permissions of the built-in Endpoint Security Manager admin role. The role now has the Modify permission for the Mobile Threat Defense category set to Yes. With this change, users assigned this role have permission to change the Mobile Threat Defense connector (MTD connector) settings for your tenant. Previously, this permission was set to No. If you missed the previous notice about this coming change, now is a good time to review the users that are assigned the Endpoint Security Manager role for your tenant. If any should not have permissions to edit the MTD connector settings, update their role permissions or create a custom role that includes only Read permissions for Mobile Threat Defense. View the full list of permissions for the built-in Endpoint Security Manager role.
Improved certificate profile support for Android Enterprise Fully Managed devices

We've improved our PKCS and SCEP certificate profile support for Android Enterprise Fully Managed (Device Owner) devices. You can now use the Intune device ID variable, CN={{DeviceID}}, as the subject alternative name (SAN) in your certificates for these devices.

Device configuration

Certificate profiles support for Android (AOSP) devices

You can now use the following certificate profiles with corporate-owned and userless devices that run the Android Open Source Project (AOSP) platform:
New settings for DFCI profiles on Windows 10/11 devices

On Windows 10/11 devices, you can create a Device Firmware Configuration Interface (DFCI) profile (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type). DFCI profiles let Intune pass management commands to UEFI (Unified Extensible Firmware Interface) using the DFCI firmware layer. This additional firmware layer makes configuration more resilient to malicious attacks. DFCI also limits end users' control over the BIOS by graying out managed settings. There are new settings you can configure:
For more information, see the following resources:
Applies to:
Add custom support information to Android Enterprise devices

On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration profiles > Create profile > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type > Custom support information). There are some new settings you can configure:
By default, the OEM default messages are shown. When you deploy a custom message, the Intune default message is also deployed. If you don't enter a custom message for the device's default language, then the Intune default message is shown. For example, you deploy a custom message for English and French. The user changes the device's default language to Spanish. Since you didn't deploy a custom message for Spanish, the Intune default message is shown. The Intune default message is translated for all languages in the Endpoint Manager admin center (Settings > Language + Region). The Language setting value determines the default language used by Intune. By default, it's set to English. In the policy, you can customize the messages for the following languages:
For more information on these settings and the other settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune. Applies to:
Create and deploy Wi-Fi profiles to Android AOSP devices
You can create, configure, and deploy a Wi-Fi profile to your Android AOSP devices. For more information on these settings, go to Add Wi-Fi settings for Android (AOSP) devices in Microsoft Intune. Applies to:
Settings catalog is generally available (GA) for Windows and macOS devices
The settings catalog is generally available (GA). For more information, go to:
Applies to:
Migrate feature in Group policy analytics supports sovereign clouds
Using Group Policy analytics, you can import your on-premises GPOs, and create a settings catalog policy using these GPOs. Previously, this Migrate feature wasn't supported on Sovereign Clouds. The Migrate feature is now supported on Sovereign Clouds. For more information on these features, go to:
iOS/iPadOS platform is in Settings Catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. The iOS/iPadOS platform and some settings are now available in the Settings Catalog (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Settings catalog for profile type). New settings include:
Accounts > Caldav:
Accounts > Carddav:
AirPlay:
Proxies > Global HTTP Proxy:
The following settings are also in Settings Catalog. Previously, they were only available in Templates:
Networking > Domains:
Printing > Air Print:
Restrictions:
Security > Passcode:
User Experience > Notifications:
For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog. Applies to:
Use TEAP authentication in wired networks device configuration profiles for Windows devices
On Windows devices, you can create a Wired Networks device configuration profile that supports the Extensible Authentication Protocol (EAP) (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Wired networks for profile type). When you create the profile, you can use the Tunnel Extensible Authentication Protocol (TEAP). For more information on wired networks, go to Add and use wired networks settings on your macOS and Windows devices in Microsoft Intune. Applies to:
Unlock the work profile on Android Enterprise corporate owned work profile (COPE) devices after a set time using password, PIN, or pattern
On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration profiles > Create profile > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type). On Android Enterprise COPE devices, you can configure the Work profile password > Required unlock frequency setting. Use this setting to select how long users have before they're required to unlock the work profile using a strong authentication method. For more information on this setting, go to Android Enterprise device settings to allow or restrict features using Intune. Applies to:
New macOS settings in Settings Catalog
The Settings Catalog has new macOS settings you can configure (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type):
Accounts > Caldav:
Accounts > Carddav:
User Experience > Dock:
System Configuration > Energy Saver:
System Configuration > System Logging:
System Configuration > Time Server:
The following settings are also in Settings Catalog. Previously, they were only available in Templates:
Security > Passcode:
There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies. For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune. Applies to:
New Microsoft Office and Microsoft Outlook preference settings in the macOS Settings Catalog
The Settings Catalog supports preference settings for Microsoft Office and Microsoft Outlook (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog (preview) for profile type). The following settings are available:
Microsoft Office > Microsoft Office:
Microsoft Office > Microsoft Outlook:
For more information about the Settings Catalog, go to:
For more information about Microsoft Office and Outlook settings you can configure, go to:
Applies to:
Device management
Remotely restart and shut down macOS device
You'll be able to remotely restart or shut down a macOS device using device actions. These device actions are available for devices running macOS 10.13 and later. For more information, see Restart devices with Microsoft Intune.
Additional Remote actions for Android (AOSP) Corporate devices
For Android Open Source Project (AOSP) Corporate devices, you can soon leverage additional remote actions from the Microsoft Endpoint Manager admin center - Reboot and Remote lock. For information about these features, see:
Applies to:
User configuration support for Windows 11 multi-session VMs is in public preview
You'll be able to:
Applies to:
Note
User support for Windows 10 multi-session builds will be available later this year. For more information, go to Using Azure Virtual Desktop multi-session with Microsoft Intune.
View a managed device's group membership
In the Devices workload of Intune, you can view the group membership of all Azure AD groups for a managed device. You can select Group Membership by signing in to Microsoft Endpoint Manager admin center and selecting Devices > All Devices > select a device > Group Membership. For more information, see Device group membership report.
Improved certificate reporting details
We’ve changed what Intune displays when you view certificate details for devices and certificate profiles. To view the report, in the Microsoft Endpoint Manager admin center go to Devices > Monitor > Certificates. With the improved reporting view, Intune displays information for the following:
The report no longer displays details for certificates that are not valid or that are no longer on a device.
Device enrollment
Utilize bootstrap tokens on macOS devices
Bootstrap token support, previously in public preview, is now generally available to all Microsoft Intune customers, including GCC High and Microsoft Azure Government Cloud tenants. Intune supports the use of bootstrap tokens on enrolled devices running macOS, version 10.15 or later. Bootstrap tokens allow non-admin users to have increased MDM permissions, and perform specific software functions on behalf of the IT admin. Bootstrap tokens are supported on:
For more information about how bootstrap tokens work with Intune, see Set up enrollment for macOS devices.
Intune apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
Week of June 13, 2022
Device security
Microsoft Tunnel support for Red Hat Enterprise Linux 8.6
You can now use Red Hat Enterprise Linux (RHEL) 8.6 with Microsoft Tunnel. There are no additional requirements beyond those that are needed for RHEL 8.5 support. Like RHEL 8.5, you can use the readiness tool (mst-readiness) to check for the presence of the ip_tables module in the Linux kernel. By default, RHEL 8.6 doesn’t load the ip_tables module. For Linux servers that don't load the module, we've provided instructions to load it immediately, and to configure the Linux server to automatically load it at boot.
Week of June 6, 2022
App management
Photo library data transfer support via app protection policies
You can now select to include Photo Library as a supported application storage service. By selecting Photo Library from the Allow users to open data from selected services or the Allow users to save data to selected services setting within Intune, you can allow managed accounts to allow incoming and outgoing data to and from their device's photo library to their managed apps on iOS and Android platforms. In Microsoft Endpoint Manager admin center, select Apps > App protection policies > Create Policy. Choose either iOS/iPadOS or Android. This setting is available as part of the Data protection step and specifically for Policy managed apps. For related information, see Data protection.
UI improvements show Android enrollment is available, not required
We updated the iconography in the Company Portal for Android app to make it easier for users to recognize when device enrollment is available to them but not required. The new iconography appears in scenarios where the device enrollment availability is set to Available, no prompts in the admin center (Tenant admin > Customization > Create or Edit a policy > Settings). Changes include:
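The Microsoft Tunnel note for RHEL 8.6 above says the ip_tables kernel module is not loaded by default and must be loaded now and at every boot. The following POSIX shell helper is an added example, not part of the release notes and not the mst-readiness tool: it parses lsmod output for the module, loads it with modprobe if missing, and writes a systemd modules-load.d drop-in so the module is loaded on boot. The drop-in file name and the sample lsmod listings are constructed for illustration; Microsoft's own instructions may differ in detail.

```shell
# Added example (not from the Intune release notes, not the mst-readiness tool).
# Checks whether the ip_tables kernel module is loaded and makes the setting
# persistent across reboots via /etc/modules-load.d (file name is our choice).

# Return 0 if ip_tables appears in an lsmod-style listing passed as $1, else 1.
# lsmod prints one module per line: "<name> <size> <used-by-count> [users]",
# so matching on the first field avoids false hits on names like "ip_tables_x".
ip_tables_loaded_in() {
    printf '%s\n' "$1" | awk '$1 == "ip_tables" { found = 1 } END { exit found ? 0 : 1 }'
}

# The same check against the running kernel (what you run on the Tunnel host).
ip_tables_loaded() {
    ip_tables_loaded_in "$(lsmod 2>/dev/null)"
}

# Content of the modules-load.d drop-in. systemd-modules-load(8) reads
# /etc/modules-load.d/*.conf at boot and runs modprobe for each listed module.
modules_load_conf() {
    printf '# Load ip_tables at boot (Microsoft Tunnel prerequisite)\nip_tables\n'
}

# Load the module now if needed, then persist the setting. Requires root.
ensure_ip_tables() {
    if ip_tables_loaded; then
        echo "ip_tables already loaded"
    else
        modprobe ip_tables || return 1
    fi
    modules_load_conf > /etc/modules-load.d/ip_tables.conf
}

# Constructed sample: a RHEL 8.6 host where the module is not loaded.
SAMPLE_LSMOD_MISSING='Module                  Size  Used by
nf_tables             180224  0
overlay               139264  0'

# Constructed sample: the same host after "modprobe ip_tables".
SAMPLE_LSMOD_LOADED='Module                  Size  Used by
ip_tables              28672  0
nf_tables             180224  0'

# Dry run against the constructed samples (no root needed).
if ip_tables_loaded_in "$SAMPLE_LSMOD_MISSING"; then
    echo "sample 1: ip_tables loaded"
else
    echo "sample 1: ip_tables missing, modprobe required"
fi
if ip_tables_loaded_in "$SAMPLE_LSMOD_LOADED"; then
    echo "sample 2: ip_tables loaded"
fi
```

Run `ensure_ip_tables` as root on the Tunnel server; the dry-run lines at the bottom only exercise the parser on the constructed samples. Matching the first field of lsmod rather than grepping the whole line is deliberate, so a module whose dependency list happens to mention ip_tables is not mistaken for the module itself.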
To view screenshots of the changes, see UI updates for Intune end-user apps.
Device management
Windows Update compatibility reports for Apps and Drivers (public preview)
In public preview, two Windows Update compatibility reports are now available to help you prepare for a Windows upgrade or update. These reports fill a gap that is currently covered by Desktop Analytics, which is scheduled to be retired on November 30, 2022. Use these reports to help you plan for an upgrade from Windows 10 to 11 or for installing the latest Windows feature update:
These reports are rolling out to tenants over the next week. If you don't see them yet, check back again in a day or so. To learn about prerequisites, licensing, and what information is available with these reports, see Windows Update compatibility reports.
Week of May 30, 2022 (Service release 2205)
App management
iOS Company Portal minimum required version
Starting June 1, 2022, the minimum supported version of the iOS Company Portal app will be v5.2205. If your users are running v5.2204 or below, they will be prompted for an update at login. If you have enabled the Block installing apps using App Store device restriction setting, you will likely need to push an update to the related devices that use this setting. Otherwise, no action is needed. If you have a helpdesk, you may want to make them aware of the prompt to update the Company Portal app. In most cases, users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. For related information, see Intune Company Portal.
Push notifications are automatically sent when device ownership changes from Personal to Corporate
For iOS/iPad and Android devices, a push notification is now automatically sent when a device's ownership type is changed from Personal to Corporate. The notification is pushed through the Company Portal app on the device. With this change, we've removed the Company Portal configuration setting that was previously used to manage this notification behavior.
iOS/iPadOS notifications require March Company Portal or newer
With Intune's May (2205) service release, we have made service side updates to iOS/iPadOS notifications that require users to have the March Company Portal app (version 5.2203.0) or newer. If you are using functionality that could generate iOS/iPadOS Company Portal push notifications, you must ensure your users update the iOS/iPadOS Company Portal to continue receiving push notifications. There is no additional change in functionality.
For related information, see Update the Company Portal app.
Deployment of macOS LOB apps by uploading PKG-type installer files is now generally available
You can now deploy macOS line-of-business (LOB) apps by uploading PKG-type installer files to Intune. This capability is out of public preview and is now generally available. To add a macOS LOB app from Microsoft Endpoint Manager admin center, select Apps > macOS > Add > Line-of-business app. Additionally, the App Wrapping Tool for macOS will no longer be required to deploy macOS LOB apps. For related information, see How to add macOS line-of-business (LOB) apps to Microsoft Intune.
Improved report experience on the Managed Apps pane
The Managed Apps pane has been updated to better display managed app details for a device. You can switch between displaying managed app details for the primary user and other users on a device, or display app details for the device without any user. The generated app details will be displayed using the primary user of the device when the report is initially loaded, or displayed with no primary user if none exists. For more information, see Managed Apps report.
MSfB licenses and Apple VPP licenses
Removing an Intune license from a user will no longer revoke app licenses granted through the Microsoft Store for Business or through Apple VPP. For related information, see How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune, Revoking iOS app licenses, and Microsoft Intune licensing.
Reporting for unlicensed users
Intune will no longer remove users from all Intune reports when they are unlicensed. Until the user is deleted from Azure AD, Intune will continue to report the user in most common scenarios. For related information about reporting, see Intune reports.
Device security
New Device Control profile for Intune’s endpoint security Attack Surface Reduction policy
As part of the continuing rollout of new profiles for endpoint security policies, which began in April 2022, we’ve released a new Device Control profile template for Attack Surface Reduction policy for endpoint security in Intune. This profile replaces the previous profile of the same name for the Windows 10 and later platform. With this replacement, only instances of the new profile can be created. However, any profiles you’ve previously created that use the old profile structure remain available to use, edit, and deploy. The new Device Control profile:
The five new settings focus on removable devices, like USB devices:
Device configuration
Unlock Android Enterprise devices after a set time using password, PIN, or pattern
On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration profiles > Create profile > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type). In Device password and Work profile password, there's a new Required unlock frequency setting. Select how long users must unlock the device using a strong authentication method (password, PIN, or pattern). Your options:
Advanced passcode management (opens Android's web site)
For a list of the settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune. Applies to:
Use the Settings Catalog to create a Universal Print policy on Windows 11 devices
Many organizations are moving their printer infrastructure to the cloud using Universal Print. In the Endpoint Manager admin center, you can use the Settings Catalog to create a universal print policy (Device configuration > Create profile > Windows 10 and later for platform > Settings catalog for profile type > Printer provisioning). When you deploy the policy, users select the printer from a list of registered Universal Print printers. For more information, go to Create a Universal Print policy in Microsoft Intune. Applies to:
New macOS settings in the Settings Catalog
The Settings Catalog has new macOS settings you can configure (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type):
Accounts > Accounts:
Networking > Firewall:
Parental Controls > Parental Controls Time Limits:
Proxies > Network Proxy Configuration:
Security > Smart Card:
Software Update:
User Experience > Screensaver User:
There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies. For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune. Applies to:
Intune apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
Device management
Software updates page for tenant attached devices
There's a new Software updates page for tenant attached devices. This page displays the status for software updates on a device. You can review which updates are successfully installed, failed, and are assigned but not yet installed. Using the timestamp for the update status assists with troubleshooting. For more information, see Tenant attach: Software updates in the admin center.
Microsoft Defender for Endpoint support for App Sync on iOS/iPadOS
Before you can use this capability you must opt in to an MDE Preview. To opt in, contact
When you use Microsoft Defender for Endpoint (MDE) as your Mobile Threat Defense application, as part of a preview from MDE, you can configure MDE to request Application Inventory data from Intune from iOS/iPadOS devices. The following two settings are now available:
Support for Retire on Android Enterprise corporate-owned work-profiles devices
You can now use the Retire admin action in the Microsoft Endpoint Manager admin center to remove the work profile including all corporate apps, data, and policies from an Android Enterprise corporate-owned work profile device. Go to Endpoint Manager admin center > Devices pane > All Devices > then select the name of the device you want to retire and select Retire. When you select Retire, the device is unenrolled from Intune management. However, all the data and apps associated with your personal profile will remain untouched on the device. For more information, see Retire or wipe devices using Microsoft Intune.
Device enrollment
Improvements for enrollment profiles for Apple Automated Device Enrollment
Two Setup Assistant skip panes, previously released in Intune for public preview, are now generally available to use in Intune. These screens typically appear in Setup Assistant during Apple Automated Device Enrollment (ADE). You can configure screen visibility while you're setting up an enrollment profile in Intune. Intune-supported screen settings are available in the device enrollment profile under the Setup Assistant tab. The new skip panes are:
There is no change to functionality from the public preview release.
Enroll to co-management from Windows Autopilot
You can configure device enrollment in Intune to enable co-management, which happens during the Windows Autopilot process. This behavior directs the workload authority in an orchestrated manner between Configuration Manager and Intune. If the device is targeted with an Autopilot enrollment status page (ESP) policy, the device will wait for Configuration Manager. The Configuration Manager client installs, registers with the site, and applies the production co-management policy. Then the Autopilot ESP continues. For more information, see How to enroll to co-management with Autopilot.
Week of May 9, 2022
Device security
Security Management with Defender for Endpoint is generally available
The Microsoft Endpoint Manager and Microsoft Defender for Endpoint (MDE) team are excited to announce the general availability of Security Management for MDE devices. As part of this general availability, support for Antivirus, Endpoint Detection and Response, as well as Firewall and Firewall rules are now generally available. This general availability applies to Windows Server 2012 R2 and later, as well as Windows 10 and Windows 11 clients. In the future we will be adding support for additional platforms and profiles in a preview capacity. For more information, see Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager.
Device management
Elevation enhancements to Remote help
Elevation permissions will no longer be assigned when a session is started. Elevation permissions will now apply only when JIT (just in time) access is requested. The access is requested with the click of a button on the toolbar. When elevation permissions are assigned, the log off behavior for the sharer has been modified as follows:
Week of May 2, 2022
App management
Update priority of Managed Google Play apps
You can set the update priority of Managed Google Play apps on Android Enterprise devices that are dedicated, fully managed, or corporate-owned with a work profile. By selecting Postpone as the Update Priority app setting, the device will wait for 90 days after a new version of the app is detected before installing the app update. For related information, see Add Managed Google Play apps to Android Enterprise devices with Intune.
Week of April 25, 2022 (Service release 2204)
App management
Updated app configuration policies list
The App configuration policies list has been modified in Intune. This list will no longer contain the Assigned column. To view whether an app configuration policy has been assigned, navigate to Microsoft Endpoint Manager admin center > Apps > App configuration policies > select a policy > Properties.
Password complexity for Android devices
The Require device lock setting in Intune has been extended to include values (Low Complexity, Medium Complexity, and High Complexity). If the device lock doesn’t meet the minimum password requirement, you can warn, wipe data, or block the end user from accessing a managed account in a managed app. This feature targets devices that operate on Android 11+. For devices operating on Android 11 and earlier, setting a complexity value of Low, Medium, or High will default to the expected behavior for Low Complexity. For related information, see Android app protection policy settings in Microsoft Intune.
Improvements to Win32 App Log collection
Win32 App Log collection via Intune Management Extension has moved to the Windows 10 device diagnostic platform, reducing time to collect logs from 1-2 hours to 15 minutes. We've also increased the log size from 60 MB to 250 MB. Along with performance improvements, the app logs are available under the Device diagnostics monitor action for each device, as well as the managed app monitor.
For information about how to collect diagnostics, see Collect diagnostics from a Windows device and Troubleshooting Win32 app installations with Intune.
Device management
Windows 10 and Windows 11 Enterprise multi-session is generally available
In addition to the existing functionality, you can now:
For more information, see Windows 10/11 Enterprise multi-session remote desktops.
Device actions available to Android (AOSP) users in Microsoft Intune app
AOSP device users can now rename their enrolled devices in the Microsoft Intune app. This feature is available on devices enrolled in Intune as user-associated (Android) AOSP devices. For more information about Android (AOSP) management, see Set up Intune enrollment for Android (AOSP) corporate-owned user-associated devices.
Support for Audio Alert on Android corporate owned work profiles and fully managed (COBO and COPE) devices
You can now use the device action Play lost device sound to trigger an alarm sound on the device to assist in locating the lost or stolen Android Enterprise corporate owned work profile and fully managed devices. For more information, see Locate lost or stolen devices.
Device enrollment
New enrollment profile settings for Apple Automated Device Enrollment (public preview)
We've added two new Setup Assistant settings that you can use with Apple Automated Device Enrollment. Each setting controls the visibility of a Setup Assistant pane shown during enrollment. Setup Assistant panes are shown during enrollment by default, so you have to adjust the settings in Microsoft Intune if you want to hide them. The new Setup Assistant settings are the following:
To configure Setup Assistant settings for Automated Device Enrollment, create an iOS/iPadOS enrollment profile or macOS enrollment profile in Microsoft Intune.
Device security
Microsoft Defender for Endpoint as the Tunnel client app for iOS is now Generally Available
Use of Microsoft Defender for Endpoint that supports Microsoft Tunnel on iOS/iPadOS is now out of preview and is generally available. With general availability, a new version of the Defender for Endpoint app for iOS is available from the App store to download and deploy. If you’ve been using the preview version as your Tunnel client app for iOS, we recommend you upgrade to the latest Defender for Endpoint app for iOS soon to gain the benefits of the latest updates and fixes. As of August 30, 2022, the connection type is named Microsoft Tunnel. With this release, by the end of June both the standalone Tunnel client app and the preview version of Defender for Endpoint as the Tunnel client app for iOS will be deprecated and be dropped from support. Soon after that deprecation, the standalone Tunnel client app will no longer function and will no longer support opening connections to Microsoft Tunnel. If you're still using the standalone tunnel app for iOS, plan to migrate to the Microsoft Defender for Endpoint app before support for the standalone app ends and its ability to connect to Tunnel no longer functions.
Attack surface reduction rules profile
The Attack Surface Reduction Rules (ConfigMgr) profile for tenant attached devices is now in public preview. For more information, see Tenant attach: Create and deploy attack surface reduction policies.
Device configuration
Endpoint security profiles support filters
There are some new features when using filters:
For more information on filters, see:
Applies to:
Does not apply to:
Create a Settings Catalog policy using your imported GPOs with Group Policy analytics (public preview)
Using Group Policy analytics, you can import your on-premises GPO, and see the settings that are supported in Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers. When the analysis runs, you see the settings that are ready for migration. There is a Migrate option that creates a Settings Catalog profile using your imported settings. Then, you can assign this profile to your groups. For more information, go to Create a Settings Catalog policy using your imported GPOs in Microsoft Endpoint Manager. Applies to:
New wired networks device configuration profile for Windows devices
There is a new Wired Networks device configuration profile for Windows 10/11 devices (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Wired networks for profile type). Use this profile to configure common wired network settings, including authentication, EAP type, server trust, and more. For more information on the settings you can configure, go to Add wired network settings for Windows devices in Microsoft Intune. Applies to:
"ADMX_" Policy CSP settings in Administrative Templates and Settings Catalog apply to Windows Professional editions
The Windows Policy CSP settings that begin with "ADMX_" apply to Windows devices running Windows Professional edition. Previously, these settings were shown as Not applicable on devices running Windows Professional edition. You can use Administrative Templates and Settings Catalog to configure these "ADMX_" settings in a policy, and deploy the policy to your devices (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Settings catalog or Administrative Templates for profile type). To use this set of "ADMX_" settings, the following updates must be installed on your Windows 10/11 devices:
To learn more about these features, go to:
To see a list of all the ADMX settings that support Windows Professional edition, go to Windows Policy CSP settings. Any setting that begins with "ADMX_" supports Windows Professional edition. Applies to:
New macOS settings in Settings Catalog
The Settings Catalog has new macOS settings you can configure (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type):
Accounts > Mobile Accounts:
App Management > Autonomous Single App Mode:
App Management > NS Extension Management:
App Store:
Authentication > Directory Service:
Authentication > Identification:
Login > Login Window Login Items:
Media Management > Disc Burning:
Parental Controls > Parental Controls Application Restrictions:
Parental Controls > Parental Controls Content Filter:
Parental Controls > Parental Controls Dictionary:
Parental Controls > Parental Controls Game Center:
System Configuration > File Provider:
System Configuration > Screensaver:
User Experience > Finder:
User Experience > Managed Menu Extras:
User Experience > Notifications:
User Experience > Time Machine:
Xsan:
Xsan > Xsan Preferences:
The following settings are also in Settings Catalog. Previously, they were only available in Templates:
App Management > Associated Domains:
Networking > Content Caching:
Restrictions:
There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies. For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune. Applies to:
Week of April 11, 2022
Device Management
Updating the device diagnostics folder structure
Intune now exports Windows Device Diagnostic data in an updated format. With the updated format, the logs collected are named to match the data collected, and when multiple files are collected a folder is created. With the earlier format, the zip file used a flat structure of numbered folders that did not identify their contents. To take advantage of this diagnostic logging update, devices must install one of the following updates:
These updates are available through the Windows Updates on April 12, 2022.
App management
Uninstall DMG-type applications on managed macOS devices (Public preview)
You can use the Uninstall assignment type to remove DMG-type applications on managed macOS devices from Microsoft Endpoint Manager. You can find macOS DMG apps in Microsoft Endpoint Manager admin center by selecting Apps > macOS > macOS app (.DMG). For related information, see Add a macOS DMG app to Microsoft Intune.
Week of April 4, 2022
Device security
New profile templates and settings structure for endpoint security policies
We’ve begun to release new endpoint security profile templates that use the settings format as found in the Settings Catalog. Each new profile template includes the same settings as the older profile it replaces, while bringing the following improvements:
When a new platform and profile template is available for a policy type, the older profile of the same name will no longer be available to create new profiles. Instead, new profiles must use the new profiles and settings format. Eventually, your old profiles will be supported for conversion to the new profile format. Until that conversion is available, you can still use, edit, and deploy your existing profiles. The following profile templates are now available in the new settings format:
Device management
Microsoft Endpoint Manager premium add-ons
Microsoft Endpoint Manager is introducing a new centralized experience to help IT admins identify premium add-on capabilities. These capabilities can be added for an additional licensing cost available for Microsoft Endpoint Manager using Intune. The first premium add-on is Remote Help. You can find premium add-ons in Intune under Tenant administration > Premium add-ons. The Summary blade shows all premium add-ons that have been released, a short description, and the status of the add-on. You can view the status of each add-on as either Active or Available for trial or purchase. The premium add-ons capability can be used by Global and Billing administrators to start trials or purchase licenses for premium add-ons. For more information about Premium add-ons, see Use Premium add-ons capabilities with Intune.
Week of March 28, 2022
App management
Newly available protected app for Intune
The following protected app is now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Week of March 21, 2022 (Service release 2203)

App management

iOS/iPadOS notifications will require March Company Portal update
If you are using a functionality that could generate iOS/iPadOS Company Portal push notifications, you will want to ensure your users update the iOS/iPadOS Company Portal in March or April 2022. There is no additional change in functionality. We will be making service side updates to iOS/iPadOS notifications expected in Intune's May (2205) service release. The Company Portal update will be released prior to the service change, so most users will likely have updated the app and will not be impacted. However, you may want to notify users of this change to ensure all users continue to receive push notifications sent by your organization. For related information, see Update the Company Portal app.

Feedback settings for Company Portal and Microsoft Intune apps
Feedback settings are provided to address M365 enterprise feedback policies for the currently logged in user via the Microsoft 365 Apps admin center. The settings are used to determine whether feedback can be enabled or must be disabled for a user. This feature is available for Intune Company Portal and Microsoft Intune apps. For more information, see Configure feedback settings for Company Portal and Microsoft Intune apps.

Deploy macOS LOB apps by uploading PKG-type installer files (Public preview)
You can now upload and deploy PKG-type installer files as macOS line-of-business apps. You can add a macOS LOB app from Microsoft Endpoint Manager admin center by selecting Apps > macOS > Add > Line-of-business app. For more information about macOS LOB apps, see How to add macOS line-of-business apps to Microsoft Intune.
Device management

See the IPv4 address and Wi-Fi subnet ID on Android Enterprise devices
Customers can view the IPv4 address and Wi-Fi subnet ID reported for Android Enterprise corporate-owned fully managed, dedicated, and work profile devices.

Android (AOSP) users can view all devices in Intune app
AOSP device users can now view a list of their managed devices and device properties in the Microsoft Intune app. This feature is available on devices enrolled in Intune as user-associated (Android) AOSP devices.

Update eSim cellular data plan in bulk for iOS/iPadOS (public preview)
You can now perform a Bulk device action (Devices > Bulk device action > Update cellular data) to remotely activate or update the cellular data plan on iOS/iPadOS devices that support it. This feature is currently in public preview. For related information, see Use bulk device actions.

Preserve cellular data plan when bulk wiping iOS/iPadOS devices
When you perform a Bulk device action (Devices > Bulk device action > Wipe) to remotely wipe iOS/iPadOS devices from Intune, any cellular data plan on the device will be preserved. However, if you would like to have the devices' data plan removed, then you have the option to select a checkbox and remove the cellular data plan when wiping the devices. For related information, see Use bulk device actions.

Freeze the install of system updates for Android Enterprise corporate-owned devices
For Android Enterprise corporate-owned devices that run version 9.0 and later, you can configure freeze periods during which no system or security updates can install. To configure a freeze, use Intune device restriction profiles to set one or more blocks that can recur each year. Each block can be for up to 90 days, but you must have a minimum of 60 days between freeze periods, when system updates are allowed to install.
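The two limits stated above (a block of at most 90 days, at least 60 update-allowed days between blocks, recurring every year) are easy to get wrong when several blocks are configured, so checking a planned schedule before deploying the profile is worthwhile. The following Python is an added example and is not Intune or Google code; it assumes blocks are written as recurring month/day pairs, that a block's length counts both its first and last day, and that the gap counts the days strictly between two blocks.

```python
from datetime import date
from typing import List, Tuple

# Limits quoted on the page for Android Enterprise corporate-owned devices.
MAX_FREEZE_DAYS = 90   # each freeze block can be for up to 90 days
MIN_GAP_DAYS = 60      # at least 60 days between freeze periods

# A recurring freeze block: (start_month, start_day, end_month, end_day).
# Assumption (not from the page): a block whose end precedes its start wraps
# over the year boundary, for example 12/15 to 1/10.
FreezePeriod = Tuple[int, int, int, int]


def _concrete(period: FreezePeriod, year: int) -> Tuple[date, date]:
    """Pin a month/day block to a reference year so lengths and gaps can be measured."""
    sm, sd, em, ed = period
    start = date(year, sm, sd)
    end = date(year, em, ed)
    if end < start:                       # wraps past 31 December
        end = date(year + 1, em, ed)
    return start, end


def validate_freeze_periods(periods: List[FreezePeriod], year: int = 2023) -> List[str]:
    """Return a list of rule violations; an empty list means the schedule is acceptable.

    Assumptions (not from the page): a block's length includes both end days, the gap
    between blocks is the number of days strictly between them, and because blocks
    recur yearly the gap from the last block to the first block of the next year is
    checked as well. The default reference year is non-leap so 29 February cannot occur.
    """
    problems: List[str] = []
    blocks = sorted(_concrete(p, year) for p in periods)

    # Rule 1: no block longer than MAX_FREEZE_DAYS.
    for start, end in blocks:
        length = (end - start).days + 1
        if length > MAX_FREEZE_DAYS:
            problems.append(
                f"{start:%m/%d}-{end:%m/%d} lasts {length} days (max {MAX_FREEZE_DAYS})"
            )

    # Rule 2: at least MIN_GAP_DAYS between neighbouring blocks, including the
    # wrap-around from the last block of this year to the first block of next year.
    n = len(blocks)
    for i in range(n):
        cur_start, cur_end = blocks[i]
        nxt_start, nxt_end = blocks[(i + 1) % n]
        if i == n - 1:
            nxt_start = nxt_start.replace(year=nxt_start.year + 1)
            nxt_end = nxt_end.replace(year=nxt_end.year + 1)
        gap = (nxt_start - cur_end).days - 1   # negative when the blocks overlap
        if gap < MIN_GAP_DAYS:
            problems.append(
                f"only {gap} days between {cur_start:%m/%d}-{cur_end:%m/%d} and "
                f"{nxt_start:%m/%d}-{nxt_end:%m/%d} (min {MIN_GAP_DAYS})"
            )
    return problems


# Constructed sample schedules (not from the page).
VALID = [(1, 15, 3, 15), (6, 1, 8, 15)]        # 60-day and 76-day blocks, wide gaps
TOO_LONG = [(1, 1, 4, 15)]                     # a single 105-day block
TOO_CLOSE = [(11, 15, 1, 10), (3, 1, 4, 30)]   # wrap-around block ends 10 Jan, next starts 1 Mar

if __name__ == "__main__":
    for name, schedule in (("VALID", VALID), ("TOO_LONG", TOO_LONG), ("TOO_CLOSE", TOO_CLOSE)):
        print(name, validate_freeze_periods(schedule) or "ok")
```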
For information about configuring a freeze period, see Freeze periods for system updates in Android Enterprise device settings to allow or restrict features using Intune. For information about Android requirements for implementing a freeze, see FreezePeriod in the Google developer documentation.

Device security

Tenant attach: Antivirus profile
The Endpoint Security Microsoft Defender Anti-virus profile is now generally available. For more information, see Tenant attach: Create and deploy Antivirus policies from the admin center.

Monitor and troubleshoot

AppxPackaging event viewer is part of collect diagnostics
Intune's remote action to Collect diagnostics will collect additional details from Windows devices (Devices > Windows > select a Windows device > Collect diagnostics). The new details include the Microsoft-Windows-AppxPackaging/Operational Event Viewer and the following office log files to assist in troubleshooting office installation issues:
Device enrollment

Utilize bootstrap tokens on enrolled macOS devices (public preview)
Intune now supports the use of bootstrap tokens on enrolled devices running macOS, version 10.15 or later. Bootstrap tokens allow for non-admin users to have increased MDM permissions, and perform specific software functions on behalf of the IT admin. Tokens are supported on:
Bootstrap tokens will begin to function no sooner than March 26, 2022, and it could take longer before they begin to function in all tenants. For more information about how bootstrap tokens work with Intune, see Set up enrollment for macOS devices.

Enroll macOS virtual machines running Apple silicon
Use the Company Portal app for macOS to enroll virtual machines running on Apple silicon. Intune supports using macOS virtual machines for testing purposes only. For more information about enrolling virtual machines in Intune, see Set up enrollment for macOS devices.

Device configuration

New reporting experience for device configuration profiles
There is now a new reporting experience for device configuration profiles. This reporting experience excludes Windows administrative template (ADMX), Android Enterprise devices with OEMConfig, and Device Firmware Configuration Interface (DFCI) profile types. We are continuing to update Intune's report experience to enhance consistency, accuracy, organization, and data representation, which gives an overall "facelift" of Intune's per policy reporting. The new experience updates the per policy overview page to shift away from donut charts to a sleeker overview chart that quickly updates as devices/users check in. There are three reports available from the per policy view:
More drilldowns are available and additional assignment filters are supported for each report. For more information about each of these reports, see Intune reports.

Google Chrome settings are in Settings Catalog and Administrative Templates
Google Chrome settings are included in the Settings Catalog and Administrative Templates (ADMX). Previously, to configure Google Chrome settings on Windows devices, you created a custom OMA-URI device configuration policy. For more information on these policy types, see:
Applies to:
New macOS settings in the Settings Catalog
The Settings Catalog has new macOS settings you can configure (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type):

User Experience > Accessibility:
Air Play:
User Experience > Desktop:
Preferences > Global Preferences:
Printing > Printing:
Security > Security Preferences:
Preferences > System Preferences:
Preferences > User Preferences:
The following settings are also in Settings Catalog. Previously, they were only available in Templates:

Printing > Air Print:
Networking > Firewall:
Login > Login Items:
Login > Login Window Behavior:
System Policy > System Policy Control:
System Policy > System Policy Managed:
There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies. For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:
Role-based access control

Android (AOSP) will support scope tags and RBAC settings
When you create a policy for Android (AOSP), you can use role-based access control (RBAC) and scope tags. For more information on these features, see:
Applies to:
Week of March 14, 2022

App management

Apps UI when using Android 12L OS
The Android 12L OS contains new features designed to improve the Android 12 experience on large and folding dual-screen devices. Intune apps now support Android 12L OS on Android dual-screen devices.

Display Android Enterprise device serial number using Managed Home Screen app
On Android Enterprise dedicated devices using Managed Home Screen, customers can now use app configuration to configure the Managed Home Screen app to show the serial number for the device on all supported OS versions (8 and above). For information related to the Managed Home Screen app, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Week of February 28, 2022

Device configuration

Cellular data plan for Apple's Automated Device Enrollment
As part of an iOS/iPadOS enrollment profile when configuring Automated Device Enrollment (ADE), you can now configure devices to activate cellular data. Configuring this option will send a command to activate cellular data plans for your organization's eSim-enabled cellular devices. Your carrier must provision activations for your devices before you can activate data plans using this command. This setting applies to devices running iOS/iPadOS 13.0 and later that are enrolling with ADE. For more information, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment.

Week of February 21, 2022 (Service release 2202)

Device security

Mobile Threat Defense partner Zimperium is now available in GCC High tenants
Zimperium is now available as a Mobile Threat Defense (MTD) partner in US GCC High environments. With this support, you’ll find the Intune connector for Zimperium as available in the list of MTD connectors that you can enable in your GCC High tenant. The GCC High environment is a more regulated environment, and only connectors for those MTD partners that are supported for the GCC High environment are available in it.
For more information about support in GCC High tenants, see Microsoft Intune for US Government GCC High and DoD service description.

Manage the app inventory data for iOS/iPadOS devices that Intune sends to third-party MTD partners
You can now configure the type of application inventory data for personally owned iOS/iPadOS devices that Intune sends to your chosen third-party Mobile Threat Defense (MTD) partner. To control the app inventory data, configure the following setting as part of the MDM Compliance Policy Settings on the Mobile Threat Defense connector for your partner:
For corporate devices, data about managed and unmanaged apps continues to be included with requests for app data by your MTD vendor.

Device management

Support for Audio Alert on Android Dedicated (COSU) devices
You can now use the Play lost device sound device action to trigger an alarm sound on the device to assist in locating the lost or stolen Android Enterprise dedicated device. For more information, see Locate lost or stolen devices.

UI updates when creating an on-demand VPN device configuration policy on iOS/iPadOS devices
You can create an on-demand VPN connection for your iOS/iPadOS devices (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > VPN for profile type > Automatic VPN > On-demand VPN). The UI is updated to closer match Apple's technical naming. To see the on-demand VPN settings you can configure, go to Automatic VPN settings on iOS and iPadOS devices.

Applies to:
On Android Enterprise, use the Connect Automatically setting on enterprise Wi-Fi profiles
On Android Enterprise devices, you can create Wi-Fi profiles that include common enterprise Wi-Fi settings (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned work profile > Wi-Fi for profile type > Enterprise for Wi-Fi type). You can configure the Connect automatically setting that automatically connects to your Wi-Fi network when devices are in range. To see the settings you can configure, go to Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices.

Applies to:
Deprecated status in Group Policy Analytics migration readiness report automatically reevaluates your GPOs
Using Group Policy Analytics, you can import your Group Policy Objects (GPOs) to see the settings that are supported in MDM providers, including Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers. The Intune product team updates the mapping logic. When the updates happen, the deprecated settings are automatically reevaluated. Previously, you had to reimport your GPOs. For more information on Group Policy Analytics and the reporting, see Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Endpoint Manager.

Applies to:
Create terms of use for Android (AOSP) user-associated devices
Require Android (AOSP) users to accept your terms and conditions in the Intune Company Portal app before they enroll their devices. This feature is available for corporate-owned, user-associated devices only. For more information about creating terms of use in Intune, see Terms and conditions for user access.

Enforce Azure AD terms of use with Microsoft Intune or Microsoft Intune Enrollment cloud apps
Use the Microsoft Intune cloud app and/or Microsoft Intune Enrollment cloud app to enforce a conditional access, Azure AD Terms of Use acceptance policy on iOS and iPadOS devices during automated device enrollment. This functionality is available when you select Setup Assistant with modern authentication as your authentication method. Both cloud apps now ensure that users accept the terms of use during enrollment and/or during Company Portal sign-in if required by your conditional access policy.

New macOS settings in the Settings Catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. When you create a Settings Catalog policy, there are new settings available for macOS devices (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile type). New settings include:
For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog.

Monitor and troubleshoot

Remote help is moving in the Microsoft Endpoint Manager admin center
The remote help page in the Microsoft Endpoint Manager admin center has moved and it's now available directly under Tenant administration instead of Connectors and tokens. For more information about remote help, see Use remote help.

Week of February 7, 2022

Device security

Microsoft Tunnel support for Red Hat Enterprise Linux 8.5
You can now use Red Hat Enterprise Linux (RHEL) 8.5 with Microsoft Tunnel. To support RHEL 8.5, we’ve also updated the readiness tool (mst-readiness) with a new check for the presence of the ip_tables module in the Linux kernel. By default, RHEL 8.5 doesn’t load the ip_tables module. For Linux servers that don't load the module, we've provided instructions to load it immediately, and to configure the Linux server to automatically load it at boot.

App management

Advanced logging setting in Company Portal app
The Enable Advanced Logging setting is available in the Intune Company Portal app versions v5.2202 and higher for iOS/iPadOS and macOS. Device users can enable or disable advanced logging on a device. By turning on advanced logging, detailed log reports will be sent to Microsoft to troubleshoot issues. By default, the Enable Advanced Logging setting will be off. Device users should keep this setting off unless otherwise instructed by their organization's IT admin. For related information, see Share Company Portal usage data with Microsoft and Manage Company Portal preferences for macOS.

Week of January 31, 2022

Device security

Public preview of Tunnel client functionality in Microsoft Defender for Endpoint app for iOS/iPadOS
Microsoft Tunnel client functionality for iOS/iPadOS is migrating into the Microsoft Defender for Endpoint app.
With this preview, you can start to use a preview version of Microsoft Defender for Endpoint as the Tunnel app for supported devices. The existing Tunnel client remains available, but will eventually be phased out in favor of the Defender for Endpoint app. This public preview applies to:
For this preview, you download a preview version of Microsoft Defender for Endpoint from the Apple app store, and then migrate supported devices from the standalone Tunnel client app to the preview app. For details, see Migrate to the Microsoft Defender for Endpoint app.

Scripts/Developer

Intune Data Warehouse updates
The

Week of January 24, 2022 (Service release 2201)

App management

Deploy DMG-type applications to managed macOS devices
You can upload and deploy DMG-type applications to managed Macs from Microsoft Endpoint Manager using the required assignment type. DMG is the file extension for Apple disk image files. DMG-type apps are deployed using the Microsoft Intune MDM agent for macOS. You can add a DMG app from Microsoft Endpoint Manager admin center by selecting Apps > macOS > Add > macOS app (DMG). For more information, see Add a macOS DMG app to Microsoft Intune.

Device management

Choose either user or device scope when creating Windows VPN profiles
You can create a VPN profile for Windows devices that configures VPN settings (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > VPN for profile). When you create a profile, use the Use this VPN profile with a user/device scope setting to apply the profile to the user scope or the device scope:
Existing VPN profiles will apply to their existing scope, and aren't impacted by this change. All VPN profiles are installed in the user scope except for the profiles with device tunnel enabled, which requires device scope. For more information on VPN settings you can currently configure, see Windows device settings to add VPN connections using Intune.

Applies to:
Filters are Generally Available (GA)
You can use filters to include or exclude devices in workload assignments (like policies and apps) based on different device properties. Filters are now generally available (GA). For more information on filters, see Use filters when assigning your apps, policies, and profiles.

Automatic device clean-up rules support for Android Enterprise devices
Intune supports the creation of rules to automatically remove devices that appear to be inactive, stale, or unresponsive. You can now use these clean-up rules with Android Enterprise devices that previously did not support them. These rules are now supported for:
To learn more about clean-up rules, see Automatically delete devices with cleanup rules.

Use Collect diagnostics to collect additional details from Windows 365 devices through Intune remote actions
Intune’s remote action to Collect diagnostics now collects additional details from Windows 365 (Cloud PC) devices. The new details for Windows 365 devices include the following registry data:
For information about remote actions supported for Windows 365 devices, see Remotely manage Windows 365 devices.

Tenant attach features are Generally Available (GA)
The following tenant attach features are now generally available:
Device security

New Account protection policy to configure users in local groups on devices in public preview
In public preview, you can use a new profile for Intune Account protection policies to manage the membership of the built-in local groups on Windows 10 and 11 devices. Each Windows device comes with a set of built-in local groups. Each local group contains a set of users that have rights within that group. With the new Local user group membership (preview) profile for endpoint security Account protection policies, you can manage which users are members of those local groups. To configure local group memberships, you select the built-in local group to modify and then choose the users to add, remove, or replace in the group with other users. Each device that receives the policy updates the membership of those local groups. Modification of the group membership on each device is done by using the Policy CSP - LocalUsersAndGroups. To learn more, see Manage local groups on Windows devices.

Week of January 3, 2022

Device management

Preview filtered device list before deployment
Now as you create or edit a filter in Microsoft Intune, you can preview the list of filtered devices. The new view eliminates the need to apply test filters, because you can immediately preview the impact a filter has on devices and adjust filter rules to achieve your desired outcome. For more information about using filters in Microsoft Intune, see Create a filter.

Week of December 13, 2021 (Service release 2112)

Device management

Launch Remote help from within the admin center
You can now launch remote help from within the Microsoft Endpoint Manager admin center. To do so, in the admin center go to All devices and select the device on which assistance is needed. Then select New remote help session, which is available from the remote actions bar across the top of the devices view.

Endpoint analytics filtering
You can now add filters to the tables in Endpoint analytics reports.
Using filters enables you to discover trends in your environment or spot potential issues.

Use filters to assign Endpoint analytics proactive remediations scripts in admin center - public preview
In the Endpoint Manager admin center, you can create filters, and then use these filters when assigning apps and policies. You'll be able to use filters to assign the following policy:
For more information on filters, see Use filters when assigning your apps, policies, and profiles.

Applies to:
Device configuration

New option to see the number of profiles with an error or conflict in device configuration profiles
In the Endpoint Manager admin center, there's a new "X policies with error or conflict" option. When you select this option, you automatically go to the Devices > Monitor > Assignment Failures report. This report helps you troubleshoot errors and conflicts. This new option is available in the following locations in the Endpoint Manager admin center:
For more information, see Monitor device profiles in Microsoft Intune and Assignment failures report.

Applies to:
New Timeout and Block iCloud Private Relay settings for iOS/iPadOS and macOS devices
On iOS/iPadOS and macOS devices, you can create a device restrictions policy that manages features on the device (Devices > Configuration Profiles > Create profile > iOS/iPadOS or macOS for platform > Device restrictions). There are new settings:
Applies to:
New device restrictions settings for Android Enterprise corporate-owned devices with a work profile
On Android Enterprise devices, you can configure settings that control features on devices (Devices > Configuration Profiles > Create profile > Android Enterprise for platform > Device restrictions for profile type > General). For Android Enterprise corporate-owned devices with a work profile, there are new settings:
For more information on the settings you can currently configure, see Android Enterprise device settings to allow or restrict features using Intune.

Applies to:
Settings Catalog is supported on U.S. Government GCC High and DoD
Settings Catalog is available and supported on U.S. Government GCC High and DoD. For more information on Settings Catalog, and what it is, see Use the settings catalog to configure settings on Windows and macOS devices.

Applies to:
Enter the certificate common name in Wi-Fi profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile devices
On Android Enterprise devices, you can create a Wi-Fi profile that configures enterprise Wi-Fi settings (Devices > Configuration Profiles > Create profile > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Wi-Fi for profile type). When you select Enterprise, there's a new Radius server name setting. This setting is the DNS name used in the certificate presented by the Radius Server during client authentication to the Wi-Fi access point. For example, enter If you have multiple Radius servers with the same DNS suffix in their fully qualified domain name, then you can enter only the suffix. For example, you can enter When you enter this value, user devices can bypass the dynamic trust dialog that's sometimes shown when connecting to the Wi-Fi network. What you need to know:
For more information on the settings you can currently configure, see Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile Wi-Fi settings.

Applies to:
New Administrative Templates settings for Microsoft Edge 96, 97, and Microsoft Edge updater on Windows devices
In Intune, you can use Administrative Templates to configure Microsoft Edge settings (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Administrative Templates for profile type). There are new Administrative Templates settings for Microsoft Edge 96, 97, and the Microsoft Edge updater, including Target Channel override support. Use Target Channel override so users get the Extended Stable release cycle option, which can be set using Group Policy or through Intune. For related information, see:
Applies to:
Intune apps

Newly available protected apps for Intune
The following protected app is now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

BlackBerry – New mobile threat defense partner
You can now use BlackBerry Protect Mobile (powered by Cylance AI) as an integrated mobile threat defense (MTD) partner with Intune. By connecting the BlackBerry Protect Mobile MTD connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment. For more information, see:
Week of December 6, 2021

Device enrollment

Apply device type filters to Windows and Apple enrollment restriction policies (preview)
Use the new assignment filters in Enrollment Restrictions to include or exclude devices based on device type. For example, you can allow personal devices, while also blocking devices running Windows 10 Home, by applying the operatingsystemSKU assignment filter. Filters can be applied to Windows, macOS, and iOS enrollment policies, with Android support coming at a later date. Filters also enable a new setup experience for enrollment restrictions. For more information about how to create filters, see Create a filter. For more information about using filters with enrollment restrictions, see Set enrollment restrictions.

Use filters on Windows Enrollment Status Page profile assignments
Filters allow you to include or exclude devices in policy or app assignments based on different device properties. When you create an Enrollment Status Page (ESP) profile, you'll be able to use filters when assigning the profile. The All users and All devices assignment options will also be available. In Microsoft Endpoint Manager admin center, select Devices > Enroll devices > Enrollment Status Page > Create. For more information about filters, see Use filters when assigning your apps, policies, and profiles. For more information about ESP profiles, see Set up the Enrollment Status Page.

App management

Additional Session PIN restrictions available for the Microsoft Managed Home Screen app
The Managed Home Screen app for Android Enterprise now has the option to enforce additional restrictions on users' Session PINs. Specifically, Managed Home Screen now offers the following:
For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings to allow or restrict features using Intune.

Monitor and troubleshoot

New event viewer for Windows 10 diagnostics
We've added a new event viewer to Windows device diagnostics called Microsoft-Windows-Windows Firewall with Advanced Security/Firewall. The event viewer can assist you in troubleshooting issues with the firewall. For more information about Windows device diagnostics, see Collect diagnostics from a Windows device.

Device compliance status in Company Portal website
End users can more easily see the compliance status of their devices from the Company Portal website. End users can navigate to the Company Portal website and select the Devices page to see device status. Devices will be listed with a status of Can access company resources, Checking access, or Can't access company resources. For related information, see Manage apps from the Company Portal website and How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Week of November 22, 2021

Monitor and troubleshoot

Remote help app is available as a public preview
As a public preview, you can use the remote help app with your Intune tenant. With remote help, users who authenticate to your Azure Active Directory can remotely assist others by connecting a remote help session between devices. With permissions in remote help managed by Intune role-based access controls, you control who has permissions to help others and the actions they can take while assisting. The capabilities of remote help include:
This feature is rolling out over the next week and should soon be available for your tenant. For more information, see Use remote help.

Week of November 15, 2021 (Service release 2111)

App management

Enable app update priority for Managed Google Play apps
You can set the update priority of Managed Google Play apps on dedicated, fully managed, and corporate-owned with a work profile Android Enterprise devices. Select High Priority to update an app as soon as the developer has published the update, regardless of charge status, Wi-Fi capability, or end user activity on the device. For related information, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Clear app data between sessions for Android Enterprise dedicated devices enrolled with shared device mode (public preview)
Using Intune, you can choose to clear app data for applications that have not integrated with Shared device mode to ensure user privacy between sign-in sessions. Users will be required to initiate a sign-out from an application that has integrated with Azure AD's Shared device mode in order for IT-specified apps to have their data cleared. This functionality will be available for Android Enterprise dedicated devices enrolled with shared device mode on Android 9 or later.

Export underlying discovered apps list data
In addition to exporting the summarized discovered apps list data, you can export the more extensive underlying data. The current summarized export experience provides summarized aggregate data, however the additional new experience also provides the raw data. The raw data export will give you the entire dataset, which is used to create the summarized aggregate report. The raw data is a list of every device and each app discovered for that device. This functionality has been added to the Intune console to replace the Intune Data Warehouse Application Inventories dataset.
In the Microsoft Endpoint Manager admin center, select Apps > Monitor > Discovered apps > Export to display the export options. For related information, see Intune discovered apps and Export Intune reports using Graph APIs.

Filter improvements when displaying platform-specific app lists
Filters have been improved when displaying platform-specific app lists in the Microsoft Endpoint Manager admin center. Previously, when navigating to a platform-specific app list, you could not use the App type filter on the list. With this change, you can apply filters (including the App Type and Assignment status filters) on the platform-specific list of apps. For related information, see Intune reports.

Newly available protected apps for Intune
The following protected app is now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

New RBAC permission for Win32 app supersedence and dependency relationships

A new Microsoft Endpoint Manager permission has been added to create and edit Win32 app supersedence and dependency relationships with other apps. The permission is available under the Mobile apps category by selecting Relate. Starting in the 2202 service release, MEM admins will need this permission to add supersedence and dependency apps when creating or editing a Win32 app in the Microsoft Endpoint Manager admin center. To find this permission in the Microsoft Endpoint Manager admin center, choose Tenant administration > Roles > All roles > Create. This permission has been added to the following built-in roles:
For related information, see Create a custom role in Intune.

Non-applicable status entries are no longer shown in the Device Install Status report

Based on a selected app, the Device Install Status report provides a list of devices and status information for the selected app. App installation details related to the device include UPN, Platform, Version, Status, Status details, and Last check-in. If the device's platform differs from the application's platform, the entry is no longer listed at all, rather than being shown with Not Applicable in its Status details. For example, if an Android app has been selected and the app is targeted to an iOS device, the device status for that entry is not shown in the Device Install Status report instead of appearing as Not Applicable. To find this report, in the Microsoft Endpoint Manager admin center, select Apps > All Apps > Select an app > Device Install status. For related information, see Device Install Status report for apps (Operational).

New ADMX settings for Edge 95 and Edge updater

New ADMX settings for Edge 95 and Edge updater have been added to Administrative Templates. This includes support for "Target Channel override", which allows customers to opt into the Extended Stable release cycle option at any point using Group Policy or through Intune. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile. Then, select Platform > Windows 10 and later and Profile > Templates > Administrative Templates. For related information, see Overview of the Microsoft Edge channels, Microsoft Edge Browser Policy Documentation, and Configure Microsoft Edge policy settings in Microsoft Intune.

New privacy consent screen during Company Portal installation

We've added a new privacy consent screen to Company Portal for Android to meet privacy requirements for certain app stores, such as those in China.
People installing Company Portal for the first time from those stores will see the new screen during installation. The screen explains what information Microsoft collects and how it's used. A person must agree to the terms before they can use the app. Users who installed Company Portal prior to this release will not see the new screen.

Device management

Endpoint analytics per device scoring

Per device scores in Endpoint analytics are now out of preview and generally available. Per device scores help you identify devices that could be impacting user experience. Reviewing scores per device may help you find and resolve end-user impacting issues before a call is made to the help desk.

Safeguard holds are now visible in the Feature update failures report

When a device is blocked from installing a Windows update due to a safeguard hold, you'll now be able to view details about that hold in the Feature update failures report in the Microsoft Endpoint Manager admin center. A device with a safeguard hold appears as a device with an error in the report. When you view details for such a device, the Alert Message column displays Safeguard Hold, and the Deployment Error Code column displays the ID of the safeguard hold. Microsoft occasionally places safeguard holds to block installation of an update on a device when something detected on that device is known to result in a poor post-update experience. For example, software or drivers are common reasons to place a safeguard hold. The hold remains in place until the underlying issue is resolved and the update is safe to install. To learn more about active safeguard holds and expectations for their resolution, go to the Windows release health dashboard at https://aka.ms/WindowsReleaseHealth.

Improvements for managing Windows Updates for pre-release builds

We've improved the experience of using Update rings for Windows 10 and later to manage Windows updates for pre-release builds. The improvements include the following:
Use Update Rings for Windows 10 and later to upgrade to Windows 11

We've added a new setting to Update Rings for Windows 10 and later that you can use to upgrade eligible devices from Windows 10 to Windows 11, when you are ready to do so.
When set to Yes, Intune displays an information box that confirms that by deploying this setting you are accepting the Microsoft License Terms for devices that upgrade. The information box also contains a link to the Microsoft License Terms. For more information about update rings, see Update Rings for Windows 10 and later.

Disable Activation Lock remote device action for iOS/iPadOS has been removed from UI

The remote device action to Disable Activation Lock is no longer available in Intune. You can bypass Activation Lock as detailed at Disable Activation Lock on Supervised iOS/iPadOS devices with Intune. This remote action is removed because the action to disable the iOS/iPadOS Activation Lock feature did not function as intended.

Updates for Security Baselines

We have a pair of updates for security baselines, which add the following settings:
Plan to update your baselines to the latest version. To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.

Use custom settings for Device Compliance for Windows 10/11 devices (public preview)

As a public preview, device compliance policy for Windows 10 and Windows 11 devices supports the addition of custom settings to a device compliance policy. Results from custom settings appear in the Microsoft Endpoint Manager admin center along with other compliance policy details. To use custom settings, you create and add the following to the admin center to power custom compliance settings:
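The two artifacts are a JSON rules file and a PowerShell discovery script. The following is an added example of both, not taken from the Intune documentation: the setting names, thresholds and URLs are constructed, the rule JSON follows the documented custom compliance shape (Rules, SettingName, Operator, DataType, Operand, RemediationStrings), and the Test-CustomComplianceRules evaluator is a local approximation of how the service reads the pair, added here so an admin can check a script/rules pair on a test machine before uploading it.

```powershell
# Added example, not from the Intune documentation. Setting names, thresholds
# and URLs are constructed. The evaluator at the end is a local approximation
# of the service-side check, for testing the pair before upload.

# 1. Discovery script: the part uploaded to Intune. Its only output must be
#    one compressed JSON object mapping setting names to values.
function Get-CustomComplianceState {
    $os  = [System.Environment]::OSVersion.Version          # e.g. 10.0.19044.0
    $tpm = Get-Tpm                                          # TrustedPlatformModule module
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive # BitLocker module
    $state = @{
        OsVersion         = $os.ToString()
        TpmPresent        = [bool]$tpm.TpmPresent
        OsDriveProtection = [string]$vol.ProtectionStatus   # "On" or "Off"
    }
    return $state | ConvertTo-Json -Compress
}

# 2. Rules file: the JSON uploaded alongside the script. {ActualValue} in a
#    Title is replaced with the discovered value when shown to the user.
$RulesJson = @'
{
  "Rules": [
    {
      "SettingName": "OsVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "10.0.19041",
      "MoreInfoUrl": "https://contoso.example/os-baseline",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Windows build too old. Found {ActualValue}.",
          "Description": "Install the current feature update." }
      ]
    },
    {
      "SettingName": "TpmPresent",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://contoso.example/tpm",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "No TPM detected.",
          "Description": "Enable the TPM in firmware or contact IT." }
      ]
    },
    {
      "SettingName": "OsDriveProtection",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "On",
      "MoreInfoUrl": "https://contoso.example/bitlocker",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "OS drive is not BitLocker protected. Found {ActualValue}.",
          "Description": "Turn on BitLocker for the system drive." }
      ]
    }
  ]
}
'@

# 3. Local evaluator (added here for offline testing; the service does this
#    on its side). A setting the script did not report is treated as noncompliant.
function Test-CustomComplianceRules {
    param([string]$DiscoveryJson, [string]$RulesJson)
    $actual = $DiscoveryJson | ConvertFrom-Json
    foreach ($rule in ($RulesJson | ConvertFrom-Json).Rules) {
        $raw = $actual.($rule.SettingName)
        if ($null -eq $raw) {
            [pscustomobject]@{ Setting = $rule.SettingName; Compliant = $false; Actual = $null }
            continue
        }
        # Cast both sides to the rule's data type so the comparison is typed:
        # "10.0.19044" -ge "10.0.9999" is false as strings but true as versions.
        switch ($rule.DataType) {
            'Version' { $a = [version]$raw; $e = [version]$rule.Operand }
            'Boolean' { $a = [bool]$raw;    $e = [bool]$rule.Operand }
            'Int64'   { $a = [int64]$raw;   $e = [int64]$rule.Operand }
            default   { $a = [string]$raw;  $e = [string]$rule.Operand }
        }
        $ok = switch ($rule.Operator) {
            'IsEquals'      { $a -eq $e }
            'NotEquals'     { $a -ne $e }
            'GreaterThan'   { $a -gt $e }
            'GreaterEquals' { $a -ge $e }
            'LessThan'      { $a -lt $e }
            'LessEquals'    { $a -le $e }
            default         { throw "Unsupported operator '$($rule.Operator)'" }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Compliant = $ok; Actual = $raw }
    }
}

# Usage: run the discovery script and evaluate its output against the rules locally.
Test-CustomComplianceRules -DiscoveryJson (Get-CustomComplianceState) -RulesJson $RulesJson
```

Only the discovery function's body and the JSON are what get uploaded; the evaluator stays on the admin's machine.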
With the JSON and script ready, you can then create a standard compliance policy that includes your custom settings. The option to include custom settings is found in a new compliance settings category named Custom Compliance. To learn more, including examples for the .JSON and PowerShell script, see Custom compliance settings.

New scheduling options for Feature updates for Windows 10 and later

We've added a trio of Rollout options to support improved scheduling of when the updates from a policy for Feature updates for Windows 10 and later are made available for your devices to install. These new options include:
For more information, including details for gradual availability, see Rollout options for Windows Updates.

New details for Windows devices available in the Microsoft Endpoint Manager admin center

The following details for Windows 10 and Windows 11 devices are now collected and can be viewed on a device's details pane in the Microsoft Endpoint Manager admin center:
These details are also included when you export the details from the All devices pane.

Settings for Shared iPad now generally available

Four Shared iPad settings are now out of preview and generally available to use when creating an Apple enrollment profile. These settings are applied during automated device enrollment (ADE).

For iPadOS 14.5 and later in Shared iPad mode:
For iPadOS 13.0 and later in Shared iPad mode:
For more information about setting up devices in Shared iPad mode, see Create an Apple enrollment profile.

Duplicate a settings catalog profile

Settings catalog profiles now support duplication. To create a copy of an existing profile, select Duplicate. The copy contains the same setting configurations and scope tags as the original profile, but doesn't have any assignments attached to it. For more information about the settings catalog, see Use the settings catalog to configure settings on Windows and macOS devices.

Work from anywhere report

The Work from anywhere report has replaced the Recommended software report in Endpoint analytics. The Work from anywhere report contains metrics for Windows, cloud management, cloud identity, and cloud provisioning. For more information, see the Work from anywhere report article.

Device security

View BitLocker recovery keys for tenant attached devices

You can now view the BitLocker recovery key for tenant-attached devices in the Microsoft Endpoint Manager admin center. The recovery keys continue to be stored on-premises for tenant-attached devices, but the visibility in the admin center is intended to assist your Helpdesk scenarios from within the admin center. To view the keys, your Intune account must have the Intune RBAC permissions to view BitLocker keys, and must be associated with an on-premises user that has the related on-premises permission in Configuration Manager: the Read BitLocker Recovery Key permission of the Collection role. Users with the correct permissions can view keys by going to Devices > Windows devices > select a device > Recovery keys. This capability is supported with Configuration Manager sites that run version 2107 or later. For sites that run version 2107, you'll need to install an update rollup to support Azure AD joined devices. For more information, see KB11121541.
BitLocker settings added to settings catalog

We have added 9 BitLocker settings that were previously only available in Group Policy (GP) to the Microsoft Intune settings catalog. To access the settings, go to Devices > Configuration profiles and create a settings catalog profile for devices running Windows 10 and later. Then search BitLocker in the settings catalog to view all settings related to BitLocker. For more information about the settings catalog, see Create a policy using settings catalog. The added settings include:
Monitor and troubleshoot

MDM support data to refresh automatically in Group Policy analytics tool

Now whenever Microsoft makes changes to the mappings in Intune, the MDM Support column in the GP analytics tool automatically updates to reflect the changes. The automation is an improvement over the previous behavior, which required you to reimport your Group Policy object (GPO) to refresh the data. For more information about Group Policy analytics, see Use Group Policy analytics.

Week of November 8, 2021

App management

Update Android Company Portal and Intune apps for custom notifications

We have made service side updates to custom notifications for Intune's November (2111) service release, which requires users to have updated to recent versions of the Android Company Portal (version 5.0.5291.0, released in October 2021) or Android Intune app (version 2021.09.04, released in September 2021) for the best user experience. If users do not update prior to Intune's November (2111) service release and they are sent a custom notification, they will instead receive a notification telling them to update their app to view the notification. Once they update their app, they will see the message sent by your organization in the Notifications section in the app. For related information, see Send custom notifications in Intune.

Device management

Locations deprecated for Android device administrator

In October 2021, support for using locations in device compliance policy for devices enrolled as Android device administrator was deprecated. Use of locations is often referred to as network fencing. For Android device administrator, the policies and dependencies that relied on network fence capabilities no longer function. As previously announced, we are re-envisioning support for network fencing and will share more information about those plans when it becomes available.
Device security

Security Management with Defender for Endpoint (public preview)

This feature is in public preview and will roll out to tenants gradually over the next few weeks. You can confirm your tenant has received this capability when the relevant toggles show in both the Microsoft Endpoint Manager admin center and Microsoft Defender for Endpoint. Security Management with Microsoft Defender for Endpoint is a new configuration channel you use to manage the security configuration for Microsoft Defender for Endpoint (MDE) on devices that do not enroll into Microsoft Endpoint Manager. With this scenario, it's Defender for Endpoint on a device that retrieves, enforces, and reports on the policies for MDE that you deploy from Microsoft Endpoint Manager. The devices are joined to your Azure AD and are also visible in the Microsoft Endpoint Manager admin center alongside other devices you manage with Intune and Configuration Manager. For more information, see Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager.

Week of October 25, 2021

Device security

MFA changes to Windows Autopilot enrollment flow

To improve the baseline security for Azure Active Directory (Azure AD), we changed Azure AD behavior for multifactor authentication (MFA) during device registration. Previously, if a user completed MFA as part of their device registration, the MFA claim was carried over to the user state after registration was complete. Going forward, the MFA claim is not preserved after registration and users will be prompted to redo MFA for any apps that require MFA by policy. For more information, see Windows Autopilot MFA changes to enrollment flow.

Device enrollment

User Assignment

Last week we made a change to the authentication experience during user enrollment for Autopilot. This change impacts all Autopilot deployments where a user is assigned to a specific device prior to going through enrollment.
One-time self-deployment and pre-provisioning

We made a change to the Windows Autopilot self-deployment mode and pre-provisioning mode experience, adding a step to delete the device record as part of the device re-use process. This change impacts all Windows Autopilot deployments where the Autopilot profile is set to self-deployment or pre-provisioning mode. This change will only affect a device when it is re-used or when it is reset and attempts to redeploy. For more information, see Updates to the Windows Autopilot sign-in and deployment experience.

Device management

Introducing Microsoft Surface Management Portal in Microsoft Endpoint Manager

In light of our continued commitment to bring commercial customers the best possible experience, we partnered with teams across Microsoft to streamline Surface management into a single view within Microsoft Endpoint Manager. Whether you lead a large organization with thousands of devices or manage IT for a small-medium business, you can gain insights into the health of all your Surface devices and monitor device warranty and support requests in one location. Microsoft Surface management portal is available to U.S. customers now and will be rolling out globally later. For the latest information about Microsoft Surface and the new management portal, follow the Surface IT Pro Blog.

Week of October 18, 2021 (Service release 2110)

App management

Manage iOS/iPadOS Universal Links using App Protection Policies

You can configure both Managed Universal Links and Universal Link Exemptions for iOS/iPadOS apps via Application Protection Policy (APP) settings. Managed Universal Links allows http/s links to open in the registered APP-protected application instead of the protected browser. Universal Link Exemptions allows http/s links to open in the registered unprotected application instead of the protected browser. For more information, see Data Transfer and Universal Links.
Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Connected app support for Android personally owned and corporate-owned work profiles

You can now allow users to turn on Connected apps experiences for supported apps. This app configuration setting enables users to connect the app information across the work and personal app instances. In the Microsoft Endpoint Manager admin center, choose Apps > App configuration policies > Add > Managed devices. For more information, see Add app configuration policies for managed Android Enterprise devices.

Device management

Block or allow personal apps for Android Enterprise corporate-owned work profile devices

In device configuration, you can create a list of personal apps that will be blocked or allowed on the device. You can choose to leave the setting as not configured, or create a list of blocked or allowed apps in the personal profile. This setting is available in the Microsoft Endpoint Manager admin center by selecting Devices > Android > Configuration profiles > Create profile. For information about Android Enterprise corporate-owned work profile device settings, see Android Enterprise device settings to allow or restrict features using Intune.

New settings when configuring Kerberos single sign-on extension on iOS/iPadOS and macOS

There are new device feature settings available when configuring the Kerberos SSO extension on iOS/iPadOS and macOS devices. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS or macOS > Configuration profiles > Create profile > select Device features for profile > Single sign-on app extension > Kerberos for SSO app extension type. For related information, see iOS/iPadOS device feature settings and macOS device feature settings in Intune.

Four new shared iPad enrollment settings in public preview

Four new shared iPad settings are available in Intune for public preview. These settings are applied at the time of automated device enrollment.
For iPadOS 14.5 and later in Shared iPad mode:

For iPadOS 13.0 and later in Shared iPad mode:

Introducing Android (AOSP) management for corporate devices

You can use Microsoft Intune to manage corporate-owned devices that run on the Android Open Source Project (AOSP) platform. Microsoft Intune currently supports the new Android (AOSP) management option for RealWear devices only. Management capabilities include:
For more information about how to set up Android (AOSP) management, see Enroll Android devices.

Device security

Manage Windows 10 security updates for Windows 10 Enterprise multi-session VMs

You can now use the settings catalog to manage Windows Update settings for quality (security) updates for Windows Enterprise multi-session VMs. To find the settings you can use with multi-session VMs in the settings catalog:
The settings include:
Week of October 4, 2021

App management

Improved flow when saving logs in Android Company Portal app

In the Android Company Portal app, when users download a copy of the Android Company Portal logs, they will now be able to choose which folder the logs will be saved in. To save Android Company Portal logs, users can select Settings > Diagnostic logs > SAVE LOGS.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Device management

Removal of Wi-Fi MAC address on specific Android Enterprise devices

Intune will no longer display a Wi-Fi MAC address for newly enrolled personally owned work profile devices and devices managed with device administrator running Android 9 and above. Google is requiring all app updates to target API 30 by November 2021. With this change, Android prevents apps from collecting the MAC address used by the device. For related information, see Hardware device details.

Use Feature Updates to upgrade devices to Windows 11

You can use Feature updates for Windows 10 and later policy to upgrade devices that meet the Windows 11 minimum requirements to Windows 11. It's as easy as configuring a new feature updates policy that specifies the available Windows 11 version as the feature update you want to deploy. For more information, see Upgrade devices to Windows 11.

Windows 11 hardware readiness insights

The Work from anywhere report in Endpoint analytics now provides Windows 11 hardware readiness insights. You can quickly determine how many of your enrolled devices meet the minimum system requirements for Windows 11 and which requirements are the top blockers within your organization. Drill in for a device-level view of Windows 11 hardware readiness status. For more information, see Windows 11 hardware readiness.

Week of September 27, 2021 (Service release 2109)

App management

New app categories available to better target app protection policies

We have improved the UX of Microsoft Endpoint Manager by creating categories of apps that you can use to more easily and quickly target app protection policies. These categories are All public apps, Microsoft apps, and Core Microsoft apps. After you have created the targeted app protection policy, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy.
As new apps are supported, we will dynamically update these categories to include those apps as appropriate, and your policies will be automatically applied to all apps in your selected category. If needed, you can continue to target policies for individual apps as well. For more information, see How to create and assign app protection policies and Create and deploy Windows Information Protection (WIP) policy with Intune.

Device configuration

New iOS device restriction settings for built-in apps, doc viewing

There are two new device restriction settings you can configure on iOS devices (Devices > iOS/iPadOS > Configuration profiles > Create profile and select Device restrictions for profile) in Intune.
For more information about iOS device restriction profiles in Intune, see iOS and iPadOS device settings to allow or restrict features using Intune.

New macOS device restriction setting blocks users from erasing all content and settings on device

There's a new macOS device restriction setting available (Devices > macOS > Configuration profiles > Create profile > and then select Templates > Device restrictions for profile) in Intune.

Block users from erasing all content and settings on device (General): Disables the reset option on supervised devices so that users can't reset their device to factory settings.

For more information about macOS device restriction profiles in Intune, see macOS device settings to allow or restrict features using Intune.

Applies to:
New software update restriction settings for macOS

There are five new software update settings available when configuring a macOS device restriction profile (Devices > macOS > Configuration profiles > Create profile > and then select Templates > Device restrictions for profile) in Intune.
For more information about macOS device restriction profiles in Intune, see macOS device settings to allow or restrict features using Intune.

New device restriction setting for Android Enterprise: Developer settings

There is a new device restriction setting for Android Enterprise devices (Devices > Android Enterprise > Configuration profiles > Create profile and select Device restrictions for profile) in Intune.
For more information about Android Enterprise device restriction profiles, see Android Enterprise device settings to allow or restrict features using Intune.

New device restrictions setting prevents sharing work profile contacts with paired Bluetooth devices

A new device restriction setting for corporate-owned work profile devices prevents users from sharing their work profile contacts with paired Bluetooth devices, such as cars or mobile devices. To configure the setting, go to Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device restrictions for profile.
Device management

Intune now supports iOS/iPadOS 13 and higher

Microsoft Intune, including the Intune Company Portal and Intune app protection policies, now requires iOS/iPadOS 13 and higher.

Intune now supports macOS 10.15 and later

Intune enrollment and the Company Portal now support macOS 10.15 and later. Older versions are not supported.

New Android device filtering options

You can now choose the following Android enrollment types when filtering by OS in the All devices list in Intune:
In the Microsoft Endpoint Manager admin center, select Devices > All devices and view the OS column for specific Android enrollment types. For more information about Android enrollment types, see Intune reports.

Settings catalog policies for policy sets

In addition to profiles based on templates, you can add a profile based on the Settings catalog to your policy sets. The Settings catalog is a list of all the settings you can configure. To create a policy set in the Microsoft Endpoint Manager admin center, select Devices > Policy sets > Policy sets > Create. For more information, see Use policy sets to group collections of management objects and Use the settings catalog to configure settings on Windows and macOS devices.

Configure Managed Home Screen sign-in settings for Android Enterprise dedicated devices

You can now configure Managed Home Screen sign-in settings in device configuration when using Android Enterprise dedicated devices enrolled using Azure AD Shared device mode. You no longer need to use app configuration for these settings. For related information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Use Feature Updates to upgrade devices to Windows 11

You can use Feature updates for Windows 10 and later policy to upgrade devices that meet the Windows 11 minimum requirements to Windows 11. It's as easy as configuring a new feature updates policy that specifies the available Windows 11 version as the feature update you want to deploy.

Use the Collect diagnostics remote action as a bulk device action for Windows devices

We've added the Collect diagnostics remote action as a Bulk device action that you can run for Windows devices. As a bulk device action for Windows devices, use Collect diagnostics to collect Windows device logs from up to 25 devices at a time without interrupting device users.
Support for Locate device remote action on Android Enterprise dedicated devices

You can use the Locate device remote action to get the current location of a lost or stolen Android Enterprise dedicated device that is online. If you attempt to locate a device that's currently offline, you'll see its last known location instead, so long as that device was able to check in with Intune within the last seven days. For more information, see Locate lost or stolen devices.

Android Enterprise dedicated devices support the Rename remote action

You can now use the Rename remote action on Android Enterprise dedicated devices. You can rename devices individually and in bulk. When using bulk Rename actions, the device name must include a variable that adds either a random number or the device's serial number. For more information, see Rename a device in Intune.

New Azure AD device ID and Intune device ID search parameters added

When searching devices in Devices > All devices, you can now search by Azure AD device ID or Intune Device ID. For a list of the device details available in Intune, see View device details with Microsoft Intune.

Device security

Tenant attach: Device status for endpoint security policies

You can review the status of endpoint security policies for tenant attached devices. The Device Status page can be accessed for all endpoint security policy types for tenant-attached clients. For more information, see Device status for the endpoint security policy types.

Attack surface reduction profiles for Configuration Manager tenant attach

We've added two endpoint security profiles for attack surface reduction policy that you can use with devices you manage with Configuration Manager tenant attach. These profiles are in preview and manage the same settings as the similarly named profiles you use for devices managed by Intune. You'll find these new profiles when you configure attack surface reduction policy for the Windows 10 and later (ConfigMgr) platform.
The new profiles for tenant attach:
Expanded support for Windows Defender Security Center for tenant attach devices

We've updated the Windows Security experience (preview) profile in endpoint security Antivirus policy to support additional settings for devices you manage with Configuration Manager tenant attach. Previously, this profile was limited to Tamper Protection for your tenant attached devices. The updated profile now includes settings for the Windows Defender Security Center. You can use these new settings to manage the same details for tenant attached devices that you already manage with the similarly named profile for Intune managed devices. For more information about this profile, see Endpoint security Antivirus policy.

Intune apps

Notifications from the iOS/iPadOS Company Portal app

Notifications from the iOS/iPadOS Company Portal app are now delivered to devices using the default Apple sound, rather than being delivered silently. To turn the notification sound off for the iOS/iPadOS Company Portal app, select Settings > Notifications > Comp Portal and select the Sound toggle. For related information, see Company Portal app notifications.

Monitor and troubleshoot

Organizational report focused on device configuration

We have released a new Device configuration organizational report. This report replaces the existing Assignment status report found in the Microsoft Endpoint Manager admin center under Devices > Monitor. The Device configuration report allows you to generate a list of profiles in the tenant that have devices in a state of success, error, conflict, or not applicable. You can use filters for the profile type, OS, and state. The returned results provide search, sort, filter, pagination, and export capabilities. In addition to device configuration details, this report provides resource access details and new settings catalog profile details. For related information, see Intune Reports.
Updated support experience in Microsoft Endpoint Manager admin center

For Intune and co-management support flows, we've rolled out an improved support experience in the Microsoft Endpoint Manager admin center. The new experience guides you to issue-specific troubleshooting insights and web-based solutions, to get you a resolution faster. To learn more about this change, see the support blog post.

Safeguard holds are now visible in the Feature update failures report

When a device is blocked from installing a Windows update due to a safeguard hold, you'll now be able to view details about that hold in the Feature update failures report in the Microsoft Endpoint Manager admin center. A device with a safeguard hold appears as a device with an error in the report. When you view details for such a device, the Alert Message column displays Safeguard Hold, and the Deployment Error Code column displays the ID of the safeguard hold. Microsoft occasionally places safeguard holds to block installation of an update on a device when something detected on that device is known to result in a poor post-update experience. For example, software or drivers are common reasons to place a safeguard hold. The hold remains in place until the underlying issue is resolved and the update is safe to install. To learn more about active safeguard holds and expectations for their resolution, go to the Windows release health dashboard at https://aka.ms/WindowsReleaseHealth.

Update to the Assignment failures operational report

Security baselines and endpoint security profiles have been added to the existing Assignment failures report. The profile types are differentiated using the Policy type column, with the ability to filter. Role-based access control (RBAC) permissions have been applied to the report to filter on the set of policies that an admin can see.
Those RBAC permissions include the Security Baseline permission, the Device Configuration permission, and the Device Compliance Policies permission. The report shows the number of devices in a state of error and conflict for a given profile, with the ability to drill down into a detailed list of those devices or users and further into the setting details. You can find the Assignment failures report in the Microsoft Endpoint Manager admin center by selecting Devices > Monitor, or by selecting Endpoint Security > Monitor. For more information, see Assignment failures report (Operational).

Week of September 20, 2021
App management
Syncing the iOS/iPadOS/macOS Company Portal version
The versions of the iOS/iPadOS Company Portal and the macOS Company Portal are syncing to version 5.2019 for the next release. Going forward, the iOS/iPadOS and macOS Company Portal apps will have the same version number. For related information, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Week of August 23, 2021 (Service release 2108)
App management
Device filter evaluation reports now include filter results for assigned apps
If you’re using filters for assigning apps as available, you can now use the filter evaluation report on a device to determine whether an app has been made available for install. You can see this report per device, under Devices > All Devices > select a device > Filter evaluation (preview).
Applies to:
Additional Android SafetyNet evaluation type support for conditional launch policies
Conditional launch now supports a sub-setting of SafetyNet device attestation. If you select SafetyNet device attestation as required for conditional launch, you can specify that a specific SafetyNet evaluation type is used. This evaluation type is a hardware-backed key. The presence of a hardware-backed key as the evaluation type indicates greater integrity of a device, because the verdict draws on hardware-backed key attestation rather than on software checks alone. Devices that do not support hardware-backed keys are blocked by the MAM policy if they are targeted with this setting. For more information about SafetyNet evaluation and hardware-backed key support, see Evaluation types in the Android developer documentation. For more information about Android conditional launch settings, see Conditional launch.

Update to Outlook S/MIME settings for iOS and Android devices
You can now enable Outlook S/MIME settings to always sign and/or always encrypt on iOS and Android devices when using the managed apps option. You can find this setting in the Microsoft Endpoint Manager admin center when using managed apps by selecting Apps > App configuration policies. In addition, you can add an LDAP (Lightweight Directory Access Protocol) URL for Outlook S/MIME on iOS and Android devices for both managed apps and managed devices. For related information, see App configuration policies for Microsoft Intune.

Scope tags for Managed Google Play apps
Scope tags determine which objects an admin with specific rights can view in Intune. Most newly created items in Intune take on the scope tags of the creator. This is not the case for Managed Google Play Store apps. You can now optionally assign a scope tag to apply to all newly synced Managed Google Play apps on the Managed Google Play connector pane. The chosen scope tag only applies to new Managed Google Play apps, not to Managed Google Play apps that have already been approved in the tenant.
For related information, see Add Managed Google Play apps to Android Enterprise devices with Intune and Use role-based access control (RBAC) and scope tags for distributed IT.

Content of macOS LOB apps will be displayed in Intune
Intune can now display the contents of macOS LOB apps (

Device configuration
Use filters on DFCI configuration profiles on Windows 10/11 devices
In Endpoint Manager, you can create filters to target devices based on different properties. When you create a Device Firmware Configuration Interface (DFCI) profile, you can use filters when assigning the profile.
Applies to:
New Deployment Channel setting for custom device configuration profiles on macOS devices
When creating a custom device configuration policy for macOS devices, there is a new deployment channel setting available (Devices > Configuration profiles > Create profile > macOS for platform > Templates > Custom for profile). Use the Deployment channel setting to deploy the configuration profile to the user channel or the device channel. If you send the profile to the wrong channel, deployment can fail. For more information on using a payload in a device profile or a user profile, see Profile-Specific Payload Keys (opens Apple developer website). For more information about custom macOS profiles in Intune, see Use custom settings for macOS devices.
Applies to:
Use Wi-Fi networks set up using configuration profiles setting for iOS/iPadOS 14.5 devices and newer
When creating a device restrictions policy for iOS/iPadOS devices, there's a new setting available (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile):
To see the settings you can currently configure, go to iOS and iPadOS device settings to allow or restrict features using Intune. Applies to:
New macOS device configuration profile settings, and change to iOS/iPadOS setting name
There are new settings you can configure on macOS 10.13 devices and newer (Devices > Configuration profiles > Create profile > macOS for platform > Templates > Device restrictions for profile type):
To see the settings you can currently configure, go to macOS device settings to allow or restrict features. Also, the iOS/iPadOS Block Multiplayer Gaming setting name is changing to Block multiplayer gaming in the Game Center (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type). For more information about this setting, go to iOS and iPadOS device settings to allow or restrict features.
Applies to:
More iOS/iPadOS home screen layout grid size options
On iOS/iPadOS devices, you can configure the grid size on the home screen (Devices > Device Configuration > Create profile > iOS/iPadOS for platform > Device features for profile > Home screen layout). For example, you can set the grid size to 4 columns x 5 rows. The grid size will have more options:
To see the home screen layout settings you can currently configure, go to device settings to use common iOS/iPadOS features in Intune. Applies to:
Add certificate server names to enterprise Wi-Fi profiles on Android Enterprise personally owned devices with a work profile
On Android devices, you can use certificate-based authentication for Wi-Fi networks on personal devices with a work profile (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Personally owned work profile > Wi-Fi). When you use the Enterprise Wi-Fi type and select the EAP type, there's a new Certificate server names setting. Use this setting to add a list of the certificate server domain names used by your certificate. For example, enter On Android 11 and newer devices, if you use the Enterprise Wi-Fi type, then you must add the certificate server names. If you don't add the certificate server names, users will have connection issues. For more information on the Wi-Fi settings you can configure on Android Enterprise devices, see Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.
Applies to:
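As an added example (not Intune's or Android's code), the following models the server-name check that the Certificate server names setting above feeds: when an EAP supplicant validates the RADIUS server certificate, it compares the certificate's SAN dNSName entries against the configured names. Three things here are assumptions rather than statements from the page: that a match is made on whole DNS labels (so contoso.com matches radius.contoso.com but not evilcontoso.com, the semantics of Android's domain suffix match), that several names may be configured, and that a profile with no server names is refused outright on Android 11 and newer (the "connection issues" the page mentions). The sample SAN list is constructed.

```python
# Added example, not Intune's or Android's code. Models the RADIUS server
# certificate name check behind the "Certificate server names" setting.
# Assumptions: whole-label suffix matching (Android domain suffix match
# semantics), several configured names allowed, and an empty list is
# refused on Android 11+ rather than silently trusting any CA-issued cert.


def host_matches_suffix(hostname: str, suffix: str) -> bool:
    """True if hostname equals suffix or ends with '.' + suffix.

    DNS names are case-insensitive and a trailing dot is ignored. Matching on
    label boundaries is what stops 'evilcontoso.com' from matching 'contoso.com'.
    """
    host = hostname.lower().rstrip(".")
    sfx = suffix.lower().strip().rstrip(".")
    if not sfx:
        return False
    return host == sfx or host.endswith("." + sfx)


def server_cert_accepted(san_dns_names, certificate_server_names):
    """Decide whether a RADIUS server certificate is acceptable for an EAP profile.

    san_dns_names: dNSName entries from the server certificate's SAN extension.
    certificate_server_names: the names configured in the Wi-Fi profile.
    Returns (accepted, reason).
    """
    names = [n for n in certificate_server_names if n.strip()]
    if not names:
        # Assumption (Android 11 behaviour): with no server-name constraint the
        # client cannot pin the authenticator, so the profile is refused. This is
        # the failure mode users see as "connection issues".
        return False, "no certificate server names configured; profile rejected"
    for san in san_dns_names:
        for sfx in names:
            if host_matches_suffix(san, sfx):
                return True, f"SAN {san} matches configured name {sfx}"
    return False, "no SAN dNSName matches the configured certificate server names"


# Constructed sample: a RADIUS server certificate issued to two names.
SAMPLE_SAN = ["radius01.corp.contoso.com", "radius.contoso.com"]

if __name__ == "__main__":
    for configured in (["contoso.com"], ["corp.contoso.com"], ["fabrikam.com"], []):
        print(configured, server_cert_accepted(SAMPLE_SAN, configured))
```

The check is deliberately strict in the empty case: an EAP profile that validates the CA but not the server name lets any certificate that chains to the same CA (including one issued to an attacker's host) pose as the authenticator, which is the weakness Android 11 closed.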
Device enrollment
Modern authentication method with Apple Setup Assistant is out of preview for automated device enrollment
The modern authentication method with Apple Setup Assistant is now out of preview and generally available for use with automated device enrollment. For information on how to use this authentication method on iOS/iPadOS devices, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment. For information on how to use this authentication method on macOS devices, see Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager.

Device management
Endpoint analytics per device scoring
To help you identify devices that could be impacting user experience, Endpoint analytics shows some scores per device. Reviewing scores per device may help you find and resolve end-user impacting issues before a call is made to the help desk. You can display and sort by the Endpoint analytics, startup performance, and application reliability scores for each device. For more information, see Per device scores.

Device security
Changes to settings in the settings catalog for Microsoft Defender for Endpoint on macOS
We’ve added eight new settings to manage Microsoft Defender for Endpoint on macOS to the Intune settings catalog. The new settings are found under the following four categories in the settings catalog. For information about these settings, see Set preferences for Microsoft Defender for Endpoint on macOS in the Microsoft Defender for Endpoint on Mac documentation.
Confirm Tunnel Gateway servers can access your internal network from within the Microsoft Endpoint Manager admin center
We've added the capability to the Microsoft Endpoint Manager admin center to confirm that your Tunnel Gateway servers can access your internal network, without someone having to access the servers directly. To enable this, you configure a new option called URL for internal network access check in the properties of each Tunnel Gateway site. After you add a URL from your internal network to a Tunnel Gateway site, each server in that site periodically attempts to access it, and then reports the result. The status for this internal network access check is reported as Internal network accessibility on a server's Health check tab. Status values for this check include:
Your servers will need to upgrade to the latest version of the Tunnel Gateway server software for this feature to work.

Compliance setting for SafetyNet hardware-backed key attestation for Android Enterprise personally owned work profile
We’ve added a new device compliance setting for Android Enterprise personally owned work profile devices, Required SafetyNet evaluation type. This new setting becomes available after you configure SafetyNet device attestation to either Check basic integrity or Check basic integrity & certified devices. The new setting, Required SafetyNet evaluation type:
For more information about SafetyNet and which devices support hardware-backed key attestation, see Evaluation types in the SafetyNet documentation for Android.

Intune apps
Newly available protected app for Intune
The following protected app is now available for Microsoft Intune:
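Both the conditional launch setting (hardware-backed evaluation type for MAM, described in the Week of August 23 entries above) and the compliance setting just described make the same kind of decision over a SafetyNet attestation: which integrity verdicts are required, and whether the verdict must come from a hardware-backed evaluation. The following is an added example, not Intune's or Google's code, of that decision logic applied to a decoded attestation. The payload field names (nonce, timestampMs, basicIntegrity, ctsProfileMatch, evaluationType) are those of Google's SafetyNet attestation JWS; the sample payloads, the placeholder signature, the mode names and the 10-minute freshness window are constructed for this example. Signature verification of the JWS is deliberately out of scope and is flagged in the code.

```python
import base64
import json
import time

# Added example, not Intune's or Google's code. Shows the decision logic behind
# "SafetyNet device attestation" (Check basic integrity vs. Check basic
# integrity & certified devices) and "Required SafetyNet evaluation type"
# (hardware-backed key). Field names follow Google's SafetyNet attestation
# payload; sample values, mode names and the freshness window are constructed.

MAX_AGE_MS = 10 * 60 * 1000  # assumption: attestations older than this are stale


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jws_payload(jws: str) -> dict:
    """Return the JSON payload (middle segment) of a compact JWS.

    This does NOT verify the signature. Before trusting the payload, a real
    verifier must validate the x5c chain in the JWS header to a trusted root
    and confirm the leaf certificate is issued to attest.android.com.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_attestation(payload, expected_nonce, mode, require_hardware_backed, now_ms=None):
    """Apply a SafetyNet-based device policy to a decoded attestation payload.

    mode: "basic" requires basicIntegrity; "basic_and_certified" also requires
    ctsProfileMatch. require_hardware_backed demands HARDWARE_BACKED in
    evaluationType. Returns (allowed, reason).
    """
    if mode not in ("basic", "basic_and_certified"):
        raise ValueError(f"unknown mode {mode!r}")
    if now_ms is None:
        now_ms = int(time.time() * 1000)

    # 1. Bind the verdict to this request: a replayed or foreign attestation
    #    carries someone else's nonce.
    if payload.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed or foreign attestation)"

    # 2. Freshness: an old verdict says nothing about the device now.
    age_ms = now_ms - int(payload.get("timestampMs", 0))
    if age_ms < 0 or age_ms > MAX_AGE_MS:
        return False, "attestation timestamp is stale or in the future"

    # 3. Integrity verdicts, tiered the way the Intune setting tiers them.
    if not payload.get("basicIntegrity", False):
        return False, "basicIntegrity failed (rooted, emulator, or tampered build)"
    if mode == "basic_and_certified" and not payload.get("ctsProfileMatch", False):
        return False, "ctsProfileMatch failed (device or build not Google-certified)"

    # 4. Evaluation type. A missing field means the software-only BASIC check;
    #    hardware-backed devices report "BASIC,HARDWARE_BACKED". Requiring the
    #    hardware-backed verdict blocks devices that cannot produce it.
    types = {t.strip() for t in payload.get("evaluationType", "BASIC").split(",")}
    if require_hardware_backed and "HARDWARE_BACKED" not in types:
        return False, "evaluation type lacks HARDWARE_BACKED; device blocked by policy"
    return True, "compliant"


def make_sample_jws(payload: dict) -> str:
    """Constructed test input: a compact JWS with a placeholder signature.
    Real attestations are RS256-signed by Google with an x5c chain in the header."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'x5c': ['<omitted>']})}.{enc(payload)}.placeholder"


NOW_MS = 1_630_000_000_000  # constructed "current time" so results are deterministic
NONCE = "request-nonce-0001"

# Constructed payloads: a certified device with a hardware-backed key, a certified
# device limited to the software (BASIC) evaluation, and a device failing integrity.
SAMPLE_HW = make_sample_jws({"nonce": NONCE, "timestampMs": NOW_MS - 30_000,
                             "apkPackageName": "com.example.app", "basicIntegrity": True,
                             "ctsProfileMatch": True, "evaluationType": "BASIC,HARDWARE_BACKED"})
SAMPLE_BASIC_ONLY = make_sample_jws({"nonce": NONCE, "timestampMs": NOW_MS - 30_000,
                                     "basicIntegrity": True, "ctsProfileMatch": True,
                                     "evaluationType": "BASIC"})
SAMPLE_TAMPERED = make_sample_jws({"nonce": NONCE, "timestampMs": NOW_MS - 30_000,
                                   "basicIntegrity": False, "ctsProfileMatch": False,
                                   "evaluationType": "BASIC"})


def check(jws: str, mode: str, require_hw: bool):
    """Decode and evaluate one sample against the given policy."""
    return evaluate_attestation(decode_jws_payload(jws), NONCE, mode, require_hw, NOW_MS)


if __name__ == "__main__":
    for name, jws in (("hardware-backed", SAMPLE_HW), ("basic-only", SAMPLE_BASIC_ONLY),
                      ("tampered", SAMPLE_TAMPERED)):
        print(name, check(jws, "basic_and_certified", require_hw=True))
```

Run as written, the basic-only device passes the certified check but is blocked once the hardware-backed evaluation type is required, which is exactly the trade-off the two settings expose: stronger assurance at the cost of excluding devices whose keystore cannot take part in the attestation.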
For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot
Export GPO XML file size increased to 4 MB when using group policy analytics (preview) on Windows client devices
In Microsoft Endpoint Manager, you can use group policy analytics to analyze your on-premises GPOs and determine how your GPOs translate in the cloud. To use this feature, you export your GPO as an XML file. The maximum XML file size has increased from 750 KB to 4 MB. For more information on using group policy analytics, see Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Endpoint Manager.
Applies to:
Device configuration reporting has been updated
All device configuration and endpoint security profiles are now merged into one report. You can view all the policies applied to your device in the new single report, which contains improved data. For instance, you can see the distinction of profile types in the new Policy type field. Also, selecting a policy provides additional details about the settings applied to the device and the status of the device. Role-based access control (RBAC) permissions have been applied to filter the list of profiles based on your permissions. In the Microsoft Endpoint Manager admin center, select Devices > All devices > select a device > Device configuration to see this report when it is available. For more information, see Microsoft Intune reports.

New details for the Intune antivirus reports
We've added two new columns of detail to both the Windows 10 unhealthy endpoints report and the Antivirus agent status report. The new details include:
For more information about these settings, see WindowsAdvancedThreatProtection CSP.

Customize health status thresholds for Microsoft Tunnel Gateway servers
You can now customize the thresholds that determine the health status for several metrics of Microsoft Tunnel Gateway. Health status metrics have default values that determine whether the status reports as healthy, warning, or unhealthy. When you customize a metric, you change the performance requirements for that metric's status. You can customize the following metrics:
When you change a threshold value, the change applies to all Tunnel servers in your tenant. You can also select an option to reset all the metrics to their default values. After you update the thresholds, the values in the Health check tab automatically update to reflect status based on the updated thresholds.

View health status trends for Microsoft Tunnel Gateway servers
You can view health status trends for several Microsoft Tunnel Gateway health metrics in the form of a chart. The health status trend charts are available for individual servers you select from the Health status page. The metrics that support trend charts include:
Week of August 16, 2021
App management
Intune Company Portal for macOS devices is now a universal app
When you download Intune Company Portal for macOS devices version 2.18.2107 and later, it installs the new universal version of the app that runs natively on Apple Silicon Macs. The same app installs the x64 version of the app on Intel Mac machines. For related information, see Add the Company Portal for macOS app.

Device configuration
New version of the Certificate Connector for Microsoft Intune
We’ve released a new version of the Certificate Connector for Microsoft Intune, version 6.2108.18.0. This update includes:
For more information about the certificate connector, including a list of connector releases and updates, see Certificate Connector for Microsoft Intune.

Device management
Adding Windows Hello for Business to Windows 10 Diagnostics
We've added the information from the Operational Event Viewer for Windows Hello for Business to the data that’s collected for Windows 10 device diagnostics. See Data collected.

Week of August 2, 2021
Windows 365 now generally available
Windows 365 is a new service from Microsoft that automatically creates Cloud PCs for your end users. Cloud PCs are a new hybrid personal computing category that uses the power of the cloud and the accessing device to provide a full and personalized Windows virtual machine. Admins can use Microsoft Endpoint Manager to define the configurations and applications that are provisioned for each user’s Cloud PC. End users can access their Cloud PC from any device and any location. Windows 365 stores the end user’s Cloud PC and data in the cloud, not on the device, providing a secure experience. For more information about Windows 365, see Windows 365. For documentation on how to manage Windows 365 in your organization, see the Windows 365 documentation.

Week of July 26, 2021 (Service release 2107)
Device configuration
Improved policy support for iPadOS devices enrolled as Shared iPads for Business (public preview)
We've added support for user-assigned device configuration policies for Shared iPads for Business. With this change, settings like the home screen layout and most device restrictions assigned to user groups apply to Shared iPad devices while a user from the assigned user groups is active on the device.

Certificate Connector for Microsoft Intune combines separate certificate connectors
We’ve released the Certificate Connector for Microsoft Intune. This new connector replaces the use of separate certificate connectors for SCEP and PKCS, and includes the following features:
The previous connectors remain in support but are no longer available for download. If you need to install or reinstall a connector, install the new Certificate Connector for Microsoft Intune.

Windows Autopilot diagnostics page (public preview)
Available settings on the Enrollment Status Page are updated from Allow users to collect logs about installation errors to Turn on log collection and diagnostics page for end users, to support the Windows Autopilot diagnostics page available in Windows 11. For more information, see Windows Autopilot: What's new.

Device management
Use filters to assign Windows client update rings in Endpoint Manager admin center - public preview
In the Endpoint Manager admin center, you can create filters, and then use these filters when assigning apps and policies. When assigning Windows client update ring policies, you can use filters (Devices > Windows > Windows 10 Update Rings). You can filter the devices that get the update rings policy based on a device property, such as the OS version, device manufacturer, and more. After you create the filter, use the filter when you assign the update rings policy.
Applies to:
Collect diagnostics remote action moved to general availability
The Collect diagnostics remote action lets you collect diagnostics from corporate devices without interrupting or waiting for the end user. Collected diagnostics include MDM, Autopilot, event viewers, registry key, Configuration Manager client, networking, and other critical troubleshooting diagnostics. For more information, see Collect diagnostics from a Windows device.

Autopilot support for Microsoft HoloLens is now generally available
For more information, see Windows Autopilot for HoloLens 2.

Device security
Work from anywhere report
Endpoint analytics has a new report named Work from anywhere. The Work from anywhere report is an evolution of the Recommended software report. The new report contains metrics for Windows 10, cloud management, cloud identity, and cloud provisioning. For more information, see the Work from anywhere report article.

Intune apps
Improvements to SSO app extension screen for Company Portal for macOS
We've improved the Intune Company Portal authentication screen that prompts macOS users to log in to their account using single sign-on (SSO). Users can now:
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Week of July 5, 2021
Device security
Settings catalog support for Microsoft Defender for Endpoint on macOS
We’ve added settings to manage Microsoft Defender for Endpoint on macOS to the Intune settings catalog. The new settings are found under the following four categories in the settings catalog. For information about these settings, see Set preferences for Microsoft Defender for Endpoint on macOS in the Microsoft Defender for Endpoint on Mac documentation.
Microsoft Defender - Antivirus engine:
Microsoft Defender - Cloud delivered protection preferences:
Microsoft Defender - EDR preferences:
Microsoft Defender - User interface preferences:
Week of June 28, 2021
New iOS/iPadOS remote action lets you update the eSIM cellular plan (public preview)
The new Update cellular data plan (preview) action lets you remotely activate the eSIM cellular plan on iOS/iPadOS devices that support it. This feature is currently in public preview. For more information, see Update cellular data plan.

Week of June 21, 2021 (Service release 2106)
App management
Improvements for viewing managed apps status
We've added some improvements to how Intune displays status information about the managed apps that have been deployed to users or devices. Intune now displays only the apps that are specific to the platform of the device you’re viewing. We’ve also introduced performance enhancements and additional support for the Android and Windows platforms.

Updated default license type for Apple VPP apps
When you create a new assignment for an Apple Volume Purchase Program (VPP) app, the default license type is now "device". Existing assignments remain unchanged. For more information about Apple VPP apps, see How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.

Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Device configuration
Manage cookies and cross site tracking in Safari on iOS/iPadOS devices
When creating a device restriction policy for iOS/iPadOS devices, you can manage cookies in the Safari app (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile > Built-in Apps). The Safari cookies setting is updated to help manage cookies and cross site tracking. For more information on this setting, see Built-in Apps for iOS/iPadOS devices.
Applies to:
Device enrollment
Browser access automatically enabled during corporate Android enrollment
Browser access is now automatically turned on during new enrollments of the following devices:
Compliant devices can use the browser to access resources protected by conditional access. This change has no impact on devices that are already enrolled.

Intune support for Android Enterprise corporate-owned devices with a work profile
Intune support for Android Enterprise corporate-owned devices with a work profile is now generally available. For more information, see Announcing general availability of Android Enterprise corporate-owned devices with a work profile.

Device management
Use filters on Settings Catalog configuration profiles, and Risk Score and Threat Level compliance policy settings
When you use filters to assign your policies, you can:
For more information on what you can do, see List of platforms, policies, and app types supported by filters. Applies to:
Use the EnrollmentProfileName property when creating a filter for Android Enterprise
In Endpoint Manager, you can create filters to target devices based on different properties, including device name, manufacturer, and more. On iOS/iPadOS and Windows 10/11 devices, you can already create a filter using the enrollment profile name. The enrollment profile name property is now also available for Android Enterprise devices. To see the filter properties you can configure, go to Device properties, operators, and rule editing when creating filters.
Applies to:
Monitor and troubleshoot
Export option for Proactive remediations
Proactive remediations are script packages that can detect and fix common support issues on a user's device before they even realize there's a problem. To help you easily analyze returned outputs, an Export option was added that allows you to save the output as a

Updated certificates report
The Certificates report, which shows the current device certificates in use, has been updated to include better capabilities to search, page, sort, and export the report. In the Microsoft Endpoint Manager admin center, select Devices > Monitor > Certificates. For more information about reports in Intune, see Intune reports.

Week of June 14, 2021
Device security
Microsoft Defender for Endpoint for Microsoft Tunnel on Android is out of preview
The Microsoft Defender for Endpoint app that supports Microsoft Tunnel functionality on Android is now out of preview and generally available for use. With this change:
Plan to download and use the updated Microsoft Defender for Endpoint app for Microsoft Tunnel on Android. If you participated in the preview, update your devices with the new version of Defender for Endpoint from the Google Play store. If you are still using the standalone tunnel app, plan to migrate to the Microsoft Defender for Endpoint app before support for the standalone app ends. The standalone tunnel app for iOS remains in preview.

Device management
Tenant attach: Offboarding
While we know customers get enormous value by enabling tenant attach, there are rare cases where you might need to offboard a hierarchy. For example, you may need to offboard following a disaster recovery scenario where the on-premises environment was removed. To remove your Configuration Manager hierarchy from the Microsoft Endpoint Manager admin center, select Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager. Choose the name of the site you would like to offboard, then select Delete. For more information, see Enable tenant attach.

Week of June 7, 2021
App management
Android Company Portal app and Intune app now include Portugal Portuguese support
The Android Company Portal app and the Android Intune app now support Portuguese from Portugal (language code pt-PT). Intune already supports Portuguese from Brazil.

Week of May 24, 2021 (Service release 2105)
Device security
New Microsoft Tunnel Gateway version
We’ve released a new version of the Microsoft Tunnel Gateway. It includes the following changes:
For sites that are configured to update automatically, the Tunnel Gateway server automatically updates to the new version. For sites that are configured to update manually, you need to approve the update.

App management
New tiles provide app install failure count
The Home, Dashboard, and Apps Overview panes now provide updated tiles to show the number of app installation failures for the tenant. In the Microsoft Endpoint Manager admin center, select Home to view the Home pane, or Dashboard to view the Dashboard pane. Select Apps > Overview to view the Apps Overview pane. For related information, see Intune reports.

Device configuration
Per setting status report in Settings Catalog
When you create a Settings Catalog profile, you can see how many devices are in each state, including success, conflict, and error (Devices > Configuration profiles > select the policy). This report includes a Per setting status that:
For more information on the settings catalog, see Use the settings catalog to configure settings on Windows and macOS devices.

New settings for iOS/iPadOS 14.5 devices and newer
When creating a device restrictions policy for iOS/iPadOS devices, there are new settings available (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile):
To see these settings, go to iOS and iPadOS device settings to allow or restrict features using Intune. Applies to:
Device management
Support has ended for Restart remote action on Android Enterprise corporate-owned devices with a work profile
Support has ended for the Restart remote action on corporate-owned devices with a work profile. The Restart button has been removed from the Device page for corporate-owned devices with a work profile. If you try to restart devices using bulk device actions, the corporate-owned work profile devices won't restart, and those device actions are reported as Not supported. Other device types that are included in the bulk device action restart as normal for that action.

Windows 10/11 Enterprise multi-session support (public preview)
Windows 10/11 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Azure Virtual Desktop on Azure that allows multiple concurrent user sessions. This gives users a familiar Windows client experience while IT can benefit from the cost advantages of multi-session and use existing per-user Microsoft 365 licensing. Microsoft Intune lets you manage multi-session remote desktops with device-based configurations, like a shared, user-less Windows client. You can now enroll Hybrid Azure AD joined VMs in Intune automatically and target them with OS scope policies and apps. You can:
For more information, see Windows 10/11 Enterprise multi-session remote desktops.

Device security
Conditional access on Jamf-managed macOS devices for Government Cloud now available
You can now use Intune's compliance engine to evaluate Jamf-managed macOS devices for Government Cloud. To do so, activate the compliance connector for Jamf. For more information, see Integrate Jamf Pro with Intune for compliance.

Changes for the Microsoft Tunnel Gateway
We have a pair of updates to announce for the Microsoft Tunnel Gateway this month:
Monitor and troubleshoot
New operational report providing app install status
The new App Install Status report provides a list of apps with versions and installation details. App installation details are included as separate columns in the list. Additionally, the installation details provide the app install and failure totals for devices and users. You can sort and search this report as well. In the Microsoft Endpoint Manager admin center, select Apps > Monitor > App Install Status. For more information about reports in Intune, see Intune reports.

New operational report providing app install status based on device
Based on a selected app, the new Device Install Status report provides a list of devices and status information related to the specific app. App installation details related to the device include UPN, Platform, Version, Status, Status details, and Last check-in. You can sort, filter, and search this report as well. In the Microsoft Endpoint Manager admin center, select Apps > All Apps > Select an app > Device Install status. For more information about reports in Intune, see Intune reports.

New operational report providing app install status based on user
Based on a selected app, the new User Install Status report provides a list of users and status information related to the specific app. App installation details related to the user include Name, UPN, Failures, Installs, Pending, Not Installed, and Not Applicable. You can sort, filter, and search this report as well. In the Microsoft Endpoint Manager admin center, select Apps > All apps > Select an app > User Install Status. For more information about reports in Intune, see Intune reports.

Export Intune reports using Graph API v1.0 or beta
The Intune reporting export API is now available in Graph v1.0, and continues to be available in Graph beta. For related information, see Intune reports and Export Intune reports using Graph APIs.
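The export API just mentioned is asynchronous: you create an export job, poll it until it completes, and then download the file from the URL the job returns. The following is an added example of that flow, not Microsoft's code. The endpoint path (/deviceManagement/reports/exportJobs), the request fields (reportName, filter, select, format) and the job status values (notStarted, inProgress, completed, failed) follow the documented Intune reports export API; the report name and filter expression are illustrative, the FakeGraph transport is constructed so the flow runs offline, and the token-based transport assumes you already hold an access token with the Intune reporting permission. Swapping GRAPH_V1 for the beta base URL targets the beta endpoint the page says remains available.

```python
import json
import time
import urllib.error
import urllib.request

# Added example, not Microsoft's code. Create / poll / download flow for the
# Intune reports export API on Graph v1.0. Endpoint path, request fields and
# status values follow the documented API; the report name, the filter and the
# FakeGraph transport are constructed for this example.

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
EXPORT_JOBS = f"{GRAPH_V1}/deviceManagement/reports/exportJobs"


def start_export_job(http, report_name, filter_expr=None, select=None, fmt="csv"):
    """POST a new export job; returns the job id. http is (method, url, body) -> (status, json)."""
    body = {"reportName": report_name, "format": fmt}
    if filter_expr:
        body["filter"] = filter_expr
    if select:
        body["select"] = select
    status, data = http("POST", EXPORT_JOBS, body)
    if status not in (200, 201):
        raise RuntimeError(f"export job creation failed: HTTP {status} {data}")
    return data["id"]


def wait_for_export(http, job_id, poll_seconds=5, max_polls=60, sleep=time.sleep):
    """Poll the job until it completes; returns the download URL.

    The URL is a direct download link for the report: it is all that is needed
    to fetch the data, so log the job id, not the URL.
    """
    for _ in range(max_polls):
        status, data = http("GET", f"{EXPORT_JOBS}/{job_id}", None)
        if status != 200:
            raise RuntimeError(f"polling failed: HTTP {status} {data}")
        state = data.get("status")
        if state == "completed":
            return data["url"]
        if state == "failed":
            raise RuntimeError(f"export job {job_id} failed")
        sleep(poll_seconds)  # notStarted / inProgress: back off and try again
    raise TimeoutError(f"export job {job_id} did not complete after {max_polls} polls")


def export_report(http, report_name, filter_expr=None, poll_seconds=5):
    """Create a job, wait for it, and return (job_id, download_url)."""
    job_id = start_export_job(http, report_name, filter_expr)
    return job_id, wait_for_export(http, job_id, poll_seconds=poll_seconds)


def graph_http(access_token):
    """Real transport (assumption: you already hold a bearer token for Graph)."""
    def call(method, url, body):
        payload = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=payload, method=method, headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return call


class FakeGraph:
    """Constructed offline stand-in for Graph: each job goes
    notStarted -> inProgress -> completed, one step per poll."""
    def __init__(self):
        self.jobs = {}

    def __call__(self, method, url, body):
        if method == "POST" and url == EXPORT_JOBS:
            job_id = f"{body['reportName']}_job1"
            self.jobs[job_id] = {"id": job_id, "status": "notStarted", "polls": 0,
                                 "reportName": body["reportName"]}
            return 201, dict(self.jobs[job_id])
        if method == "GET" and url.startswith(EXPORT_JOBS + "/"):
            job = self.jobs.get(url.rsplit("/", 1)[1])
            if job is None:
                return 404, {"error": "not found"}
            job["polls"] += 1
            job["status"] = ["inProgress", "completed"][min(job["polls"] - 1, 1)]
            if job["status"] == "completed":
                job["url"] = f"https://example.invalid/{job['id']}.zip"
            return 200, dict(job)
        return 405, {"error": "unsupported"}


if __name__ == "__main__":
    # Offline demo; with a real token use: export_report(graph_http(token), "DeviceCompliance")
    print(export_report(FakeGraph(), "DeviceCompliance", "ComplianceState eq 'Compliant'",
                        poll_seconds=0))
```

The transport is injected so the same functions run against the fake and against Graph; in production keep the polling interval at several seconds, because the job is produced server-side and tight polling only burns request quota.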
Scripts
New property value supported for Android Open Source Project devices
The

Week of May 10, 2021
App management
Improved Conditional Access messaging for Android and iOS/iPadOS users
Azure Active Directory has updated the wording on a Conditional Access screen to better explain access and setup requirements to users. Android and iOS/iPadOS users see this screen when they try to access corporate resources from a device that's not enrolled in Intune management. For more information about this change, see What's new in Azure Active Directory.

Device security
Windows Security experience profiles support tri-state settings
For Windows 10 devices, we’ve updated the bi-state settings to be tri-state settings in the Windows Security experience profile for Endpoint security Antivirus policy. Most settings in the profile previously supported only two options, Yes and Not configured. Moving forward, those same settings include Yes, Not configured, and a new option of No.
In addition, the following applies to configuration of the Hide the Virus and threat protection area in the Windows Security app setting and its child Hide the Ransomware data recovery option in the Windows Security app setting:
Device management
Use filters to assign policies in Endpoint Manager admin center
There's a new Filters option that can be used when assigning apps or policies to groups. To create a filter, go to:
You can filter the scope of affected devices using device properties. For example, you can filter on the OS version, device manufacturer, and more. After you create the filter, you can use the filter when you assign a policy or profile. For more information, see Use filters when assigning your apps, policies, and profiles in Microsoft Endpoint Manager. Applies to:
Use Intune policy to expedite installation of Windows 10/11 security updates
In public preview, you can use Intune’s Windows 10 quality updates policy to expedite the install of the most recent Windows 10/11 security updates to devices you manage with Intune. When you expedite an update, devices can start the download and install of the update as soon as possible, without having to wait for the device to check in for updates. Other than expediting the install of the update, use of this policy leaves your existing update deployment policies and processes untouched. To help monitor expedited updates, you can use the following options:
Week of April 26, 2021 (Service release 2104)

App management

Updated privacy screen in Company Portal for iOS
We added additional text to the Company Portal privacy screen to clarify how Company Portal uses collected data. It assures users that the collected data is only used to verify that devices are compliant with their organization's policies.

Installation status for device-assigned required apps
From the Installed apps page of the Windows Company Portal or the Company Portal website, end users can view the installation status and details for device-assigned required apps. This functionality is provided in addition to the installation status and details of user-assigned required apps. For more information about the Company Portal, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Win32 app version displayed in console
The version of your Win32 app is now displayed in the Microsoft Endpoint Manager admin center. The app version is provided in the All apps list, where you can filter by Win32 apps and select the optional version column. In the Microsoft Endpoint Manager admin center, select Apps > All apps > Columns > Version to display the app version in the app list. For related information, see Win32 app management in Microsoft Intune.

Maximum OS version setting for app conditional launch on iOS devices
Using Intune app protection policies, you can add a new conditional launch setting to ensure end users are not using any pre-release or beta OS build to access work or school account data on iOS devices. This setting ensures that you can vet all OS releases before end users are actively using new OS functionality on iOS devices. In the Microsoft Endpoint Manager admin center, select Apps > App protection policies. For related information, see How to create and assign app protection policies.

Device configuration

Updated OEMConfig policy reporting for Android Enterprise devices
On Android Enterprise devices, you can create an OEMConfig policy to add, create, and customize OEM-specific settings. Now, the policy reporting is updated to also show success on a user, a device, and for each setting in the policy. For more information, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune. Applies to:

Disable NFC pairing on iOS/iPadOS devices running 14.2 and newer
On supervised iOS/iPadOS devices, you can create a device restrictions profile that disables NFC (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile > Connected devices > Disable near field communication (NFC)). When you disable this feature, it prevents devices from pairing with other NFC-enabled devices, and disables NFC. To see this setting, go to iOS and iPadOS device settings to allow or restrict features using Intune. Applies to:

Device management

Locate device remote action for Windows client devices
You can now use a new locate device remote action to get the geographical location of a device. Supported devices include:

To see the new action, sign in to the Microsoft Endpoint Manager admin center and choose Devices > Windows > choose a device > Locate device. This action works in a similar manner to the current Locate device action for Apple devices (but does not include any lost mode functionality). Location services must be enabled on devices for this remote action to work. If Intune is unable to fetch the device's location and the user has set a default location in device settings, it will display the default location.

Microsoft Endpoint Manager ending support for Android 5.x
Microsoft Endpoint Manager no longer supports Android 5.x devices.

Support to display phone numbers for corporate Android Enterprise devices
For corporate Android Enterprise devices (Dedicated, Fully Managed, and Fully managed with work profile), the associated device phone numbers are now displayed in the Microsoft Endpoint Manager admin center. If multiple numbers are associated with the device, only one number will be displayed.

EID property support for iOS/iPadOS devices
The eSIM identifier (EID) is a unique identifier for the embedded SIM (eSIM). The EID property now appears on the hardware details page for iOS/iPadOS devices.

Intune support for provisioning Azure Active Directory shared devices
The ability to provision Android Enterprise dedicated devices with Microsoft Authenticator automatically configured into Azure AD shared device mode is now Generally Available. For more info on how to use this enrollment type, see Set up Intune enrollment of Android Enterprise dedicated devices.

View end of support details for your feature update profiles
To help you plan for end-of-service for Windows 10 feature updates you deploy with Intune, we’ve added two new columns of information to Feature Updates profiles in the Microsoft Endpoint Manager admin center.
The first new column displays a status that identifies when the update in the profile is near or has reached its end of service, and the second column displays that end of service date. When an update reaches its end of service, it is no longer deployed to devices, and the policy can be removed from Intune. The new columns and details include:
For information about end of service dates for Windows 10 releases, see Windows 10 release information in the Windows release health documentation.

Device security

Use Antivirus profiles to prevent or allow merger of Antivirus exclusion lists on devices
You can now configure Defender local admin merge as a setting in a Microsoft Defender Antivirus profile to block merger of local exclusion lists for Microsoft Defender Antivirus on Windows 10 devices. Exclusion lists for Microsoft Defender Antivirus can be configured locally on a device, and specified by Intune Antivirus policy:

For more information about this and related settings, see Microsoft Defender Antivirus Exclusions.

Improved flow for conditional access on Surface Duo devices
We’ve streamlined the conditional access flow on Surface Duo devices. These changes happen automatically and don't require any configuration updates by administrators. (Endpoint security > Conditional access) On a Duo device:

Configure options that apply to Tunnel Gateway server upgrades
We've added options to help you manage the upgrade of your Microsoft Tunnel Gateway servers. The new options apply to the Sites configuration and include:

Intune apps

Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

New UI to filter data for new operational reports
New operational reports will now support a new UI to add data filters. The new filter pill offers an improved experience to help slice, refine, and view report data. For more information about reports in Intune, see Intune reports.

Windows restart frequency report in Endpoint analytics is generally available
Endpoint analytics startup performance currently provides IT with insights to measure and optimize PC boot times. However, restart frequency can be just as impactful to the user experience, since a device that reboots daily because of blue screens will have a poor user experience even if the boot times are fast. We have now included a report on restart frequencies within your organization to help you identify problematic devices. For more information, see Restart frequency in endpoint analytics.

Week of April 12, 2021

Device configuration

New modern authentication method with Apple Setup Assistant (public preview)
When creating an Automated Device Enrollment profile, you can now choose a new authentication method: Setup Assistant with modern authentication. This method provides all the security from Setup Assistant but avoids the issue of leaving end users stuck on a device they can't use while the Company Portal installs on the device. The user has to authenticate using Azure AD Multi-Factor Authentication during the setup assistant screens. This will require an additional Azure AD login post-enrollment in the Company Portal app to gain access to corporate resources protected by Conditional Access. The correct Company Portal version will automatically be sent down as a required app to the device for iOS/iPadOS. For macOS, here are the options to get the Company Portal on the device:
- Add the Company Portal for macOS app.

Enrollment is completed once the user lands on the home screen, and users can freely use the device for resources not protected by Conditional Access. User affinity is established when the user lands on the home screen after the setup screens; however, the device will not be fully registered with Azure AD until the Company Portal login. The device will not show up in a given user's device list in the Azure AD portal until the Company Portal login. If the tenant has multifactor authentication turned on for these devices or users, the users will be asked to complete multifactor authentication during Setup Assistant enrollment. Multifactor authentication is not required, but it is available for this authentication method within Conditional Access if needed. This method has the following options for installing the Company Portal:

For information on how to use this authentication method on iOS/iPadOS devices, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment. For information on how to use this authentication method on macOS devices, see Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager.

Week of March 29, 2021 (Service release 2103)

App management

Intune management agent for macOS devices is now a universal app
When you deploy shell scripts or custom attributes for macOS devices from Microsoft Endpoint Manager, it deploys the new universal version of the Intune management agent app that runs natively on Apple Silicon Mac machines. The same deployment will install the x64 version of the app on Intel Mac machines. Rosetta 2 is required to run the x64 (Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script in Endpoint Manager. For more information, see Microsoft Intune management agent for macOS.

Device security

Update for Microsoft Tunnel
We’ve released a new version of the Microsoft Tunnel Gateway, which includes the following changes:

The Tunnel Gateway server will automatically update to the new release.

Week of March 22, 2021 (Service release 2103)

App management

Microsoft 365 Apps for macOS devices are now universal apps
When you deploy Microsoft 365 Apps for macOS devices from Microsoft Endpoint Manager, it now deploys the new universal versions of the app that run natively on Apple Silicon Macs. The same deployment will install the x64 versions of the app on Intel Macs running macOS 10.14 and higher. To add Microsoft 365 Apps for macOS, in the Microsoft Endpoint Manager admin center go to Apps > All apps > Add. Select macOS in the App type list under Microsoft 365 Apps. For related information, see Assign Microsoft 365 to macOS devices with Microsoft Intune.

Additional configuration keys for the Microsoft Launcher app
You can now set folder configuration settings for Microsoft Launcher on Android Enterprise corporate owned fully managed devices. By using an app configuration policy and configuration key values, you can set values for folder shape, folder opened to full screen, and folder scroll direction. Also, you can position the folder on the home screen in addition to positioning apps and weblinks. Additionally, you can choose to allow end users to modify the folder style values within the app. For more information about Microsoft Launcher, see Configure Microsoft Launcher for Android Enterprise with Intune.

Device configuration

More Microsoft Edge settings, and setting categories are removed in Settings Catalog for macOS
On macOS devices, you can use the Settings Catalog to configure Microsoft Edge version 77 and newer (Devices > Configuration profiles > Create profile > macOS for platform > Settings Catalog). In this release:
For more information on the Settings Catalog, see Use the settings catalog to configure settings. Applies to:
Windows 10/11 in cloud configuration is available as a Guided Scenario
Windows 10/11 in cloud configuration is a Microsoft-recommended device configuration for Windows 10/11. Windows 10/11 in cloud configuration is optimized for the cloud and designed for users with focused workflow needs. There's a guided scenario that automatically adds the apps, and creates the policies that configure your Windows 10/11 devices in a cloud configuration. For more information, see Guided scenario for Windows 10/11 in cloud configuration. Applies to:

Device management

Increasing recommended maximum number of iOS/iPadOS and macOS devices per enrollment token
Previously, we recommended that you don't exceed 60,000 iOS/iPadOS or macOS devices per Automated Device Enrollment (ADE) token. This recommended limit is now increased to 200,000 devices per token. For more information about ADE tokens, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment.

Update of column names in All devices view and Export report
To accurately reflect the data in the columns, we've updated the column names in the All devices view and the Export report to be "Primary User UPN", "Primary User email address", and "Primary User display name".

End of support for Internet Explorer 11
Intune will end support for Internet Explorer 11 admin access to the Admin Portal web app UI on March 31, 2021. Move to Edge or another supported browser before that time to administer any of your Microsoft services built on Azure.

Device security

Health status details for Microsoft Tunnel Gateway servers
We've added the ability to see detailed health status information for Tunnel Gateway servers within the Microsoft Endpoint Manager admin center. On the new Health check tab, you'll see the following information:

Public preview of Tunnel client functionality in Microsoft Defender for Endpoint app for Android
As announced at Ignite, Microsoft Tunnel client functionality is migrating into the Microsoft Defender for Endpoint app. With this preview, you can start to use a preview version of Microsoft Defender for Endpoint as the Tunnel app for supported devices. The existing Tunnel client remains available, but will eventually be phased out in favor of the Defender for Endpoint app. This public preview applies to:

For this preview, you must opt in to gain access to the preview version of Microsoft Defender for Endpoint, and then migrate supported devices from the standalone Tunnel client app to the preview app. For details, see Migrate to the Microsoft Defender for Endpoint app.

Intune apps

Microsoft Launcher configuration keys
For Android Enterprise fully managed devices, the Microsoft Launcher for Intune app now provides additional customization. In Launcher, you can configure the set of displayed apps and weblinks, as well as the order of these apps and weblinks. The displayed app list and position (order) of app configurations have been merged together to simplify home screen customization. For more information, see Configure Microsoft Launcher.

Microsoft Edge for macOS devices will be a universal app
When you deploy the Microsoft Edge app for macOS devices from Microsoft Endpoint Manager, it now deploys the new universal version of the app that runs natively on Apple Silicon Macs. The same deployment will install the x64 version of the app on Intel Macs. To add Microsoft Edge for macOS, in the Microsoft Endpoint Manager admin center go to Apps > All apps > Add. Select macOS in the App type list under Microsoft Edge, version 77 and later. For related information, see Add Microsoft Edge to macOS devices using Microsoft Intune.

Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:

For more information about protected apps, see Microsoft Intune protected apps.

Improved notification experience in the iOS/iPadOS Company Portal app
The Company Portal app can now store, as well as display, push notifications sent to your users' iOS/iPadOS devices from the Microsoft Endpoint Manager admin center. Users who have opted in to receive Company Portal push notifications can view and manage the customized stored messages that you send to their devices in the Notifications tab of the Company Portal. For related information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Scripting

Export localized Intune report data using Graph APIs
You can now specify that the report data you export using the Microsoft Endpoint Manager reporting export API contains localized columns only, or localized and non-localized columns. The localized and non-localized columns option will be selected by default for most reports, which will prevent breaking changes. For related information about reports, see Export Intune reports using Graph APIs and Intune reports and properties available using Graph API.

Week of March 8, 2021

Device configuration

New version of the PFX Certificate Connector
We’ve released a new version of the PFX Certificate Connector, version 6.2101.16.0. This update adds improvements to the PFX Create flow to prevent duplication of Certificate Request files on on-premises servers that host the connector. For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Week of March 1, 2021 (Service release 2102)

App management

Support for Win32 app supersedence in Intune
We've enabled a public preview of app supersedence in Intune. You can now create supersedence relationships between apps, which allows you to update and replace existing Win32 apps with newer versions of the same app, or entirely different Win32 apps.
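The export flow described here and in the earlier "Export Intune reports using Graph API v1.0 or beta" entry, as an added example that is not Microsoft's code: it builds the export job request (including the localization option), polls the job, and reads the CSV out of the zip the completed job returns. It assumes a caller-supplied bearer token with an Intune reporting permission, and that the request field names (reportName, select, filter, format, localizationType) and status values match the deviceManagementExportJob resource as documented; the sample archive at the end is constructed, not tenant data.

```python
import csv
import io
import json
import time
import urllib.request
import zipfile
from typing import Dict, List, Optional

EXPORT_JOBS_URL = "https://graph.microsoft.com/v1.0/deviceManagement/reports/exportJobs"

# localizationType values of the Graph deviceManagementExportJob resource.
# Assumption: names as documented for the export API; verify against your tenant.
LOCALIZED_AND_RAW = "localizedValuesAsAdditionalColumn"  # default for most reports
LOCALIZED_ONLY = "replaceLocalizableValues"


def build_export_request(report_name: str, select: List[str], filter_expr: str = "",
                         localized_only: bool = False) -> Dict[str, object]:
    """Body for POST .../reports/exportJobs. The localized-only option replaces raw
    enum values with display strings; the default keeps both, so scripts that key on
    the raw values keep working (the non-breaking default the release note describes)."""
    if not report_name:
        raise ValueError("report_name is required")
    return {
        "reportName": report_name,
        "filter": filter_expr,
        "select": list(select),
        "format": "csv",
        "localizationType": LOCALIZED_ONLY if localized_only else LOCALIZED_AND_RAW,
    }


def _graph_call(token: str, url: str, body: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    """Minimal Graph call with a bearer token; POST when a body is given, else GET."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if body is not None else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def submit_export_job(token: str, body: Dict[str, object]) -> str:
    """Create the export job and return its id."""
    return str(_graph_call(token, EXPORT_JOBS_URL, body)["id"])


def wait_for_export(token: str, job_id: str, poll_seconds: float = 5.0, max_polls: int = 60) -> str:
    """Poll the job until it completes; return the short-lived download URL of the zip."""
    for _ in range(max_polls):
        job = _graph_call(token, f"{EXPORT_JOBS_URL}/{job_id}")
        status = job.get("status")
        if status == "completed":
            return str(job["url"])
        if status == "failed":
            raise RuntimeError(f"export job {job_id} failed")
        time.sleep(poll_seconds)
    raise TimeoutError(f"export job {job_id} did not finish after {max_polls} polls")


def parse_export_zip(zip_bytes: bytes) -> List[Dict[str, str]]:
    """The download is a zip archive holding one CSV; return its rows as dicts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        csv_names = [n for n in archive.namelist() if n.lower().endswith(".csv")]
        if not csv_names:
            raise ValueError("export archive contains no CSV file")
        with archive.open(csv_names[0]) as raw:
            text = io.TextIOWrapper(raw, encoding="utf-8-sig", newline="")
            return list(csv.DictReader(text))


def noncompliant_devices(rows: List[Dict[str, str]]) -> List[str]:
    """Device names whose raw ComplianceState is anything other than 'Compliant'.
    Keying on the raw column rather than the localized one keeps the check
    independent of the admin's display language."""
    return sorted(r["DeviceName"] for r in rows if r.get("ComplianceState") != "Compliant")


def constructed_sample_zip() -> bytes:
    """Constructed stand-in for a downloaded DeviceCompliance export (not real data).
    The *_loc column models the extra localized column the default option adds
    (assumption: column naming follows that pattern)."""
    csv_text = (
        "DeviceName,UPN,ComplianceState,ComplianceState_loc\n"
        "LAPTOP-01,alice@example.com,Compliant,Compliant\n"
        "LAPTOP-02,bob@example.com,Noncompliant,Not compliant\n"
        "TABLET-07,carol@example.com,InGracePeriod,In grace period\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("DeviceCompliance_sample.csv", csv_text)
    return buf.getvalue()


if __name__ == "__main__":
    # Offline walk-through on the constructed archive. The live flow would be:
    #   job_id = submit_export_job(token, build_export_request(
    #       "DeviceCompliance", ["DeviceName", "UPN", "ComplianceState"]))
    #   zip_bytes = urllib.request.urlopen(wait_for_export(token, job_id)).read()
    rows = parse_export_zip(constructed_sample_zip())
    print("non-compliant devices:", noncompliant_devices(rows))
```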
For more information, see Win32 app supersedence.

Maximum OS version setting for app conditional launch on Android devices
Using Intune app protection policies, you can add a new conditional launch setting to ensure end users are not using any pre-release or beta OS build to access work or school account data on Android devices. This setting ensures that you can vet all OS releases before end users are actively using new OS functionality on Android devices. In the Microsoft Endpoint Manager admin center, you will be able to find this setting by selecting Apps > App protection policies. For related information, see How to create and assign app protection policies.

Device configuration

Use Cisco AnyConnect as a VPN connection type for Windows 10/11 and Windows Holographic for Business
You can create VPN profiles using Cisco AnyConnect as a connection type (Devices > Device configuration > Create profile > Windows 10 and later for platform > VPN for profile > Cisco AnyConnect for connection type) without needing to use custom profiles. This policy uses the Cisco AnyConnect app available in the Microsoft store. It doesn't use the Cisco AnyConnect desktop application. For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers. Applies to:

Run Microsoft Edge version 87 and newer in single app kiosk mode on Windows 10/11 devices
On Windows client devices, you configure a device to run as a kiosk that runs one app, or runs many apps (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Kiosk). When you select single app mode, you can:
For more information on the settings you can configure in kiosk mode, see Kiosk settings for Windows client devices. Applies to:
Administrative Templates is available in Settings Catalog, and has more settings
In Intune, you can use Administrative Templates to create policies (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Administrative Templates for profile). In the Settings Catalog, Administrative Templates are also available, and have more settings (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Settings Catalog for profile). With this release, admins can configure additional settings that only existed in on-premises group policy, and weren't available in cloud-based MDM. These settings are available for Windows Insider client endpoint builds, and may be backported to in-market Windows versions, such as 1909, 2004, or 2010. If you want to create Administrative Templates, and use all the available settings exposed by Windows, then use the Settings Catalog. For more information, see:
Applies to:
Device enrollment

Sync status of enrollment program tokens
The sync status for automated device enrollment tokens listed on the Enrollment program tokens pane has been removed to minimize confusion. The per-token information continues to be displayed. Enrollment program tokens are used to manage automated device enrollment with Apple Business Manager and Apple School Manager. In the Microsoft Endpoint Manager admin center you can find the token list for iOS/iPadOS devices by selecting Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens. To find the token list for macOS devices, select Devices > macOS > macOS enrollment > Enrollment program tokens. For related information, see Automatically enroll iOS/iPadOS devices and Automatically enroll macOS devices.

Device management

Collect diagnostics remote action
A new remote action, Collect diagnostics, lets you collect the logs from corporate devices without interrupting or waiting for the end user. Collected logs include MDM, Autopilot, event viewers, key, Configuration Manager client, networking, and other critical troubleshooting logs. For more information, see Collect diagnostics from a Windows device.

New options for export device data
The following new options are available when exporting device data:

Device security

Use the variable CN={{UserPrincipalName}} in the subject and SAN of SCEP and PKCS certificate profiles for Android Enterprise devices
You can now use the User attribute CN={{UserPrincipalName}} variable in the subject or SAN of a PKCS certificate profile or SCEP certificate profile for Android devices. This support requires that the device has a user, such as devices enrolled as:

User attributes are not supported for devices that don’t have user associations, such as devices that are enrolled as Android Enterprise dedicated. For example, a profile that uses CN={{UserPrincipalName}} in the subject or SAN won’t be able to get the user principal name when there is no user on the device.

Use app protection policies for Defender for Endpoint on Android and iOS
You can now use Microsoft Defender for Endpoint in app protection policies for devices that run Android or iOS.
When configured, end users are prompted to install and set up the Microsoft Defender for Endpoint app from the applicable app store. As a prerequisite, you must set up your Microsoft Defender for Endpoint connector and switch on the toggle to send risk data to your app protection policies. For related information, see App protection policies overview, and Use Microsoft Defender for Endpoint in Microsoft Intune.

Configure Attack surface reduction rules to block malware from gaining persistence through WMI
You can now configure the rule named Block persistence through WMI event subscription as part of an Attack surface reduction rules profile in Endpoint security. This rule prevents malware from abusing WMI to attain persistence on a device. Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. When configured as a setting for Attack surface reduction policy for Endpoint security, the following options are available:

This rule doesn’t support the Warn option, and is also available as a Device configuration setting from the Settings catalog.

Intune apps

Company Portal website improved load performance
To improve page load performance, app icons will now load in batches. End users may see a placeholder icon for some of their applications when visiting the Company Portal website. The related icons will load shortly after. For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app and Manage apps from the Company Portal website.

Monitor and troubleshoot

Endpoint analytics in Microsoft Productivity Score
There's a new Endpoint Analytics page in Microsoft Productivity Score that shares organizational level insights with the other roles outside of Microsoft Endpoint Manager. Understanding how your devices contribute to your end-users' experience is critical to enabling users to reach their goals. For more information, see Endpoint analytics in Microsoft Productivity Score.

Endpoint analytics Application Reliability report
A new Application Reliability report will be available in Endpoint analytics. This report provides insight into potential issues for desktop applications on managed PCs. You can quickly identify the top applications that are impacting end user productivity, as well as see aggregate app usage and app failure metrics for these applications. You'll be able to troubleshoot by drilling into a specific device and viewing a timeline of app reliability events. This report is expected to be available in public preview during March 2021. For more information, see Endpoint analytics application reliability.

Restart frequency (preview) in Endpoint analytics
Endpoint analytics startup performance currently provides IT with insights to measure and optimize PC boot times. However, restart frequency can be just as impactful to the user experience, since a device that reboots daily because of blue screens will have a poor user experience even if the boot times are fast. We have now included a preview report on restart frequencies within your organization to help you identify problematic devices. For more information, see Restart frequency (preview) in endpoint analytics.

Role-based access control

Role-based access permissions update for Microsoft Tunnel Gateway
To help control who has rights to manage the Microsoft Tunnel, we've added Microsoft Tunnel Gateway as a new permissions group to Intune role-based access control. This new group includes the following permissions:

By default, Intune Administrators and Azure Active Directory administrators have these permissions. You can also add these permissions to custom roles you create for your Intune tenant.

Scope tag support for customization policies for Intune for Government and 21Vianet
You can now assign scope tags to Customization policies for Intune for Government and Intune operated by 21Vianet. To do so, go to Microsoft Endpoint Manager admin center > Tenant administration > Customization, where you will see Scope tags configuration options.

Week of February 22, 2021

Device configuration

New version of the PFX Certificate Connector
We’ve released a new version of the PFX Certificate Connector, version 6.2101.13.0. This new connector version adds improvements for logging to the PFX Connector:

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Week of February 8, 2021

App management

End users can restart an app install from the Windows Company Portal
Using the Windows Company Portal, end users can restart an app installation if the progress seems to have stalled or is frozen. This functionality is allowed if the app installation progress has not changed in two hours. For related information, see Add apps to Microsoft Intune.

Device configuration

Google’s compliance screens are automatically shown on Android Enterprise 9.0+ dedicated devices running in kiosk mode
In Intune, you can create a device configuration password policy and a device compliance password policy on Android Enterprise devices. When you create the policies, Android Enterprise dedicated devices running in kiosk mode automatically use Google’s compliance screens. These screens guide and force users to set a password that meets your policy rules. For more information on creating password and kiosk policies, see:
Applies to:
Week of February 1, 2021 (2101 Service release)

App management

Configure whether a required iOS/iPadOS app is removable
You can now configure whether a required iOS/iPadOS app is installed as a removable app by end users. This new setting applies to iOS store, LOB and built-in apps. You can find this setting in the Microsoft Endpoint Manager admin center by selecting Apps > iOS/iPadOS > Add. When setting the app assignments, you can select Install as removable. The default value is Yes, which means the app is removable. Existing required installs on iOS 14 have been updated to the default (removable) setting value. For more information about iOS/iPadOS apps, see Microsoft Intune app management.

Line-of-business apps supported on Shared iPad devices
You can now deploy line-of-business (LOB) apps to Shared iPad devices. The line-of-business app must be assigned as required to a device group containing Shared iPad devices from the Microsoft Endpoint Manager admin center. In the Microsoft Endpoint Manager admin center, select Apps > All apps > Add. For related information, see Add an iOS/iPadOS line-of-business app to Microsoft Intune.

Microsoft Endpoint Configuration Manager connector
The connector for Microsoft Endpoint Configuration Manager now displays in the admin center. To review the connector, go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager. Select a Configuration Manager hierarchy running version 2006, or later, to display additional information about it.

Device configuration

New version of the PFX Certificate Connector
We’ve released a new version of the PFX Certificate Connector, version 6.2009.2.0. This new connector version:

For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Use device configuration to create folders and set the grid size on the Managed Home Screen
On Android Enterprise dedicated devices, you can configure the Managed Home Screen settings (Devices > Device configuration > Create profile > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device restrictions for profile > Device experience). When using the Managed Home Screen in multi-app kiosk mode, there's a Custom app layout setting. With this setting, you can:

Previously, you had to use an app configuration policy. For more information, see Android Enterprise dedicated devices device experience settings. Applies to:

Use the settings catalog to configure Microsoft Edge browser on macOS devices
Currently on macOS devices, you configure the Microsoft Edge browser using a There's an updated UI to configure the Microsoft Edge browser: Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog for profile. Select the Microsoft Edge settings you want, and then configure them. In your profile, you can also add settings, or remove existing settings. To see a list of the settings you can configure, go to Microsoft Edge - Policies. Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the preference file only. For more information, see:
To see the policies you have configured, open Microsoft Edge, and go to

Applies to:
Use NetMotion Mobility as a VPN connection type for Android Enterprise devices

When you create a VPN profile, NetMotion Mobility is available as a VPN connection type for Android Enterprise:
For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.

Applies to:
Settings catalog and Templates when creating device configuration profiles for macOS and Windows client devices

There are UI updates when creating device configuration profiles for macOS and Windows 10/11 devices (Devices > Configuration profiles > Create profile > macOS or Windows 10 and later for platform). The profile shows Settings catalog and Templates:
This is only a UI change and doesn't impact existing profiles. For more information, see Settings catalog.

Applies to:
Home screen layout updates on supervised iOS/iPadOS devices

On iOS/iPadOS devices, you can configure the Home Screen layout (Devices > Device Configuration > Create profile > iOS/iPadOS for platform > Device features for profile > Home screen layout). In Intune, the Home Screen Layout feature is updated:

- The home screen layout has a new design. This feature allows admins to see in real time how the apps and app icons look on pages, the dock, and within folders. When adding apps in this new designer, you can't add separate pages. But, when you add nine or more apps to a folder, then those apps automatically go on the next page. Existing policies are not impacted, and don't need to be changed. The setting values are transferred to the new UI without any negative effects. The setting behavior on devices is the same.
- Add a web link (web app) to a page, or to the dock. Be sure you add a specific URL of the web link only once. Existing policies are not impacted, and don't need to be changed.

For more information on the settings you can configure, including the home screen layout, see iOS/iPadOS device settings to use common iOS/iPadOS features in Intune.

Applies to:
Limit Apple's personalized advertising on iOS/iPadOS devices

On iOS/iPadOS devices, you can configure Apple's personalized advertising. When enabled, personalized ads are limited in the App Store, Apple News, and Stocks apps (Devices > Device Configuration > Create profile > iOS/iPadOS for platform > Device restrictions for profile > General > Limit Apple personalized advertising). This setting only impacts personalized ads. Configuring this setting sets Settings > Privacy > Apple Advertising to off. It doesn't impact non-personalized ads in the App Store, Apple News, and Stocks apps. For more information on Apple's advertising policy, see Apple Advertising & Privacy (opens Apple's web site). To see the current settings you can configure in Intune, go to iOS and iPadOS device settings to allow or restrict features.

Applies to:
Administrative templates include new policies for Microsoft Edge version 88

You can configure and deploy new ADMX settings that apply to Microsoft Edge version 88. To see the new policies, go to Microsoft Edge release notes. For more information on this feature in Intune, see Configure Microsoft Edge policy settings.

Applies to:
Locale support in email notifications for non-compliance

Compliance policies now support Notification message templates that include separate messages for different locales. Support for multiple languages no longer requires you to create separate templates and policies for each locale. When you configure locale-specific messages in a template, non-compliant end users receive the appropriate localized email notification message based on their O365 preferred language. You also designate one localized message in the template as the default message. The default message is sent to users that haven't set a preferred language or when the template doesn't include a specific message for their locale.

Device enrollment

Hide more screens for the Apple Automated Device Enrollment Setup Assistant

You can now set Automated Device Enrollment (ADE) profiles to hide these Setup Assistant screens for iOS/iPadOS 14.0+ and macOS 11+ devices:
Device management

Migrate device security policies from Basic Mobility and Security to Intune

The policy migration tool lets you permanently move Mobile Device Management (MDM) device security policies deployed by Basic Mobility and Security (formerly MDM for Office 365 or Office MDM) to standard Intune MDM configuration profiles and compliance policies. Using this tool will disable all future policy creation and edits in Basic Mobility and Security device security policies. To use the tool, you must:
For more information, see Migrate your mobile device management from Basic Mobility and Security to Intune.

Subnet ID and IP addresses on Properties page for corporate-owned Windows devices

Subnet ID and IP addresses are now displayed on the Properties page for corporate-owned Windows devices. To see them, go to Endpoint Manager admin center > Devices > All devices > choose a corporate-owned Windows device > Properties.

Device security

Intune support for Microsoft Defender Application Guard now includes isolated Windows environments

When you configure Turn on Application Guard in an Intune App and browser isolation profile in Endpoint security Attack surface reduction policy, you can choose from the following options when you enable Application Guard:
Before this release, the setting was named Turn on Application Guard for Edge (Options). The new options for this setting expand Application Guard support beyond just URLs for Edge. You can now enable Application Guard to help protect devices by opening potential threats in a hardware-isolated Windows VM environment (container). For example, with support for isolated Windows environments, Application Guard can open untrusted Office documents in an isolated Windows VM. With this change:
New Application Guard settings in Attack surface reduction policy

We've added two new settings to the App and browser isolation profile of Intune's Endpoint security Attack surface reduction policy:
For more information, see the settings for App and browser isolation.

Updates for Security Baselines

We have new versions available for the following security baselines:
Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations recommended by the respective product teams. To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.

Endpoint Security Firewall reports

We've added two new reports that are dedicated to Firewall policies in Endpoint Security:
Summary view for Defender Antivirus reports

We've updated the view for the Microsoft Defender Antivirus reports found in the Reports node of the Microsoft Endpoint Manager admin center. Now, when you select Microsoft Defender Antivirus in the Reports node, you'll see the default view of the Summary tab, and a second tab for Reports. The Reports tab is where you'll find the previously available Antivirus agent status and Detected malware organizational reports. The new Summary tab displays the following information:
App protection policy support on Android and iOS/iPadOS for additional Mobile Threat Defense partners

In October of 2019, Intune app protection policy added the capability to use data from our Microsoft Threat Defense partners. With this update, we're expanding this support to the following partner for using an app protection policy to block or selectively wipe a user's corporate data based on the health of the device:
For more information, see Create Mobile Threat Defense app protection policy with Intune.

Increased certificate validity period for SCEP and PKCS profiles

Intune now supports a Certificate validity period of up to 24 months in certificate profiles for Simple Certificate Enrollment Protocol (SCEP) and Public Key Cryptography Standards (PKCS). This is an increase from the previous support period of up to 12 months. This support applies to Windows and Android. Certificate validity periods are ignored by iOS/iPadOS and macOS.

Monitor and troubleshoot

New co-management eligibility organizational report

The Co-management eligibility report provides an eligibility evaluation for devices that can be co-managed. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. You will be able to view a summary for this report in the Microsoft Endpoint Manager admin center by selecting Reports > Cloud attached devices > Reports tab > Co-management eligibility. For related report information, see Intune reports.

New co-managed workloads organizational report

The Co-Managed Workloads report provides a report of devices that are currently co-managed. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. You can view this report in the Microsoft Endpoint Manager admin center by selecting Reports > Cloud attached devices > Reports tab > Co-Managed Workloads. For more information, see Intune reports.

Log Analytics includes device details log

Intune device detail logs are now available. In Microsoft Endpoint Manager admin center, select Reports > Log analytics. You can correlate a set of device details to build custom queries and Azure workbooks. For more information, see Azure Monitor integration reports (Specialist).
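The certificate validity note above raises the SCEP/PKCS profile ceiling to 24 months on Windows and Android and says iOS/iPadOS and macOS ignore the profile value, so the certificate actually issued is the only reliable record of what a device received. The following PowerShell is an added example, not code from the Intune documentation: it audits the certificates in a Windows device's machine store, reports each one's validity period in months, and flags any that exceed the profile maximum. The issuer name is an assumed placeholder to replace with the CA that issues your SCEP/PKCS certificates.

```powershell
# Added example, not Intune's own code. Reports the validity period of
# certificates in the local machine personal store and flags any that exceed
# the 24-month ceiling described in the SCEP/PKCS release note.
# Run in an elevated PowerShell session on a Windows device.

$MaxValidityMonths = 24   # profile ceiling stated in the release note

function Get-ValidityMonths {
    # Whole months between NotBefore and NotAfter. A partial month is rounded
    # up so a "one year plus a day" certificate reports as 13 months, not 12.
    param([datetime]$NotBefore, [datetime]$NotAfter)
    $months = (($NotAfter.Year - $NotBefore.Year) * 12) + ($NotAfter.Month - $NotBefore.Month)
    if ($NotAfter.Day -gt $NotBefore.Day) { $months++ }
    return $months
}

function Get-CertificateValidityReport {
    param(
        # Assumed placeholder: substitute the CN of your issuing CA.
        [string]$IssuerMatch = 'CN=Contoso Issuing CA',
        [int]$MaxMonths = $MaxValidityMonths,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            $months = Get-ValidityMonths -NotBefore $_.NotBefore -NotAfter $_.NotAfter
            [pscustomobject]@{
                Subject        = $_.Subject
                Thumbprint     = $_.Thumbprint
                NotBefore      = $_.NotBefore
                NotAfter       = $_.NotAfter
                ValidityMonths = $months
                ExceedsMax     = ($months -gt $MaxMonths)   # longer than the profile allows
                DaysRemaining  = [int]($_.NotAfter - (Get-Date)).TotalDays
            }
        }
}

# Usage: list matching certificates, soonest expiry first.
Get-CertificateValidityReport | Sort-Object NotAfter | Format-Table -AutoSize
```

A row with ExceedsMax set to True means the CA template, not the Intune profile, decided the lifetime; on platforms where the profile value is ignored that is expected, and on Windows or Android it is worth checking the template. DaysRemaining makes the same report useful for spotting certificates that renewal has missed.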
Role-based access control

Scope tag support for the Enrollment Status Page

You can now assign scope tags to the Enrollment Status Page so only the roles you define will be able to see it. For more information, see Create Enrollment Status Page profile and assign to a group.

Scripts

Additional Data Warehouse beta properties

Additional properties are now available using the Intune Data Warehouse beta API. The following properties are exposed via the devices entity in the beta API:
For related information, see Microsoft Intune Data Warehouse API.

Week of January 25, 2021

App management

Application icon update for iOS, macOS, and web Company Portal

We've updated the app icon for the Company Portal for iOS, macOS, and web. This icon is also used by the Company Portal for Windows. End users will see the new icon in their device's application launcher and home screen, in Apple's App Store, and in experiences within the Company Portal apps.

Android Enterprise system app support in personally owned work profiles

You can now deploy Android Enterprise system apps to Android Enterprise personally owned work profile devices. System apps are apps that do not appear in the Managed Google Play Store and often come pre-installed on the device. Once a system app is deployed, you will be unable to uninstall, hide, or otherwise remove the system app. For related information about system apps, see Add Android Enterprise system apps to Microsoft Intune.

Monitor and troubleshoot

Update when exporting Intune reports using the Graph API

When you use the

Week of January 18, 2021

Device configuration

Microsoft Tunnel now supports Red Hat Enterprise Linux 8

You can now use Red Hat Enterprise Linux (RHEL) 8 with the Microsoft Tunnel. To make use of RHEL 8, you don't need to take any actions. Support has been added to the Docker containers, which update automatically. In addition, this update also suppresses some extraneous logging.

Week of January 11, 2021

App management

Deleting Win32 apps in a dependency relationship

Win32 apps added to Intune cannot be removed if they are in a dependency relationship. These apps can only be deleted after the dependency relationship is removed. This requirement is applied to both parent and child apps in a dependency relationship. Also, this requirement ensures that dependencies are enforced properly and that dependency behavior is more predictable. For more information, see Win32 app management in Microsoft Intune.

Scope tag support for customization policies

You can now assign scope tags to Customization policies. To do so, go to Microsoft Endpoint Manager admin center > Tenant administration > Customization, where you will see Scope tags configuration options. This feature is now available for Intune for Government or Intune operated by 21Vianet.

Device configuration

New version of the PFX Certificate Connector

We've released a new version of the PFX Certificate Connector, version 6.2009.1.9. This new connector version:
For more information about certificate connectors, including a list of connector releases for both certificate connectors, see Certificate connectors.

Week of January 4, 2021

App management

Browser access enabled automatically during Android work profile enrollment

During new Android Enterprise personally owned work profile enrollments, browser access is now automatically enabled on the device. With this change, compliant devices can use the browser to access resources that are protected by conditional access without needing to take additional actions. Before this change, users had to launch the Company Portal and select Settings > Enable Browser Access, and then click Enable. This change has no impact on devices that are already enrolled.

Win32 app download progress bar

End users will now see a progress bar in the Windows Company Portal while a Win32 app is being downloaded. This feature will help customers better understand the app installation progress.

Update to Company Portal for Android app icon

We've updated the Company Portal for Android app icon to create a more modern look and feel for device users. To see what the new icon looks like, go to the Intune Company Portal listing on Google Play.

Week of December 7, 2020

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.

What's New archive

For previous months, see the What's New archive.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Ending support for Company Portal authentication method for iOS/iPadOS ADE enrollment

As we continue to invest in Setup Assistant with modern authentication, which is the Apple supported path to require enrollment during Setup Assistant with optional multi-factor authentication, we plan to remove the Company Portal authentication method from new and existing iOS/iPadOS ADE enrollment profiles in Q1 2023. This will include removing the Run Company Portal in Single App Mode until authentication setting.

How does this affect you or your users?

In November, new enrollments (new devices, or devices re-enrolling) that are targeted with an existing enrollment profile using the Company Portal authentication method will not be able to enroll. This will not impact existing enrolled devices unless the device is re-enrolled after this change. The device will not be able to re-enroll until the authentication method is switched in the enrollment profile to Setup Assistant with modern authentication. New iOS/iPadOS enrollment profiles will not have the option to select Company Portal as the authentication method. If you have not already, you will need to move to use Setup Assistant with modern authentication. Within the Microsoft Endpoint Manager admin center, you will want to either create a new ADE enrollment profile, or edit your existing enrollment profile to use the "Setup assistant with modern authentication."

User experience: The Setup Assistant with modern authentication enrollment flow does change the enrollment screen order, so that authentication occurs prior to accessing the home screen.
If you have user guides that share screenshots, you will want to update those so the guides match the experience of Setup Assistant with modern authentication.

How can you prepare?

To enroll new devices (or re-enroll) after this change, you will either need to update existing profiles to move to Setup Assistant with modern authentication or create a new enrollment profile with this method. For related information, see:
Plan for Change: Ending support for Windows Information Protection

Because Microsoft Windows announced that it is ending support for Windows Information Protection (WIP), Microsoft Endpoint Manager will discontinue future investments in managing and deploying WIP. In addition to limiting future investments, we will remove support for the WIP without enrollment scenario by the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend that you take action to disable WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will end support for devices running Windows 8.1 on October 21, 2022. Additionally, the sideloading key scenario for line-of-business apps will stop being supported, since it is only applicable to Windows 8.1 devices. Microsoft strongly recommends that you move to a supported version of Windows 10 or Windows 11 to avoid a scenario where you need service or support that is no longer available.

How does this affect you or your users?

If you are managing Windows 8.1 devices, those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and policies; however, you will not be able to enroll new devices if they are running Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users' devices are running Windows 8.1, navigate to Microsoft Endpoint Manager admin center > Devices > Windows > Windows devices, and filter by OS.

Additional information
Update your certificate connector for Microsoft Intune

As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no longer work as expected and stop connecting to the Intune service. See Certificate Connectors for Microsoft Intune for additional information on the certificate connector lifecycle and support.

How does this affect you or your users?

If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information, see Install the Certificate Connector for Microsoft Intune. To check which version of the certificate connector you are using, follow these steps:
Plan for Change: New APP biometrics settings and authorization requirements for Android devices

Currently, our biometric settings do not distinguish between Class 2 and Class 3 Biometrics. Expected with Intune's July (2207) service release, we are modifying fingerprint and biometric settings for Intune app protection policies (APP) that apply to Android devices to accommodate Class 3 Biometrics. When you create or modify an app protection policy, you will see the following changes on the Access requirements page:
Note: Support for Class 3 Biometrics depends on the device, so you may need to contact your device manufacturers to understand device-specific limitations.

How does this affect you or your users?

Existing policies that allow fingerprints or biometrics for authentication will be migrated with no user impact. After this change, if you configure the policy to require Class 3 Biometrics (Android 9.0+), the following will occur:
If Override Biometrics with PIN after biometric updates is also required, users who update their stored Class 3 Biometrics will be prompted to enter their APP PIN the next time they sign in to the APP-protected app.

How can you prepare?

Admins should be aware of the combined settings for fingerprints and Class 2 Biometrics. If your existing policy allows for fingerprint authentication but not other biometrics, it will allow for both once migrated. Also, if you had previously required an APP PIN after fingerprint timeout, this timeout setting will apply to all biometrics.

Note: If you are using the Microsoft Graph API's FingerprintBlocked and BiometricAuthenticationBlocked, plan to update your APIs to use the new combined FingerprintAndBiometricEnabled API. The current APIs will retain their values for existing policies, and the new FingerprintAndBiometricEnabled API will be defaulted to Null for these policies until the policy has been updated.

Plan for change: Intune is moving to support macOS 11.6 and higher later this year

Because Apple is expected to release macOS 13 (Ventura) later this year, Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will move to support macOS 11.6 (Big Sur) and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS 16.

How does this affect you or your users?

This change will affect you only if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Big Sur is compatible with these computers.

Note: Devices that are currently enrolled on macOS 10.15 or earlier will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 10.15 or earlier.
How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 10.15 or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for change: Intune is moving to support iOS/iPadOS 14 and later

Later this year, we expect iOS 16 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 14/iPadOS 14 and higher shortly after iOS 16's release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 14). Because Office 365 mobile apps are supported on iOS/iPadOS 14.0 and later, this change might not affect you. You've likely already upgraded your OS or devices. To check which devices support iOS 14 or iPadOS 14 (if applicable), see the following Apple documentation:
Note: Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. See https://aka.ms/ADE_userless_support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management, go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status > App Protection report: iOS, Android. To manage the supported OS version in your organization, you can use Microsoft Endpoint Manager controls for both mobile device management and APP. For more information, see Manage operating system versions with Intune.

Plan for Change: Deploy macOS LOB apps by uploading PKG-type installer files

We recently announced the general availability to deploy macOS line-of-business (LOB) apps by uploading PKG-type installer files directly in the Microsoft Endpoint Manager admin center. This process no longer requires the use of the Intune App Wrapping Tool for macOS to convert .pkg files to .intunemac format. In August 2022, we removed the ability to upload wrapped .intunemac files in the Microsoft Endpoint Manager admin center.

How does this affect you or your users?

There is no impact to apps previously uploaded with .intunemac files. You can upgrade previously uploaded apps by uploading the .pkg file type.

How can you prepare?

Moving forward, deploy macOS LOB apps by uploading and deploying PKG-type installer files in the Microsoft Endpoint Manager admin center.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.
How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices will not be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.

Note: Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment. Here's how you can warn users:
Here's how you can block devices running on versions earlier than Android 8.0:
Note: Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android. Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP. APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:
Take action: Update to the latest version of the Android Company Portal app

Starting with the October (2110) service release, Intune will no longer support new Android device administrator enrollments that use Company Portal version 5.04993.0 or earlier. The reason is a change in the integration of Intune with Samsung devices.

How does this affect you or your users?

Users who need to enroll Samsung devices with Android device administrator by using an older version of the Company Portal app (any version earlier than 5.04993.0) will no longer be successful. They'll need to update the Company Portal app to successfully enroll.

How can you prepare?

Update any older version of the Company Portal staged in your environment to support Android device administrator enrollments before the Intune October (2110) service release. Inform your users that they'll need to update to the latest version of the Android Company Portal to enroll their Samsung device. If applicable, inform your helpdesk in case users don't update the app before enrolling. We also recommend that you keep the Company Portal app updated to ensure that the latest fixes are available on your devices.

More information
Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices. The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features. For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No. Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No. In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings will be set to Not configured. That change will take effect when you edit the profile.

How can you prepare?

No action is needed.
However, you might want to notify your helpdesk about this change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change will affect you only if you're still managing unsupported Windows 10 versions. Windows and Company Portal versions that this change affects include:
We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them. If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Endpoint Manager admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.
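Several of the notices above (Windows 8.1, macOS 11.6, iOS/iPadOS 14, Android 8.0) ask you to find devices below a minimum OS version by filtering the admin center device list. The following PowerShell is an added example, not Microsoft's code: it does the same inventory across all four platforms in one pass through the Microsoft Graph PowerShell SDK, which it assumes is installed (Microsoft.Graph.DeviceManagement module) and signed in with the DeviceManagementManagedDevices.Read.All permission. The platform names are assumed to match the operatingSystem values Intune reports; the minimum versions are the ones the notices state (Windows 8.1 reports its kernel version as 6.3.x, so anything below 10.0 is flagged).

```powershell
# Added example, not Intune's own code. Lists enrolled devices whose OS version
# is below the minimums named in the notices, using the Microsoft Graph
# PowerShell SDK (assumed installed) instead of the admin center filter.

# Minimum supported versions as stated in the notices; adjust as Microsoft updates them.
# Keys are assumed to match the operatingSystem value Intune reports per device.
$Minimums = @{
    'Windows' = [version]'10.0'   # Windows 8.1 reports as 6.3.x
    'Android' = [version]'8.0'
    'macOS'   = [version]'11.6'
    'iOS'     = [version]'14.0'
}

function ConvertTo-ComparableVersion {
    # Intune reports strings such as "10.0.19044.1889", "6.3.9600", "11" or "8.1.0".
    # [version] needs at least major.minor and at most four parts, so normalize first.
    param([string]$Text)
    $parts = @($Text -split '[^0-9]+' | Where-Object { $_ -ne '' })
    if ($parts.Count -eq 0) { return $null }
    if ($parts.Count -eq 1) { $parts += '0' }
    $take = [Math]::Min(4, $parts.Count)
    try { return [version]($parts[0..($take - 1)] -join '.') }
    catch { return $null }
}

function Get-UnsupportedOsDevices {
    param([hashtable]$MinimumByPlatform = $Minimums)
    Get-MgDeviceManagementManagedDevice -All |
        ForEach-Object {
            $platform = $_.OperatingSystem
            if (-not $MinimumByPlatform.ContainsKey($platform)) { return }   # skip platforms without a stated minimum
            $ver = ConvertTo-ComparableVersion $_.OsVersion
            # An unparseable version is reported too, so it gets looked at rather than silently passing.
            if ($null -eq $ver -or $ver -lt $MinimumByPlatform[$platform]) {
                [pscustomobject]@{
                    DeviceName = $_.DeviceName
                    User       = $_.UserPrincipalName
                    Platform   = $platform
                    OsVersion  = $_.OsVersion
                    Minimum    = $MinimumByPlatform[$platform]
                }
            }
        }
}

# Usage: sign in once, then list the devices that need an upgrade or replacement.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
Get-UnsupportedOsDevices | Sort-Object Platform, OsVersion | Format-Table -AutoSize
```

The report is the input to the helpdesk notification the notices recommend, not an enforcement step; the Android notice's exception for Microsoft Teams devices, for instance, has to be applied by hand, since the script only compares version numbers.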