What's new in Microsoft Intune

Learn what's new each week in Microsoft Intune.

You can also read:

Note

Each monthly update can take up to three days to roll out and will be in the following order:

  • Day 1: Asia Pacific (APAC)
  • Day 2: Europe, Middle East, Africa (EMEA)
  • Day 3: North America
  • Day 4+: Intune for Government

Some features roll out over several weeks and might not be available to all customers in the first week.

For a list of upcoming Intune feature releases, see In development for Microsoft Intune.

For new information about Windows Autopilot solutions, see:

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Week of June 17, 2024 (Service release 2406)

Microsoft Intune Suite

Endpoint Privilege Management support for MSI and PowerShell file types

Endpoint Privilege Management (EPM) elevation rules now support the elevation of Windows Installer and PowerShell files in addition to executable files that were previously supported. The new file extensions that EPM supports include:

  • .msi
  • .ps1

For information about using EPM, see Endpoint Privilege Management.

View the certification authority key type in Microsoft Cloud PKI properties

A new Microsoft Cloud PKI property called CA keys is available in the admin center and shows the type of certification authority keys used for signing and encryption. The property will display one of the following values:

  • HSM: Indicates the use of a hardware security module-backed key.
  • SW: Indicates the use of a software-backed key.

Certification authorities created with a licensed Intune Suite or Cloud PKI standalone add-on use HSM signing and encryption keys. Certification authorities created during a trial period use software-backed signing and encryption keys. For more information about Microsoft Cloud PKI, see Overview of Microsoft Cloud PKI for Microsoft Intune.

App management

US GCC and GCC High support for Managed Home Screen

Managed Home Screen (MHS) now supports sign-in for the US Government Community (GCC), US Government Community (GCC) High, and U.S. Department of Defense (DoD) environments. For more information, see Configure the Managed Home Screen and Microsoft Intune for US Government GCC service description.

Applies to:

  • Android Enterprise

Updates to the Managed Apps report

The Managed Apps report now provides details about Enterprise App Catalog apps for a specific device. For more information about this report, see Managed Apps report.

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Restrictions:

  • Allow Web Distribution App Installation

System Configuration > Font:

  • Font
  • Name

macOS

Privacy > Privacy Preferences Policy Control:

  • Bluetooth Always

Applies to:

  • iOS/iPadOS
  • macOS

OS Version picker available for configuring managed iOS/iPadOS DDM software updates using the settings catalog

Using the Intune settings catalog, you can configure Apple's declarative device management (DDM) feature to manage software updates on iOS/iPadOS devices.

When you configure a managed software update policy using the settings catalog, you can:

  • Select a target OS version from a list of updates made available by Apple.
  • Manually enter the target OS version, if needed.

For more information about configuring managed software update profiles in Intune, see Use the settings catalog to configure managed software updates.

Applies to:

  • iOS/iPadOS

Intune admin center UI updates at Devices > By platform

In the Intune admin center, you can select Devices > By platform, and view the policy options for the platform you select. These platform-specific pages are updated and include tabs for navigation.

For a walkthrough of the Intune admin center, see Tutorial: Walkthrough Microsoft Intune admin center.

Device enrollment

RBAC changes to enrollment platform restrictions for Windows

We've updated role-based access controls (RBAC) for all enrollment platform restrictions in the Microsoft Intune admin center. The Global Administrator and Intune Service Administrator roles can create, edit, delete, and reprioritize enrollment platform restrictions. For all other built-in Intune roles, restrictions are read-only.

Applies to:

  • Android
  • Apple
  • Windows 10/11

It's important to know that with these changes:

  • Scope tag behavior doesn't change. You can apply and use scope tags as usual.
  • If an assigned role or permission is currently preventing a user from viewing enrollment platform restrictions, nothing changes. The user will still be unable to view enrollment platform restrictions in the admin center.

For more information, see Create device platform restrictions.

Device management

Updates to replace Wandera with Jamf are complete in the Intune admin center

We've completed rebranding in the Microsoft Intune admin center to support replacing Wandera with Jamf. This includes updates to the name of the Mobile Threat Defense connector, which is now Jamf, and changes to the minimum required platforms to use the Jamf connector:

  • Android 11 and later
  • iOS / iPadOS 15.6 and later

For information about Jamf and other Mobile Threat Defense (MTD) vendors that Intune supports, see Mobile Threat Defense partners.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Atom Edge (iOS) by Arlanto GmbH
  • HP Advance for Intune by HP Inc.
  • IntraActive by Fellowmind
  • Microsoft Azure (Android) by Microsoft Corporation
  • Mobile Helix Link for Intune by Mobile Helix
  • VPSX Print for Intune by Levi, Ray & Shoup, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

View BitLocker recovery key in Company Portal apps for iOS and macOS

End users can view the BitLocker recovery key for an enrolled Windows device and the FileVault recovery key for an enrolled Mac in the Company Portal app for iOS and the Company Portal app for macOS. This capability will reduce helpdesk calls in the event the end user gets locked out of their corporate machines. End users can access the recovery key for an enrolled device by signing in to the Company Portal app and selecting Get recovery key. This experience is similar to the recovery process on the Company Portal website, which also allows end users to see recovery keys.

You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Restrict non-admin users from recovering the BitLocker keys for their owned device setting in Microsoft Entra ID.

Applies to:

  • macOS
  • Windows 10/11

For more information, see:

Role-based access control

New granular RBAC controls for Intune endpoint security

We've begun to replace the role-based access control (RBAC) rights to endpoint security policies that are granted by the Security baselines permission with a series of more granular permissions for specific endpoint security tasks. This change can help you assign the specific rights your Intune admins require to do specific jobs instead of relying on either the built-in Endpoint Security Manager role or a custom role that includes the Security baseline permission. Prior to this change, the Security baseline permission granted rights across all endpoint security policies.

The following new RBAC permissions are available for endpoint security workloads:

  • App Control for Business
  • Attack surface reduction
  • Endpoint detection and response

Each new permission supports the following rights for the related policy:

  • Assign
  • Create
  • Delete
  • Read
  • Update
  • View Reports

Each time we add a new granular permission for an endpoint security policy to Intune, those same rights are removed from the Security baselines permission. If you use custom roles with the Security baselines permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the Security baseline permission. This auto-assignment ensures your admins continue to have the same permissions they have today.

For more information about current RBAC permissions and built-in roles, see:

Important

With this release, the granular permission of Antivirus for endpoint security policies might be temporarily visible in some tenants. This permission is not released and isn't supported for use. Configurations of the Antivirus permission are ignored by Intune. When Antivirus becomes available to use as a granular permission, its availability will be announced in this What's new in Microsoft Intune article.

Week of June 3, 2024

Device enrollment

New enrollment time grouping feature for devices

Enrollment time grouping is a new, faster way to group devices during enrollment. When it's configured, Intune adds devices to the appropriate group without requiring inventory discovery and dynamic membership evaluations. To set up enrollment time grouping, you must configure a static Microsoft Entra security group in each enrollment profile. After a device enrolls, Intune adds it to the static security group and delivers assigned apps and policies.

This feature is available for Windows 11 devices enrolling via Windows Autopilot device preparation. For more information, see Enrollment time grouping in Microsoft Intune.

Week of May 27, 2024

Microsoft Intune Suite

New primary endpoint for Remote Help

To improve the experience for Remote Help on Windows, Web, and macOS devices, we have updated the primary endpoint for Remote Help:

  • Old primary endpoint: https://remoteassistance.support.services.microsoft.com
  • New primary endpoint: https://remotehelp.microsoft.com

If you use Remote Help and have firewall rules that block the new primary endpoint, admins and users might experience connectivity issues or disruptions when using Remote Help.

To support the new primary endpoint on Windows devices, upgrade Remote Help to version 5.1.124.0. Web and macOS devices don't require an updated version of Remote Help to make use of the new primary endpoint.

Applies to:

  • macOS 11, 12, 13 and 14
  • Windows 10/11
  • Windows 11 on ARM64 devices
  • Windows 10 on ARM64 devices
  • Windows 365

For information on the newest version of Remote Help, see the March 13, 2024 entry for What's New for Remote Help. For information about Intune endpoints for Remote Help, see Remote Help in Network endpoints for Microsoft Intune.

Device management

Evaluate compliance of Windows Subsystem for Linux (public preview)

Now in a public preview, Microsoft Intune supports compliance checks for instances of Windows Subsystem for Linux (WSL) running on a Windows host device.

With this preview you can create a custom compliance script that evaluates the required distribution and version of WSL. WSL compliance results are included in the overall compliance state of the host device.

Applies to:

  • Windows 10
  • Windows 11

For information about this capability, see Evaluate compliance of Windows Subsystem for Linux (public preview).

Week of May 20, 2024 (Service release 2405)

Device configuration

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the macOS Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

Microsoft AutoUpdate (MAU):

  • Microsoft Teams (work or school)
  • Microsoft Teams classic

Microsoft Defender > Features:

  • Use Data Loss Prevention
  • Use System Extensions

For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • macOS

Device enrollment

Stage Android device enrollment to reduce end-user steps

To reduce the enrollment time for end users, Microsoft Intune supports device staging for Android Enterprise devices. With device staging, you can stage an enrollment profile and complete all related enrollment steps for workers receiving these devices:

  • Corporate-owned fully managed devices
  • Corporate-owned devices with a work profile

When frontline workers receive the devices, all they have to do is connect to Wi-Fi and sign in to their work account. A new device staging token is required to enable this feature. For more information, see Device staging overview.

Device management

End user access to BitLocker Recovery Keys for enrolled Windows devices

End users can now view the BitLocker Recovery Key for enrolled Windows devices from the Company Portal website. This capability can reduce helpdesk calls in the event the end user gets locked out of their corporate machines. End users can access the recovery key for an enrolled device by signing in to the Company Portal website and selecting Show recovery key. This experience is similar to the MyAccount website, which also allows end users to see recovery keys.

You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Entra ID toggle Restrict non-admin users from recovering the BitLocker key(s) for their owned device.

For more information, see:

New version of Windows hardware attestation report

We've released a new version of the Windows hardware attestation report that shows the value of settings attested by Device Health Attestation and Microsoft Azure Attestation for Windows 10/11. The Windows hardware attestation report is built on a new reporting infrastructure, and reports on new settings added to Microsoft Azure Attestation. The report is available in the admin center under Reports > Device Compliance > Reports.

For more information, see Intune reports.

The Windows health attestation report previously available under Devices > Monitor has been retired.

Applies to:

  • Windows 10
  • Windows 11

Monitor device delete actions

You can now monitor and track device delete actions in the Device Action report of Intune. You can determine when a device delete action has been triggered, who initiated it, and the status of the action. Status for a device delete action is either completed, pending, or failed. This device information is valuable to help maintain compliance, ensure security, and streamline your audit processes. You can find the report in the Microsoft Intune admin center by selecting Devices > Monitor > Device actions.

For more information about reports, see Intune Reports.

Optional Feature updates

Feature updates can now be made available to end users as Optional updates, with the introduction of Optional Feature updates. End users will see the update in the Windows Update settings page in the same way that it's shown for consumer devices.

End users can easily opt-in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a Required update, then admins can change the setting on the policy, and update the rollout settings so that the update is deployed as a Required update to devices that do not yet have it installed.

For more information on Optional Feature updates, see Feature updates for Windows 10 and later policy in Intune.

Applies to:

  • Windows 10
  • Windows 11

Device security

Updated security baseline for Microsoft Defender for Endpoint

You can now deploy the Intune security baseline for Microsoft Defender for Endpoint. The new baseline, version 24H1, uses the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.

Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.

As with all baselines, the default baseline represents the recommended configurations for each setting, which you can modify to meet the requirements of your organization.

Applies to:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Fellow.app by Fellow Insights Inc
  • Unique Moments by Unique AG

For more information about protected apps, see Microsoft Intune protected apps.

Week of May 6, 2024

Device management

Intune and the macOS Company Portal app support Platform SSO (public preview)

On Apple devices, you can use Microsoft Intune and the Microsoft Enterprise SSO plug-in to configure single sign-on (SSO) for apps and websites that support Microsoft Entra authentication, including Microsoft 365.

On macOS devices, Platform SSO is available in public preview. Platform SSO expands the SSO app extension by allowing you to configure different authentication methods, simplify the sign-in process for users, and reduce the number of passwords they need to remember.

Platform SSO is included in the Company Portal app version 5.2404.0 and newer.

For more information on Platform SSO and to get started, see:

Applies to:

  • macOS 13 and later

Tenant administration

Customize your Intune admin center experience

You can now customize your Intune admin center experience by using collapsible navigation and favorites. The left navigation menus in the Microsoft Intune admin center are updated to support expanding and collapsing each subsection of the menu. In addition, you can set admin center pages as favorites. This portal capability will gradually roll out over the next week.

By default, menu sections are expanded. You can choose your portal menu behavior by selecting the Settings gear icon at the top right to display the Portal settings. Then, select Appearance + startup views and set the Service menu behavior to Collapsed or Expanded as the default portal option. Each menu section retains the expanded or collapsed state that you choose. Additionally, selecting the star icon next to a page on the left navigation adds the page to a Favorites section near the top of the menu.

For related information, see Change the Portal settings.

Week of April 29, 2024

App management

Updates to the Managed Home Screen experience

We recently released and improved the Managed Home Screen experience, which is now Generally Available. The app has been redesigned to improve the core workflows throughout the application. The updated design offers a more usable and supportable experience.

With the release, we stop investing in previous Managed Home Screen workflows. New features and fixes for Managed Home Screen are only added to the new experience. During August 2024, the new experience will automatically be enabled for all devices.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Require end users to enter PIN to resume activity on Managed Home Screen

In Intune, you can require end users to enter their session PIN to resume activity on Managed Home Screen after the device is inactive for a specified period of time. Set the Minimum inactive time before session PIN is required setting to the number of seconds the device is inactive before the end user must input their session PIN.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Device IPv4 and IPv6 details available from Managed Home Screen

IPv4 and IPv6 connectivity details are now both available from the Device Information page of the Managed Home Screen app. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Updates to Managed Home Screen sign-in support

Managed Home Screen now supports domainless sign-in. Admins can configure a domain name, which will be automatically appended to usernames upon sign-in. Also, Managed Home Screen supports a custom login hint text to be displayed to users during the sign-in process.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise and Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Allow end users to control Android Enterprise device auto-rotation

In Intune, you can now expose a setting in the Managed Home Screen app that allows the end user to turn on and off the device's auto-rotation. For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Allow end users to adjust Android Enterprise device screen brightness

In Intune, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You can choose to expose a setting in the app to allow end users to access a brightness slider to adjust the device screen brightness. Also, you can expose a setting to allow end users to toggle adaptive brightness.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

Migrated to .NET MAUI from Xamarin

Xamarin.Forms has evolved into .NET Multi-platform App UI (MAUI). Existing Xamarin projects should be migrated to .NET MAUI. For more information about upgrading Xamarin projects to .NET, see the Upgrade from Xamarin to .NET & .NET MAUI documentation.

Xamarin support ended as of May 1, 2024 for all Xamarin SDKs, including Xamarin.Forms and Intune App SDK Xamarin Bindings. For Intune support on Android and iOS platforms, see Intune App SDK for .NET MAUI - Android and Microsoft Intune App SDK for MAUI.iOS.

Week of April 22, 2024 (Service release 2404)

App management

Auto update available with Win32 app supersedence

Win32 app supersedence provides the capability to supersede apps deployed as available with auto-update intent. For example, if you deploy a Win32 app (app A) as available and installed by users on their device, you can create a new Win32 app (app B) to supersede app A using auto-update. All targeted devices and users with app A installed as available from the Company Portal are superseded with app B. Also, only app B shows in the Company Portal. You can find the auto-update feature for available app supersedence as a toggle under the Available assignment in the Assignments tab.

For more information about app supersedence, see Add Win32 app supersedence.

Device configuration

Error message is shown when OEMConfig policy exceeds 500 KB on Android Enterprise devices

On Android Enterprise devices, you can use an OEMConfig device configuration profile to add, create, and/or customize OEM-specific settings.

When you create an OEMConfig policy that exceeds 500 KB, then the following error is shown in the Intune admin center:

Profile is larger than 500KB. Adjust profile settings to decrease the size.

Previously, OEMConfig policies that exceeded 500 KB were shown as pending.

For more information on OEMConfig profiles, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise

Device security

Windows Firewall CSP changes for processing Firewall Rules

Windows changed how the Firewall configuration service provider (CSP) enforces rules from Atomic blocks of firewall rules. The Windows Firewall CSP on a device implements the firewall rule settings from your Intune endpoint security Firewall policies. The change of CSP behavior now enforces an all-or-nothing application of firewall rules from each Atomic block of rules.

  • Previously, the CSP on a device would go through the firewall rules in an Atomic block one rule (or setting) at a time, with the goal of applying all the rules in that Atomic block or none of them. If the CSP encountered any issue with applying a rule from the block to the device, it would not only skip that rule but also stop processing the subsequent rules without trying to apply them. However, rules that applied successfully before the failing rule remained applied to the device. This behavior can lead to a partial deployment of firewall rules on a device, because the rules that were applied before a rule failed to apply aren't reversed.

  • With the change to the Firewall CSP, when any rule in the block fails to apply to the device, all the rules from that same Atomic block that were applied successfully are rolled back. This behavior ensures the desired all-or-nothing behavior is implemented and prevents a partial deployment of firewall rules from that block. For example, if a device receives an Atomic block of firewall rules that has a misconfigured rule that can't apply, or has a rule that isn't compatible with the device's operating system, then the CSP fails all the rules from that block and rolls back any rules from it that were applied to that device.

This change of Firewall CSP behavior is available on devices that run the following Windows versions or later:

  • Windows 11 21H2
  • Windows 11 22H2
  • Windows 10 21H2

For more information on the subject of how the Windows Firewall CSP uses Atomic blocks to contain firewall rules, see the note near the top of Firewall CSP in the Windows documentation.

For troubleshooting guidance, see the Intune support blog How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation process.
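To make the difference between the two behaviors concrete, here is a small simulation of an Atomic block being applied under the previous (stop-and-keep) and the new (all-or-nothing) semantics. This is an added example, not Microsoft's code or the CSP's implementation; the rule names, the `applies` flag standing in for "the device can apply this rule", and the existing-rule list are all constructed.

```python
# Added example (not Microsoft's code): simulation of the two Firewall CSP
# behaviours described above, so the gap between partial deployment and
# all-or-nothing enforcement of an Atomic block is visible on constructed input.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FirewallRule:
    """One rule from an Atomic block. `applies` is a constructed stand-in for
    whether the device can apply the rule (False = misconfigured or not
    compatible with this OS build)."""
    name: str
    action: str          # "Allow" or "Block"
    applies: bool = True


def apply_block_previous(block: List[FirewallRule],
                         device_rules: List[str]) -> Tuple[bool, List[str]]:
    """Pre-change behaviour: rules are processed in order; on the first failure
    the CSP stops, but rules already applied from this block stay in place."""
    state = list(device_rules)
    for rule in block:
        if not rule.applies:
            return False, state           # earlier rules from the block remain
        state.append(rule.name)
    return True, state


def apply_block_atomic(block: List[FirewallRule],
                       device_rules: List[str]) -> Tuple[bool, List[str]]:
    """Post-change behaviour: all-or-nothing. On any failure, every rule this
    block already applied is rolled back; rules from other blocks are kept."""
    state = list(device_rules)
    applied_here: List[str] = []
    for rule in block:
        if not rule.applies:
            for name in applied_here:     # roll back only this block's rules
                state.remove(name)
            return False, state
        state.append(rule.name)
        applied_here.append(rule.name)
    return True, state


def missing_from_block(block: List[FirewallRule], device_rules: List[str]) -> List[str]:
    """Names of block rules absent from the device. A non-empty result for a block
    that also has some rules present is exactly the partial-deployment state
    the CSP change removes; use it when reconciling a device's rule set."""
    present = set(device_rules)
    return [r.name for r in block if r.name not in present]


# Constructed sample: an Allow rule that applies, followed by a Block rule the
# device cannot apply. Under the old behaviour only the Allow lands, so the
# device ends up more permissive than the policy author intended.
SAMPLE_BLOCK = [
    FirewallRule("Allow-Helpdesk-RDP-Inbound", "Allow", applies=True),
    FirewallRule("Block-RDP-Inbound-Default", "Block", applies=False),
]
EXISTING_RULES = ["Block-SMB-Inbound"]   # constructed: from another, earlier block


if __name__ == "__main__":
    ok, after_old = apply_block_previous(SAMPLE_BLOCK, EXISTING_RULES)
    print("previous:", ok, after_old, "missing:", missing_from_block(SAMPLE_BLOCK, after_old))
    ok, after_new = apply_block_atomic(SAMPLE_BLOCK, EXISTING_RULES)
    print("atomic:  ", ok, after_new, "missing:", missing_from_block(SAMPLE_BLOCK, after_new))
```

Under the previous behavior the Allow rule stays while its companion Block rule is missing; under the atomic behavior the block contributes nothing and the rule from the other block is untouched.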

CrowdStrike – New mobile threat defense partner

We added CrowdStrike Falcon as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the CrowdStrike connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment in your compliance policies.

With the Intune 2404 service release, the CrowdStrike connector is now available in the admin center. However, it isn't usable until CrowdStrike publishes the required App Configuration profile details necessary to support iOS and Android devices. The profile details are expected sometime after the second week of May.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Asana: Work in one place by Asana, Inc.
  • Freshservice for Intune by Freshworks, Inc.
  • Kofax Power PDF Mobile by Tungsten Automation Corporation
  • Remote Desktop by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Windows update distribution report

The Windows update distribution report in Intune provides a summarized report. This report shows:

  • The number of devices that are on each quality update level.
  • The percentage of coverage for each update across Intune managed devices, including co-managed devices.

You can drill down further in the report for each quality update that aggregates devices based on the Windows 10/11 feature version and the update statuses.

Finally, the admins can get the list of devices that aggregate to the numbers shown in the previous two reports, which can also be exported and used for troubleshooting and analysis along with the Windows Update for business reports.

For more information on Windows update distribution reports, see Windows Update reports on Intune.

Applies to:

  • Windows 10
  • Windows 11

Intune support of Microsoft 365 remote application diagnostics

The Microsoft 365 remote application diagnostics allows Intune admins to request Intune app protection logs and Microsoft 365 application logs (where applicable) directly from the Intune console. You can find this report in the Microsoft Intune admin center by selecting Troubleshooting + support > Troubleshoot > select a user > Summary > App protection. This feature is exclusive to applications that are under Intune app protection management. If supported, the application-specific logs are gathered and stored within dedicated storage solutions for each application.

For more information, see Collect diagnostics from an Intune managed device.

Remote Help supports full control of a macOS device

Remote Help now supports helpdesk connecting to a user's device and requesting full control of the macOS device.

For more information, see:

Applies to:

  • macOS 12, 13 and 14

Week of April 15, 2024

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Atom Edge by Arlanto Apps

For more information about protected apps, see Microsoft Intune protected apps.

Week of April 1, 2024

Device management

Copilot in Intune is available in the Intune admin center (public preview)

Copilot in Intune is integrated in the Intune admin center, and can help you get information quickly. You can use Copilot in Intune for the following tasks:

Copilot can help you manage your settings and policies

  • Copilot tooltip on settings: When you add settings to a policy or review settings in an existing policy, there's a new Copilot tooltip. When you select the tooltip, you get AI generated guidance based on Microsoft content and recommendations. You can see what each setting does, how the setting works, any recommended values, if the setting is configured in another policy, and more.

  • Policy summarizer: On existing policies, you get a Copilot summary of the policy. The summary describes what the policy does, the users and groups assigned to the policy, and the settings in the policy. This feature can help you understand the impact of a policy and its settings on your users and devices.

Copilot shows device details and can help troubleshoot

  • All about a device: On a device, you can use Copilot to get key information about the device, including its properties, configuration, and status information.

  • Device compare: Use Copilot to compare the hardware properties and device configurations of two devices. This feature helps you determine what's different between two devices with similar configurations, especially when troubleshooting.

  • Error code analyzer: Use Copilot in the device view to analyze an error code. This feature helps you understand what the error means and provides a potential resolution.

Intune capabilities in Copilot for Security

Intune has capabilities available in the Copilot for Security portal. SOC Analysts and IT admins can use these capabilities to get more information on policies, devices, group membership, and more. On a single device, you can get more specific information that's unique to Intune, like compliance status, device type, and more.

You can also ask Copilot to tell you about a user's devices and get a quick summary of critical information. For example, the output shows links to the user's devices in Intune, device ID, enrollment date, last check-in date, and compliance status. If you're an IT admin and reviewing a user, then this data provides a quick summary.

As a SOC analyst that's investigating a suspicious or potentially compromised user or device, information like enrollment date and last check-in can help you make informed decisions.

For more information on these features, see:

Applies to:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows

GCC customers can use Remote Help for Windows and Android devices

The Microsoft Intune Suite includes advanced endpoint management and security features, including Remote Help.

On Windows and enrolled Android Enterprise dedicated devices, you can use Remote Help in US Government GCC environments.

For more information on these features, see:

Applies to:

  • Windows 10/11
  • Windows 10/11 on ARM64 devices
  • Windows 365
  • Samsung and Zebra devices enrolled as Android Enterprise dedicated devices

Device configuration

New BIOS device configuration profile for OEMs

There's a new BIOS configuration and other settings device configuration policy for OEMs. Admins can use this new policy to enable or disable different BIOS features that secure the device. In the Intune device configuration policy, you add the BIOS configuration file, deploy a Win32 app, and then assign the policy to your devices.

For example, admins can use the Dell Command tool (opens Dell's website) to create the BIOS configuration file. Then, they add this file to the new Intune policy.

For more information on this feature, see Use BIOS configuration profiles on Windows devices in Microsoft Intune.

Applies to:

  • Windows 10 and later

Week of March 25, 2024 (Service release 2403)

Microsoft Intune Suite

New elevation type for Endpoint Privilege Management

Endpoint Privilege Management has a new file elevation type, support approved. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone Intune add-on.

A support-approved elevation gives you a third option for both the default elevation response and the elevation type for each rule. Unlike automatic or user confirmed, a support-approved elevation request requires Intune administrators to manage which files can run as elevated on a case-by-case basis.

With support approved elevations, users can request approval to elevate an application that isn't explicitly allowed for elevation by automatic or user approved rules. This takes the form of an elevation request that must be reviewed by an Intune administrator who can approve or deny the elevation request.

When the request is approved, users are notified that the application can now be run as elevated, and they have 24 hours from the time of approval to do so before the elevation approval expires.

Applies to:

  • Windows 10
  • Windows 11

For more information on this new capability, see Support approved elevation requests.

App management

Extended capabilities for Managed Google Play apps on personally owned Android devices with a work profile

There are new capabilities extended to work profile devices. The following capabilities were previously available only on corporate-owned devices:

  • Available apps for device groups: You can use Intune to make apps available for device groups through the Managed Google Play store. Previously, apps could only be made available to user groups.

  • Update priority setting: You can use Intune to configure the app update priority on devices with a work profile. To learn more about this setting, see Update a Managed Google Play app.

  • Required apps display as available in Managed Google Play: You can use Intune to make required apps available for users through the Managed Google Play store. Apps that are part of existing policies now display as available.

These new capabilities will follow a phased rollout over multiple months.

Applies to:

  • Android Enterprise personally owned devices with a work profile

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > Passcode:

  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

Restrictions:

  • Allow Marketplace App Installation

macOS

Declarative Device Management (DDM) > Passcode:

  • Change At Next Auth
  • Custom Regex
  • Failed Attempts Reset In Minutes
  • Maximum Passcode Age In Days
  • Minimum Complex Characters
  • Require Alphanumeric Passcode

Full Disk Encryption > FileVault:

  • Recovery Key Rotation In Months

New settings available in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.

  • Delivery optimization:

    • DO Disallow Cache Server Downloads On VPN - This setting blocks downloads from Microsoft Connected Cache servers when the device connects using VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected using VPN.

    • DO Set Hours To Limit Background Download Bandwidth - This setting specifies the maximum background download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

    • DO Set Hours To Limit Foreground Download Bandwidth - This setting specifies the maximum foreground download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

    • DO Vpn Keywords - This policy allows you to set one or more keywords used to recognize VPN connections.

  • Messaging:

    • Allow Message Sync - This policy setting allows the backup and restore of cellular text messages to Microsoft's cloud services.

  • Microsoft Defender Antivirus:

    • Specify the maximum depth to scan archive files
    • Specify the maximum size of archive files to be scanned

For more information on these settings, see:

Applies to:

  • Windows 10 and later

New archive file scan settings added to Antivirus policy for Windows devices

We added the following two settings to the Microsoft Defender Antivirus profile for endpoint security Antivirus policy that apply to Windows 10 and Windows 11 devices:

With Antivirus policy, you can manage these settings on devices enrolled by Intune and on devices managed through the Defender for Endpoint security settings management scenario.

Both settings are also available in the settings catalog at Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type > Defender.

Applies to:

  • Windows 10
  • Windows 11

Updates to assignment filters

You can use Intune assignment filters to assign a policy based on rules you create.

Now, you can:

  • Use managed app assignment filters for Windows MAM app protection policies and app configuration policies.
  • Filter your existing assignment filters by Platform, and by the Managed apps or Managed devices filter type. When you have many filters, this feature makes it easier to find specific filters you created.

For more information on these features, see:

This feature applies to:

  • Managed devices on the following platforms:

    • Android device administrator
    • Android Enterprise
    • Android (AOSP)
    • iOS/iPadOS
    • macOS
    • Windows 10/11
  • Managed apps on the following platforms:

    • Android
    • iOS/iPadOS
    • Windows

Device management

New compliance setting lets you verify device integrity using hardware-backed security features

A new compliance setting called Check strong integrity using hardware-backed security features lets you verify device integrity using hardware-backed key attestation. If you configure this setting, strong integrity attestation is added to Google Play's integrity verdict evaluation. Devices must meet device integrity to remain compliant. Microsoft Intune marks devices that don't support this type of integrity check as noncompliant.

This setting is available in profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile, under Device Health > Google Play Protect. It only becomes available when the Play integrity verdict policy in your profile is set to Check basic integrity or Check basic integrity & device integrity.

Applies to:

  • Android Enterprise

For more information, see Device compliance - Google Play Protect.

New compliance settings for Android work profile, personal devices

Now you can add compliance requirements for work profile passwords without impacting device passwords. All new Microsoft Intune settings are available in compliance profiles for Android Enterprise personally owned work profiles under System Security > Work Profile Security, and include:

  • Require a password to unlock work profile
  • Number of days until password expires
  • Number of previous passwords to prevent reuse
  • Maximum minutes of inactivity before password is required
  • Password complexity
  • Required password type
  • Minimum password length

If a work profile password fails to meet requirements, Company Portal marks the device as noncompliant. Intune compliance settings take precedence over the respective settings in an Intune device configuration profile. For example, if the password complexity in your compliance profile is set to medium and the password complexity in a device configuration profile is set to high, Intune prioritizes and enforces the compliance policy.

Applies to:

  • Android Enterprise personally owned devices with a work profile

For more information, see Compliance settings - Android Enterprise.

Windows quality updates support for expediting non-security updates

Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings.

Applies to:

  • Windows 11 devices

For more information about installing an expedited update, see Expedite Windows quality updates in Microsoft Intune.

Introducing a remote action to pause the config refresh enforcement interval

In the Windows Settings Catalog, you can configure Configuration Refresh. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune. The device will replay and re-enforce settings based on previously received policy to minimize the chance for configuration drift.

To support this feature, a new remote action lets you pause enforcement. If an admin needs to make changes or run remediation on a device for troubleshooting or maintenance, they can issue a pause from Intune for a specified period. When the period expires, settings are enforced again.

The remote action Pause configuration refresh can be accessed from the device summary page.

For more information, see:

Device security

Updated security baseline for Windows version 23H2

You can now deploy the Intune security baseline for Windows version 23H2. This new baseline is based on the version 23H2 of the Group Policy security baseline found in the Security Compliance Toolkit and Baselines from the Microsoft Download Center, and includes only the settings that are applicable to devices managed through Intune. Use of this updated baseline can help you maintain best-practice configurations for your Windows devices.

This baseline uses the unified settings platform seen in the Settings Catalog. It features an improved user interface and reporting experience, consistency and accuracy improvements related to setting tattooing, and can support assignment filters for profiles.

Use of Intune security baselines can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations, which you can modify to meet the requirements of your organization.

Applies to:

  • Windows 10
  • Windows 11

To view the settings included in the new baseline with their default configurations, see Windows MDM security baseline version 23H2.

Use a rootless implementation of Podman to host Microsoft Tunnel

When prerequisites are met, you can use a rootless Podman container to host a Microsoft Tunnel server. This capability is available when you use Podman for Red Hat Enterprise Linux (RHEL) version 8.8 or later, to host Microsoft Tunnel.

When using a rootless Podman container, the mstunnel services run under a non-privileged service user. This implementation can help limit impact from a container escape. To use a rootless Podman container, you must start the tunnel installation script using a modified command line.

For more information about this Microsoft Tunnel install option, see Use a rootless Podman container.

Improvements for Intune deployments of Microsoft Defender for Endpoint

We improved and simplified the experience, workflow, and report details for onboarding devices to Microsoft Defender when using Intune's endpoint detection and response (EDR) policy. These changes apply for Windows devices managed by Intune and by the tenant-attach scenario. These improvements include:

  • Changes to the EDR node, dashboards, and reports to improve the visibility of your Defender EDR deployment numbers. See About the endpoint detection and response node.

  • A new tenant-wide option to deploy a preconfigured EDR policy that streamlines the deployment of Defender for Endpoint to applicable Windows devices. See Use a preconfigured EDR policy.

  • Changes to the Overview page of Intune's endpoint security node. These changes provide a consolidated view of reports for the device signals from Defender for Endpoint on your managed devices. See Use a preconfigured EDR policy.

These changes apply to the Endpoint security and endpoint detection and response nodes of the admin center, and the following device platforms:

  • Windows 10
  • Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Cerby by Cerby, Inc.
  • OfficeMail Go by 9Folders, Inc.
  • DealCloud by Intapp, Inc.
  • Intapp 2.0 by Intapp, Inc.

For more information about protected apps, see Microsoft Intune protected apps.

Week of March 3, 2024

Device enrollment

Role-based access control changes to enrollment settings for Windows Hello for Business

We updated Role-based access control (RBAC) in the enrollment area for Windows Hello for Business. Enrollment settings related to Windows Hello for Business are read-only for all roles except the Intune Service Administrator. The Intune Service Administrator can create and edit Windows Hello for Business enrollment settings.

For more information, see Role-based access control in the Windows Hello at device enrollment article.

Device security

New enrollment configuration for Windows Hello for Business

A new Windows Hello for Business enrollment setting, Enable enhanced sign in security is available in the Intune admin center. Enhanced sign-in security is a Windows Hello feature that prevents malicious users from gaining access to a user's biometrics through external peripherals.

For more information about this setting, see Create a Windows Hello for Business policy.

HTML formatting supported in noncompliance email notifications

Intune now supports HTML formatting in noncompliance email notifications for all platforms. You can use supported HTML tags to add formatting such as italics, URL links, and bulleted lists to your organization's messages.

For more information, see Create a notification message template.

Week of February 26, 2024

Microsoft Intune Suite

New Microsoft Cloud PKI service

Use the Microsoft Cloud PKI service to simplify and automate certificate lifecycle management for Intune-managed devices. Microsoft Cloud PKI is a feature component of the Microsoft Intune Suite and is also available as a standalone Intune add-on. The cloud-based service provides a dedicated PKI infrastructure for your organization, and doesn't require on-premises servers, connectors, or hardware. Microsoft Cloud PKI automatically issues, renews, and revokes certificates for all OS platforms supporting the SCEP certificate device configuration profile. Issued certificates can be used for certificate-based authentication for Wi-Fi, VPN, and other services supporting certificate-based authentication. For more information, see Overview of Microsoft Cloud PKI.

Applies to:

  • Windows
  • Android
  • iOS/iPadOS
  • macOS

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

  • Cinebody by Super 6 LLC

For more information about protected apps, see Microsoft Intune protected apps.

Week of February 19, 2024 (Service release 2402)

App management

More app configuration permissions for Android apps

There are six new permissions that can be configured for an Android app using an app configuration policy. They are:

  • Allow background body sensor data
  • Media Video (read)
  • Media Images (read)
  • Media Audio (read)
  • Nearby Wifi Devices
  • Nearby Devices

For more information about how to use app config policies for Android apps, see Add app configuration policies for managed Android Enterprise devices.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • Bob HR by Hi Bob Ltd
  • ePRINTit SaaS by ePRINTit USA LLC
  • Microsoft Copilot by Microsoft Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Update to Intune Management Extension on Windows

To support expanded functionality and bug fixes, use .NET Framework 4.7.2 or higher with the Intune Management Extension on Windows clients. If a Windows client continues to use an earlier version of the .NET Framework, the Intune Management Extension continues to function. The .NET Framework 4.7.2 is available from Windows Update as of July 10, 2018, which is included in Windows 10 1809 (RS5) and newer. Multiple versions of the .NET Framework can coexist on a device.

Applies to:

  • Windows 10
  • Windows 11

Device configuration

Use assignment filters on Endpoint Privilege Management (EPM) policies

You can use assignment filters to assign a policy based on rules you create. A filter allows you to narrow the assignment scope of a policy, like targeting devices with a specific OS version or a specific manufacturer.

You can use filters on Endpoint Privilege Management (EPM) policies.

For more information, see:

Applies to:

  • Windows 10
  • Windows 11

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

  • Restrictions:

    • Allow Live Voicemail
    • Force Classroom Unprompted Screen Observation
    • Force Preserve ESIM On Erase

macOS

  • Full Disk Encryption > FileVault > Force Enable In Setup Assistant
  • Restrictions > Force Classroom Unprompted Screen Observation

For more information, see:

Import up to 20 custom ADMX and ADML administrative templates

You can import custom ADMX and ADML administrative templates in Microsoft Intune. Previously, you could import up to 10 files. Now, you can upload up to 20 files.

Applies to:

  • Windows 10
  • Windows 11

For more information on this feature, see Import custom ADMX and ADML administrative templates into Microsoft Intune (public preview).

New setting for updating MAC address randomization on Android Enterprise devices

There's a new MAC address randomization setting on Android Enterprise devices (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Wi-Fi for profile type).

Starting with Android 10, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Using randomized MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However, randomized MAC addresses break functionality that relies on a static MAC address, including network access control (NAC).

Your options:

  • Use device default: Intune doesn't change or update this setting. By default, when connecting to a network, devices present a randomized MAC address instead of the physical MAC address. Any updates made by the user to the setting persist.

  • Use randomized MAC: Enables MAC address randomization on devices. When devices connect to a new network, devices present a randomized MAC address, instead of the physical MAC address. If the user changes this value on their device, it resets to Use randomized MAC on the next Intune sync.

  • Use device MAC: Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. This setting allows devices to be tracked by their MAC address. Only use this value when necessary, such as for network access control (NAC) support. If the user changes this value on their device, it resets to Use device MAC on the next Intune sync.

Applies to:

  • Android 13 and newer

For more information on the Wi-Fi settings you can configure, see Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Turn Off Copilot in Windows setting in the Windows settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There's a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows for platform > Settings catalog for profile type.

  • Windows AI > Turn Off Copilot in Windows (User)

    • If you enable this policy setting, users can't use Copilot. The Copilot icon won't appear on the taskbar.
    • If you disable or don't configure this policy setting, users can use Copilot when it's available to them.

This setting uses the Policy CSP - WindowsAI.

For more information about configuring Settings Catalog policies in Intune, including user scope vs. device scope, see Create a policy using settings catalog.

Applies to:

  • Windows 10 and later

Windows Autopilot self-deploying mode is now generally available

Windows Autopilot self-deploying mode is now generally available and out of preview. Windows Autopilot self-deploying mode enables you to deploy Windows devices with little to no user interaction. Once the device connects to a network, the device provisioning process starts automatically: the device joins Microsoft Entra ID, enrolls in Intune, and syncs all device-based configurations targeted to the device. Self-deploying mode ensures that the user can't access the desktop until all device-based configuration is applied. The Enrollment Status Page (ESP) is displayed during OOBE so users can track the status of the deployment. For more information, see:

This information is also published in Windows Autopilot: What's new.

Windows Autopilot for pre-provisioned deployment is now generally available

Windows Autopilot for pre-provisioned deployment is now generally available and out of preview. Windows Autopilot for pre-provisioned deployment is used by organizations that want to ensure devices are business-ready before the user accesses them. With pre-provisioning, admins, partners, or OEMs can access a technician flow from the Out-of-box experience (OOBE) and kick off device setup. Next, the device is sent to the user, who completes provisioning in the user phase. Pre-provisioning delivers most of the configuration in advance so the end user can get to the desktop faster. For more information, see:

This information is also published in Windows Autopilot: What's new.

Device enrollment

ESP setting to install required apps during Windows Autopilot pre-provisioning

The setting Only fail selected blocking apps in technician phase is now generally available to configure in Enrollment Status Page (ESP) profiles. This setting only appears in ESP profiles that have blocking apps selected.

For more information, see Set up the Enrollment Status Page.

New local primary account configuration for macOS automated device enrollment

Configure local primary account settings for Macs enrolling in Intune via Apple automated device enrollment. These settings, supported on devices running macOS 10.11 and later, are available in new and existing enrollment profiles under the new Account Settings tab. For this feature to work, the enrollment profile must be configured with user-device affinity and one of the following authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)

Applies to:

  • macOS 10.11 and later

For more information about macOS account settings, see Create an Apple enrollment profile in Intune.

Await final configuration for macOS automated device enrollment now generally available

Now generally available, await final configuration enables a locked experience at the end of Setup Assistant to ensure that critical device configuration policies are installed on devices. The locked experience works on devices targeted with new and existing enrollment profiles, enrolling via one of these authentication methods:

  • Setup Assistant with modern authentication
  • Setup Assistant (legacy)
  • Without user device affinity

Applies to:

  • macOS 10.11 and later

For information about how to enable await final configuration, see Create an Apple enrollment profile.

Device management

AOSP devices check for new tasks and notifications approximately every 15 minutes

On devices enrolled with Android (AOSP) management, Intune attempts to check for new tasks and notifications approximately every 15 minutes. To use this feature, devices must be using the Intune app version 24.02.4 or newer.

Applies to:

  • Android (AOSP)

For more information, see:

New device management experience for Government clouds in Microsoft Intune

In government clouds, there's a new device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster.

If you want to try the new experience before your tenant is updated, go to Devices > Overview, select the Preview upcoming changes to Devices and provide feedback notification banner, and select Try it now.

Bulk approval of drivers

Bulk actions are now available for Windows Driver update policies. With bulk actions, multiple driver updates can be approved, paused, or declined at the same time, saving time and effort.

When you bulk approve drivers, the date for when the drivers become available to applicable devices can also be set, enabling drivers to be installed together.

Applies to:

  • Windows 10
  • Windows 11

For more information, see Bulk driver updates.

App Control for Business policy limitation is resolved

A previously documented limitation for App Control for Business policy (WDAC), that limited the number of active policies per device to 32, is resolved by Windows. The issue involves a potential Boot stop failure when more than 32 policies are active on a device.

This issue is resolved for devices that run Windows 10 1903 or later with a Windows security update released on or after March 12, 2024. Older versions of Windows can expect to receive this fix in future Windows security updates.

Applies to:

  • Windows 10 version 1903 and later

To learn more about App Control for Business policy for Intune, see Manage approved apps for Windows devices with App Control for Business policy and Managed Installers for Microsoft Intune.

Tenant administration

Customization pane support for excluding groups

The Customization pane now supports selecting groups to exclude when assigning policies. You can find this setting in the Microsoft Intune admin center by selecting Tenant administration > Customization.

For more information, see Assign policies in Microsoft Intune.

Week of January 29, 2024

Microsoft Intune Suite

Microsoft Intune Enterprise Application Management

Enterprise Application Management provides an Enterprise App Catalog of Win32 applications that are easily accessible in Intune. You can add these applications to your tenant by selecting them from the Enterprise App Catalog. When you add an Enterprise App Catalog app to your Intune tenant, default installation, requirements, and detection settings are automatically provided. You can modify these settings as well. Intune hosts Enterprise App Catalog apps in Microsoft storage.

For more information, see:

Microsoft Intune Advanced Analytics

Intune Advanced Analytics provides comprehensive visibility of the end-user experience in your organization and optimizes it with data driven insights. It includes near real-time data about your devices with Device query, increased visibility with custom device scopes, a battery health report and a detailed device timeline for troubleshooting device issues, and anomaly detection to help identify potential vulnerabilities or risks across your device estate.

  • Battery health report

    The battery health report provides visibility into the health of batteries in your organization's devices and their influence on user experience. The scores and insights in this report are aimed to help IT admins with asset management and purchase decisions that improve user experience while balancing hardware costs.

  • Run on-demand device queries on single devices

    Intune allows you to quickly gain on-demand information about the state of your device. When you enter a query on a selected device, Intune runs a query in real time.

    The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.

    Applies to:

    • Windows devices

Intune Advanced Analytics is part of the Microsoft Intune Suite. For added flexibility, this new set of capabilities, together with the existing Advanced Analytics features, is also now available as an individual add-on to Microsoft subscriptions that include Intune.

To use Device query and battery health report in your tenant, or any of the existing Advanced Analytics capabilities, you must have a license for either:

  • The Intune Advanced Analytics add-on
  • The Microsoft Intune Suite add-on

For more information, see:

Week of January 22, 2024 (Service release 2401)

App management

Install DMG and PKG apps up to 8 GB in size on managed Macs

The size limit of DMG and PKG apps that can be installed using Intune on managed Macs has been increased. The new limit is 8 GB and is applicable to apps (DMG and unmanaged PKG) that are installed using the Microsoft Intune management agent for macOS.

For more information about DMG and PKG apps, see Add a macOS DMG app to Microsoft Intune and Add an unmanaged macOS PKG app to Microsoft Intune.

Intune support of store-signed LOB apps for Surface Hub devices

Intune now supports the deployment of store-signed LOB apps (single file .appx, .msix, .appxbundle, and .msixbundle) to Surface Hub devices. The support for store-signed LOB apps enables offline store apps to be deployed to Surface Hub devices following the retirement of the Microsoft Store for Business.

Route SMS/MMS messages to specific app

You can configure an app protection policy to determine which SMS/MMS app must be used when the end user intends to send an SMS/MMS message after being redirected from a policy-managed app. When the end user selects a number with the intent of sending an SMS/MMS message, the app protection settings are used to redirect to the configured SMS/MMS app. This capability relates to the Transfer messaging data to setting and applies to both the iOS/iPadOS and Android platforms.

For more information, see iOS app protection policy settings and Android app protection policy settings.

End user app PIN reset

For managed apps that require a PIN to access, allowed end users can now reset the app PIN at any time. You can require an app PIN in Intune by selecting the PIN for access setting in iOS/iPadOS and Android app protection policies.

For more information about app protection policies, see App protection policies overview.

Maximum app package size

The maximum package size for uploading apps to Intune has been increased from 8 GB to 30 GB for paid customers. Trial tenants are still restricted to 8 GB.

For more information, see Win32 app management in Microsoft Intune.

Device configuration

New setting that disables location on Android Enterprise devices

On Android Enterprise devices, there's a new setting that allows admins to control the location (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions for profile type > General):

  • Location: Block disables the Location setting on the device and prevents users from turning it on. When location is blocked, any other setting that depends on the device location is affected, including the Locate device remote action. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using location on the device.

Applies to:

  • Android Enterprise

For more information on the settings you can configure, see Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune.

Date and time picker for managed software updates in the settings catalog on iOS/iPadOS and macOS devices

Using the settings catalog, you can enforce managed updates on iOS/iPadOS and macOS devices by entering a date and time (Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update).

Previously, you had to manually type the date and time. Now, there's a date and time picker for the Target Local Date Time setting:

Declarative Device Management (DDM) > Software Update:

  • Target Local Date Time

Important

If you create a policy using this setting before the January 2024 release, then this setting shows Invalid Date for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows Invalid Date.

To configure a new date and time, you can delete the Invalid Date values, and select a new date and time using the date time picker. Or, you can create a new policy.

Applies to:

  • iOS/iPadOS
  • macOS

For more information about configuring Managed software updates in Intune, see Use the settings catalog to configure managed software updates.

Device management

New device management experience in Microsoft Intune

We're rolling out an update to the device management experience in the Intune admin center. The Devices area now has a more consistent UI, with more capable controls and an improved navigation structure so you can find what you need faster. The new experience, previously in public preview, will gradually roll out for general availability over the coming weeks. The public preview experience continues to be available until your tenant receives the update.

The availability of this new admin center experience varies tenant by tenant. While a few will see this update immediately, many might not see the new experience for several weeks. For Government clouds, the availability of this experience is estimated around late February 2024.

Due to the rollout timelines, we're updating our documentation to the new experience as soon as possible to help ease the transition to the new admin center layout. We're unable to provide a side-by-side content experience during this transition and believe providing documentation that aligns to the newer experience brings more value to more customers. If you want to try the new experience and align with doc procedures before your tenant is updated, go to Devices > Overview, select the notification banner that reads Preview upcoming changes to Devices and provide feedback, and select Try it now.

BlackBerry Protect Mobile now supports app protection policies

You can now use Intune app protection policies with BlackBerry Protect Mobile (powered by Cylance AI). With this change, Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for unenrolled devices. This support includes the use of risk assessment with Conditional access and configuration of Conditional Launch settings for unenrolled devices.

While configuring the CylancePROTECT Mobile connector (formerly BlackBerry Mobile), you now can select options to turn on App protection policy evaluation for both Android and iOS/iPadOS devices.

For more information, see Set up BlackBerry Protect Mobile, and Create Mobile Threat Defense app protection policy with Intune.

Device security

Support for Intune Defender Update control policies for devices managed by Microsoft Defender for Endpoint

You can now use the endpoint security policy for Defender Update control (Antivirus policy) from the Microsoft Intune admin center with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.

  • Defender Update control policies are part of endpoint security Antivirus policy.

Applies to the following when you use the Windows 10, Windows 11, and Windows Server platform:

  • Windows 10
  • Windows 11

With this support available, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune now apply the settings from the policy. Check your policy assignments to make sure only the devices you intend to receive the policy get it.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • PrinterOn Print by PrinterOn, Inc. (iOS/iPadOS)
  • Align for Intune by MFB Technologies, Inc. (iOS/iPadOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Monitoring reports for devices

In Intune, you can view a new list of all device monitoring reports. You can find these reports in Microsoft Intune admin center by selecting Devices > Monitor. The Monitor pane provides reports related to configuration, compliance, enrollment, and software updates. Additionally, there are other reports that you can view, such as Device actions.

For more information, see Intune reports.

Exported report data maintains search results

Intune can now maintain your report search and filter results when exporting report data. For example, when you use the Noncompliant devices and settings report, set the OS filter to "Windows", and search for "PC", the exported data will only contain Windows devices with "PC" in their name. This capability is also available when calling the ExportJobs API directly.
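The same filtered export, driven through the ExportJobs API mentioned above, as an added PowerShell example (not code from the Intune documentation). It assumes the Microsoft.Graph.Authentication module is installed, that the report name `NoncompliantDevicesAndSettings`, the `filter` syntax `(OS eq 'Windows')` and the CSV column names `OS` and `DeviceName` follow the Intune reports export API, and that the delegated scope shown is sufficient for your tenant; the final check confirms that the filter and search term were honoured in the downloaded rows.

```powershell
# Added example: export the "Noncompliant devices and settings" report with the OS filter and
# search term from the paragraph, then verify the rows in the downloaded CSV match them.
# Assumptions: Microsoft.Graph.Authentication installed; report name, filter syntax, CSV column
# names and the scope below are taken to follow the Intune reports export API.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$exportUri = "https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs"

# Filter and search are submitted with the job, so only matching rows land in the file
$jobRequest = @{
    reportName = "NoncompliantDevicesAndSettings"
    filter     = "(OS eq 'Windows')"
    search     = "PC"
    format     = "csv"
}

$job = Invoke-MgGraphRequest -Method POST -Uri $exportUri -Body $jobRequest -ContentType "application/json"

# The job runs asynchronously; poll until it leaves the queued/running states
do {
    Start-Sleep -Seconds 5
    $job = Invoke-MgGraphRequest -Method GET -Uri "$exportUri/$($job.id)"
    Write-Host "Export job $($job.id): $($job.status)"
} while ($job.status -in @("notStarted", "inProgress"))

if ($job.status -ne "completed") {
    throw "Export job ended in state '$($job.status)'"
}

# The download URL is a time-limited link to a zip archive containing the CSV
$workDir = Join-Path $env:TEMP "NoncompliantDevices"
$zipPath = "$workDir.zip"
Invoke-WebRequest -Uri $job.url -OutFile $zipPath
Expand-Archive -Path $zipPath -DestinationPath $workDir -Force

# Sanity check: every exported row should be a Windows device whose name contains "PC"
$csv  = Get-ChildItem -Path $workDir -Filter *.csv | Select-Object -First 1
$rows = Import-Csv -Path $csv.FullName
$unexpected = $rows | Where-Object { $_.OS -ne "Windows" -or $_.DeviceName -notlike "*PC*" }
"Rows exported: $($rows.Count); rows outside the filter/search: $($unexpected.Count)"
```

If the final count of rows outside the filter is not zero, the tenant has not yet received this service release, or the column names differ from the assumed ones; inspect the CSV header before trusting the check.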

Easy upload of diagnostic logs for Microsoft Tunnel servers

You can now use a single click within the Intune admin center to have Intune enable, collect, and submit eight hours of verbose logs for a Tunnel Gateway Server to Microsoft. The verbose logs can then be referenced while working with Microsoft to identify or resolve issues with a Tunnel server.

In contrast, the collection of verbose logs previously required you to sign on to the server, run manual tasks and scripts to enable and collect verbose logs, and then copy them to a location from which you can transfer them to Microsoft.

To find this new capability, in the admin center go to Tenant administration > Microsoft Tunnel Gateway > select a server > select the Logs tab. This tab has a new section named Send verbose server logs with a button labeled Send logs, and a list view that displays the log sets that have been collected and submitted to Microsoft.

When you select the Send logs button:

  • Intune captures and submits the current server logs as a baseline, prior to collecting verbose logs.
  • Verbose logging is automatically enabled at level 4, and runs for eight hours to provide time to reproduce an issue for capture in those logs.
  • After eight hours, Intune submits the verbose logs and then restores the server to its default verbosity level of zero (0), for normal operations. If you previously set logs to run at a higher verbosity level, you can restore your custom verbosity level after log collection and upload is complete.
  • Each time Intune collects and submits logs, it updates the list view below the button.
  • Below the button is a list of past log submissions, displaying their verbosity level and an Incident ID that you can use when working with Microsoft to reference a specific set of logs.

For more information about this capability, see Easy upload of diagnostic logs for Tunnel servers.

What's new archive

For previous months, see the What's new archive.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Intune is moving to support iOS/iPadOS 16 and later

Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 16/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).

Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 16/iPadOS 16 while the allowed OS version will change to iOS 13/iPadOS 13 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 13 and higher later this year

Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS is a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Ventura is compatible with these computers.

Note

Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 12.x or below.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Update to Intune endpoint for Remote Help

Starting on May 30, 2024, or soon after, to improve the experience for Remote Help on Windows, Web, and macOS, we're updating the primary network endpoint for Remote Help from https://remoteassistance.support.services.microsoft.com to https://remotehelp.microsoft.com.

How does this affect you or your users?

If you're using Remote Help and you have firewall rules that don't permit the new endpoint https://remotehelp.microsoft.com, admins and users may experience connectivity issues or disruptions with Remote Help.

Additionally, the Remote Help app on Windows will need to be updated to the newest version. No action is needed for the Remote Help app for macOS and the Remote Help Web app.

How can you prepare?

Update your firewall rules to include the new Remote Help endpoint: https://remotehelp.microsoft.com. For Remote Help on Windows, users will need to update to the newest version (5.1.124.0). Most users have opted in for automatic updates and will be updated automatically without any action from the user. To learn more, review Install and update Remote Help for Windows.
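A readiness check for the endpoint change described above, as an added PowerShell example rather than anything shipped with Remote Help. It tests TCP 443 to the new endpoint (and the previous one, for comparison) and compares the installed Remote Help version against the 5.1.124.0 minimum named on the page. The registry lookup assumes the Windows Remote Help app registers under the standard Uninstall keys with a DisplayName beginning "Remote Help"; adjust the pattern if your build differs.

```powershell
# Added example: verify the new Remote Help endpoint is reachable and the app meets the minimum
# version from the notice. Assumption: Remote Help appears in the standard Uninstall registry keys
# with a DisplayName starting "Remote Help".
$RequiredVersion = [version]"5.1.124.0"    # minimum version quoted on the page
$Endpoints = @(
    "remotehelp.microsoft.com",                        # new primary endpoint
    "remoteassistance.support.services.microsoft.com"  # previous endpoint, checked for comparison
)

function Test-RemoteHelpEndpoint {
    param([string[]]$HostNames)
    foreach ($h in $HostNames) {
        # A TCP handshake on 443; a failure here usually points at a missing firewall/proxy rule
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint      = $h
            Tcp443        = $r.TcpTestSucceeded
            RemoteAddress = $r.RemoteAddress
        }
    }
}

function Get-RemoteHelpVersionStatus {
    $keys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
            "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    $app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like "Remote Help*" } |
           Select-Object -First 1
    if (-not $app) {
        return [pscustomobject]@{ Installed = $false; Version = $null; MeetsMinimum = $false }
    }
    $v = [version]$app.DisplayVersion
    [pscustomobject]@{ Installed = $true; Version = $v; MeetsMinimum = ($v -ge $RequiredVersion) }
}

Test-RemoteHelpEndpoint -HostNames $Endpoints | Format-Table -AutoSize
Get-RemoteHelpVersionStatus
```

Run it on a representative helper and sharer workstation; a `Tcp443` of `False` for the new endpoint while the old one succeeds is the signature of a firewall rule that was never updated.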

Additional information:

Update to the latest Company Portal for Android, Intune App SDK for iOS, and Intune App Wrapper for iOS

Starting June 1, 2024, we're making updates to improve the Intune mobile application management (MAM) service. This update will require iOS wrapped apps, iOS SDK integrated apps, and the Company Portal for Android to be updated to the latest versions to ensure applications stay secure and run smoothly.

Important

If you don't update to the latest versions, users will be blocked from launching your app.

Ahead of this change, for Microsoft apps that need to be updated, when a user opens the app, they'll receive a blocking message to update the app.

Because of the way Android apps update, once one Microsoft application with the updated SDK is on the device and the Company Portal is updated to the latest version, the Android apps update as well. So, this message is focused on iOS SDK/app wrapper updates. We recommend always updating your Android and iOS apps to the latest SDK or app wrapper to ensure that your app continues to run smoothly.

How does this affect you or your users?

If your users haven't updated to the latest Microsoft or third-party app protection supported apps, they'll be blocked from launching their apps. If you have iOS line-of-business (LOB) applications that are using the Intune wrapper or Intune SDK, you must be on Wrapper/SDK version 17.7.0 or later to avoid your users being blocked.

How can you prepare?

Plan to make the changes below before June 1, 2024:

  • Any of your iOS line-of-business (LOB) apps using older versions of the Intune SDK or wrapper must be updated to v17.7.0 or later.
  • For tenants with policies targeted to iOS apps:
    • Notify your users that they need to upgrade to the latest version of the Microsoft apps. You can find the latest version of the apps in the App store. For example, you can find the latest version of Microsoft Teams here and Microsoft Outlook here.
    • Additionally, you have the option to enable the following conditional launch settings:
      • The Min OS version setting to warn users using iOS 15 or older so that they can download the latest apps.
      • The Min SDK version setting to block users if the app is using Intune SDK for iOS older than 17.7.0.
      • The Min app version setting to warn users on older Microsoft apps. Note that this setting must be in a policy targeted to only the targeted app.
  • For tenants with policies targeted to Android apps:
    • Notify your users that they need to upgrade to the latest version (v5.0.6198.0) of the Company Portal app.
    • Additionally, you have the option to enable the following conditional launch device condition setting:
      • The Min Company Portal version setting to warn users using a Company Portal app version older than 5.0.6198.0.

Plan for Change: Ending support for Intune App SDK Xamarin Bindings in May 2024

With the end of support for Xamarin Bindings, Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on May 1, 2024.

How does this affect you or your users?

If you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI.

How can you prepare?

Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps:

Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID

Last year we announced a new Microsoft Intune GitHub repository based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, in May 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed.

How does this affect you or your users?

If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

How can you prepare?

Update your PowerShell scripts by:

  1. Create a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform.
  2. Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.

For detailed step-by-step instructions visit powershell-intune-samples/Updating App Registration (github.com).
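The two steps above, as an added PowerShell example (not code from the Intune samples repository): a search that locates scripts still carrying the retired global client ID, the legacy sign-in pattern next to its replacement, and a check that the resulting Graph session is bound to your own registration. It assumes the Microsoft.Graph.Authentication module is installed, that `$TenantId` and `$ClientId` are placeholders you replace with your own values, and that the app registration has the Graph permissions your scripts need with a "Mobile and desktop" redirect URI of `http://localhost` for the interactive sign-in.

```powershell
# Added example: find scripts that still use the retired global Intune app ID and sign in with
# your own app registration instead. Assumptions: Microsoft.Graph.Authentication installed;
# $TenantId/$ClientId are placeholders; the registration already has consented Graph permissions.
$LegacyIntuneAppId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"   # global client ID quoted on the page

function Find-LegacyIntuneAppId {
    param([string]$Path = ".")
    # Every .ps1 under $Path that still references the retired client ID, with the offending line
    Get-ChildItem -Path $Path -Recurse -Include *.ps1 -File |
        Select-String -Pattern $LegacyIntuneAppId -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

# Before (the pattern this change retires): the shared Intune client ID was used to sign in.
# Connect-MgGraph -ClientId $LegacyIntuneAppId

# After: sign in with the client ID of the registration you created in step 1.
$TenantId = "<your-tenant-id>"                    # placeholder
$ClientId = "<your-app-registration-client-id>"   # placeholder
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
    -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Guard: refuse to continue if the session is somehow still bound to the retired ID
$ctx = Get-MgContext
if ($ctx.ClientId -eq $LegacyIntuneAppId) {
    throw "Session is still using the retired Intune app ID; update the -ClientId value."
}
"Signed in to tenant $($ctx.TenantId) as client $($ctx.ClientId)"

# Report remaining work: scripts in the repo that still need the step-2 edit
Find-LegacyIntuneAppId -Path ".\scripts"
```

Requesting only the scopes a given script actually needs keeps the new registration's consented permissions minimal, which is the main security benefit of moving off the shared global application ID.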

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:

  • Android Enterprise personally-owned work profile
  • Android Enterprise corporate owned work profile
  • Android Enterprise fully managed
  • Android Open Source Project (AOSP) user-based
  • Android device administrator
  • App protection policies (APP)
  • App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

  • Intune technical support won't be provided.
  • Intune won't make changes to address bugs or issues.
  • New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

  • Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
  • Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
  • Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.
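The admin-center filters recommended in the iOS 16, macOS 13 and Android 10 notices above can be reproduced against Graph, as an added PowerShell example that is not part of the Intune documentation. It lists managed devices whose OS version is below a threshold you pass in, following paging, and serves all three notices by parameterizing the platform and minimum version. It assumes the Microsoft.Graph.Authentication module is installed and that `operatingSystem` values follow the managedDevice resource (`iOS`, `macOS`, `Android`, `Windows`); a device whose `osVersion` cannot be parsed is included so you can review it rather than silently dropped.

```powershell
# Added example: devices below a minimum OS version, for the iOS 16 / macOS 13 / Android 10 notices.
# Assumptions: Microsoft.Graph.Authentication installed; operatingSystem values as in the
# managedDevice resource; unparsable osVersion strings are reported rather than ignored.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

function Get-DevicesBelowMinimumOS {
    param(
        [Parameter(Mandatory)][string]$OperatingSystem,
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           "?`$filter=operatingSystem eq '$OperatingSystem'" +
           "&`$select=id,deviceName,userPrincipalName,operatingSystem,osVersion,deviceEnrollmentType,lastSyncDateTime"
    $result = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) {
            # Android often reports a bare major version ("13"); [version] needs major.minor
            $text = if ($d.osVersion -match '^\d+$') { "$($d.osVersion).0" } else { [string]$d.osVersion }
            $parsed = $null
            $below = if ([version]::TryParse($text, [ref]$parsed)) { $parsed -lt $MinimumVersion } else { $true }
            if ($below) {
                $result += [pscustomobject]@{
                    DeviceName = $d.deviceName
                    User       = $d.userPrincipalName
                    OS         = $d.operatingSystem
                    OSVersion  = $d.osVersion
                    Enrollment = $d.deviceEnrollmentType
                    LastSync   = $d.lastSyncDateTime
                }
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until the last page
    }
    $result
}

# Thresholds from the notices on this page
Get-DevicesBelowMinimumOS -OperatingSystem "iOS"     -MinimumVersion "16.0" | Format-Table -AutoSize
Get-DevicesBelowMinimumOS -OperatingSystem "macOS"   -MinimumVersion "13.0" | Format-Table -AutoSize
Get-DevicesBelowMinimumOS -OperatingSystem "Android" -MinimumVersion "10.0" | Format-Table -AutoSize
```

The `Enrollment` column lets you separate Android device administrator enrollments from work profile and fully managed ones, which matters because the userless management methods called out in the note are not affected by the Android 10 change.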

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just-in-time (JIT) registration. For more information, review: Set up just in time registration in Microsoft Intune.

How does this affect you or your users?

This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method; existing profiles aren't impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Additional information:

Wrapped iOS apps and iOS apps using the Intune App SDK will require Azure AD app registration

We're making updates to improve the security of the Intune mobile application management (MAM) service. This update will require iOS wrapped apps and SDK integrated apps to be registered with Microsoft Entra ID (formerly Azure Active Directory (Azure AD)) by March 31, 2024 to continue receiving MAM policy.

How does this affect you or your users?

If you have wrapped apps or SDK integrated apps that aren't registered with Azure AD, these apps will be unable to connect to the MAM service to receive policy and your users won't be able to access apps that aren't registered.

How can you prepare?

Prior to this change, you will need to register the apps with Azure AD. See below for detailed instructions.

  1. Register your apps with Azure AD by following these instructions: Register an application with the Microsoft identity platform.
  2. Add the custom redirect URL to your app settings as documented here.
  3. Give your app access to the Intune MAM service, for instructions see here.
  4. Once the above changes are completed, configure your apps for Microsoft Authentication Library (MSAL):
    1. For wrapped apps: Add the Azure AD application client ID into the command-line parameters with the Intune App Wrapping Tool as outlined in the documentation: Wrap iOS apps with the Intune App Wrapping Tool | Microsoft Learn. The -ac and -ar parameters are required. Each app needs a unique set of these parameters. -aa is only required for single-tenant applications.
    2. For SDK integrated apps, see Microsoft Intune App SDK for iOS developer guide | Microsoft Learn. ADALClientId and ADALRedirectUri/ADALRedirectScheme are now required parameters. ADALAuthority is only required for single-tenant applications.
  5. Deploy the app.
  6. To validate the above steps:
    1. Target the "com.microsoft.intune.mam.IntuneMAMOnly.RequireAADRegistration" application configuration policy and set it to Enabled. See Configuration policies for Intune App SDK managed apps - Microsoft Intune | Microsoft Learn.
    2. Target App Protection Policy to the application. Enable the 'Work or school account credentials for access' policy and set 'Recheck the access requirements after (minutes of inactivity)' setting to a low number like 1.
  7. Then launch the application on a device and verify if the sign-in (which should be required every minute on app launch) happens successfully with the configured parameters.
  8. Note that if you only do step #6 and #7 before doing the other steps, you might be blocked on application launch. You will also notice the same behavior if some of the parameters are incorrect.
  9. Once you’ve completed the validation steps, you can undo the changes made in step #6.

Note

Intune will soon require an Azure AD device registration for iOS devices using MAM. If you have Conditional Access policies enabled, your devices should already be registered, and you won't notice any change. For more information, see Microsoft Entra registered devices - Microsoft Entra | Microsoft Learn.

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.

Customers in some environments can't be transitioned initially. For more details and updates, read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Update to the latest Intune App SDK and Intune App Wrapper for iOS to support iOS/iPadOS 17

To support the upcoming release of iOS/iPadOS 17, update to the latest versions of the Intune App SDK and the App Wrapping Tool for iOS to ensure applications stay secure and run smoothly. Additionally, for organizations using the Conditional Access grant “Require app protection policy”, users should update their apps to the latest version prior to upgrading to iOS 17. You can learn more by reading the blog: Update Intune App SDK, Wrapper, and iOS apps using MAM policies to support iOS/iPadOS 17.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

  1. Users won't be able to enroll devices with Android device administrator.
  2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
  3. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune.

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:

  1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
  2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. Additionally, you won't be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps, and related API properties will display stale data.
  3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later.

The retirement of Microsoft Store for Business and Education was announced in 2021. When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For instructions read the following articles:

Related information

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for the WIP without-enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog Support tip: End of support guidance for Windows Information Protection for more details and options for removing WIP from your devices.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the Company Portal versions associated with Windows 10 versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change only affects you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You also won't be able to co-manage those devices by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Intune admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.
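If you prefer to do this search from a script rather than the admin center, the following PowerShell is an added example (not from the Intune documentation) that uses the Microsoft Graph PowerShell SDK to list managed Windows devices still on one of the retired Windows 10 releases and the Company Portal versions reported by discovered apps. It assumes the Microsoft.Graph module is installed and that you can consent to the read-only scopes shown; the mapping from release name to OS build number is the public Windows 10 build list, and the variable names are the example's own.

```powershell
# Added example, not Intune's own tooling: find devices on retired Windows 10 releases
# and the Company Portal versions present in discovered apps, via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed; read-only scopes only.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementApps.Read.All'

# Windows 10 release -> OS build (osVersion reports 10.0.<build>.<revision>).
$retiredBuilds = @{
    '10240' = '1507'
    '10586' = '1511'
    '14393' = '1607'
    '15063' = '1703'
    '16299' = '1709'
}

# 1. Managed Windows devices whose reported OS build is one of the retired releases.
$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All
$stale = foreach ($d in $devices) {
    $build = ($d.OSVersion -split '\.')[2]      # e.g. 10.0.16299.1234 -> 16299
    if ($build -and $retiredBuilds.ContainsKey($build)) {
        [pscustomobject]@{
            DeviceName = $d.DeviceName
            User       = $d.UserPrincipalName
            OSVersion  = $d.OSVersion
            Release    = $retiredBuilds[$build]
            LastSync   = $d.LastSyncDateTime
        }
    }
}
"Devices on retired Windows 10 releases: $(@($stale).Count)"
$stale | Sort-Object Release, DeviceName | Format-Table -AutoSize

# 2. Discovered-app entries for Company Portal, with version and affected device count.
#    Filtering client-side avoids depending on server-side $filter support for detectedApps.
Get-MgDeviceManagementDetectedApp -All |
    Where-Object { $_.DisplayName -like 'Company Portal*' } |
    Select-Object DisplayName, Version, DeviceCount |
    Sort-Object { [version]$_.Version } |
    Format-Table -AutoSize
```

Compare the Company Portal versions in the second list against the retirement table above, then use Get-MgDeviceManagementDetectedAppManagedDevice with the entry's id to enumerate the specific devices that still carry a retired version.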