What Is Microsoft Intune-ALL
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile
application management (MAM). You control how your organization’s devices are used, including mobile phones,
tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent
emails from being sent to people outside your organization. Intune also allows people in your organization to use
their personal devices for school or work. On personal devices, Intune helps make sure your organization data
stays protected, and can isolate organization data from personal data.
Intune is part of Microsoft's Enterprise Mobility + Security (EMS) suite. Intune integrates with Azure Active
Directory (Azure AD) to control who has access, and what they can access. It also integrates with Azure Information
Protection for data protection. It can be used with the Microsoft 365 suite of products. For example, you can deploy
Microsoft Teams, OneNote, and other Microsoft 365 apps to devices. This feature enables people in your
organization to be productive on all of their devices, while keeping your organization’s information protected with
policies you create.
Manage devices
In Intune, you manage devices using an approach that's right for you. For organization-owned devices, you may
want full control on the devices, including settings, features, and security. In this approach, devices and users of
these devices "enroll" in Intune. Once enrolled, they receive your rules and settings through policies configured in
Intune. For example, you can set password and PIN requirements, create a VPN connection, set up threat
protection, and more.
For personal devices, or bring-your-own devices (BYOD), users may not want their organization administrators to
have full control. In this approach, give users options. For example, users enroll their devices if they want full
access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use
app protection policies that require multi-factor authentication (MFA) to use these apps.
When devices are enrolled and managed in Intune, administrators can:
See the devices enrolled, and get an inventory of devices accessing organization resources.
Configure devices so they meet your security and health standards. For example, you probably want to block
jailbroken devices.
Push certificates to devices so users can easily access your Wi-Fi network, or use a VPN to connect to your
network.
See reports on users and devices that are compliant, and not compliant.
Remove organization data if a device is lost, stolen, or not used anymore.
Online resources:
What is device enrollment?
Apply features and settings on your devices using device profiles
Protect devices with Microsoft Intune
Try the interactive guide
The Manage devices with Microsoft Endpoint Manager interactive guide steps you through the Microsoft Endpoint
Manager admin center to show you how to manage and protect mobile and desktop applications.
Manage apps
Mobile application management (MAM) in Intune is designed to protect organization data at the application level,
including custom apps and store apps. App management can be used on organization-owned devices, and
personal devices.
When apps are managed in Intune, administrators can:
Add and assign mobile apps to user groups and devices, including users in specific groups, devices in specific
groups, and more.
Configure apps to start or run with specific settings enabled, and update existing apps already on the device.
See reports on which apps are used, and track their usage.
Do a selective wipe by removing only organization data from apps.
One way that Intune provides mobile app security is through app protection policies. App protection policies:
Use Azure AD identity to isolate organization data from personal data, so personal information stays outside
organizational IT awareness. Data accessed using organization credentials is given additional security
protection.
Help secure access on personal devices by restricting actions users can take, such as copy-and-paste, save, and
view.
Can be created and deployed on devices that are enrolled in Intune, enrolled in another MDM service, or not
enrolled in any MDM service. On enrolled devices, app protection policies can add an extra layer of protection.
For example, a user signs in to a device with their organization credentials. Their organization identity allows
access to data that's denied to their personal identity. As that organization data is used, app protection policies
control how the data is saved and shared. When users sign in with their personal identity, those same protections
aren't applied. In this way, IT has control of organization data, while end users maintain control and privacy over
their personal data.
And, you can use Intune with the other services in EMS. This feature provides your organization mobile app
security beyond what's included with the operating system and any apps. Apps managed with EMS have access to
a broader set of mobile app and data protection features.
Next steps
Read some of the common business problems that Intune helps solve.
Start with a 30-day trial of Intune.
Plan your migration to Intune.
Using your free trial or subscription, step through the Quickstart: Create an email device profile for iOS.
Device management overview
9/4/2020 • 5 minutes to read
A key task of any Administrator is to protect and secure an organization’s resources and data on user devices in
their organization. This task is device management. Users receive and send email from personal accounts,
browse websites from home and from restaurants, and install apps and games. These users are also employees and
students. On their devices, they want to access work and school resources, such as email and OneNote, and access
them quickly. As an administrator, your goal is to protect these resources, and provide easy access for users across
their many devices, all at the same time.
Device management enables organizations to protect and secure their resources and data across many different
devices.
Using a device management provider, organizations can make sure that only authorized people and devices get
access to proprietary information. Similarly, device users can feel at ease accessing work data from their phone,
because they know their device meets their organization's security requirements. As an organization, you might ask -
What should we use to protect our resources?
The answer is Microsoft Intune. Intune offers mobile device management (MDM) and mobile application
management (MAM). Some key tasks of any MDM or MAM solution are to:
Support a diverse mobile environment and manage iOS/iPadOS, Android, Windows, and macOS devices
securely.
Make sure devices and apps are compliant with your organization's security requirements.
Create policies that help keep your organization data safe on organization-owned and personal devices.
Use a single, unified mobile solution to enforce these policies, and help manage devices, apps, users, and
groups.
Protect your company information by helping to control the way your workforce accesses and shares its data.
Intune is included with Microsoft Azure, Microsoft 365, and integrates with Azure Active Directory (Azure AD).
Azure AD helps control who has access, and what they have access to.
Microsoft Intune
Many organizations, such as Microsoft, use Intune to secure proprietary data that users access from their company-
owned and personal mobile devices. Intune includes device and app configuration policies, software update
policies, and installation statuses (charts, tables, and reports) to help you secure and monitor data access.
It's common for people to have multiple devices that use different platforms. For example, an employee might use
Surface Pro for work, and an Android mobile device in their personal life. And, it's common for a person to access
organizational resources, such as Microsoft Outlook and SharePoint, from these multiple devices.
With Intune, you can manage multiple devices per person, and the different platforms that run on each device,
including iOS/iPadOS, macOS, Android, and Windows. Intune separates policies and settings by device platform. So
it's easy to manage and view devices of a specific platform.
Common scenarios is a great resource to see how Intune answers common questions when working with mobile
devices. You'll find scenarios about:
Protecting email with on-premises Exchange
Accessing Microsoft 365 safely and securely
Using personal devices to access organizational resources
For more information about Intune, see What is Intune.
Co-management
Many organizations use on-premises Configuration Manager to manage devices, including desktops and servers.
You can cloud-attach your on-premises Configuration Manager to Microsoft Intune. When you cloud-attach, you
get the benefits of Intune and the cloud, including conditional access, running remote actions, using Windows
Autopilot, and more.
Microsoft Endpoint Manager is a solution platform that unifies several services. It includes Microsoft Intune for
cloud-based device management, and Configuration Manager + Intune for cloud-attach device management.
If you use Configuration Manager, and you're ready to move some tasks to the cloud, then co-management is your
answer.
For more information about cloud-attaching your Configuration Manager, see What is co-management.
Next steps
When you're ready to get started with an MDM or MAM solution, walk through the different steps to set up Intune,
enroll devices, and start creating policies. Mobile device management for Microsoft 365 is also a great resource.
What's new in Microsoft Intune
9/4/2020 • 88 minutes to read
Learn what's new each week in Microsoft Intune in Microsoft Endpoint Manager admin center. You can also find
important notices, past releases, and information about how Intune service updates are released.
NOTE
Each monthly update may take up to three days to roll out and will be in the following order:
Day 1: Asia Pacific (APAC)
Day 2: Europe, Middle East, Africa (EMEA)
Day 3: North America
Day 4+: Intune for Government
Some features may roll out over several weeks and might not be available to all customers in the first week.
Check the In development page for a list of upcoming features in a release.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://docs.microsoft.com/api/search/rss?search=%22What%27s+new+in+microsoft+intune%3F+-+Azure%22&locale=en-us
IMPORTANT
On macOS, the Microsoft Azure AD SSO extension is still being developed. It's listed in the Intune user interface, but doesn't
work as expected. On macOS, don't use Microsoft Azure AD for the SSO app extension type.
The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension to allow macOS 10.15+ users to
gain access to Microsoft apps, organization apps, and websites that support Apple's SSO feature and authenticate
using Azure AD, with one sign-on. With the Microsoft Enterprise SSO plug-in release, you can configure the SSO
extension with the new Microsoft Azure AD app extension type (Devices > Configuration profiles > Create
profile > macOS for platform > Device features for profile > Single sign-on app extension > SSO app
extension type > Microsoft Azure AD).
To achieve SSO with the Microsoft Azure AD SSO app extension type, users need to install and sign in to the
Company Portal app on their macOS devices.
For more information about macOS SSO app extensions, see Single sign-on app extension.
Applies to:
macOS 10.15 and newer
Prevent users from unlocking Android Enterprise work profile devices using face and iris scanning
You can now prevent users from using face or iris scanning to unlock their work profile managed devices, either at
the device level or the work profile level. This can be set in Devices > Configuration profiles > Create profile >
Android Enterprise for platform > Work profile > Device restrictions for profile > Work profile settings
and Password sections.
For more information, see Android Enterprise device settings to allow or restrict features using Intune.
Applies to:
Android Enterprise work profile
Use SSO app extensions on more iOS/iPadOS apps with the Microsoft Enterprise SSO plug-in
The Microsoft Enterprise SSO plug-in for Apple devices can be used with all apps that support SSO app extensions.
In Intune, this feature means the plug-in works with mobile iOS/iPadOS apps that don't use the Microsoft
Authentication Library (MSAL) for Apple devices. The apps don't need to use MSAL, but they do need to
authenticate with Azure AD endpoints.
To configure your iOS/iPadOS apps to use SSO with the plug-in, add the app bundle identifiers in an iOS/iPadOS
configuration profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform >
Device features for profile > Single sign-on app extension > Microsoft Azure AD for SSO app extension
type > App bundle IDs).
To see the current SSO app extension settings you can configure, go to Single sign-on app extension.
Applies to:
iOS/iPadOS
Device security
Deploy endpoint security Antivirus policy to tenant attached devices (preview)
As a preview, you can deploy endpoint security policy for Antivirus to devices you manage with Configuration
Manager. This scenario requires you to configure a tenant attach between a supported version of Configuration
Manager and your Intune subscription. The following versions of Configuration Manager are supported:
Configuration Manager current branch 2006
For more information, see the requirements for Intune endpoint security policies to support Tenant Attach.
Changes for Endpoint security Antivirus policy exclusions
We’ve introduced two changes for managing the Microsoft Defender Antivirus exclusion lists you configure as part
of an Endpoint Security Antivirus policy. The changes help you to prevent conflicts between different policies and
resolve exclusion list conflicts that might exist in your previously deployed policies.
Both of the changes apply to policy settings for the following Microsoft Defender Antivirus Configuration Service
Providers (CSPs):
Defender/ExcludedPaths
Defender/ExcludedExtensions
Defender/ExcludedProcesses
The changes are:
New profile type: Microsoft Defender Antivirus exclusions - Use this new profile type for Windows 10
and later to define a policy that is focused only on Antivirus exclusions. This profile helps simplify
management of your exclusion lists by separating them from other policy configurations.
The exclusions you can configure include Defender processes, file extensions, and files and folders that you
don’t want Microsoft Defender to scan.
Policy merge – Intune now merges the list of exclusions you’ve defined in separate profiles into a single list
of exclusions to apply to each device or user. For example, if you target a user with three separate policies,
the exclusion lists from those three policies merge into a single superset of Microsoft Defender Antivirus
exclusions, that then apply to that user.
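The policy-merge behaviour described above is easy to misread when several teams own separate exclusion profiles: the device ends up with the union of every list, and every entry in that union is a path, extension or process Defender will not scan. The following added example (not Intune's or Microsoft's code) models the merge for the three CSPs named on the page and lets an administrator trace which profile introduced a given exclusion. The profile data is constructed, and the case-insensitive normalization is an assumption about how Windows matches exclusions.

```python
"""Merge Microsoft Defender Antivirus exclusion lists from several Intune
profiles into one superset per CSP.  Added illustration of the policy-merge
behaviour, not Intune code.  Profile contents below are constructed."""

from __future__ import annotations

# The three Defender CSP settings the page says policy merge applies to.
EXCLUSION_CSPS = (
    "Defender/ExcludedPaths",
    "Defender/ExcludedExtensions",
    "Defender/ExcludedProcesses",
)

# Constructed sample: three profiles that all target the same user.
PROFILES = [
    {
        "name": "Baseline exclusions",
        "Defender/ExcludedPaths": [r"C:\Program Files\ContosoApp"],
        "Defender/ExcludedExtensions": [".log"],
    },
    {
        "name": "SQL host exclusions",
        "Defender/ExcludedPaths": [r"D:\SQLData", r"c:\program files\contosoapp"],
        "Defender/ExcludedProcesses": ["sqlservr.exe"],
    },
    {
        "name": "Backup agent exclusions",
        "Defender/ExcludedExtensions": [".LOG", "bak"],
        "Defender/ExcludedProcesses": ["backupagent.exe", "SQLSERVR.EXE"],
    },
]


def _normalize(csp: str, entry: str) -> str:
    """Canonical form used for de-duplication.  Assumption: Windows paths,
    extensions and process names match case-insensitively, and extensions
    are stored with a leading dot."""
    entry = entry.strip()
    if csp == "Defender/ExcludedExtensions" and not entry.startswith("."):
        entry = "." + entry
    return entry.lower()


def merge_exclusions(profiles: list[dict]) -> dict[str, list[str]]:
    """Return one de-duplicated, sorted exclusion list per CSP: the superset
    a device or user receives after Intune merges the targeted profiles."""
    merged: dict[str, set[str]] = {csp: set() for csp in EXCLUSION_CSPS}
    for profile in profiles:
        for csp in EXCLUSION_CSPS:
            for entry in profile.get(csp, []):
                merged[csp].add(_normalize(csp, entry))
    return {csp: sorted(values) for csp, values in merged.items()}


def exclusion_sources(profiles: list[dict], csp: str, entry: str) -> list[str]:
    """Names of the profiles that contributed a given exclusion.  Useful when
    auditing why a path or process is not being scanned on a device."""
    key = _normalize(csp, entry)
    return [
        p["name"]
        for p in profiles
        if any(_normalize(csp, e) == key for e in p.get(csp, []))
    ]


if __name__ == "__main__":
    for csp, entries in merge_exclusions(PROFILES).items():
        print(csp, entries)
    print(exclusion_sources(PROFILES, "Defender/ExcludedProcesses", "sqlservr.exe"))
```

Reviewing the merged output rather than the individual profiles is the right unit of audit: a process exclusion that looks harmless in the "SQL host" profile is applied to every device that also receives the baseline profile.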
Import and export lists of address ranges for Windows firewall rules
We've added support to Import or Export a list of address ranges using .csv files to the Microsoft Defender
Firewall rules profile in the Firewall policy for Endpoint security. The following Windows firewall rule settings now
support import and export:
Local address ranges
Remote address ranges
We've also improved validation of both local and remote address range entry to help prevent duplicate or invalid
entries.
For more information about these settings, see the settings for Microsoft Defender Firewall rules.
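The improved validation mentioned above (rejecting duplicate or invalid address range entries) is worth reproducing locally before a .csv is imported, since a malformed or duplicated remote address range is the kind of mistake that silently widens a firewall rule. The added example below is not Intune's validator; it assumes a one-column CSV with an `AddressRange` header, and the keyword set it accepts is an assumption about the Firewall CSP rather than something taken from this page. Sample rows are constructed.

```python
"""Validate a .csv of firewall rule address ranges before import: flag invalid
syntax and duplicates, and emit canonical entries.  Added illustration, not
Intune's own validation; CSV header and keyword set are assumptions."""

from __future__ import annotations

import csv
import io
import ipaddress

# Keyword tokens assumed to be accepted alongside literal addresses.
KEYWORDS = {"any", "localsubnet", "dns", "dhcp", "wins", "defaultgateway",
            "intranet", "internet"}


def normalize_entry(raw: str) -> str | None:
    """Return a canonical form for a valid entry, or None if it is invalid.
    Accepts a single IPv4/IPv6 address, a CIDR subnet with no host bits set,
    a start-end range of the same address family, or a known keyword."""
    text = raw.strip()
    if not text:
        return None
    if text.lower() in KEYWORDS:
        return text.lower()
    try:
        if "/" in text:
            # strict=True rejects "10.0.1.5/24": ambiguous host bits are an error.
            return str(ipaddress.ip_network(text, strict=True))
        if "-" in text:
            start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            if start.version != end.version or start > end:
                return None
            return f"{start}-{end}"
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def validate_ranges_csv(csv_text: str) -> dict[str, list[str]]:
    """Split CSV rows into accepted (canonical, de-duplicated), duplicate and
    invalid entries.  Duplicates are detected on the canonical form, so
    '10.0.0.0/24' and '10.0.0.0/24 ' count as the same entry."""
    accepted: list[str] = []
    duplicates: list[str] = []
    invalid: list[str] = []
    seen: set[str] = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get("AddressRange", "") or ""
        canon = normalize_entry(raw)
        if canon is None:
            invalid.append(raw)
        elif canon in seen:
            duplicates.append(raw)
        else:
            seen.add(canon)
            accepted.append(canon)
    return {"accepted": accepted, "duplicates": duplicates, "invalid": invalid}


# Constructed sample file: one valid duplicate, a range, a keyword, an IPv6
# host, plus three invalid rows (host bits set, bad octet, reversed range).
SAMPLE_CSV = """AddressRange
10.0.0.0/24
10.0.0.0/24 
192.168.1.10-192.168.1.20
LocalSubnet
2001:db8::1
10.0.1.5/24
10.0.0.300
10.0.0.20-10.0.0.10
"""

if __name__ == "__main__":
    for bucket, entries in validate_ranges_csv(SAMPLE_CSV).items():
        print(f"{bucket}: {entries}")
```

Only the `accepted` list should be written to the file handed to the Import dialog; anything in `invalid` or `duplicates` needs a human decision rather than a silent drop.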
The following properties are now exposed via the devicePropertyHistories entity:
physicalMemoryInBytes - The physical memory in bytes.
totalStorageSpaceInBytes - Total storage capacity in bytes.
IMPORTANT
Existing policies created prior to the release of this feature (April 2020 release - 2004) that do not have any certificate profiles
associated with the policy will default to Work Profile and Device Owner Profile for device enrollment type. Also, existing
policies created prior to the release of this feature that have certificate profiles associated with them will default to Work
Profile only.
Additionally, we are adding Gmail and Nine email configuration profiles that will work for both Work Profile and
Device Owner enrollment types, including the use of certificate profiles on both email configuration types. Any
Gmail or Nine policies that you have created under Device Configuration for Work Profiles will continue to apply to
the device and it is not necessary to move them to app configuration policies.
In the Microsoft Endpoint Manager admin center, you can find app configuration policies by selecting Apps > App
configuration policies. For more information about app configuration policies, see App configuration policies for
Microsoft Intune.
Push notification when device ownership type is changed
You can configure a push notification to send to both your Android and iOS Company Portal users when their
device ownership type has been changed from Personal to Corporate as a privacy courtesy. This push notification is
set to off by default. The setting can be found in the Microsoft Endpoint Manager admin center by selecting Tenant
administration > Customization. To learn more about how device ownership affects your end-users, see Change
device ownership.
Group targeting support for Customization pane
You can target the settings in the Customization pane to user groups. To find these settings in Intune, navigate to
the Microsoft Endpoint Manager admin center, select Tenant administration > Customization. For more
information about customization, see How to customize the Intune Company Portal apps, Company Portal website,
and Intune app.
Device configuration
Multiple "Evaluate each connection attempt" on-demand VPN rules supported on iOS, iPadOS, and macOS
The Intune user experience allows multiple on-demand VPN rules in the same VPN profile with the Evaluate each
connection attempt action (Devices > Configuration profiles > Create profile > iOS/iPadOS or macOS for
platform > VPN for profile > Automatic VPN > On-demand).
It only honored the first rule in the list. This behavior is fixed, and Intune evaluates all rules in the list. Each rule is
evaluated in the order it appears in the on-demand rules list.
NOTE
If you have existing VPN profiles that use these on-demand VPN rules, the fix applies the next time you change the VPN
profile. For example, make a minor change, such as changing the connection name, and then save the profile.
If you're using SCEP certificates for authentication, this change causes the certificates for this VPN profile to be re-issued.
Applies to:
iOS/iPadOS
macOS
For more information on VPN profiles, see Create VPN profiles.
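The fix described in this section changes which rule decides whether the VPN is brought up, so it is worth seeing the old and new behaviour side by side. The added example below (not Intune or Apple code) uses a deliberately simplified model of on-demand rules: each rule has optional interface-type and SSID match criteria and an action, and an "Evaluate each connection attempt" rule carries a domain-to-action map. The first rule whose criteria match the current network decides; that first-match semantics and the "Ignore" default are assumptions of the model. The rule set is constructed.

```python
"""Order-sensitive evaluation of on-demand VPN rules, contrasting a profile
that honors only the first rule (the old behaviour) with one that evaluates
every rule in list order (the fix).  Added illustration with a simplified
model of on-demand rules; not Intune or Apple code."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OnDemandRule:
    # "Connect", "Disconnect", "Ignore" or "EvaluateConnection"
    action: str
    # Match criteria: None / empty list means "any".
    interface_type: str | None = None
    ssids: list[str] = field(default_factory=list)
    # For EvaluateConnection only: domain suffix -> "ConnectIfNeeded" / "NeverConnect"
    domain_actions: dict[str, str] = field(default_factory=dict)

    def matches(self, interface_type: str, ssid: str | None) -> bool:
        """True when the current network satisfies this rule's criteria."""
        if self.interface_type and self.interface_type != interface_type:
            return False
        if self.ssids and ssid not in self.ssids:
            return False
        return True


def decide(rules: list[OnDemandRule], interface_type: str, ssid: str | None,
           host: str, honor_all: bool = True) -> str:
    """Return the VPN decision for reaching `host` on the given network.
    honor_all=False reproduces the old behaviour, where only the first rule in
    the list was honored.  Assumption: first matching rule wins; a matching
    EvaluateConnection rule with no matching domain leaves the connection alone."""
    candidates = rules if honor_all else rules[:1]
    for rule in candidates:
        if not rule.matches(interface_type, ssid):
            continue
        if rule.action != "EvaluateConnection":
            return rule.action
        for suffix, verdict in rule.domain_actions.items():
            if host == suffix or host.endswith("." + suffix):
                return verdict
        return "Ignore"
    return "Ignore"


# Constructed rule set: on the corporate Wi-Fi the intranet is reachable
# directly, on cellular it needs the VPN, and everywhere else the VPN is
# torn down.  Placeholder domain, not a real one.
RULES = [
    OnDemandRule("EvaluateConnection", interface_type="WiFi", ssids=["CorpWiFi"],
                 domain_actions={"corp.contoso.example": "NeverConnect"}),
    OnDemandRule("EvaluateConnection", interface_type="Cellular",
                 domain_actions={"corp.contoso.example": "ConnectIfNeeded"}),
    OnDemandRule("Disconnect"),
]

if __name__ == "__main__":
    host = "intranet.corp.contoso.example"
    print("cellular, all rules :", decide(RULES, "Cellular", None, host))
    print("cellular, first only:", decide(RULES, "Cellular", None, host, honor_all=False))
```

The cellular case is the one that bit administrators before the fix: with only the first rule honored, the second "Evaluate each connection attempt" rule never ran, so intranet hosts were reached without the VPN being brought up. Because evaluation is in list order, moving the unconditional `Disconnect` rule to the top would suppress both evaluate rules, which is why the order of the on-demand list matters.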
Additional options in SSO and SSO app extension profiles on iOS/iPadOS devices
On iOS/iPadOS devices, you can:
In SSO profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device
features for profile > Single sign-on ), set the Kerberos principal name to be the Security Account Manager
(SAM) account name in SSO profiles.
In SSO app extension profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for
platform > Device features for profile > Single sign-on app extension ), configure the iOS/iPadOS
Microsoft Azure AD extension with fewer clicks by using a new SSO app extension type. You can enable the
Azure AD extension for devices in shared device mode and send extension-specific data to the extension.
Applies to:
iOS/iPadOS 13.0+
For more information on using single sign-on on iOS/iPadOS devices, see Single sign-on app extension overview
and Single sign-on settings list.
Device enrollment
Delete Apple Automated Device Enrollment token when default profile is present
Previously, you couldn't delete a default profile, which meant that you couldn't delete the Automated Device
Enrollment token associated with it. Now, you can delete the token when:
no devices are assigned to the token
a default profile is present
To do so, delete the default profile and then delete the associated token. For more information, see Delete an ADE
token from Intune.
Scaled up support for Apple Automated Device Enrollment and Apple Configurator 2 devices, profiles, and tokens
To help distributed IT departments and organizations, Intune now supports up to 1000 enrollment profiles per
token, 2000 Automated Device Enrollment (formerly known as DEP) tokens per Intune account, and 75,000 devices
per token. There is no specific limit for devices per enrollment profile, below the maximum number of devices per
token.
Intune now supports up to 1000 Apple Configurator 2 profiles.
For more information, see Supported volume.
All devices page column entry changes
On the All devices page, the entries for the Managed by column have changed:
Intune is now displayed instead of MDM
Co-managed is now displayed instead of MDM/ConfigMgr Agent
The export values are unchanged.
Device management
Trusted Platform Module (TPM) version information now on Device Hardware page
You can now see the TPM version number on a device's hardware page (Microsoft Endpoint Manager admin center
> Devices > choose a device > Hardware > look under System enclosure).
Monitor and troubleshoot
Collect logs to better troubleshoot scripts assigned to macOS devices
You can now collect logs for improved troubleshooting of scripts assigned to macOS devices. You can collect logs
up to 60 MB (compressed) or 25 files, whichever occurs first. For more information, see Troubleshoot macOS shell
script policies using log collection.
Security
Derived credentials to provision Android Enterprise Fully Managed devices with certificates
Intune now supports use of derived credentials as an authentication method for Android devices. Derived
credentials are an implementation of the National Institute of Standards and Technology (NIST) 800-157 standard
for deploying certificates to devices. Our support for Android expands on our support for devices that run
iOS/iPadOS.
Derived credentials rely on the use of a Personal Identity Verification (PIV) or Common Access Card (CAC) card, like
a smart card. To get a derived credential for their mobile device, users start in the Microsoft Intune app and follow
an enrollment workflow that is unique to the provider you use. Common to all providers is the requirement to use a
smart card on a computer to authenticate to the derived credential provider. That provider then issues a certificate
to the device that's derived from the user's smart card.
You can use derived credentials as the authentication method for device configuration profiles for VPN and WiFi.
You can also use them for app authentication, and S/MIME signing and encryption for applications that support it.
Intune now supports the following derived credential providers with Android:
Entrust Datacard
Intercede
A third provider, DISA Purebred, will be available for Android in a future release.
Microsoft Edge security baseline is now Generally Available
A new version of the Microsoft Edge security baseline is now available, and is released as generally available (GA).
The previous Edge baseline was in Preview. The new baseline version is April 2020 (Edge version 80 and later).
With the release of this new baseline, you'll no longer be able to create profiles based on the previous baseline
versions, but you can continue to use profiles you created with those versions. You can also choose to update your
existing profiles to use the latest baseline version.
The following properties are now exposed via the devicePropertyHistory beta collection:
physicalMemoryInBytes - The physical memory in bytes.
totalStorageSpaceInBytes - Total storage capacity in bytes.
Notices
These notices provide important information that can help you prepare for future Intune changes and features.
Updated end-user experience for Android device administrator Wi-Fi profiles
Due to a change made by Google, the end-user experience for new Wi-Fi profiles is significantly different starting in
the October release of the Company Portal app. Users will need to accept additional permissions, and explicitly
accept Wi-Fi configurations when they're deployed. Wi-Fi configurations will not appear in the known Wi-Fi
networks list, but will automatically connect when in range. There are no changes in behavior for existing Wi-Fi
profiles. There are also no changes to the admin experience in the Endpoint Manager admin center.
Applies to:
Android device administrator, Android 10 and later
Microsoft Intune ends support for Windows Phone 8.1 and Windows 10 Mobile
Microsoft mainstream support for Windows Phone 8.1 ended in July 2017 and extended support ended in June
2019. The Company Portal app for Windows Phone 8.1 has been in sustain mode since October 2017. Additionally,
Microsoft Intune has ended support on February 20, 2020 for Windows Phone 8.1.
Microsoft mainstream support for Windows 10 Mobile ended in December 2019. As mentioned in the support
statement, Windows 10 Mobile users will no longer be eligible to receive new security updates, non-security
hotfixes, free assisted support options or online technical content updates from Microsoft. Based on the all-up
Mobile OS support, Microsoft Intune ends support for both the Company Portal for the Windows 10 Mobile app
and the Windows 10 Mobile Operating System on August 10, 2020.
As of August 10, enrollments for Windows Phone 8.1 and Windows 10 Mobile devices will fail and Windows Mobile
profile types are removed from the Intune UI. Devices already enrolled will no longer check into the Intune service
and we will delete device and policy data.
End of support for legacy PC management
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll
them as Mobile Device Management (MDM) devices to keep them managed by Intune.
Learn more
Move to the Microsoft Endpoint Manager admin center for all your Intune management
In MC208118 posted last March, we introduced a new, simple URL for your Microsoft Endpoint Manager – Intune
administration: https://endpoint.microsoft.com. Microsoft Endpoint Manager is a unified platform that includes
Microsoft Intune and Configuration Manager. Starting August 1, 2020, we will remove Intune administration at
https://portal.azure.com and recommend you instead use https://endpoint.microsoft.com for all your endpoint
management.
Decreasing support for Android device administrator
Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then
beginning with Android 5, the more modern management framework of Android Enterprise was released (for
devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device
administrator management by decreasing its management support in new Android releases.
How does this affect me?
Because of these changes by Google, in October 2020, you will no longer have as extensive management
capabilities on impacted device administrator-managed devices.
NOTE
This date was previously communicated as fourth quarter of 2020, but it has been moved out based on the latest
information from Google.
Devices that will be impacted by the decreasing device administrator support are those for which all three
conditions below apply:
Enrolled in device administrator management.
Running Android 10 or later.
Not a Samsung device.
Devices will not be impacted if they are any of the below:
Not enrolled with device administrator management.
Running an Android version below Android 10.
Samsung devices. Samsung Knox devices won't be impacted in this timeframe because extended support is
provided through Intune’s integration with the Knox platform. This gives you additional time to plan the
transition off device administrator management for Samsung devices.
Settings that will be impacted
Google's decreased device administrator support prevents configuration of these settings from applying on
impacted devices.
Configuration profile device restriction settings
Block Camera
Set Minimum password length
Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but
will apply on devices with a password)
Set Password expiration (days)
Set Required password type
Set Prevent use of previous passwords
Block Smart Lock and other trust agents
Compliance policy settings
Learn about the most recent updates to the Microsoft Intune apps. We regularly add to and improve the Intune
Company Portal app and website. If you're an Intune administrator or support person, this article provides the
information you need to:
Alert students and employees to app and enrollment changes.
Update your organization's documentation or helpdesk procedures.
If you're an employee or student, be sure to check out the screenshots and links to the Company Portal help
documentation. For more information about how to use the Company Portal app, see the Company Portal user
help documentation.
To make way for these new and improved experiences, the APPS tab shown in the following image has been
removed.
Week of March 2, 2020
Improved sign-in experience in Company Portal for Android
We've updated the layout of several sign-in screens in the Company Portal app for Android to make the
experience more modern, simple, and clean for users. To see all Company Portal for Android enrollment
instructions, go to Enroll your Android device or Enroll with Android work profile.
(Screenshots: updated and previous sign-in screens)
The following screens show the updated checklist for Android device administrator enrollment:
(Screenshots: updated and previous enrollment checklist)
New view lets app users see all managed apps installed on device
The Company Portal app for Windows now lists all managed apps (both required and available) that are
installed on a user's device. Users can also see attempted and pending app installations, and their current
statuses. If you haven't made apps required or available to your users, they'll see a message explaining that no
company apps have been installed. To see the new view, go to the Company Portal navigation pane and select
Apps > Installed Apps.
(Screenshots: updated and previous Installed Apps view; before and after comparisons)
August 2017
iOS 11 Mail app will support OAuth
Conditional Access with Intune supports more secure authentication on iOS devices with OAuth. To support
this, there will now be a different flow on the Company Portal app for iOS to allow for more secure
authentication. When end users try to sign in to a new Exchange account in the Mail app, they will see a web
view prompt. Upon enrollment in Intune, users will see a prompt to allow the native Mail app to access a
certificate. Most end users will not see any more quarantined emails. Existing mail accounts will continue to
use basic authentication protocol, so these users will still have quarantine emails delivered to them. This sign in
experience for end users is similar to the one on Office mobile apps.
Intune Mobile Application Management (MAM) dialog boxes will have a modern interface
Intune Mobile Application Management (MAM) dialog boxes will be updated to a modern look and feel. The
dialog boxes will function in the same way as the previous style.
Previous experience
Modern experience
Updates to the "Device Details" page on the Company Portal app for Windows 10
The Company Portal app for Windows 10 is moving the Category tag from below the title to a property on
the Device Details page.
July 2017
Apps details pages will display new information for Android devices
The apps details page of the Company Portal app for Android will now display the app categories that the IT
admin has defined for that app.
Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign-in experience
for the Intune Company Portal apps for Android, iOS/iPadOS, and Windows. The new user experience will
automatically appear across all platforms for the Company Portal app when Azure AD makes this change. In
addition, users can now sign in to the Company Portal from another device with a generated, single-use code.
This is especially useful in cases when users need to sign in without credentials.
Below you can see the previous sign-in experience, the new sign-in experience with credentials, and the new
sign-in experience from another device.
Previous sign in experience
New sign in experience
New sign in experience when signing in from another device
Tap the Sign-in from another device link.
June 2017
Company Portal app for Android now has a new end-user experience for App Protection Policies
Based on customer feedback, we've modified the Company Portal app for Android to show an Access
Company Content button. The intent is to prevent end users from unnecessarily going through the
enrollment process when they only need to access apps that support App Protection Policies, a feature of
Intune mobile application management.
The user will tap on the Access Company Content button instead of beginning to enroll the device.
The user then is taken to the Company Portal website to authorize the app for use on their device, where the
Company Portal website verifies their credentials.
The device can still be enrolled into full management by tapping on the action menu.
Improvements to app syncing with Windows 10 Creators Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app install requests for
devices with Windows 10 Creators Update (version 1703). This will reduce the issue of app installs stalling
during the "Pending Sync" state. In addition, users will be able to manually initiate a sync from within the app.
New guided experience for Windows 10 Company Portal
The Company Portal app for Windows 10 will include a guided Intune walkthrough experience for devices that
have not been identified or enrolled. The new experience provides step-by-step instructions that guide the user
through registering into Azure Active Directory (required for Conditional Access features) and MDM
enrollment (required for device management features). The guided experience will be accessible from the
Company Portal home page. Users can continue to use the app if they do not complete registration and
enrollment, but will experience limited functionality.
This update is only visible on devices running Windows 10 Anniversary Update (version 1607) or higher.
New menu action to easily remove Company Portal
Based on user feedback, the Company Portal app for Android has added a new menu action to initiate the
removal of Company Portal from your device. This action removes the device from Intune management so that
the app can be removed from the device by the user.
Improvements to the app tiles in the Company Portal app for iOS
We updated the design of the app tiles on the homepage to reflect the branding color you set for the Company
Portal.
Before
After
Account picker now available for the Company Portal app for iOS
If users have used their work or school account to sign in to other Microsoft apps on their iOS device, then
they may see our new account picker when signing into the Company Portal for the first time.
April 2017
New icons for the Managed Browser and the Company Portal
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new
icon will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility +
Security (EM+S).
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to
improve consistency with other apps in EM+S. These icons will be gradually released across platforms from
April to late May.
Sign in progress indicator in Android Company Portal
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or
resumes the app. The indicator progresses through new statuses, beginning with "Connecting...", then "Signing
in...", then "Checking for security requirements..." before allowing the user to access the app.
Improved app install status for the Windows 10 Company Portal app
The Windows 10 Company Portal app now provides an install progress bar on the app details page. This is
supported for modern apps on devices running the Windows 10 Anniversary Update and up.
Before
After
February 2017
New user experience for the Company Portal app for Android
Beginning in March, the Company Portal app for Android will follow material design guidelines to create a
more modern look and feel. This improved user experience includes:
Colors: tab headers can be colored according to your custom color palette.
Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button
is now a floating action button.
Navigation: All Apps shows a tabbed view of Featured, All, and Categories for easier navigation.
Contact IT has been streamlined for improved readability.
January 2017
Modernizing the Company Portal website
Beginning in February, the Company Portal website will support apps that are targeted to users who do not
have managed devices. The website will align with other Microsoft products and services by using a new
contrasting color scheme, dynamic illustrations, and a "hamburger menu," which will contain helpdesk
contact details and information on existing managed devices. The landing page will be rearranged to
emphasize apps that are available to users, with carousels for Featured and Recently Updated apps.
See also
Microsoft Intune Blog
Cloud Platform roadmap
What's new in Intune
In development for Microsoft Intune
9/4/2020 • 29 minutes to read
To help in your readiness and planning, this page lists Intune UI updates and features that are in development but
not yet released. In addition to the information on this page:
If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office
message center.
When a feature enters production, whether it's a preview or generally available, the feature description will
move from this page to What's new.
This page and the What's new page are updated periodically. Check back for additional updates.
Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.
NOTE
This page reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features
might change. This page doesn't describe all features in development.
RSS feed : Find out when this page is updated by copying and pasting the following URL into your feed reader:
https://docs.microsoft.com/api/search/rss?search=%22in+development+-+microsoft+intune%22&locale=en-us
This article was last updated on the date listed under the title above.
App management
Update to device icons in Company Portal and Intune apps on Android
We're updating the device icons in the Company Portal and Intune apps on Android devices to create a more
modern look and feel and to align with the Microsoft Fluent Design System. For related information, see Update to
icons in Company Portal app for iOS/iPadOS and macOS.
iOS Company Portal will support Apple's Automated Device Enrollment without user affinity
iOS Company Portal will be supported on devices enrolled using Apple's Automated Device Enrollment without
requiring an assigned user. An end user can sign in to the iOS Company Portal to establish themselves as the
primary user on an iOS/iPadOS device enrolled without device affinity. For more information about Automated
Device Enrollment, see Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrollment.
Device configuration
Create PKCS certificate profiles for Android Enterprise Fully Managed devices (COBO)
You can create PKCS certificate profiles to deploy certificates to Android Enterprise Device owner and Work profile
devices (Devices > Configuration profiles > Create profile > Android Enterprise > Device owner only,
or Android Enterprise > Work profile only for platform > PKCS for profile).
Soon you'll be able to create PKCS certificate profiles for Android Enterprise Fully Managed devices. The Intune PFX
certificate connector is required. If you don't use SCEP, and only use PKCS, you can remove the NDES connector
after you install the new PFX connector. The new PFX connector imports PFX files, and deploys PKCS certificates to
all platforms.
For more information on PKCS certificates, see Configure and use PKCS certificates with Intune.
Applies to:
Android Enterprise fully managed (COBO)
Support for certificates with a key size of 4096 on iOS and macOS devices
Intune will soon support use of a key size of 4096 bits for SCEP certificate profiles. (Devices > Configuration
profiles > Create profile > select a platform > Profile = SCEP certificate)
Support for 4096-bit keys will be for the following platforms:
iOS 14 and later
macOS 11 and later
New setting for Password complexity for Android 10 and later
To support new options for Android 10 and later, we're adding a new setting called Password complexity to both
Device compliance policy and Device restriction policy (Devices > Configuration profiles > Create profile >
Device restrictions and Devices > Compliance policies > Create Policy). With this setting you'll be able to
manage a measure of password strength that factors in password type, length, and quality.
The following complexity levels will be supported:
None - No password
Low - The password satisfies one of the following:
Pattern
PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
Medium - The password satisfies one of the following:
PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
Alphabetic, length at least 4
Alphanumeric, length at least 4
High - The Password satisfies one of the following:
PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
Alphabetic, length at least 6
Alphanumeric, length at least 6
Password Complexity doesn’t apply to Samsung Knox devices running Android 10 and later. On these devices,
Password Length and/or Password Type settings override Password Complexity.
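The bucket rules above are easier to reason about, and to test against a helpdesk's "why is this device non-compliant" questions, as code. The following Python is an added example, not Intune or Android product code. It models the four levels listed above and uses the rule from Android's PasswordMetrics that a PIN counts as repeating or ordered when more than three adjacent digits share a constant step (so 1234, 4321, 2468 and 4444 are Low, while 1235 and 2580 are not sequential). The PIN/alphabetic/alphanumeric split is inferred from the characters and is a simplification of Android's metrics; credentials shorter than any bucket requires are treated as Low. The Samsung Knox exception noted above is not modeled.

```python
# Added example (not Intune or Android product code): classify a screen-lock
# credential into the Android 10+ Password complexity buckets listed above.
# Assumptions: ASCII credentials; the type split below is a simplification of
# Android's PasswordMetrics; MAX_ALLOWED_SEQUENCE mirrors Android's constant.
from typing import Tuple

MAX_ALLOWED_SEQUENCE = 3                 # longest constant-step run a PIN may contain
LEVELS = ("None", "Low", "Medium", "High")


def longest_constant_step_run(digits: str) -> int:
    """Length of the longest run of adjacent digits with a constant step.

    Step 0 is a repeat (4444); steps of +/-1 or +/-2 give the ordered
    sequences the page lists (1234, 4321, 2468). "1235" scores 3 because
    only "123" shares a step, so it passes the sequence check.
    """
    n = len(digits)
    if n < 2:
        return n
    best, start, prev_step = 0, 0, None
    for i in range(1, n):
        step = int(digits[i]) - int(digits[i - 1])
        if prev_step is not None and step != prev_step:
            best = max(best, i - start)      # close the run that just ended
            start = i - 1                    # the new run starts one digit back
        prev_step = step
    return max(best, n - start)


def password_type(secret: str) -> str:
    """pin / alphabetic / alphanumeric, as the bucket table distinguishes them."""
    if all(c in "0123456789" for c in secret):
        return "pin"
    if secret.isalpha():
        return "alphabetic"
    return "alphanumeric"                    # letters mixed with digits or symbols


def classify(secret: str, kind: str = "password") -> Tuple[str, str]:
    """Return (password type, complexity level).

    kind is "none" (no screen lock), "pattern" (swipe pattern; secret is
    ignored) or "password" (PIN, alphabetic or alphanumeric, inferred).
    """
    if kind == "pattern":
        return ("pattern", "Low")
    if kind == "none" or not secret:
        return ("none", "None")
    ptype = password_type(secret)
    if ptype == "pin":
        if longest_constant_step_run(secret) > MAX_ALLOWED_SEQUENCE:
            return (ptype, "Low")            # repeating or ordered PIN
        high_len, medium_len = 8, 4
    else:
        high_len, medium_len = 6, 4          # alphabetic and alphanumeric
    if len(secret) >= high_len:
        return (ptype, "High")
    if len(secret) >= medium_len:
        return (ptype, "Medium")
    return (ptype, "Low")                    # shorter than any bucket requires


def meets(secret: str, required: str, kind: str = "password") -> bool:
    """Compliance check: does the credential reach the level the admin requires?"""
    _, level = classify(secret, kind)
    return LEVELS.index(level) >= LEVELS.index(required)


if __name__ == "__main__":
    for sample in ("4444", "1234", "1235", "2580", "25803791", "abcd", "a1b2c3"):
        print(sample, classify(sample), "meets Medium:", meets(sample, "Medium"))
```

The sequence rule is the part that surprises people: a PIN of the required length still lands in Low if it is a straight run, so a compliance policy set to Medium rejects 123456 but accepts 2580.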
COPE preview update: New settings to create requirements for the work profile password for Android
Enterprise corporate-owned devices with a work profile
Future settings will give admins the ability to set requirements for the work profile password for Android
Enterprise corporate-owned devices with a work profile. (Devices > Configuration profiles > Create profile >
Android Enterprise for platform > Fully Managed, Dedicated, and Corporate-Owned Work profile >
Device restrictions for profile > Work profile password):
Required password type
Minimum password length
Number of days until password expires
Number of passwords required before user can reuse a password
Number of sign-in failures before wiping device
New settings using per-app VPN or on-demand VPN on iOS/iPadOS and macOS devices
Prevent users from disabling automatic VPN: When creating an automatic Per-app VPN or On-demand
VPN connection, you can force users to keep the automatic VPN enabled and running.
Associated domains: When creating an automatic Per-app VPN connection, you can specify associated
domains in the VPN profile that automatically start the VPN connection.
Excluded domains: When creating an automatic Per-app VPN connection, you can create a list of domains
that can bypass the VPN connection when per-app VPN is connected.
You can configure automatic VPN profiles in Devices > Configuration profiles > Create profile >
iOS/iPadOS or macOS for platform > VPN for profile > Automatic VPN.
For more information on associated domains, see Associated domains.
To see the settings you can configure, see Set up per-app Virtual Private Network (VPN) for iOS/iPadOS devices.
Applies to:
iOS/iPadOS 14 and newer
macOS Big Sur (macOS 11)
COPE preview update: New settings to configure the personal profile for Android Enterprise corporate-owned
devices with a work profile
For Android Enterprise corporate-owned devices with a work profile, there are new settings you can configure that
only apply to the personal profile (Devices > Configuration profiles > Create profile > Android Enterprise
for platform > Fully Managed, Dedicated, and Corporate-Owned Work profile > Device restrictions for
profile > Personal profile):
Camera: Use this setting to block access to the camera during personal usage.
Screen capture: Use this setting to block screen captures during personal usage.
Allow users to enable app installation from unknown sources in the personal profile: Use this
setting to allow users to install apps from unknown sources in the personal profile.
To see the current settings you can configure, go to Android Enterprise device settings to allow or restrict features.
Block App Clips on iOS/iPadOS, and Defer non-OS software updates on macOS devices
When you create a Device Restrictions profile for iOS/iPadOS and macOS devices, there are some new settings:
iOS/iPadOS 14.0+ Block App Clips
Applies to iOS/iPadOS 14.0 and newer.
Devices must be enrolled with device enrollment or automated device enrollment (supervised devices).
The Block App Clips setting blocks App Clips on managed devices (Devices > Configuration profiles >
Create profile > iOS/iPadOS for platform > Device restrictions for profile > General). When blocked,
users can't add any App Clips, and any existing App Clips are removed from the device.
macOS 11+ Defer software updates
Applies to macOS 11 and newer. On supervised macOS devices, the device must have user approved device
enrollment, or enrolled through automated device enrollment.
The Defer software updates setting delays user visibility of non-OS software updates (Devices >
Configuration profiles > Create profile > macOS for platform > Device restrictions for profile >
General). If you defer these updates, newly released updates aren't visible to users until after the deferral
period, which is configured using the Delay visibility of software updates setting. Deferring non-operating
system software updates doesn't impact scheduled updates.
The existing Defer software updates setting is combined with this new setting. Using the new setting, you
can defer OS software updates, and non-OS software updates. You continue to use the Delay visibility of
software updates setting to set the number of days, which will apply to both settings that defer software
updates.
The behavior of existing policies isn't changed, affected, or deleted. Existing policies will automatically migrate to
the new setting with your same configuration.
Disable MAC address randomization on Wi-Fi networks on iOS/iPadOS devices
Starting with iOS/iPadOS 14, by default, devices present a randomized MAC address when connecting to a network
instead of the physical MAC address. This behavior is recommended for privacy, as it's harder to track a device by
its MAC address. This feature also breaks functionality that relies on a static MAC address, including network access
control (NAC).
You can disable MAC address randomization on a per-network basis in Wi-Fi profiles (Devices > Configuration
profiles > Create profile > iOS/iPadOS for platform > Wi-Fi for profile > Basic or Enterprise for Wi-Fi type).
To see the settings you can currently configure, go to Add Wi-Fi settings for iOS and iPadOS devices.
Applies to:
iOS/iPadOS 14 and newer
Set maximum transmission unit for IKEv2 VPN connections on iOS/iPadOS devices
Starting with iOS/iPadOS 14 and newer devices, you can configure a custom maximum transmission unit (MTU)
when using IKEv2 VPN connections (Devices > Configuration profiles > Create profile > iOS/iPadOS for
platform > VPN for profile > IKEv2 for connection type).
For more information on the settings you can configure, see IKEv2 settings.
Applies to:
iOS/iPadOS 14 and newer
Per-account VPN connection for email profiles on iOS/iPadOS devices
Starting with iOS/iPadOS 14, email traffic for the native Mail app can be routed through a VPN based on the
account the user is using. Now, you can specify a per-app VPN profile to use for this account-based VPN
connection. The per-app VPN connection automatically turns on when users use their organization account in the
Mail app.
To see the settings you can currently configure, go to Add e-mail settings for iOS and iPadOS devices.
Applies to:
iOS/iPadOS 14 and newer
Use NetMotion as a VPN connection type for Android Enterprise work profile devices
When you create a VPN profile, NetMotion is available as a VPN connection type (Devices > Device
configuration > Create profile > Android Enterprise work profile for platform > VPN for profile >
NetMotion for connection type).
For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.
Applies to:
Android Enterprise work profile
Changes for Password settings in Device restriction profiles for Android device administrator
We’re introducing a few changes for password settings for Device restriction and compliance policies for Android
device administrator. (Devices > Configuration profiles > Create profile > Device restrictions and Devices
> Compliance policies > Create Policy ) These changes help Intune accommodate changes in Android version
10 and later, to ensure settings for passwords continue to apply to devices as expected.
Changes include:
Removal of the top-level option for Password .
Settings will be reorganized into sections that are based on which devices they apply to.
The Minimum password length will be disabled for use unless Password type is configured to a value
where the password length applies.
Additional updates to labels and example text.
These changes apply to the UI for settings, and won’t affect existing profiles.
Device enrollment
Ending support for iOS 11
After iOS 14 releases, Intune enrollment and the Company Portal app will support iOS versions 12 and later. Older
versions won't be supported but will continue to receive policies.
Ending support for macOS 10.12
After macOS 11 releases, Intune enrollment and the Company Portal will support macOS versions 10.13 and later.
Older versions won't be supported.
Device management
PowerShell scripts support for BYOD devices
PowerShell scripts will support Azure AD registered devices in Intune. For more information about PowerShell, see
Use PowerShell scripts on Windows 10 devices in Intune. This functionality does not support devices running
Windows 10 Home edition.
Log Analytics will include device details log
Intune device detail logs will be available in Reports > Log analytics. You can correlate device details to build
custom queries and Azure workbooks.
Tenant attach: Device timeline in the admin center
When Configuration Manager synchronizes a device to Microsoft Endpoint Manager through tenant attach, you'll
be able to see a timeline of events. This timeline shows past activity on the device that can help you troubleshoot
problems. For more information, see Configuration Manager technical preview 2005.
Tenant attach: Install an application from the admin center
You'll be able to initiate an application install in real time for a tenant attached device from the Microsoft Endpoint
Management admin center. For more information, see Configuration Manager technical preview 2005.
Tenant attach: CMPivot from the admin center
You'll be able to bring the power of CMPivot to the Microsoft Endpoint Manager admin center. Allow additional
personas, like Helpdesk, to be able to initiate real-time queries from the cloud against an individual ConfigMgr
managed device and return the results back to the admin center. This gives all the traditional benefits of CMPivot,
which allows IT Admins and other designated personas the ability to quickly assess the state of devices in their
environment and take action. For more information, see Configuration Manager technical preview 2005.
Tenant attach: Run Scripts from the admin center
You'll be able to bring the power of the Configuration Manager on-premises Run Scripts feature to the Microsoft
Endpoint Manager admin center. Allow additional personas, like Helpdesk, to run PowerShell scripts from the cloud
against an individual Configuration Manager managed device. This gives all the traditional benefits of PowerShell
scripts that have already been defined and approved by the Configuration Manager admin to this new
environment. For more information, see Configuration Manager technical preview 2005.
Deploy Software Updates to macOS devices
You'll be able to deploy Software Updates to groups of macOS devices. This feature includes critical, firmware,
configuration file, and other updates. You'll be able to send updates on the next device check-in or select a weekly
schedule to deploy updates in or out of time windows that you set. This helps when you want to update devices
outside standard work hours or when your help desk is fully staffed. You'll also get a detailed report of all macOS
devices with updates deployed. You can drill into the report on a per-device basis to see the statuses of particular
updates.
COPE preview update: Reset work profile password for Android Enterprise corporate-owned devices with a
work profile
A future admin action will let admins reset the work profile password on Android Enterprise corporate-owned
devices with a work profile.
Rename a co-managed device that is Azure Active Directory joined
You'll be able to rename a co-managed device that is Azure AD joined. To do so, go to MEM > Devices > All
devices > choose a device > ... > Rename device.
Support for PowerPrecision and PowerPrecision+ Batteries for Zebra devices
On a device's hardware details page, you'll be able to see the following information about Zebra devices using
PowerPrecision and PowerPrecision+ batteries:
State-of-Health rating as determined by Zebra (PowerPrecision+ batteries only)
Number of full charge cycles consumed
Date of last check-in for battery last found in the device
Serial number of the battery pack last found in the device
Intune apps
Unified delivery of Azure AD Enterprise and Office Online applications in the Windows Company Portal
In the 2006 release, we announced Unified delivery of Azure AD Enterprise and Office Online applications in the
Company Portal. This feature will be supported in the Windows Company Portal. On the Customization pane of
Intune, you will be able to select to Hide or Show both Azure AD Enterprise applications and Office Online
applications in the Windows Company Portal. Each end-user will see their entire application catalog from the
chosen Microsoft service. By default, each additional app source will be set to Hide. In the Microsoft Endpoint
Manager admin center, you will select Tenant administration > Customization to find this configuration
setting. For related information, see How to customize the Intune Company Portal apps, Company Portal website,
and Intune app.
Security
App protection policy support for Symantec Endpoint Security and Check Point Sandblast
In October of 2019, Intune app protection policy added the capability to use data from some of our Microsoft
Threat Defense partners (MTD partners). We are adding support for the following partners, to use an app
protection policy to block, or selectively wipe the user's corporate data based on the health of a device:
Check Point Sandblast on Android, iOS and iPadOS
Symantec Endpoint Security on Android, iOS and iPadOS
For information about using app protection policy with MTD partners, see Create Mobile Threat Defense app
protection policy with Intune.
Microsoft Defender ATP creates Endpoint Manager Security task with vulnerability details
Threat and Vulnerability Management (TVM) in Microsoft Defender ATP discovers misconfigured security settings
on devices. Administrators use this information to update vulnerable devices.
Soon, Microsoft Defender ATP can raise an Endpoint Manager Security task (Endpoint Manager > Endpoint
Security > Security tasks) with the vulnerability details, and show the affected devices. IT administrators can
accept the security task, and deploy the required configuration.
For more information on security tasks, see Use Intune to remediate vulnerabilities identified by Microsoft
Defender ATP.
Improved certificate deployment for Android Enterprise
Devices that run Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profiles will soon be
able to use S/MIME certificates for Outlook without a device user having to allow access. S/MIME certificates are
deployed by using a PKCS imported certificate profile for Device configuration (Devices > Configuration profiles
> Create profile > Android Enterprise > PKCS imported certificate from the category for Fully Managed,
Dedicated, and Corporate-Owned Work Profile).
Tri-state options for settings are coming to Endpoint Security Firewall policy
We’re adding a third state of configuration for settings in Endpoint security Firewall policies, where the platform
(Windows or macOS) can support the additional option (Endpoint security > Firewall).
For example, where a setting currently offers Not configured and Yes, if supported by the platform, we’ll be
adding the option No.
New Security baseline for Office
We're adding a new security baseline (Endpoint security > Security baselines) to manage settings for
Microsoft Office O365. Settings in the baseline will include configurations for Office apps like Add-on
Management, MIME handling, and more.
Improved status details in security baseline reports
We’re improving the status details you’ll see when viewing the results of your deployed security baselines
(Endpoint security > Security baselines > select a security baseline type, like Windows 10 Security
Baselines > Profiles > select an instance of that profile to view status > select a profile report, like Device
status).
The improvements will revise the common labels and definitions we use for status to better fit the intent of the
status. For example:
Matches baseline will update to Matches default settings, which better describes the intent to identify
when a device's configuration matches the default (unmodified) baseline configuration.
Misconfigured will be broken into more specific details, like Error, Conflict, and Pending. The new states will
bring consistency with other areas of the console.
Expanded RBAC permissions for the Endpoint Security role
The Endpoint Security Manager role for Intune is receiving additional role-based access control (RBAC)
permissions for remote tasks. This role grants access to the Microsoft Endpoint Manager admin center and can be
used by individuals who manage security and compliance features, including security baselines, device compliance,
conditional access, and Microsoft Defender Advanced Threat Protection.
To view the permissions for an Intune RBAC role, go to Tenant admin > Intune roles > select a role >
Permissions.
Expanded permissions for remote tasks include the following:
Reboot now
Remote lock
Rotate BitLocker keys (Preview)
Rotate FileVault key
Sync devices
Microsoft Defender
Initiate Configuration Manager action
Updates for Security Baselines
We’ll soon release updates to the following security baselines (Endpoint security > Security baselines):
MDM Security baseline (Windows 10 Security)
Microsoft Defender ATP baseline
Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations
recommended by the respective product teams.
Use Endpoint security configuration details to identify the source of policy conflicts for devices
To aid in conflict resolution, you’ll soon be able to drill-in through a security baseline profile to view the Endpoint
security configuration for a selected device. From there, you can select settings that show a Conflict or Error and
continue to drill-in further to view a list of details that includes the profiles and policies that are part of the conflict.
If you then select a policy that is a source of a conflict, Intune opens that policy's Overview pane, from where you
can review or modify the policy's configuration (Devices > select a device > Endpoint security configuration
> select a profile or baseline > select a setting from the list of settings applied to the device).
The following policy types can be identified as a source of conflict when you drill in through a security baseline:
Device configuration policy
Endpoint security policies
New details in the Endpoint security configuration for a device
We’re adding new details for devices that are available to view as part of a device's Endpoint security configuration
(Endpoint security > Security baselines > selected baseline > Profiles > selected profile > Device status >
Endpoint security configuration). The new details:
UPN (User Principal Name): The UPN identifies which endpoint security profile is assigned to a given user on
the device. This is useful to help differentiate between multiple users on a device and multiple entries of a
profile or baseline that’s assigned to the device.
Worst status: This detail identifies the least favorable status condition for the device. When this status is
Success, the device has no policy conflicts or errors.
Android 11 deprecates deployment of trusted root certificates to device administrator enrolled devices
With Android 11, trusted root certificates can no longer be deployed to devices that are enrolled as Android device
administrator. This change doesn’t affect Samsung Knox devices because of Intune’s integration with the Knox
platform. For non-Samsung devices, users must manually install the trusted root certificate on the device.
With the trusted root certificate manually installed on a device, you can then use SCEP to provision certificates to
the device. In this scenario you must still create and deploy a trusted certificate policy to the device and link that
policy to the SCEP certificate profile.
If the trusted root certificate is on the device, then the SCEP certificate profile will install successfully.
If the trusted certificate cannot be found, the SCEP certificate profile will fail.
Notices
These notices provide important information that can help you prepare for future Intune changes and features.
Updated end-user experience for Android device administrator Wi-Fi profiles
Due to a change made by Google, the end-user experience for new Wi-Fi profiles is significantly different starting
in the October release of the Company Portal app. Users will need to accept additional permissions, and explicitly
accept Wi-Fi configurations when they're deployed. Wi-Fi configurations will not appear in the known Wi-Fi
networks list, but will automatically connect when in range. There are no changes in behavior for existing Wi-Fi
profiles. There are also no changes to the admin experience in the Endpoint Manager admin center.
Applies to:
Android device administrator, Android 10 and later
Microsoft Intune ends support for Windows Phone 8.1 and Windows 10 Mobile
Microsoft mainstream support for Windows Phone 8.1 ended in July 2017 and extended support ended in June
2019. The Company Portal app for Windows Phone 8.1 has been in sustain mode since October 2017. Additionally,
Microsoft Intune has ended support on February 20, 2020 for Windows Phone 8.1.
Microsoft mainstream support for Windows 10 Mobile ended in December 2019. As mentioned in the support
statement, Windows 10 Mobile users will no longer be eligible to receive new security updates, non-security
hotfixes, free assisted support options or online technical content updates from Microsoft. Based on the all-up
Mobile OS support, Microsoft Intune ends support for both the Company Portal for the Windows 10 Mobile app
and the Windows 10 Mobile Operating System on August 10, 2020.
As of August 10, enrollments for Windows Phone 8.1 and Windows 10 Mobile devices will fail and Windows
Mobile profile types are removed from the Intune UI. Devices already enrolled will no longer check into the Intune
service and we will delete device and policy data.
End of support for legacy PC management
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and
reenroll them as Mobile Device Management (MDM) devices to keep them managed by Intune.
Learn more
Move to the Microsoft Endpoint Manager admin center for all your Intune management
In MC208118 posted last March, we introduced a new, simple URL for your Microsoft Endpoint Manager – Intune
administration: https://endpoint.microsoft.com. Microsoft Endpoint Manager is a unified platform that includes
Microsoft Intune and Configuration Manager. Starting August 1, 2020, we will remove Intune administration at
https://portal.azure.com and recommend you instead use https://endpoint.microsoft.com for all your endpoint
management.
Decreasing support for Android device administrator
Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then
beginning with Android 5, the more modern management framework of Android Enterprise was released (for
devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device
administrator management by decreasing its management support in new Android releases.
How does this affect me?
Because of these changes by Google, in October 2020, you will no longer have as extensive management
capabilities on impacted device administrator-managed devices.
NOTE
This date was previously communicated as fourth quarter of 2020, but it has been moved out based on the latest
information from Google.
Devices that will be impacted by the decreasing device administrator support are those for which all three
conditions below apply:
Enrolled in device administrator management.
Running Android 10 or later.
Not a Samsung device.
Devices will not be impacted if they are any of the below:
Not enrolled with device administrator management.
Running an Android version below Android 10.
Samsung devices. Samsung Knox devices won't be impacted in this timeframe because extended support is
provided through Intune’s integration with the Knox platform. This gives you additional time to plan the
transition off device administrator management for Samsung devices.
Settings that will be impacted
Google's decreased device administrator support prevents configuration of these settings from applying on
impacted devices.
Configuration profile device restriction settings
Block Camera
Set Minimum password length
Set Number of sign-in failures before wiping device (will not apply on devices without a password set,
but will apply on devices with a password)
Set Password expiration (days)
Set Required password type
Set Prevent use of previous passwords
Block Smart Lock and other trust agents
Compliance policy settings
See also
For details about recent developments, see What's new in Microsoft Intune.
What's new in Microsoft Intune
9/4/2020 • 88 minutes to read
Learn what's new each week in Microsoft Intune in Microsoft Endpoint Manager admin center. You can also find
important notices, past releases, and information about how Intune service updates are released.
NOTE
Each monthly update may take up to three days to rollout and will be in the following order:
Day 1: Asia Pacific (APAC)
Day 2: Europe, Middle East, Africa (EMEA)
Day 3: North America
Day 4+: Intune for Government
Some features may roll out over several weeks and might not be available to all customers in the first week.
Check the In development page for a list of upcoming features in a release.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed
reader:
https://docs.microsoft.com/api/search/rss?search=%22What%27s+new+in+microsoft+intune%3F+-+Azure%22&locale=en-us
IMPORTANT
On macOS, the Microsoft Azure AD SSO extension is still being developed. It's listed in the Intune user interface, but
doesn't work as expected. On macOS, don't use Microsoft Azure AD for the SSO app extension type.
The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension to allow macOS 10.15+ users
to gain access to Microsoft apps, organization apps, and websites that support Apple's SSO feature and
authenticate using Azure AD, with one sign-on. With the Microsoft Enterprise SSO plug-in release, you can
configure the SSO extension with the new Microsoft Azure AD app extension type (Devices > Configuration
profiles > Create profile > macOS for platform > Device features for profile > Single sign-on app
extension > SSO app extension type > Microsoft Azure AD).
To achieve SSO with the Microsoft Azure AD SSO app extension type, users need to install and sign in to the
Company Portal app on their macOS devices.
For more information about macOS SSO app extensions, see Single sign-on app extension.
Applies to:
macOS 10.15 and newer
Prevent users from unlocking Android Enterprise work profile devices using face and iris scanning
You can now prevent users from using face or iris scanning to unlock their work profile managed devices, either
at the device level or the work profile level. This can be set in Devices > Configuration profiles > Create
profile > Android Enterprise for platform > Work profile > Device restrictions for profile > Work
profile settings and Password sections.
For more information, see Android Enterprise device settings to allow or restrict features using Intune.
Applies to:
Android Enterprise work profile
Use SSO app extensions on more iOS/iPadOS apps with the Microsoft Enterprise SSO plug-in
The Microsoft Enterprise SSO plug-in for Apple devices can be used with all apps that support SSO app
extensions. In Intune, this feature means the plug-in works with mobile iOS/iPadOS apps that don't use the
Microsoft Authentication Library (MSAL) for Apple devices. The apps don't need to use MSAL, but they do need to
authenticate with Azure AD endpoints.
To configure your iOS/iPadOS apps to use SSO with the plug-in, add the app bundle identifiers in an iOS/iPadOS
configuration profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform >
Device features for profile > Single sign-on app extension > Microsoft Azure AD for SSO app extension
type > App bundle IDs).
To see the current SSO app extension settings you can configure, go to Single sign-on app extension.
Applies to:
iOS/iPadOS
Device security
Deploy endpoint security Antivirus policy to tenant attached devices (preview)
As a preview, you can deploy endpoint security policy for Antivirus to devices you manage with Configuration
Manager. This scenario requires you to configure a tenant attach between a supported version of Configuration
Manager and your Intune subscription. The following versions of Configuration Manager are supported:
Configuration Manager current branch 2006
For more information, see the requirements for Intune endpoint security policies to support Tenant Attach.
Changes for Endpoint security Antivirus policy exclusions
We’ve introduced two changes for managing the Microsoft Defender Antivirus exclusion lists you configure as
part of an Endpoint Security Antivirus policy. The changes help you to prevent conflicts between different policies
and resolve exclusion list conflicts that might exist in your previously deployed policies.
Both of the changes apply to policy settings for the following Microsoft Defender Antivirus Configuration Service
Providers (CSPs):
Defender/ExcludedPaths
Defender/ExcludedExtensions
Defender/ExcludedProcesses
The changes are:
New profile type: Microsoft Defender Antivirus exclusions - Use this new profile type for Windows 10
and later to define a policy that is focused only on Antivirus exclusions. This profile helps simplify
management of your exclusion lists by separating them from other policy configurations.
The exclusions you can configure include Defender processes, file extensions, and files and folders that you
don’t want Microsoft Defender to scan.
Policy merge – Intune now merges the list of exclusions you’ve defined in separate profiles into a single
list of exclusions to apply to each device or user. For example, if you target a user with three separate
policies, the exclusion lists from those three policies merge into a single superset of Microsoft Defender
Antivirus exclusions, that then apply to that user.
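As an added Go example (not Intune's code) of what the merge implies for a defender: three constructed profiles targeted at the same user are unioned into one superset, and the result is then scanned for entries broad enough to deserve review, since the union inherits the widest exclusion any one profile carried. The profile names, sample entries and the "broad" heuristics are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// ExclusionProfile holds the three Microsoft Defender Antivirus exclusion lists one Intune
// profile can carry (Defender/ExcludedPaths, Defender/ExcludedExtensions, Defender/ExcludedProcesses).
type ExclusionProfile struct {
	Name       string
	Paths      []string
	Extensions []string
	Processes  []string
}

// Merged is the single superset that reaches a device or user, with per-entry provenance.
type Merged struct {
	Paths      []string
	Extensions []string
	Processes  []string
	Source     map[string][]string // "kind:entry" -> names of the profiles that contributed it
}

// canonPath lowercases (Windows paths are case-insensitive) and drops a trailing backslash.
func canonPath(s string) string {
	return strings.TrimRight(strings.ToLower(strings.TrimSpace(s)), `\`)
}

// canonExt lowercases and strips a leading dot so ".tmp" and "tmp" are one entry.
func canonExt(s string) string {
	return strings.TrimPrefix(strings.ToLower(strings.TrimSpace(s)), ".")
}

// MergeExclusions unions the lists of every profile targeted at the same device or user,
// deduplicating after canonicalization and keeping first-seen order.
func MergeExclusions(profiles ...ExclusionProfile) Merged {
	m := Merged{Source: map[string][]string{}}
	add := func(dst *[]string, kind string, canon func(string) string, from string, items []string) {
		for _, item := range items {
			c := canon(item)
			if c == "" {
				continue
			}
			key := kind + ":" + c
			if _, seen := m.Source[key]; !seen {
				*dst = append(*dst, c)
			}
			m.Source[key] = append(m.Source[key], from)
		}
	}
	for _, p := range profiles {
		add(&m.Paths, "path", canonPath, p.Name, p.Paths)
		add(&m.Extensions, "ext", canonExt, p.Name, p.Extensions)
		add(&m.Processes, "process", canonPath, p.Name, p.Processes)
	}
	return m
}

// BroadEntries flags merged entries wide enough to deserve review: the superset inherits
// the widest exclusion from any one profile, so a single careless profile widens the scan
// gap for everyone it is merged with. The thresholds are this example's own heuristics.
func BroadEntries(m Merged) []string {
	var out []string
	for _, p := range m.Paths {
		if len(p) <= 2 || p == `c:\windows` || p == `c:\users` { // a whole drive or system tree
			out = append(out, "path:"+p)
		}
	}
	for _, e := range m.Extensions {
		switch e {
		case "exe", "dll", "ps1", "js", "vbs", "bat", "cmd", "scr": // executable content
			out = append(out, "ext:"+e)
		}
	}
	for _, pr := range m.Processes {
		if strings.Contains(pr, "*") || strings.HasPrefix(pr, `c:\users\`) { // wildcard or user-writable
			out = append(out, "process:"+pr)
		}
	}
	return out
}

// SampleProfiles returns constructed sample policies with the kind of overlap the merge resolves.
func SampleProfiles() []ExclusionProfile {
	return []ExclusionProfile{
		{Name: "SQL servers", Paths: []string{`C:\SQLData\`, `D:\Backups`},
			Extensions: []string{".mdf", "ldf"}, Processes: []string{"sqlservr.exe"}},
		{Name: "Developers", Paths: []string{`c:\sqldata`, `C:\Users\dev\repos`},
			Extensions: []string{".tmp"}, Processes: []string{`C:\Users\dev\tools\build.exe`}},
		{Name: "Legacy app", Paths: []string{`C:\`},
			Extensions: []string{"exe"}, Processes: []string{"SQLSERVR.EXE"}},
	}
}

func main() {
	m := MergeExclusions(SampleProfiles()...)
	fmt.Println("merged:", m.Paths, m.Extensions, m.Processes, "review:", BroadEntries(m))
}
```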
Import and export lists of address ranges for Windows firewall rules
We've added support to Import or Export a list of address ranges using .csv files to the Microsoft Defender
Firewall rules profile in the Firewall policy for Endpoint security. The following Windows firewall rule settings now
support import and export:
Local address ranges
Remote address ranges
We've also improved validation of both local and remote address range entry to help prevent duplicate or invalid
entries.
For more information about these settings, see the settings for Microsoft Defender Firewall rules.
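As an added Go example (not Intune's import code), the kind of pre-import validation the text describes: each entry of a constructed one-column .csv is parsed as a single address, a CIDR prefix or a first-last range (the accepted forms assumed here), canonicalized so that spelling differences cannot hide duplicates, and either accepted or rejected with a reason.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"net/netip"
	"strings"
)

// Report separates what an import would accept from what it would reject.
type Report struct {
	Accepted []string          // canonical form of each valid, unique entry, in file order
	Rejected map[string]string // original entry -> reason
}

// canonical parses one entry in the three forms this example accepts (a single
// address, a CIDR prefix, or a "first-last" range) and returns a normalized form.
func canonical(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if s == "" {
		return "", fmt.Errorf("empty entry")
	}
	if p, err := netip.ParsePrefix(s); err == nil {
		return p.Masked().String(), nil // 10.1.2.3/8 becomes 10.0.0.0/8
	}
	if a, err := netip.ParseAddr(s); err == nil {
		return a.String(), nil
	}
	if first, last, ok := strings.Cut(s, "-"); ok {
		lo, err1 := netip.ParseAddr(strings.TrimSpace(first))
		hi, err2 := netip.ParseAddr(strings.TrimSpace(last))
		switch {
		case err1 != nil || err2 != nil:
			return "", fmt.Errorf("range bounds are not valid addresses")
		case lo.Is4() != hi.Is4():
			return "", fmt.Errorf("range mixes IPv4 and IPv6")
		case lo.Compare(hi) > 0:
			return "", fmt.Errorf("range start is after range end")
		}
		return lo.String() + "-" + hi.String(), nil
	}
	return "", fmt.Errorf("not an address, CIDR prefix, or first-last range")
}

// ValidateRanges reads a one-column CSV (the layout assumed here), rejects invalid
// entries, and rejects any entry whose canonical form was already accepted.
func ValidateRanges(csvText string) (Report, error) {
	rep := Report{Rejected: map[string]string{}}
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return rep, err
	}
	seen := map[string]bool{}
	for _, row := range rows {
		raw := row[0]
		canon, err := canonical(raw)
		switch {
		case err != nil:
			rep.Rejected[raw] = err.Error()
		case seen[canon]:
			rep.Rejected[raw] = "duplicate of " + canon
		default:
			seen[canon] = true
			rep.Accepted = append(rep.Accepted, canon)
		}
	}
	return rep, nil
}

// SampleCSV is a constructed import file mixing valid, duplicate and invalid entries.
const SampleCSV = `10.0.0.0/8
10.1.2.3/8
192.168.10.5
192.168.10.5
172.16.0.10-172.16.0.20
172.16.0.20-172.16.0.10
2001:db8::/32
300.1.1.1
`

func main() {
	rep, err := ValidateRanges(SampleCSV)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", rep.Accepted)
	for raw, why := range rep.Rejected {
		fmt.Printf("rejected %q: %s\n", raw, why)
	}
}
```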
IMPORTANT
Existing policies created prior to the release of this feature (April 2020 release - 2004) that do not have any certificate
profiles associated with the policy will default to Work Profile and Device Owner Profile for device enrollment type. Also,
existing policies created prior to the release of this feature that have certificate profiles associated with them will default to
Work Profile only.
Additionally, we are adding Gmail and Nine email configuration profiles that will work for both Work Profile and
Device Owner enrollment types, including the use of certificate profiles on both email configuration types. Any
Gmail or Nine policies that you have created under Device Configuration for Work Profiles will continue to apply
to the device and it is not necessary to move them to app configuration policies.
In the Microsoft Endpoint Manager admin center, you can find app configuration policies by selecting Apps >
App configuration policies. For more information about app configuration policies, see App configuration
policies for Microsoft Intune.
Push notification when device ownership type is changed
You can configure a push notification to send to both your Android and iOS Company Portal users when their
device ownership type has been changed from Personal to Corporate as a privacy courtesy. This push notification
is set to off by default. The setting can be found in the Microsoft Endpoint Manager by selecting Tenant
administration > Customization. To learn more about how device ownership affects your end-users, see
Change device ownership.
Group targeting support for Customization pane
You can target the settings in the Customization pane to user groups. To find these settings in Intune, navigate
to the Microsoft Endpoint Manager admin center, select Tenant administration > Customization. For more
information about customization, see How to customize the Intune Company Portal apps, Company Portal
website, and Intune app.
Device configuration
Multiple "Evaluate each connection attempt" on-demand VPN rules supported on iOS, iPadOS, and macOS
The Intune user experience allows multiple on-demand VPN rules in the same VPN profile with the Evaluate
each connection attempt action (Devices > Configuration profiles > Create profile > iOS/iPadOS or
macOS for platform > VPN for profile > Automatic VPN > On-demand).
Previously, only the first rule in the list was honored. This behavior is fixed, and Intune now evaluates all rules in
the list, in the order they appear in the on-demand rules list.
NOTE
If you have existing VPN profiles that use these on-demand VPN rules, the fix applies the next time you change the VPN
profile. For example, make a minor change, such as changing the connection name, and then save the profile.
If you're using SCEP certificates for authentication, this change causes the certificates for this VPN profile to be re-issued.
Applies to:
iOS/iPadOS
macOS
For more information on VPN profiles, see Create VPN profiles.
Additional options in SSO and SSO app extension profiles on iOS/iPadOS devices
On iOS/iPadOS devices, you can:
In SSO profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device
features for profile > Single sign-on), set the Kerberos principal name to be the Security Account Manager
(SAM) account name in SSO profiles.
In SSO app extension profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for
platform > Device features for profile > Single sign-on app extension), configure the iOS/iPadOS
Microsoft Azure AD extension with fewer clicks by using a new SSO app extension type. You can enable the
Azure AD extension for devices in shared device mode and send extension-specific data to the extension.
Applies to:
iOS/iPadOS 13.0+
For more information on using single sign-on on iOS/iPadOS devices, see Single sign-on app extension overview
and Single sign-on settings list.
Device enrollment
Delete Apple Automated Device Enrollment token when default profile is present
Previously, you couldn't delete a default profile, which meant that you couldn't delete the Automated Device
Enrollment token associated with it. Now, you can delete the token when:
no devices are assigned to the token
a default profile is present
To do so, delete the default profile and then delete the associated token. For more information, see Delete an
ADE token from Intune.
Scaled up support for Apple Automated Device Enrollment and Apple Configurator 2 devices, profiles, and tokens
To help distributed IT departments and organizations, Intune now supports up to 1000 enrollment profiles per
token, 2000 Automated Device Enrollment (formerly known as DEP) tokens per Intune account, and 75,000
devices per token. There is no specific limit for devices per enrollment profile, below the maximum number of
devices per token.
Intune now supports up to 1000 Apple Configurator 2 profiles.
For more information, see Supported volume.
All devices page column entry changes
On the All devices page, the entries for the Managed by column have changed:
Intune is now displayed instead of MDM
Co-managed is now displayed instead of MDM/ConfigMgr Agent
The export values are unchanged.
Device management
Trusted Platform Module (TPM) version information now on Device Hardware page
You can now see the TPM version number on a device's hardware page (Microsoft Endpoint Manager admin
center > Devices > choose a device > Hardware > look under System enclosure).
Monitor and troubleshoot
Collect logs to better troubleshoot scripts assigned to macOS devices
You can now collect logs for improved troubleshooting of scripts assigned to macOS devices. You can collect logs
up to 60 MB (compressed) or 25 files, whichever occurs first. For more information, see Troubleshoot macOS
shell script policies using log collection.
Security
Derived credentials to provision Android Enterprise Fully Managed devices with certificates
Intune now supports use of derived credentials as an authentication method for Android devices. Derived
credentials are an implementation of the National Institute of Standards and Technology (NIST) 800-157 standard
for deploying certificates to devices. Our support for Android expands on our support for devices that run
iOS/iPadOS.
Derived credentials rely on the use of a smart card, such as a Personal Identity Verification (PIV) card or Common
Access Card (CAC). To get a derived credential for their mobile device, users start in the Microsoft Intune app and
follow an enrollment workflow that is unique to the provider you use. Common to all providers is the
requirement to use a smart card on a computer to authenticate to the derived credential provider. That provider
then issues a certificate to the device that's derived from the user's smart card.
You can use derived credentials as the authentication method for device configuration profiles for VPN and WiFi.
You can also use them for app authentication, and S/MIME signing and encryption for applications that support it.
Intune now supports the following derived credential providers with Android:
Entrust Datacard
Intercede
A third provider, DISA Purebred, will be available for Android in a future release.
Microsoft Edge security baseline is now Generally Available
A new version of the Microsoft Edge security baseline is now available, and is released as generally available (GA).
The previous Edge baseline was in Preview. The new baseline version is April 2020 (Edge version 80 and later).
With the release of this new baseline, you'll no longer be able to create profiles based on the previous baseline
versions, but you can continue to use profiles you created with those versions. You can also choose to update
your existing profiles to use the latest baseline version.
For more information on the setting you can configure, see macOS device feature settings.
This feature applies to:
macOS
The following properties are now exposed via the devicePropertyHistory beta collection:
physicalMemoryInBytes - The physical memory in bytes.
totalStorageSpaceInBytes - Total storage capacity in bytes.
Microsoft Intune helps you protect your workforce's corporate data by managing devices and apps. In this
quickstart, you will create a free subscription to try Intune in a test environment.
Intune provides mobile device management (MDM) and mobile app management (MAM) from a secure cloud-
based service that is administered using the Microsoft Endpoint Manager admin center. Using Intune, you ensure
your workforce's corporate resources (data, devices, and apps) are correctly configured, accessed, and updated,
meeting your company's compliance policies and requirements.
Prerequisites
Before setting up Microsoft Intune, review the following requirements:
Supported operating systems and browsers
Network configuration requirements and bandwidth
IMPORTANT
You can't combine an existing work or school account after you sign up for a new account.
1. Go to the Microsoft Intune Trial page and fill out the form.
If most of your IT operations and users are in a different locale than you, you may want to select that locale
under Country or region. Azure uses your regional information to deliver the right services. This setting
can't be changed later.
2. Create an account using your company name followed by .onmicrosoft.com.
If your organization has its own custom domain that you want to use without .onmicrosoft.com, you can
change that in the Microsoft 365 admin center described later in this article.
3. View your new account information at the end of the sign-up process.
When you sign up for a trial, you will also receive an email message that contains your account information and
the email address that you provided during the sign-up process. This email confirms your trial is active.
TIP
When working with the Microsoft Endpoint Manager, you may have better results working with a browser in regular mode,
rather than private mode.
NOTE
If you have set the MDM Authority, you will see the MDM authority value on the Device enrollment blade. The
orange banner is only displayed if you haven't yet set the MDM authority.
4. If your MDM Authority is not set, under Choose MDM Authority, set your MDM authority to Intune
MDM Authority.
For more information about the MDM authority, see Set the mobile device management authority.
IMPORTANT
You cannot rename or remove the initial onmicrosoft.com part of the domain name. However, you can add, verify or
remove custom domain names used with Intune to keep your business identity clear. For more information, see Configure a
custom domain name.
1. Go to Microsoft 365 admin center and sign in using your administrator account.
2. In the navigation pane, choose Setup > Domains > Add domain.
3. Type your custom domain name. Then, select Next.
4. Verify that you are the owner of the domain that you entered in the previous step.
Selecting send code via email will send an email to the registered contact of your domain. After you
receive the email, copy the code and enter it in the field labeled Type your verification code here. If the
verification code matches, the domain will be added to your tenant. The email displayed may not look
familiar. Some registrars hide the real email address. Also, the email address may be different from what
was provided when the domain was registered.
NOTE
For TXT record verification details, see Create DNS records at any DNS hosting provider for Microsoft 365.
Admin experiences
There are two portals that you will use most often:
The Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) is where you can explore the
capabilities of Intune. This is where an admin would work with Intune.
The Microsoft 365 admin center (https://admin.microsoft.com) is where you can add and manage users, if you
are not using Azure Active Directory for this. You can also manage other aspects of your account, including
billing and support.
Next steps
In this quickstart, you've created a free subscription to try Intune in a test environment. For more information
about setting up Intune, see Set up Intune.
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Create a user and assign a license to it
Quickstart: Create a user in Intune and assign the user a license
9/4/2020 • 2 minutes to read
In this quickstart, you'll create a user and then assign the user an Intune license. When you use Intune, each person
you want to have access to company data must have their own user account. Intune admins can configure users
later to manage access control.
Prerequisites
A Microsoft Intune subscription. Sign up for a free trial account.
Create a user
A user must have a user account to enroll in Intune device management. To create a new user:
1. In Microsoft Endpoint Manager, select Users > All users > New user:
NOTE
If you haven't configured your customer domain name, use the verified domain name you used to create the Intune
subscription (or free trial).
4. Select Show password and be sure to remember the automatically generated password so that you can
sign in to a test device.
5. Select Create.
NOTE
This setting uses one of your licenses for the user. If you're using a trial environment, you'll later reassign this license
to a real user in a live environment.
Clean up resources
If you don't need this user anymore, you can delete the user by going to the Microsoft 365 admin center and
selecting Users > the user > the delete user icon > Delete user > Close.
Next steps
In this quickstart, you created a user and assigned an Intune license to that user. For more information about
adding users to Intune, see Add users and grant administrative permission to Intune.
To continue this series of Intune quickstarts, go to the next quickstart:
Quickstart: Create a group to manage users
Quickstart: Create a group to manage users
3/9/2020 • 2 minutes to read
In this quickstart, you will use Intune to create a group based on an existing user. Groups are used to manage your
users and control your employees' access to your company resources. These resources can be part of your
company's intranet or can be external resources, such as SharePoint sites, SaaS apps, or web apps.
If you don't have an Intune subscription, sign up for a free trial account.
NOTE
Intune provides pre-created All Users and All Devices groups in the console with built-in optimizations for your
convenience.
Prerequisites
Microsoft Intune subscription - sign up for a free trial account.
To complete this quickstart, you must create a user.
Create a group
You will create a group that will be used later in this quickstart series. To create a group:
1. Once you've opened the Microsoft Endpoint Manager, select Groups > New group.
2. In the Group type dropdown box, select Security.
3. In the Group name field, enter the name for the new group (for example, Contoso Testers).
4. Add a Group description for the group.
5. Set the Membership type to Assigned.
6. Under Members, select the link and add one or more members for the group from the list.
7. Click Select > Create.
Once you have successfully created the group, it will appear in the list of All groups.
Next steps
In this quickstart, you used Intune to create a group based on an existing user. For more information about adding
groups to Intune, see Add groups to organize users and devices.
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Set up automatic enrollment for Windows 10 devices
Quickstart: Create and assign a custom role
4/22/2020 • 2 minutes to read
In this Intune quickstart, you'll create a custom role with specific permissions for a security operations department.
Then you'll assign the role to a group of such operators. There are several default roles that you can use right away.
But by creating custom roles like this one, you have precise access control to all parts of your mobile device
management system.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
To complete this quickstart, you must create a group.
Sign in to Intune
Sign in to Intune as a Global Administrator or an Intune Service Administrator. If you have created an Intune Trial
subscription, the account you created the subscription with is the Global administrator.
2. Under Add custom role, in the Name box, enter Security operations.
3. In the Description box, enter This role lets a security operator monitor device configuration and compliance
information.
4. Choose Configure > Corporate device identifiers > Yes next to Read > OK.
Clean up resources
If you don't want to use the new custom role any more, you can delete it. Choose Roles > All roles > choose the
ellipsis next to the role > Delete.
Next steps
In this quickstart, you created a custom security operations role and assigned it to a group. For more information
about roles in Intune, see Role-based administration control (RBAC) with Microsoft Intune.
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Create an email device profile for iOS/iPadOS
Tutorial: Walkthrough Intune in Microsoft Endpoint Manager
9/4/2020 • 12 minutes to read • Edit Online
Azure contains over 100 services to assist you with a variety of cloud computing scenarios and possibilities.
Microsoft Intune is one of several services available in Azure. Intune helps you ensure that your company's devices,
apps, and data meet your company's security requirements. You have the control to set which requirements need to
be checked and what happens when those requirements aren't met. The Microsoft Endpoint Manager admin center
is where you can find the Microsoft Intune service, as well as other device management related settings.
Understanding the features available in Intune will help you accomplish various Mobile Device Management
(MDM) and Mobile Application Management (MAM) tasks.
NOTE
Microsoft Endpoint Manager is a single, integrated endpoint management platform for managing all your endpoints. This
Microsoft Endpoint Manager admin center integrates ConfigMgr and Microsoft Intune.
Prerequisites
Before setting up Microsoft Intune, review the following requirements:
Supported operating systems and browsers
Network configuration requirements and bandwidth
IMPORTANT
You can't combine an existing work or school account after you sign up for a new account.
Intune lets you manage your workforce's devices and apps, including how they access your company data. To
use this mobile device management (MDM) service, the devices must first be enrolled in Intune. When a
device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune
service.
There are several methods to enroll your workforce's devices into Intune. Each method depends on the
device's ownership (personal or corporate), device type (iOS/iPadOS, Windows, Android), and management
requirements (resets, affinity, locking). However, before you can enable device enrollment, you must set up
your Intune infrastructure. In particular, device enrollment requires that you set your MDM authority. For
more information about getting your Intune environment (tenant) ready, see Set up Intune. Once you have
your Intune tenant ready, you can enroll devices. For more information about device enrollment, see What is
device enrollment?
3. From the navigation pane, select Devices to display details about the enrolled devices in your Intune tenant.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Devices .
The Devices - Overview pane has several tabs that allow you to view a summary of the following statuses
and alerts:
Enrollment status - Review details about Intune enrolled devices by platform and enrollment failures.
Enrollment alerts - Find more details about unassigned devices by platform.
Compliance status - Review compliance status based on device, policy, setting, threats, and protection.
Additionally, this pane provides a list of devices without a compliance policy.
Configuration status - Review configuration status of device profiles, as well as profile deployment.
Software update status - See a visual of the deployment status for all devices and for all users.
4. From the Devices - Overview pane, select Compliance policies to display details about compliance for
devices managed by Intune. You will see details similar to the following image.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Device Compliance .
Compliance requirements are essentially rules, such as requiring a device PIN, or requiring device
encryption. Device compliance policies define the rules and settings that a device must follow to be
considered compliant. To use device compliance, you must have:
An Intune and an Azure Active Directory (Azure AD) Premium subscription
Devices running a supported platform
Devices must be enrolled in Intune
Devices that are enrolled to either one user or no primary user.
For more information, see Get started with device compliance policies in Intune.
5. From the Devices - Overview pane, select Conditional Access to display details about access policies.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Conditional Access .
Conditional Access refers to ways you can control the devices and apps that are allowed to connect to your
email and company resources. To learn about device-based and app-based Conditional Access, and find
common scenarios for using Conditional Access with Intune, see What's Conditional Access?
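The compliance and Conditional Access flow described in steps 4 and 5, as an added example rather than Intune's own code or API: compliance rules (PIN, encryption, jailbreak/root state, OS version, recent check-in) are evaluated per platform, devices without a policy are reported separately, and the access decision is gated on the result. The device fields, rule names, tenant setting and sample devices are all constructed for this example.

```python
"""Device compliance and Conditional Access evaluation (added example).

Modelled on the Intune concepts above; not Intune's own code or API.
All record fields, rule names and sample devices are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Device:
    """Simplified view of what an MDM service learns at device check-in."""
    name: str
    platform: str                 # "iOS", "Android", "Windows", ...
    os_version: Tuple[int, ...]
    has_pin: bool
    encrypted: bool
    jailbroken_or_rooted: bool
    enrolled: bool
    days_since_checkin: int


# A rule is a name plus a predicate that is true when the device passes.
Rule = Tuple[str, Callable[[Device], bool]]


@dataclass
class CompliancePolicy:
    platform: str
    rules: List[Rule]


def min_os(version: Tuple[int, ...]) -> Rule:
    label = "os>=" + ".".join(str(n) for n in version)
    return (label, lambda d: d.os_version >= version)


# Rules shared by every platform policy in this example.
BASE_RULES: List[Rule] = [
    ("pin", lambda d: d.has_pin),
    ("encrypted", lambda d: d.encrypted),
    ("not_jailbroken_or_rooted", lambda d: not d.jailbroken_or_rooted),
    ("checked_in_within_30_days", lambda d: d.days_since_checkin <= 30),
]

# Constructed sample policies, one per platform the tutorial lists.
POLICIES: List[CompliancePolicy] = [
    CompliancePolicy("iOS", BASE_RULES + [min_os((13, 0))]),
    CompliancePolicy("Android", BASE_RULES + [min_os((9, 0))]),
    CompliancePolicy("Windows", BASE_RULES + [min_os((10, 0, 18363))]),
]


def evaluate_compliance(device: Device,
                        policies: List[CompliancePolicy]) -> Dict[str, object]:
    """Return the device's compliance status and the names of failed rules.

    Status values: 'notEnrolled' (cannot be evaluated at all), 'noPolicy'
    (enrolled but no policy targets its platform; these are the devices the
    Devices overview lists separately), 'compliant' or 'noncompliant'.
    Every applicable policy must pass for 'compliant'.
    """
    if not device.enrolled:
        return {"status": "notEnrolled", "failed": []}
    applicable = [p for p in policies if p.platform == device.platform]
    if not applicable:
        return {"status": "noPolicy", "failed": []}
    failed = [name for p in applicable
              for name, check in p.rules if not check(device)]
    return {"status": "compliant" if not failed else "noncompliant",
            "failed": failed}


def conditional_access(device: Device, policies: List[CompliancePolicy],
                       no_policy_is_compliant: bool = False):
    """Grant or block access to company resources based on compliance.

    `no_policy_is_compliant` is an assumed tenant setting for devices that
    have no policy assigned; the safe default here is to block them.
    """
    result = evaluate_compliance(device, policies)
    status = result["status"]
    if status == "compliant" or (status == "noPolicy" and no_policy_is_compliant):
        return "grant", result
    return "block", result


# Constructed sample devices covering the cases discussed above.
SAMPLE_DEVICES = {
    "iphone": Device("iphone", "iOS", (14, 4), True, True, False, True, 2),
    "rooted_android": Device("rooted_android", "Android", (10, 0), True, True, True, True, 1),
    "unencrypted_pc": Device("unencrypted_pc", "Windows", (10, 0, 19041), True, False, False, True, 5),
    "stale_ipad": Device("stale_ipad", "iOS", (12, 4), True, True, False, True, 45),
    "macbook": Device("macbook", "macOS", (10, 15), True, True, False, True, 3),
    "byod_phone": Device("byod_phone", "Android", (11, 0), True, True, False, False, 0),
}


def access_report(devices=SAMPLE_DEVICES, policies=POLICIES) -> Dict[str, str]:
    """Access decision per device name, e.g. {'iphone': 'grant', ...}."""
    return {name: conditional_access(d, policies)[0] for name, d in devices.items()}


if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        decision, detail = conditional_access(dev, POLICIES)
        print(f"{name:16} {detail['status']:13} {decision:5} {detail['failed']}")
```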
6. From the navigation pane, select Devices > Configuration profiles to display details about device profiles
in Intune.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Device configuration .
Intune includes settings and features that you can enable or disable on different devices within your
organization. These settings and features are added to "configuration profiles". You can create profiles for
different devices and different platforms, including iOS/iPadOS, Android, macOS, and Windows. Then, you
can use Intune to apply the profile to devices in your organization.
For more information about device configuration, see Apply features settings on your devices using device
profiles in Microsoft Intune.
7. From the navigation pane, select Devices > All devices to display details about your Intune tenant's
enrolled devices. If you are starting with a new Intune enlistment, you will not have any enrolled devices yet.
This list of devices shows key details about compliance, OS version, and last check-in date.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Devices > All devices .
8. From the navigation pane, select Apps to display an overview of app status. This pane provides app
installation status based on the following tabs:
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Client apps .
The Apps - Overview pane has two tabs that allow you to view a summary of the following statuses:
Installation status - View the top installation failures by device, as well as the apps with installation
failures.
App protection policy status - Find details about assigned users to app protection policies, as well as
flagged users.
As an IT admin, you can use Microsoft Intune to manage the client apps that your company's workforce uses.
This functionality is in addition to managing devices and protecting data. One of an admin's priorities is to
ensure that end users have access to the apps they need to do their work. Additionally, you might want to
assign and manage apps on devices that are not enrolled with Intune. Intune offers a range of capabilities to
help you get the apps you need on the devices you want.
NOTE
The Apps - Overview pane also provides tenant status and account details.
For more information about adding and assigning apps, see Add apps to Microsoft Intune and Assign apps
to groups with Microsoft Intune.
9. From the Apps - Overview pane, select All apps to see a list of apps that have been added to Intune.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Client apps > Apps .
You can add a variety of different app types based on platform to Intune. Once an app has been added, you
can assign it to groups of users.
For more information, see Add apps to Microsoft Intune.
10. From the navigation pane, select Users to display details about the users that you have included in Intune.
These users are your company's workforce.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Users .
You can add users directly to Intune or synchronize users from your on-premises Active Directory. Once
added, users can enroll devices and access company resources. You can also give users additional
permissions to access Intune. For more information, see Add users and grant administrative permission to
Intune.
11. From the navigation pane, select Groups to display details about the Azure Active Directory (Azure AD)
groups included in Intune. As an Intune admin, you use groups to manage devices and users.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Groups .
You can set up groups to suit your organizational needs. Create groups to organize users or devices by
geographic location, department, or hardware characteristics. Use groups to manage tasks at scale. For
example, you can set policies for many users or deploy apps to a set of devices. For more information about
groups, see Add groups to organize users and devices.
12. From the navigation pane, select Tenant administration to display details about your Intune tenant.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Tenant status .
The Tenant admin - Tenant status pane provides tabs for Tenant details , Connector status , and
Service health dashboard . If there are any issues with your tenant or Intune itself, you will find details
available from this pane.
From the Assignments dropdown list, you can choose to view the targeted assignments of client apps,
policies, update rings, and enrollment restrictions. Additionally, this pane provides device details, app
protection status, and enrollment failures for a specific user.
For more information about troubleshooting within Intune, see Use the troubleshooting portal to help users
at your company.
14. From the navigation pane, select Troubleshooting + support > Help and support to request help.
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Help and support .
As an IT admin, you can use the Help and Support option to search and view solutions, as well as file an
on-line support ticket for Intune.
To create a support ticket, your account must be assigned an administrator role in Azure Active Directory.
Administrator roles include Intune administrator , Global administrator , and Service administrator .
For more information, see How to get support for Microsoft Intune.
15. From the navigation pane, select Troubleshooting + support > Guided scenarios to display available
Intune guided scenarios.
A guided scenario is a customized series of steps centered around one end-to-end use-case. Common
scenarios are based on the role an admin, user, or device plays in your organization. These roles typically
require a collection of carefully orchestrated profiles, settings, applications, and security controls to provide
the best user experience and security.
If you are not familiar with all the steps and resources needed to implement a particular Intune scenario,
guided scenarios may be used as your starting point.
For more information about guided scenarios, see Guided scenarios overview.
Azure contains over 100 services to assist you with a variety of cloud computing scenarios and possibilities.
Microsoft Intune is one of several services available in Azure. Intune helps you ensure that your company's devices,
apps, and data meet your company's security requirements. You have the control to set which requirements need to
be checked and what happens when those requirements aren't met. The Azure portal is where you can find the
Microsoft Intune service. Understanding the features available in Intune will help you accomplish various Mobile
Device Management (MDM) and Mobile Application Management (MAM) tasks.
In this tutorial, you will:
Tour Microsoft Intune
Configure the Azure portal
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Before setting up Microsoft Intune, review the following requirements:
Supported operating systems and browsers
Network configuration requirements and bandwidth
IMPORTANT
You can't combine an existing work or school account after you sign up for a new account.
Conditional Access refers to ways you can control the devices and apps that are allowed to connect to your
email and company resources. To learn about device-based and app-based Conditional Access, and find
common scenarios for using Conditional Access with Intune, see What's Conditional Access?
8. From Intune, select Users to display details about the users that you have included in Intune. These users are
your company's workforce.
You can add users directly to Intune or synchronize users from your on-premises Active Directory. Once
added, users can enroll devices and access company resources. You can also give users additional
permissions to access Intune. For more information, see Add users and grant administrative permission to
Intune.
9. From Intune, select Groups to display details about the Azure Active Directory (Azure AD) groups included
in Intune. As an Intune admin, you use groups to manage devices and users.
You can set up groups to suit your organizational needs. Create groups to organize users or devices by
geographic location, department, or hardware characteristics. Use groups to manage tasks at scale. For
example, you can set policies for many users or deploy apps to a set of devices. For more information about
groups, see Add groups to organize users and devices.
10. From Intune, select Help and support to request help. As an IT admin, you can use the Help and Support
option to search and view solutions, as well as file an on-line support ticket for Intune.
To create a support ticket, your account must be assigned an administrator role in Azure Active Directory.
Administrator roles include Intune administrator , Global administrator , and Service administrator .
For more information, see How to get support for Microsoft Intune.
11. From Intune, select Tenant Status to display details about your Intune tenant.
Tenant status details include connector status, Intune service health, and Intune news. If there are any issues
with your tenant or Intune itself, you will find details in the Tenant Status pane. For more information, see
Intune Tenant Status.
12. From Intune, select Troubleshoot to reach a shortcut on troubleshooting tips, requesting support, or
checking the status of Intune. This information is specific to the Intune user you select.
For more information about troubleshooting within Intune, see Use the troubleshooting portal to help users at your
company.
1. Select All services from the sidebar on the left side of the page.
2. Search for Intune in the filter box.
3. Select the star to add Intune to the bottom of the list of your favorite services.
4. Hover over the Intune service. Select and drag Intune using the three vertical dots on the right side of the
service name.
Change the dashboard
Your default landing page is the dashboard . This page is where you customize your tiles to show information that
is most relevant to you.
To modify your current dashboard, select the Edit dashboard button. If you don't want to change your default
dashboard, you can also create a New dashboard . Creating a new dashboard gives you an empty, private
dashboard with the Tile Gallery , which lets you add or rearrange tiles. You can find tiles by their General
category, Type , through Search , and through a Resource group or Tag .
You can also add tiles directly to your dashboard by selecting Pin to dashboard from any ellipsis button.
This capability will be more relevant after you've added more content, like groups and users, to Intune.
Next steps
To get running quickly on Microsoft Intune, step through the Intune Quickstarts by first setting up a free Intune
account.
Quickstart: Try Microsoft Intune for free
How is Intune for Education different from the full device management experience in Intune?
9/4/2020 • 2 minutes to read • Edit Online
Intune for Education enables your teachers and students to be productive while protecting your school's data.
Intune for Education is powered by Microsoft’s Intune service, a cloud-based enterprise mobility management
(EMM) service.
Intune for Education lets you manage Windows 10 and iOS/iPadOS devices using the full MDM capabilities
available in Intune. The full device management experience lets you manage Windows, iOS/iPadOS, and Android
devices.
Intune for Education can be used by itself, or in harmony with the full device management experience available in
Intune. It can also be used alongside the rest of the tools available in Microsoft Education, which makes it easy for
you to use Intune for Education with other useful educational tools from Microsoft.
Next steps
Get familiar with the product with a 90 day free trial of Intune. If you already have access, head to
(https://intuneeducation.portal.azure.com) to get started.
Read about the quickest way to start using Intune for Education.
Dive into the technical requirements and capabilities of Intune.
What is Intune for Government?
9/4/2020 • 2 minutes to read • Edit Online
Intune for Government is an application and mobile management platform designed to help ensure security,
privacy and control, compliance, and transparency. It meets federal, state, and local US government needs with
physical and logical network-isolated instances of Azure. These instances are dedicated to US government with all
customer data, applications, and hardware residing in the continental United States.
Intune for Government includes a physically isolated instance of Microsoft Intune that supports security and
compliance requirements critical to US government. Intune is a cloud-based enterprise mobility management
(EMM) service that is the foundation for Intune for Government. Government agencies will have access to the same
features available to commercial customers, as well as FedRAMP and DoD compliance certifications and
operation by screened US persons.
With Intune for Government you can manage Windows 10, iOS, and Android devices using the full MDM
capabilities available in Intune. For example, you can:
Manage the mobile devices of government employees used to access data.
Manage the mobile apps your users access.
Protect government data by controlling the way users access and share it.
Ensure devices and apps follow security requirements.
Next steps
For more information about Intune for US Government, see Microsoft Intune for US Government GCC High and
DoD service description.
Dive into the technical requirements and capabilities of Intune.
See feature differences between Intune and Intune for US Government.
High-level architecture for Microsoft Intune
3/9/2020 • 2 minutes to read • Edit Online
This reference architecture shows options for integrating Microsoft Intune in your Azure environment with Azure
Active Directory.
[Architecture diagram: Microsoft Azure hosting Microsoft Intune, with group targeting, the Graph API, Office 365, the App Store, configuration and reporting, telecom expense management (data from the telco on usage), a Mobile Threat Defense connector (mobile threat assessment), a Network Access Control partner, custom LOB apps, web apps, the on-premises network, and the web console.]
All devices that you manage have a lifecycle. Intune can help you manage this lifecycle: from enrollment, through
configuration and protection, to retiring the device when it's no longer required. Here’s an example: an iPad bought
by your company first needs to be enrolled with your Microsoft Intune account to allow your company to manage
it; then, it needs to be configured to your company’s liking; then, the data that’s stored on it by a user needs to be
protected; and finally, when that iPad is no longer needed, you must retire or wipe all sensitive data on it.
Enroll
Today's mobile device management (MDM) strategies deal with a variety of phones, tablets, and PCs (iOS/iPadOS,
Android, Windows, and Mac OS X). If you need to be able to manage the device, which is commonly the case for
corporate-owned devices, the first step is to set up device enrollment. You can also manage Windows PCs by
enrolling them with Intune (MDM) or by installing the Intune client software.
Configure
Getting your devices enrolled is just the first step. To take advantage of all that Intune offers and to ensure that your
devices are secure and compliant with company standards, you can choose from a wide range of policies. These let
you configure almost every aspect of how managed devices operate. For example, should users have a password
on devices that have company data? You can require one. Do you have corporate Wi-Fi? You can automatically
configure it. Here are the types of configuration options that are available:
Device configuration . These policies let you configure the features and capabilities of the devices that you
manage. For example, you could require the use of a password on Android phones or disable the use of the
camera on iPhones.
Company resource access . When you let your users access their work on their personal device, this can
present you with challenges. For example, how do you ensure that all devices that need to access company
email are configured correctly? How can you ensure that users can access the company network with a VPN
connection without having to know complex settings? Intune can help to reduce this burden by automatically
configuring the devices that you manage to access common company resources.
Windows PC management policies (with the Intune client software) . While enrolling Windows PCs with
Intune gives you the most device management capabilities, Intune continues to support managing Windows
PCs with the Intune client software. If you need information about some of the tasks that you can perform with
PCs, start here.
Protect
In the modern IT world, protecting devices from unauthorized access is one of the most important tasks that you
perform. In addition to the items in the Configure step of the device lifecycle, Intune provides these capabilities
that help protect devices you manage from unauthorized access or malicious attacks:
Multi-factor authentication . Adding an extra layer of authentication to user sign-ins can help make devices
even more secure. Many devices support multi-factor authentication that requires a second level of
authentication, such as a phone call or text message, before users can gain access.
Windows Hello for Business settings . Windows Hello for Business is an alternative sign-in method that lets
users use a gesture—such as a fingerprint or Windows Hello—to sign in without needing a password.
Policies to protect Windows PCs (with the Intune client software) . When you manage Windows PCs by
using the Intune client software, policies are available that let you control settings for Endpoint Protection,
software updates, and Windows Firewall on PCs that you manage.
Retire
When a device gets lost or stolen, when it needs to be replaced, or when users move to another position, it's usually
time to retire or wipe the device. There are a number of ways you can do this—including resetting the device,
removing it from management, and wiping the corporate data on it.
Next steps
Learn about device management in Microsoft Intune
Overview of the app lifecycle in Microsoft Intune
9/4/2020 • 2 minutes to read • Edit Online
The Microsoft Intune app lifecycle begins when an app is added and progresses through additional phases until you
remove the app. By understanding these phases, you'll have the details you need to get started with app
management in Intune.
Add
The first step in app deployment is to add the apps, which you want to manage and assign, to Intune. While you can
work with many different app types, the basic procedures are the same. With Intune you can add different app
types, including apps written in-house (line-of-business), apps from the store, apps that are built in, and apps on the
web. For more information about each of these app types, see How to add an app to Microsoft Intune.
Deploy
After you've added the app to Intune, you can then assign it to users and devices that you manage. Intune makes
this process easy, and after the app is deployed, you can monitor the success of the deployment from the Intune
within the Azure portal. Additionally, in some app stores, such as the Apple and Windows app stores, you can
purchase app licenses in bulk for your company. Intune can synchronize data with these stores so that you can
deploy and track license usage for these types of apps right from the Intune administration console.
Configure
As part of the app lifecycle, new versions of apps are regularly released. Intune provides tools to easily update apps
that you have deployed to a newer version. Additionally, you can configure extra functionality for some apps, for
example:
iOS/iPadOS app configuration policies supply settings for compatible iOS/iPadOS apps that are used when the
app is run. For example, an app might require specific branding settings or the name of a server to which it must
connect.
Managed browser policies help you to configure settings for the Microsoft Edge, which replaces the default
device browser and lets you restrict the websites that your users can visit.
Protect
Intune gives you many ways to help protect the data in your apps. The main methods are:
Conditional Access, which controls access to email and other services based on conditions that you specify.
Conditions include device types or compliance with a device compliance policy that you deployed.
App protection policies work with individual apps to help protect the company data that they use. For example,
you can restrict copying data between unmanaged apps and apps that you manage, or you can prevent apps
from running on devices that have been jailbroken or rooted.
Retire
Eventually, it's likely that apps that you deployed become outdated and need to be removed. Intune makes it easy to
uninstall apps. For more information, see Uninstall an app.
Next steps
Learn about app management in Microsoft Intune
Intune guided scenarios overview
9/4/2020 • 3 minutes to read • Edit Online
A guided scenario is a customized series of steps centered around one end-to-end use-case. Common scenarios
are based on the role an admin, user, or device plays in your organization. These roles typically require a collection
of carefully orchestrated profiles, settings, applications, and security controls to provide the best user experience
and security.
If you are not familiar with all the steps and resources needed to implement a particular Intune scenario, guided
scenarios may be used as your starting point. The guided scenario will assemble policies, apps, assignments, and
other management configurations automatically. Additionally, the guided scenarios may deliberately omit certain
options not applicable or uncommon for the given scenario.
Guided scenarios are not a different management space from Intune's normal workflows. These workflows are
intended to be used in conjunction with Intune's existing workflows for profiles, apps, and policies. Upon
completing a guided scenario, all future management of the scenario must take place in the existing menus for
policies, apps, and profiles. A guided scenario does not save a "guided scenario" resource type or track future
changes made to the resources. Every resource created by a guided scenario will appear in its respective workload.
All options, even those options omitted in the guided scenario, will be available for editing in the existing menus.
IMPORTANT
The list presented at the end of the guided scenario is not saved and is only viewable while the guided scenario is open.
If there is an error deploying the scenario, all changes will be reverted.
Editing
Guided scenarios cannot be used to edit existing resources. Once created, all resources, groups, and assignments
must be edited using the existing workloads.
Monitoring
Guided scenarios cannot be used to monitor existing resources apart from the initial creation process. Once
created, all resources, groups, and assignments must be monitored using the existing workloads.
Retiring
Guided scenarios cannot be used to retire existing resources, apart from the automated cleanup during an error in
the initial deployment. Once created, all resources, groups, and assignments must be retired using the existing
workloads.
Updating
As technology evolves, Intune may from time to time update a guided scenario to improve the user experience,
security, or other aspects of the scenario. This update will only affect new deployments made by the guided
scenario. Intune will not update existing resources previously generated by the guided scenario to match new best
practices or recommendations.
Next steps
To get running quickly on Microsoft Intune, step through the Intune guided scenarios. If you are new to Intune, set
up your Intune tenant by following the free trial quickstart.
Guided scenario - Deploy Microsoft Edge for Mobile
9/4/2020 • 4 minutes to read • Edit Online
By following this guided scenario, you can assign the Microsoft Edge app to your users on iOS/iPadOS or Android
devices at your organization. Assigning this app will allow your users to seamlessly browse content using their
corporate devices.
Microsoft Edge lets users cut through the clutter of the web with built-in features that help them consolidate,
arrange and manage work content. Users of iOS/iPadOS and Android devices who sign in with their corporate
Azure AD accounts in the Microsoft Edge application will find their browser pre-loaded with workplace Favorites
and website filters you define.
NOTE
If you have blocked users from enrolling either iOS/iPadOS or Android devices, this scenario will not enable enrollment, and
the users will need to install Edge for themselves. The following Microsoft Edge enterprise features that are enabled by Intune
policies include:
Dual-Identity - Users can add both a work account, as well as a personal account, for browsing. There is
complete separation between the two identities, which is similar to the architecture and experience in Microsoft
365 and Outlook. Intune admins will be able to set the desired policies for a protected browsing experience
within the work account.
Intune app protection policy integration - Admins can now target app protection policies to Microsoft
Edge, including the control of cut, copy, and paste, preventing screen captures, and ensuring that user-selected
links open only in other managed apps.
Azure Application Proxy integration - Admins can control access to SaaS apps and web apps, helping
ensure browser-based apps only run in the secure Microsoft Edge browser, whether end users connect from the
corporate network or connect from the Internet.
Managed Favorites and Home Page shortcuts - For ease of access, admins can set URLs to appear under
favorites when end users are in their corporate context. Admins can set a homepage shortcut, which will show
as the primary shortcut when the corporate user opens a new page or a new tab in Microsoft Edge.
Prerequisites
Set the MDM authority to Intune - The mobile device management (MDM) authority setting determines how
you manage your devices. As an IT admin, you must set an MDM authority before users can enroll devices for
management.
Intune Admin permissions needed:
Managed apps read, create, delete, and assign permissions
Mobile apps read, create, and assign permissions
Policy sets read, create, and assign permissions
Organization read, update permission
Step 1 - Introduction
By following the Deploy Microsoft Edge for Mobile guided scenario, you will set up a basic deployment of
Microsoft Edge for a selected group of iOS/iPadOS and Android users. This deployment will implement Dual-Identity
and Managed Favorites and Home Page shortcuts. In addition, devices enrolled by the selected users
will automatically have the Microsoft Edge app installed by Intune. This automatic installation will occur on all user-
driven enrollment types, which include:
iOS/iPadOS enrollment through the Company Portal app
iOS/iPadOS user-affinity enrollment through Apple Business Manager
Legacy Android enrollment through the Company Portal App
This guided scenario will automatically enable MyApps to appear in the Microsoft Edge favorites and configure the
browser with the same branding you have set for the Intune Company Portal app.
What you will need to continue
We'll ask you about the workplace favorites your users need, and the filters you require for web browsing. Make
sure you complete the following tasks before you continue:
Add users to Azure AD groups. For more information, see Create a basic group and add members using Azure
Active Directory.
Enroll iOS/iPadOS or Android devices in Intune. For more information, see Device enrollment.
Gather a list of workplace favorites to add in Microsoft Edge.
Gather a list of website filters to enforce in Microsoft Edge.
Step 2 - Basics
In this step, you must enter a name and description for your new Microsoft Edge policies. These policies can be
referenced later if you need to change the assignments and configurations. The guided scenario will add and assign
both a Microsoft Edge iOS/iPadOS app for your iOS/iPadOS devices and a Microsoft Edge Android app for your
Android devices. Also, this step will create configuration policies for these apps.
Step 3 - Configuration
In this step, the guided scenario will configure Microsoft Edge to show all the other apps assigned to users through
Intune and share the same branding as the Microsoft Intune Company Portal app. You may further configure
Microsoft Edge with a Home page shortcut URL, a list of Managed Bookmarks, and a list of Blocked URLs.
The Home page shortcut URL will appear to users as the first icon beneath the search bar when they open a new
tab in Microsoft Edge on their device. The Managed Bookmarks are a list of favorite URLs for your users to have
available when using Microsoft Edge in their work context. The Blocked URLs specify the sites that are blocked for
your users while in their work context. All other sites will be allowed.
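The three settings described in this step are delivered to Edge as key/value pairs in an Intune app configuration policy. The following is an added example, not code from the original page or from Microsoft: it builds and validates those values. The key names are taken from Microsoft's documentation for managing Edge on iOS and Android with Intune, as are the "|" and "||" delimiters for bookmark and URL lists; the {"name": ..., "value": ...} shape is the customSettings list of a Graph targetedManagedAppConfiguration. The tenant URLs, bookmark titles and block-list patterns are constructed. The point a practitioner should take from it is the delimiter check: a title or URL that contains "|" would silently split the policy value into extra entries, and a homepage that is not an absolute http(s) URL should never reach the policy.

```python
"""Build and validate the app configuration settings that the Edge guided
scenario writes for Microsoft Edge on iOS/iPadOS and Android.

Added example, not Microsoft's or Intune's code. Key names and the '|' / '||'
list delimiters follow Microsoft's Edge-for-mobile documentation; sample
values are constructed for a fictitious tenant.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

HOMEPAGE_KEY = "com.microsoft.intune.mam.managedbrowser.homepage"
BOOKMARKS_KEY = "com.microsoft.intune.mam.managedbrowser.bookmarks"
BLOCKLIST_KEY = "com.microsoft.intune.mam.managedbrowser.BlockListURLs"
MYAPPS_KEY = "com.microsoft.intune.mam.managedbrowser.MyApps"


def check_url(url: str) -> str:
    """Accept only absolute http(s) URLs. Schemes such as javascript: or
    file: are rejected, and so is any '|', because the pipe is the list
    delimiter and would split the policy value into extra entries."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    if "|" in url:
        raise ValueError(f"'|' is the list delimiter and cannot appear in {url!r}")
    return url


def encode_bookmarks(bookmarks: List[Tuple[str, str]]) -> str:
    """Managed favorites: 'Title|URL' pairs joined with '||'."""
    items = []
    for title, url in bookmarks:
        if not title.strip() or "|" in title:
            raise ValueError(f"title must be non-empty and free of '|': {title!r}")
        items.append(f"{title}|{check_url(url)}")
    return "||".join(items)


def decode_bookmarks(value: str) -> List[Tuple[str, str]]:
    """Inverse of encode_bookmarks; handy when reviewing an exported policy."""
    pairs = []
    for item in value.split("||"):
        if not item:
            continue
        if "|" not in item:
            raise ValueError(f"bookmark entry without URL: {item!r}")
        title, url = item.split("|", 1)
        pairs.append((title, url))
    return pairs


def build_edge_settings(homepage: str,
                        bookmarks: List[Tuple[str, str]],
                        blocked_urls: Optional[List[str]] = None,
                        show_myapps: bool = True) -> List[Dict[str, str]]:
    """Return the customSettings list for an Edge app configuration policy."""
    settings = {
        HOMEPAGE_KEY: check_url(homepage),
        BOOKMARKS_KEY: encode_bookmarks(bookmarks),
        MYAPPS_KEY: "true" if show_myapps else "false",
    }
    if blocked_urls:
        # Block-list entries may be wildcard patterns (e.g. https://*.example.com/*),
        # so only emptiness and the delimiter are checked here.
        for pattern in blocked_urls:
            if not pattern.strip() or "|" in pattern:
                raise ValueError(f"invalid block-list entry: {pattern!r}")
        settings[BLOCKLIST_KEY] = "|".join(blocked_urls)
    return [{"name": name, "value": value} for name, value in settings.items()]


# Constructed sample input for a fictitious tenant.
SAMPLE_HOMEPAGE = "https://portal.contoso.example"
SAMPLE_BOOKMARKS = [("Intranet", "https://intranet.contoso.example"),
                    ("Helpdesk", "https://helpdesk.contoso.example/tickets")]
SAMPLE_BLOCKED = ["https://*.pastebin.example/*", "http://*.contoso.example/*"]

if __name__ == "__main__":
    for entry in build_edge_settings(SAMPLE_HOMEPAGE, SAMPLE_BOOKMARKS, SAMPLE_BLOCKED):
        print(f"{entry['name']} = {entry['value']}")
```

Any site not matched by the block list stays reachable, as the step says, so review the encoded BlockListURLs value before assigning the policy rather than after users report that a site was still open.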
Step 4 - Assignments
In this step, you can choose the user groups that you want to include to have Microsoft Edge mobile configured for
work. Microsoft Edge will also be installed on all iOS/iPadOS and Android devices enrolled by these users.
NOTE
Edge may take up to 12 hours to receive configuration. For more information, see App configuration policies for Microsoft
Intune.
IMPORTANT
Once the guided scenario is complete it will display a summary. You can modify the resources listed in the summary later,
however the table displaying these resources will not be saved.
Next steps
Enhance the security of using Microsoft Edge by setting up Intune app protection policy integration. For more
information, see Create Intune app protection policies.
If you have intranet sites to include, explore protecting access with Azure Application Proxy integration. For
more information, see Manage proxy configuration.
Guided scenario - Cloud-managed Modern Desktop
9/4/2020 • 6 minutes to read
The modern desktop is the state-of-the-art productivity platform for the Information Worker. Microsoft 365 Apps
and Windows 10 are the core components of the modern desktop along with the latest security baselines for
Windows 10 and Microsoft Defender Advanced Threat Protection.
Managing the modern desktop from the cloud brings the added benefit of internet-wide remote actions. Cloud-
management utilizes the in-built Windows Mobile Device Management policies and removes dependencies on
local Active Directory group policy.
If you want to evaluate a cloud-managed modern desktop in your own organization, this guided scenario
predefines all the necessary configurations for a basic deployment. In this guided scenario, you will create a secure
environment where you can try out Intune device management capabilities.
Prerequisites
Set the MDM authority to Intune - The mobile device management (MDM) authority setting determines how
you manage your devices. As an IT admin, you must set an MDM authority before users can enroll devices for
management.
M365 E3 minimum (or M365 E5 for best security)
Windows 10 1903 device (registered with Windows Autopilot for best end-user experience)
Intune administrator permissions required to complete this guided scenario:
Device configuration Read, Create, Delete, Assign and Update
Enrollment Programs Read device, Read profile, Create profile, Assign profile, Delete profile
Mobile apps Read, Create, Delete, Assign and Update
Organization Read and Update
Security Baselines Read, Create, Delete, Assign and Update
Policy Sets Read, Create, Delete, Assign and Update
Step 1 - Introduction
Using this guided scenario, you'll set up a test user, enroll a device in Intune, and deploy the device with Intune-
recommended settings, as well as Windows 10 and Microsoft 365 Apps. Your device will also be configured for
Microsoft Defender Advanced Threat Protection, if you choose to enable this protection in Intune. The user you set
up and the device that you enroll will be added to new security groups and will be configured with the
recommended settings for security and productivity.
What you will need to continue
You must supply your test device and test user in this guided scenario. Make sure you complete the following tasks:
Set up a test user account in Azure Active Directory.
Create a test device running Windows 10, version 1903 or later.
(Optional) Register the test device with Windows Autopilot.
(Optional) Enable branding to your organization's Azure Active Directory sign-in page.
Step 2 - User
Choose a user to set up on the device. This person will be the primary user of the device.
If you want to add more users or devices to this configuration, simply add the users and devices to the Azure AD
security groups generated by the wizard. Unlike other Guided Scenarios, you don't need to run the wizard more
than once since the configuration is not customizable. Just add more users and devices to the Azure AD groups
created. After completing the wizard you will be able to view the group generated with the recommended polices
deployed.
Step 3 - Device
Make sure your device is running Windows 10, version 1903 or later. The primary user will need to set up the
device when they receive it. There are two setup options available to the user.
Option A – Windows Autopilot
Windows Autopilot automates the configuration of new devices so that users can set them up out of the box,
without IT assistance. If your device is already registered with Windows Autopilot, select it by its serial number. For
more information about using Windows Autopilot, see Register device with Windows Autopilot (Optional).
Option B – Manual device enrollment
Users will manually set up and enroll their new devices in mobile device management. After you complete this
scenario, reset the device and give the primary user the enrollment instructions for Windows devices. For more
information, see Join a Windows 10 device to Azure AD during the first-run experience.
IMPORTANT
Once the guided scenario is complete it will display a summary. You can modify the resources listed in the summary later,
however the table displaying these resources will not be saved.
Verification
1. Verify that the selected user is assigned the MDM user scope.
Ensure MDM User scope is:
Set to All for the Microsoft Intune app or,
Set to Some . Also, add the user group created by this guided scenario.
2. Verify that the selected user is able to join devices to Azure Active Directory.
Ensure Azure AD join is:
Set to All or,
Set to Some . Also add the user group created by this guided scenario.
3. Follow the appropriate steps on the device to join it to Azure AD based on the following:
With Autopilot. For more information, see Windows Autopilot user-driven mode.
Without Autopilot: For more information, see Join a Windows 10 device to Azure AD during the first-run
experience.
What happens when I click Deploy?
The user and device will be added to new security groups. They'll also be configured with Intune-recommended
settings for security and productivity at work or school. After the user joins the device to Azure AD, additional apps
and settings will be added to the device. To learn more about these additional configurations, see Quickstart: Enroll
your Windows 10 device.
Additional information
Register device with Windows Autopilot (Optional)
You can optionally choose to use a registered Autopilot device. For Autopilot, this guided scenario will assign an
Autopilot deployment profile and enrollment status page profile. The Autopilot deployment profile will be
configured as follows:
User-driven mode – i.e. require the end user to enter username and password during Windows setup.
Azure AD join.
Customize Windows setup:
Hide the Microsoft Software licensing terms screen
Hide Privacy settings
Create the user's local profile without local admin privileges
Hide the Change Account options on the corporate sign-in page
The Enrollment status page will be configured to be enabled only for Autopilot devices and will not block waiting
for all apps to be installed.
The guided scenario will also assign the user to the selected Autopilot device for a personalized setup experience.
Post-requisites
Once the user joins the device to Azure Active Directory, the following configurations will be applied to the device:
1. Microsoft 365 Apps will be automatically installed on the Cloud-managed PC. It includes the applications that
you're familiar with, including Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, and
Word. You can use these applications to connect with Microsoft 365 services such as SharePoint Online,
Exchange Online, and Skype for Business Online. Microsoft 365 Apps is updated regularly with new features,
unlike non-subscription versions of Office. For a list of new features, see What's new in Microsoft 365.
2. Windows security baselines will be installed on the Cloud-managed PC. If you have set up Microsoft Defender
Advanced Threat Protection, the guided scenario will also configure baseline settings for Defender. Defender
Advanced Threat Protection provides a new post-breach layer of protection to the Windows 10 security stack.
With a combination of client technology built into Windows 10 and a robust cloud service, it will help detect
threats that have made it past other defenses.
Next steps
If you are using Microsoft Defender Advanced Threat Protection, create an Intune Compliance policy to require
Defender threat analysis to meet compliance.
Create a Device-based Conditional Access policy to block access if the device does not meet Intune compliance.
Guided scenario - Secure Microsoft Office mobile
apps
9/4/2020 • 5 minutes to read
By following this guided scenario in the Device Management portal, you can enable basic Intune app protection on
iOS/iPadOS and Android devices.
The app protection that you enable will enforce the following actions:
Encrypt work files.
Require a PIN to access work files.
Require the PIN to be reset after five failed attempts.
Block work files from being backed up in iTunes, iCloud, or Android backup services.
Require work files to only be saved to OneDrive or SharePoint.
Prevent protected apps from loading work files on jailbroken or rooted devices.
Block access to work files if the device is offline for 720 minutes.
Remove work files if device is offline for 90 days.
Background
Office mobile apps, as well as Microsoft Edge for Mobile, support dual identity. Dual identity allows the apps to
manage work files separately from personal files.
Intune app protection policies help protect your work files on devices that are enrolled into Intune. You can also use
app protection policies on employee owned devices that are not enrolled for management in Intune. In this case,
even though your company doesn't manage the device, you still need to make sure that work files and resources
are protected.
You can use App protection policies to prevent users from saving work files in unprotected locations. You can also
restrict data movement to other apps that aren't protected by App protection policies. App protection policy
settings include:
Data relocation policies like Save copies of org data , and Restrict cut, copy, and paste .
Access policy settings to require simple PIN for access, and block managed apps from running on jailbroken or
rooted devices.
App-based conditional access and client app management add a security layer by making sure only client apps that
support Intune app protection policies can access Exchange online and other Microsoft 365 services.
You can block the built-in mail apps on iOS/iPadOS and Android when you allow only the Microsoft Outlook app to
access Exchange Online. Additionally, you can block apps that don't have Intune app protection policies applied
from accessing SharePoint Online.
In this example, the admin has applied app protection policies to the Outlook app followed by a conditional access
rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail.
Prerequisites
You'll need the following Intune admin permissions:
Managed apps read, create, delete, and assign permissions
Policy sets read, create, and assign permissions
Organization read permission
Step 1 - Introduction
By following the Intune App Protection guided scenario, you will prevent data from being shared or leaked
outside of your organization.
Assigned iOS/iPadOS and Android users must enter a PIN each time they open an Office app. After 5 failed PIN
attempts, users must reset their PIN. If you already require a device PIN, users won't be impacted.
What you will need to continue
We'll ask you about the apps your users need, and what's needed to access them. Make sure you have the following
information handy:
List of Office apps approved for corporate use.
Any PIN requirements for launching approved apps on nonmanaged devices.
Step 2 - Basics
In this step, you must enter a Prefix and Description for your new App protection policy. As you add the Prefix ,
the details related to the resources that the guided scenario creates will be updated. These details will make it easy
to find your policies later if you need to change the assignments and configuration.
TIP
Consider making a note of the resources that will be created, so that you can refer to them later.
Step 3 - Apps
To help you get started, this guided scenario pre-selects the following mobile apps to protect on iOS/iPadOS and
Android devices:
Microsoft Excel
Microsoft Word
Microsoft Teams
Microsoft Edge
Microsoft PowerPoint
Microsoft Outlook
Microsoft OneDrive
This guided scenario will also configure these apps to open weblinks in Microsoft Edge to guarantee work sites are
opened in a protected browser.
Modify the list of policy-managed apps that you want to protect. Add or remove apps from this list.
When you've selected the apps, click Next .
Step 4 - Configuration
In this step, you must configure the requirements for accessing and sharing the corporate files and emails in these
apps. By default, users can save data to your organization's OneDrive and SharePoint accounts.
Setting: Recheck the access requirements after (minutes of inactivity)
Description: If the policy-managed app is inactive for longer than the number of minutes of inactivity specified, the app
will prompt the access requirements (i.e. PIN, conditional launch settings) to be rechecked after the app is launched.
Default value: 30
Setting: Copy data to unmanaged apps
Description: If blocked, managed data will remain in managed apps.
Default value: Allow
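The actions listed at the start of this guided scenario (PIN, five retries, no backups, OneDrive/SharePoint only, jailbreak block, 720 minutes offline, 90 days offline) and the Step 4 defaults above all correspond to properties of the Graph managedAppProtection resource, which is how the resulting policy looks when exported. The following is an added example, not code from the original page or from Microsoft: an offline audit that takes a policy object in that shape and reports which baseline requirements it fails. Property names are those of iosManagedAppProtection and androidManagedAppProtection in Microsoft Graph; the two sample policies are constructed, and the last check (outbound data transfer restricted to managed apps) goes beyond the scenario's default of Allow and reflects the tightening recommended under Next steps.

```python
"""Audit an Intune app protection policy against the baseline that the
'Secure Microsoft Office mobile apps' guided scenario enforces.

Added example, not Microsoft's code. Property names are those of the Graph
managedAppProtection resource (iosManagedAppProtection and
androidManagedAppProtection). Durations are ISO 8601 as Graph returns them,
e.g. "PT720M" (720 minutes) or "P90D" (90 days). The sample policies below
are constructed; feed the audit the JSON that
GET /deviceAppManagement/iosManagedAppProtections/{id} returns for a real one.
"""
import re
from typing import Any, Dict, List

_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def duration_minutes(value: Any) -> int:
    """Convert an ISO 8601 duration such as 'P1DT12H30M' to whole minutes."""
    match = _DURATION.match(str(value))
    if not match or value in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    d, h, m, s = (int(match.group(k) or 0) for k in ("d", "h", "m", "s"))
    return d * 1440 + h * 60 + m + s // 60


def audit_app_protection(policy: Dict[str, Any]) -> List[str]:
    """Return the baseline requirements the policy fails (empty list = pass)."""
    failures: List[str] = []

    def require(ok: bool, name: str) -> None:
        if not ok:
            failures.append(name)

    def within(key: str, limit_minutes: int) -> bool:
        try:
            return duration_minutes(policy[key]) <= limit_minutes
        except (KeyError, ValueError):
            return False  # a missing or malformed duration is a failure, not a pass

    # Android policies expose encryption as a boolean; iOS policies do not carry it.
    if "encryptAppData" in policy:
        require(policy["encryptAppData"] is True, "encrypt work files")
    require(policy.get("pinRequired") is True, "require a PIN")
    require(isinstance(policy.get("maximumPinRetries"), int)
            and 0 < policy["maximumPinRetries"] <= 5,
            "reset PIN after at most 5 failed attempts")
    require(policy.get("dataBackupBlocked") is True, "block backup of work files")
    locations = set(policy.get("allowedDataStorageLocations") or [])
    require(policy.get("saveAsBlocked") is True and bool(locations)
            and locations <= {"oneDriveForBusiness", "sharePoint"},
            "save work files only to OneDrive or SharePoint")
    require(policy.get("deviceComplianceRequired") is True,
            "block jailbroken or rooted devices")
    require(within("periodOfflineBeforeAccessCheck", 720),
            "block access after 720 minutes offline")
    require(within("periodOfflineBeforeWipeIsEnforced", 90 * 1440),
            "wipe work files after 90 days offline")
    require(within("periodOnlineBeforeAccessCheck", 30),
            "recheck access requirements after 30 minutes of inactivity")
    # Beyond the scenario default (Allow): keep org data inside managed apps.
    require(policy.get("allowedOutboundDataTransferDestinations") == "managedApps",
            "restrict data transfer to managed apps")
    return failures


# Constructed sample: what the scenario produces, plus the Next steps tightening.
HARDENED = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "Secure-Office-iOS",
    "pinRequired": True,
    "maximumPinRetries": 5,
    "dataBackupBlocked": True,
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    "deviceComplianceRequired": True,
    "periodOfflineBeforeAccessCheck": "PT720M",
    "periodOfflineBeforeWipeIsEnforced": "P90D",
    "periodOnlineBeforeAccessCheck": "PT30M",
    "allowedOutboundDataTransferDestinations": "managedApps",
}

# Constructed sample: a policy that someone relaxed "temporarily".
WEAK = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "displayName": "Office-Android-relaxed",
    "encryptAppData": False,
    "pinRequired": False,
    "maximumPinRetries": 10,
    "dataBackupBlocked": False,
    "saveAsBlocked": False,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
    "deviceComplianceRequired": False,
    "periodOfflineBeforeAccessCheck": "P30D",
    "periodOfflineBeforeWipeIsEnforced": "P180D",
    "periodOnlineBeforeAccessCheck": "PT8H",
    "allowedOutboundDataTransferDestinations": "allApps",
}

if __name__ == "__main__":
    for name, pol in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit_app_protection(pol) or "passes baseline")
```

Running the audit periodically against exported policies catches the drift that the guided scenario's one-time summary table cannot, since that table is not saved.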
Step 5 - Assignments
In this step, you can choose the user groups that you want to include to ensure that they have access to your
corporate data. App protection is assigned to users, and not devices, so your corporate data will be secure
regardless of the device used and its enrollment status.
Users without app protection policies and conditional access settings assigned will be able to save data from their
corporate profile to personal apps and nonmanaged local storage on their mobile devices. They could also connect
to corporate data services, such as Microsoft Exchange, with personal apps.
IMPORTANT
Once the guided scenario is complete it will display a summary. You can modify the resources listed in the summary later,
however the table displaying these resources will not be saved.
Next steps
Enhance the security of work files by assigning users an App-based conditional access policy to protect cloud
services from sending work files to unprotected apps. For more information, see Set up app-based Conditional
Access policies with Intune.
Common ways to use Microsoft Intune
9/4/2020 • 6 minutes to read
Before diving into implementation tasks, it's important to align your company's enterprise mobility stakeholders
around the business goals of using Intune. Stakeholder alignment is important, whether you are new to enterprise
mobility or migrating from another product.
The needs around enterprise mobility are dynamically evolving, and Microsoft's approach to addressing them is
sometimes different from other solutions in the market. The best way to align around business goals is to express
your goals in terms of the scenarios you want to enable for your employees, partners, and IT department.
Following are short introductions to the six most common scenarios that rely on Intune, accompanied with links to
more information about how to plan and deploy each of them.
NOTE
Do you want to know how Microsoft IT uses Intune to give Microsoft employees access to corporate resources on their mobile
devices while also keeping corporate data protected? Read this technical case study to see in detail how Microsoft IT uses
Intune and other services to manage identity, devices, apps, and data.
IMPORTANT
In light of the recent "Trident" malware attacks on iOS/iPadOS devices, we want to ensure that mobile devices are up to
date. So we've published a blog post called Ensuring mobile devices are up-to-date using Microsoft Intune. It provides
information about the different ways that Intune can help keep your devices secure and up to date.
As you develop your strategy to enable employees to work remotely on their own devices (BYOD), you need to
make key decisions in the scenarios to enable BYOD and how to protect your corporate data. Fortunately, EMS
offers all of the capabilities you need in a comprehensive set of solutions.
In this topic, we examine the simple use case of enabling BYOD access to corporate email. We'll focus on whether
or not you need to manage the entire device or just the applications, both of which are completely valid choices.
Assumptions
You have basic knowledge of Azure Active Directory and Microsoft Intune
Your email accounts are hosted in Exchange Online
Concern: Compromised user account
MDM: Block high risk users
MAM: Block high risk users
Concern: Compromised device or app
MDM: Require a compliant device
MAM: Jailbreak/root check on app launch
Concern: Lost or stolen device
MDM: Remove all device data
MAM: Remove all app data
Concern: Accidental data sharing or saving to unsecured locations
MDM: Restrict device data backups
MAM: Restrict backups of org data
Concern: Accidental data sharing or saving to unsecured locations
MDM: Disable printing
MAM: Disable printing of org data
Next steps
Now it's time to decide if you are going to enable BYOD in your organization by focusing on device management,
app management, or a combination of the two. The implementation choice is yours, where you can rest assured
that the identity and security features available with Azure AD will be available regardless.
Use the Intune Planning Guide to map out your next level of planning.
Manage operating system versions with Intune
9/4/2020 • 4 minutes to read
On modern mobile and desktop platforms, major updates, patches, and new versions release at a rapid pace. You
have controls to fully manage updates and patches on Windows, but other platforms like iOS/iPadOS and Android
require your end users to participate in the process. Microsoft Intune has the capabilities to help you structure your
operating system version management across different platforms.
Intune can help you address these common scenarios:
Determine which operating system versions are on your end-user devices
Control access to organizational data on devices while you validate a new operating system release
Encourage/require end users to upgrade to the latest operating system version approved by your organization
Manage an organization-wide rollout to a new operating system version
In practice
Organizations are using device type restrictions to control access to organizational resources by using the following
settings:
1. Use minimum operating system version to keep end users on current and supported platforms in your
organization.
2. Leave maximum operating system unspecified (no limit) or set it to the last validated version in your
organization to allow time for internal testing of new operating system releases.
For details, see Set device type restrictions.
In practice
Organizations are using device compliance policies for the same scenarios as enrollment restrictions. These policies
keep users on current, validated operating system versions in your organization. When end-user devices fall out of
compliance, access to organizational resources can be blocked via Conditional Access until end users are within the
supported operating system range for your organization. End users are notified that they are out of compliance and
they are provided the steps to regain access.
For details, see Get started with device compliance.
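Both the enrollment restriction above (minimum set, maximum unspecified or pinned to the last validated release) and the compliance policy rely on comparing each device's reported version against a per-platform range. The following is an added example, not code from the original page or from Microsoft: it evaluates a constructed device inventory, shaped like the operatingSystem and osVersion fields of a Graph managedDevice, against a constructed policy table, and shows why versions must be compared component by component as numbers. A plain string comparison ranks "9" above "10" and "14.10" below "14.2", which is how a device slips past a version floor or ceiling; the sample inventory includes such cases on purpose.

```python
"""Evaluate enrolled devices against per-platform OS version ranges, as
enrollment restrictions and compliance policies do.

Added example, not Microsoft's or Intune's code. The policy table and the
device inventory are constructed; device records mimic the operatingSystem
and osVersion fields of a Graph managedDevice.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# (minimum, maximum); None for the maximum means 'no limit', as when the
# maximum is left unspecified in the enrollment restriction.
POLICY: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "iOS": ("13.0", "14.2"),          # 14.3 not yet validated internally (constructed)
    "Android": ("10", None),
    "Windows": ("10.0.18362", None),  # 1903 is the floor used by the modern desktop scenario
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.19041.508' -> (10, 0, 19041, 508). Raises ValueError on strings
    such as '14.2 beta' so they are reported, not silently passed."""
    return tuple(int(part) for part in text.strip().split("."))


def compare_versions(a: str, b: str) -> int:
    """Numeric, component-wise compare returning -1, 0 or 1. Missing trailing
    components count as zero, so '13' equals '13.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def evaluate(device: Dict[str, str],
             policy: Dict[str, Tuple[Optional[str], Optional[str]]] = POLICY) -> str:
    """Return in_range, below_minimum, above_maximum, no_policy or unparseable."""
    platform = device.get("operatingSystem", "")
    if platform not in policy:
        return "no_policy"
    minimum, maximum = policy[platform]
    try:
        if minimum and compare_versions(device["osVersion"], minimum) < 0:
            return "below_minimum"
        if maximum and compare_versions(device["osVersion"], maximum) > 0:
            return "above_maximum"
    except (KeyError, ValueError):
        return "unparseable"
    return "in_range"


def report(devices: List[Dict[str, str]]) -> Dict[str, object]:
    """Version inventory plus the devices that would lose access."""
    versions = Counter((d.get("operatingSystem"), d.get("osVersion")) for d in devices)
    status = {d["deviceName"]: evaluate(d) for d in devices}
    blocked = sorted(n for n, s in status.items() if s not in ("in_range", "no_policy"))
    return {"versions": versions, "status": status, "blocked": blocked}


# Constructed inventory; IPHONE-02 and PIXEL-04 are the string-compare traps.
DEVICES = [
    {"deviceName": "IPAD-01", "operatingSystem": "iOS", "osVersion": "14.2"},
    {"deviceName": "IPHONE-02", "operatingSystem": "iOS", "osVersion": "14.10"},
    {"deviceName": "IPHONE-03", "operatingSystem": "iOS", "osVersion": "12.5.1"},
    {"deviceName": "PIXEL-04", "operatingSystem": "Android", "osVersion": "9"},
    {"deviceName": "PIXEL-05", "operatingSystem": "Android", "osVersion": "11"},
    {"deviceName": "LAPTOP-06", "operatingSystem": "Windows", "osVersion": "10.0.19041.508"},
    {"deviceName": "LAPTOP-07", "operatingSystem": "Windows", "osVersion": "10.0.17763.1"},
    {"deviceName": "HOLO-08", "operatingSystem": "Windows Holographic", "osVersion": "10.0.18362.1"},
]

if __name__ == "__main__":
    result = report(DEVICES)
    for name, state in result["status"].items():
        print(f"{name:10} {state}")
    print("would lose access:", ", ".join(result["blocked"]))
```

The no_policy outcome is deliberate: a platform with no range configured is not blocked, which mirrors an unrestricted enrollment and is worth surfacing in the report rather than treating as compliant.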
Next steps
Use the following resources to manage operating system versions in your organization:
Set device type restrictions
Get started with device compliance
How to create and assign app protection policies
Manage and use different device management
features on Windows Holographic and HoloLens
devices with Intune
9/4/2020 • 7 minutes to read
Microsoft Intune includes many features to help manage devices that run Windows Holographic for Business, such
as the Microsoft HoloLens. Using Intune, you can confirm that devices are compliant with your organization's rules,
and you can customize the device by adding a VPN or WiFi profile. Another key feature is to use the device as a
Kiosk, and run a specific app, or a specific set of apps.
The tasks in this article help you manage, customize, and secure your devices running Windows Holographic for
Business, including software updates and using Windows Hello for Business.
To use Windows Holographic devices with Intune, create an Edition Upgrade profile. This upgrade profile upgrades
the devices from Windows Holographic to Windows Holographic for Business. For the Microsoft HoloLens, you can
buy the Commercial Suite to get the required license for the upgrade. For more information, see Upgrade devices
running Windows Holographic to Windows Holographic for Business.
Company Portal
Configure the Company Portal app
Intune provides the Company Portal app for users to access company data, enroll devices, install apps, contact their
IT department, and more. You can customize the Company Portal app for your devices running Windows
Holographic for Business.
Using the Company Portal app, you can also run the following actions:
Remove a device from Intune using the Settings app or the Company Portal app
Rename a device
Install apps on a device
Sync devices manually from the Settings app or the Company Portal app
Compliance policy
Create a device compliance policy
Compliance policies are rules and settings that devices must meet to be compliant. Use these policies with
Conditional Access to block access to company resources for devices that are not compliant. In Intune, create
compliance policies to allow or block access for devices running Windows Holographic for Business. For example,
you can create a policy that requires BitLocker be enabled.
See also Get started with compliance policies.
NOTE
Intune allows a maximum package size of 8 GB. This limit applies only to line-of-business (LOB) apps uploaded to
Intune.
To deploy apps using the Microsoft Store for Business, see How to manage apps you purchased from the
Microsoft Store for Business with Microsoft Intune.
To learn about app management with Microsoft Intune, see What is app management in Microsoft Intune.
To learn more about developing apps for Microsoft HoloLens, see Mixed reality apps for Microsoft HoloLens.
NOTE
HoloLens devices running Windows 10 Holographic for Business 1607 don't support online-licensed apps from the Microsoft
Store for Business. To learn more, see Install apps on HoloLens.
Device actions
Intune has some built-in actions that allow IT administrators to do different tasks, locally on the device, or remotely
using Intune in the Azure portal. Users can also issue a remote command from the Intune Company Portal to
personally owned devices that are enrolled in Intune.
When using devices running Windows Holographic for Business, the following actions can be used:
Wipe : The Wipe action removes the device from Intune, and restores the device back to its factory default
settings. Use this action before giving the device to a new user, or when the device is lost or stolen.
Retire : The Retire action removes the device from Intune. It also removes managed app data, settings, and
email profiles assigned by Intune. The user's personal data stays on the device.
Sync devices to get the latest policies and actions : The Sync action forces the device to immediately
check in with Intune. When a device checks in, the device immediately receives any pending actions or
policies that are assigned. This feature helps you validate and troubleshoot policies you've assigned, without
waiting for the next scheduled check-in.
What is Microsoft Intune device management? is a good resource to learn about managing devices using the
Azure portal.
Software updates
Manage software updates
Intune includes a feature called update rings for Windows 10 devices. These update rings include a group of
settings that determine how updates are installed. For example, you can create a maintenance window to install
updates, or choose to restart after updates are installed. An update ring can be applied to multiple devices running
Windows Holographic for Business.
Next steps
Set up Intune.
Intune deployment planning, design, and
implementation guide
5/5/2020 • 2 minutes to read
A successful Microsoft Intune deployment starts with having a good plan and design. The purpose of this guide is
to step you through the process of developing a deployment plan, creating a design, onboarding Intune, and
conducting a production rollout.
Assumptions
You've already evaluated Intune in a proof of concept (PoC) environment, and have decided to use it as the
mobile device management solution in your organization.
You're already familiar with Intune and its features.
Next steps
Let's get started with the first section: Determine deployment goals, objectives, and challenges.
Determine deployment goals, objectives, and
challenges
9/4/2020 • 3 minutes to read
Having a good deployment plan begins with first identifying your organization's deployment goals and objectives,
along with potential challenges. Let's discuss each area in more detail.
Deployment goals
Deployment goals are the long-term achievements you intend to gain by deploying Intune in your organization.
Listed below are some examples of such goals along with the description and business value for each.
Integrate with Microsoft 365 and support the use of Office mobile apps
Description: Provide tight integration with Microsoft 365 and the use of Office mobile apps with
app protection.
Business value: Secure and improved user experience by allowing users to use apps they are
familiar with and prefer.
Enable access to internal corporate services on mobile devices
Description: Enable employees to be productive wherever they need to work from, and with
whichever device is most appropriate for them. This project should look to enable mobile
productivity and access to corporate data in a safe manner.
Business value: Enabling employees to be agile and work from where they need allows the
business to be more competitive and to provide a more rewarding working environment.
Provide data protection on mobile devices
Description: When data is stored on a mobile device, it should be protected from malicious and
accidental loss or sharing.
Business value: Data protection is vital to ensure that we remain competitive, and that we treat our
clients and their data with the utmost diligence.
Reduce costs
Description: When possible, the project reduces deployment and operating costs.
Business value: The efficient use of resources enables the business to invest in other areas,
compete more effectively, and provide better service to clients.
Deployment objectives
Deployment objectives are the actions your organization can take to reach its Intune deployment goals. Below are
listed some examples of deployment objectives, and how each would be accomplished.
Reduce the number of device management solutions
Implementation: Consolidate to a single mobile device management solution: Microsoft Intune for
corporate data protection of apps and devices.
Provide secure access to Exchange and SharePoint Online
Implementation: Apply Conditional Access for Exchange and SharePoint Online.
Prevent corporate data from being stored or forwarded to non-corporate services on the
mobile device
Implementation: Apply Intune app protection policies for Microsoft Office and line-of-business apps.
Provide capability to wipe corporate data from the device
Implementation: Enroll devices into Intune. This gives you the capability to perform a remote wipe of
corporate data and resources when appropriate.
Deployment challenges
Deployment challenges are issues that are top of mind for an organization and that may have a negative impact on
deployment. Sometimes they are related to past issues from previous projects that you would like to avoid or new
issues related to the current deployment effort. Listed below are some examples of Intune deployment challenges
along with potential mitigations.
Support readiness and end-user experience are not included in an initial project scope. This leads to poor
end-user adoption and challenges for your support organization.
Mitigation: Incorporate support training. Validate the end-user experience with success metrics in your
deployment plan.
Lack of clearly defined goals and success metrics leads to intangible results. It may also shift your
organization into reactive mode when issues arise.
Mitigation: Define your goals and success metrics early in your project scope, and use these data points
to flesh out your other rollout phases. Make sure goals are SMART (Specific, Measurable, Attainable,
Realistic, and Timely). Plan to measure against your goals at each phase and to ensure your rollout
project stays on track.
You neglect to create, validate, and aggressively share a clear value proposition that resonates for your
organization. This often leads to limited adoption and a lack of return on investment (ROI).
Mitigation: While you may be excited to jump into your project, ensure you have clearly defined your
goals and objectives. Include these in all awareness and training activities to help ensure users
understand why your organization selected Intune.
Next steps
Now that you have identified your deployment goals, objectives, and potential challenges, let's move to the next
section: Identify use case scenarios.
Identify mobile device management use-case
scenarios
9/4/2020 • 2 minutes to read
Identifying your use-case scenarios is an important part of the planning process for a successful Intune
deployment. Use-case scenarios are helpful because they let you segment your users into manageable groups by
user type or role, and the ownership of the user's device (for example, company or personal).
Let's discuss a few examples to help your organization identify Intune use-case scenarios, as well as organizational
groups, and mobile device platforms associated with each use case.
Device ownership
You can begin by referring to your organization's Intune deployment goals and objectives to help identify the main
use-case scenarios for your deployment. Within the scope of your Intune deployment plan, answer the following
questions:
Are you planning to support corporate owned devices?
Are you planning to support personally owned devices (BYOD)?
These are not either/or options. You may find you need to support both forms of device ownership to meet your
organizational goals. The sub-use-cases will help clarify where to apply the different device management policies.
User type or device role
Determine if each use-case scenario also includes sub-use-cases. For example, your organization may have
identified requirements to support a corporate use-case scenario that includes additional sub-use-cases based on
user type or device role, such as:
Information worker
Executive
Kiosk
Here are a few examples of use-case and sub-use-case scenarios:
Corporate Executives
Corporate Kiosk
BYOD Executives
Next steps
The next section provides guidance on how to identify the Intune requirements for each use case scenario.
Determine use-case scenario requirements
9/4/2020 • 2 minutes to read
In this section, you determine the requirements for each organizational group within each use-case scenario. This
process helps you prepare for the other Intune deployment planning areas like architecture and design,
onboarding, and rollout. It can also help identify potential gaps and challenges related to your Intune deployment
project.
You might have different sets of requirements for each of your use-case and sub-use-case scenarios, and their
associated organizational groups and mobile device platforms. For example, your corporate use-case scenario
requirements might require devices to enroll into Intune with a more restrictive set of device settings, like a PIN of
6 characters or disabled cloud backup. Your "bring your own device" (BYOD) use-case scenario may be less
restrictive and allow a 4-character PIN and cloud backup.
You may also have organizational groups for the corporate use-case scenario that have different sets of
requirements (for example, PIN settings, Wi-Fi or VPN profile, apps deployed). Your requirements may also be
determined by the capabilities of the mobile device platform (for example, fingerprint reader, email profile).
Here are a few examples of an organization's use-case requirements showing different sets of requirements for
each use-case and sub-use-case scenario, organizational group, and mobile device platform. You can also use the
following table to enter your organization's use-case requirements:
You can download a template of the above table to enter your organization's use-case and sub-use-case
requirements.
Examples of requirements
Here are a few more examples that can be used in the "Requirements" column:
Secure e-mail
Conditional Access for Exchange Online / on-premises
Outlook app protection policies
Device settings
PIN setting with four or six characters
Restrict cloud backup
Profiles
Wi-Fi
VPN
Email (Windows 10 mobile)
Apps
Microsoft 365 with app protection policies
Line of business (LOB) with app protection policies
Next steps
The next section provides guidance on how to develop an Intune rollout plan.
Develop a rollout plan
3/9/2020 • 4 minutes to read
Your rollout plan identifies the organizational groups you want to target for your Intune rollout, the rollout
timeframe for each group, and the enrollment approaches you will use.
Rollout phases
Organizations commonly choose to start the Intune rollout with an initial pilot, targeting a small group of users in
the IT department. The pilot can be expanded to include a broader set of IT users and may include participation
from other organizational groups.
Pilot
The first phase to rollout should be to pilot users. The pilot users should understand they are the first users in a
new solution. They must be willing to provide feedback to help improve configuration, documentation,
notifications, and ease the way for all other users in later rollout phases. These users should not be executives or
VIPs.
The pilot is a good opportunity for you to test the challenges and refine requirements you gathered earlier.
Include your communication plan, support plan, and testing and validation to work out any problems while the
impact to users is still small.
Production rollout
After a successful pilot, you're ready to start a full production rollout, targeting the rest of your organization's
groups. Some examples of different rollout groups and phases are:
Departments
Each department can be a rollout phase. You target an entire department at a time. In this type of rollout,
users in each department tend to use the mobile device in the same way and access the same applications.
Users will likely have the same types of policies.
Geography
In this approach, you deploy to all users in a specific geography, whether that is the same continent,
country/region, or the same company building. This type of phased deployment lets you focus on the specific
location of users. It can let you provide more of a white-glove approach, because the number of
locations deploying Intune at the same time is reduced. Because different departments or use cases may
share the same location, several use cases might be deployed at the same time.
Platform
This type of deployment consists of deploying similar platforms at the same time. An example might be all
iOS/iPadOS devices the first month, followed by Android, followed by Windows. This type of phased
deployment helps simplify helpdesk support because helpdesk would only have to support a single
platform at a time.
Here's an example of an Intune rollout plan that includes targeted groups and timelines:
Limited Pilot: Self-service IT
Expanded Pilot: Self-service IT, Self-service Retail
You can download a template of the above table to enter your organization's rollout phases.
Next steps
The next section provides guidance on developing an Intune rollout communication plan.
Develop a rollout communication plan
4/22/2020 • 2 minutes to read
Good change management relies on clear and helpful communications about the upcoming changes. To smooth
the path of your Intune deployment, your rollout communication plan should include four areas:
What information is to be communicated
The delivery method used for the communications
Who receives the communications
The timeline for communications
Let's review each area in more detail.
Communications timeline
After determining what you need to communicate and the methods you will use, determine the timeline for your
communications that includes when and who would receive the communications.
For example, the initial Intune project kickoff communications can target the entire organization or just a subset,
and take place over several weeks before the Intune rollout begins. After that, information could be communicated
in waves to organizational groups and users, aligned with their Intune rollout schedule. The following example is a
sample high-level Intune rollout communications plan:
COMMUNICATION PLAN       JULY          AUGUST        SEPTEMBER     OCTOBER
Wave 1                   All
Pre-rollout Email 1      First week    First week    First week    First week
Pre-rollout Email 2      Second week   Second week   Second week   Second week
Enrollment email         Third week    Third week    Third week    Third week
Post-enrollment email    Fourth week   Fourth week   Fourth week   Fourth week
You can download a template of the above table to develop your communication plan.
Next step
The next section provides guidance on developing a support plan.
Develop a support plan
4/22/2020 • 2 minutes to read
Having an Intune support plan can help you identify and resolve Intune related issues more effectively. This, in
turn, improves your users' overall Intune experience. Here are some questions to consider as you develop your
Intune support plan:
Which teams will be responsible for providing Intune support?
What process will be used to provide Intune support?
How do you plan to provide Intune support training?
What are the opportunities to involve the support team early in the Intune deployment process?
Let's review each area in more detail.
Next step
The next section provides guidance on designing Intune.
Create a design
9/4/2020 • 13 minutes to read
Your Intune design is based on the information you collect and decisions you make when completing other
sections of this guide. It helps you bring together:
The current environment
Intune deployment options
Identity requirements for external dependencies
Device platform considerations
Requirements to be delivered
Although there are minimal on-premises infrastructure requirements, a design plan is still helpful to make sure you
have the right mobile device management solution that meets your goals, objectives, and requirements.
Let's review each of these areas in more detail.
AREA                    CURRENT ENVIRONMENT                                  NOTES
Identity                Azure AD, Azure AD Connect, not federated, no MFA    Project in place to enable MFA by end of year
Email environment       Exchange on-premises, Exchange Online                Currently migrating from Exchange on-premises to Exchange Online. 75% of mailboxes migrated. Last 25% will be migrated before Intune pilot begins.
Certificate solution    Microsoft Server 2012 R2, AD Certificate Services    Only use PKI for Web Site Servers
System Management       Configuration Manager current branch                 Would like to investigate co-management solution
You can download a template of the above table to develop your Intune design plan.
External dependencies
External dependencies are services and products that are separate from Intune, but are either a requirement of
Intune, or might integrate with Intune. It's important to identify requirements for any external dependencies and
how to configure them. Some examples of common external dependencies are:
Identity
User and device groups
Public key infrastructure (PKI)
In the following, we explore these common external dependencies in more detail.
Identity
Identity is how we identify the users who belong to your organization and are enrolling a device. Intune requires
Azure Active Directory (Azure AD) as the user identity provider. If you already use this service, you can use your
existing identity already in the cloud. In addition, Azure AD Connect is the recommended tool to synchronize your
on-premises user identities with Microsoft cloud services. If your organization is already using Microsoft 365, it's
important for Intune to use the same Azure AD environment.
Learn more about the following Intune identity requirements:
Identity requirements.
Directory synchronization requirements.
Multi-factor authentication requirements.
User and device groups
User and device groups determine the target of a deployment, including policies, applications, and profiles. You
need to determine what user and device groups will be required.
We recommend that you create all groups in the on-premises Active Directory, then synchronize to Azure AD.
Learn more about user and device group planning and creation:
Plan your user and device groups.
Create user and device groups.
Public key infrastructure (PKI)
Public key infrastructure supplies certificates to devices or users to securely authenticate to a service. Intune
supports a Microsoft PKI infrastructure. Device and user certificates can be issued to a mobile device to satisfy
certificate-based authentication requirements. Before you use certificates, you need to determine if you need them,
if the network infrastructure can support certificate-based authentication, and if certificates are currently used in
the existing environment.
If you're planning to use certificates with VPN, Wi-Fi, or e-mail profiles with Intune, make sure you have a
supported PKI infrastructure in place, ready to create and deploy certificate profiles.
In addition, if SCEP certificate profiles will be used, you need to determine which server will host the Network
Device Enrollment Service (NDES) feature, and how the communication will happen.
Learn more about:
How to configure Intune certificate profiles
How to configure the certificate infrastructure for SCEP
How to configure the certificate infrastructure for PFX
DEVICE PLATFORM          OS VERSIONS
You can download a template of the above table to develop your list of devices.
Device ownership
Intune supports both corporate-owned devices and personal devices. A device is considered corporate-owned if
you enroll it through a device enrollment manager or a device enrollment program. For example, a device is enrolled
with the Apple Device Enrollment Program (DEP), marked as corporate, and placed in a device group that receives
targeted corporate policies and apps.
Refer to Section 3: Determine use case scenario requirements for more information about corporate and BYOD use
cases.
Bulk enrollment
You can enroll devices in bulk in different ways depending on the platform. If you require bulk enrollment, first
determine the bulk enrollment method and incorporate it into your design.
Feature requirements
In these sections, we review the following features and capabilities that are aligned with your use case scenario
requirements:
Terms and conditions policies
Configuration policies
Resource profiles
Apps
Compliance policy
Conditional Access
Let's review each of these areas in more detail.
Terms and conditions policies
You can use terms and conditions to explain policies or conditions that an end user must accept before they can
enroll their device. Intune supports the ability to add and deploy multiple terms and conditions policies to user
groups.
You need to determine whether terms and conditions policies are needed and, if so, who in the organization will be
responsible for providing this information. An example of how to document the terms and conditions policy is below.
You can download a template of the above table to map your terms and conditions to your user groups.
Configuration policies
Use configuration policies to manage security settings and features on a device. When designing your
configuration policies, refer to the use case requirements section to determine the configurations required for
Intune devices. Document the settings and how they should be configured. Also document which user or device
groups they will be targeted to.
You should create at least one configuration policy per platform. You can create several configuration policies per
platform if needed. Below is an example of designing four different configuration policies for different platforms
and use-case scenarios.
You can download a template of the above table to identify your configuration policy needs.
Profiles
Use profiles to help the end user connect to company data. Intune supports many types of profiles. Refer to the use
cases and requirements to determine when the profiles will be configured. All device profiles are categorized by
platform type and should be included in the design documentation.
Certificate profiles
Wi-Fi profile
VPN profile
Email profile
Let's review each type of profile in more detail.
Certificate profiles
Certificate profiles allow Intune to issue a certificate to a user or device. Intune supports the following:
Simple Certificate Enrollment Protocol (SCEP)
Trusted Root Certificate
PFX certificate
We recommend that you document which user group needs a certificate, how many certificate profiles you need,
and which user groups to deploy them to.
NOTE
Remember that the trusted root certificate is required for the SCEP certificate profile, so make sure all users targeted for the
SCEP certificate profile also receive a trusted root certificate. If you need SCEP certificates, design and document what SCEP
certificate templates you need.
Here's an example of how you can document the certificates during the design:
You can download a template of the above table to identify your certificate profile needs.
Wi-Fi profile
Wi-Fi profiles are used to automatically connect a mobile device to a wireless network. Intune supports deploying
Wi-Fi profiles to all supported platforms. Learn more about how Intune supports Wi-Fi profiles.
Below is an example of a design for a Wi-Fi profile:
Wi-Fi    North America Wi-Fi profile    Android, iOS/iPadOS    Corporate, BYOD    North America region
You can download a template of the above table to identify your Wi-Fi profile needs.
VPN profile
VPN profiles let users securely access your network from remote locations. Intune supports VPN profiles from
native mobile VPN connections and third-party vendors. Learn more about VPN profiles and vendors supported
by Intune.
Below is an example of documenting the design of a VPN profile.
VPN Profile    VPN Cisco AnyConnect    Android, iOS/iPadOS    Corporate, BYOD    North America and Germany
You can download a template of the above table to identify your VPN profile needs.
Email profile
Email profiles allow an email client to be automatically set up with connection information and email configuration.
Intune supports email profiles on some devices. Learn more about email profiles and what platforms are
supported.
Below is an example of documenting the design of email profiles:
You can download a template of the above table to identify your email profile needs.
Apps
You can use Intune to deliver apps to the users or devices in several ways. The type of application includes software
installer apps, apps from a public app store, external links, or managed iOS apps. In addition to individual app
deployments, you can manage and deploy volume-purchased apps obtained through the volume-purchase
programs for iOS and Windows. Learn more about:
The types of apps you can deliver
iOS Volume Purchase Program for Business (VPP)
Microsoft Store for Business apps
App type requirements
Since apps can be deployed to users and devices, we recommend that you decide which applications will be
managed by Intune. While gathering the list, try to answer the following questions:
Do the apps require integration with cloud services?
Will all apps be available to BYOD users?
What are the deployment options available for these apps?
Does your company need to provide access to Software-as-a-service (SaaS) apps data for their partners?
Do the apps require internet access from user's devices?
Are the apps publicly available in an app store, or are they custom line-of-business (LOB) apps?
App protection policies
App protection policies minimize data loss by defining how the application manages the corporate data. Intune
supports app protection policies for any application built to function with mobile app management. When you
design the app protection policy, you need to decide what restrictions you want to place on corporate data in a
given app. We recommend that you review how app protection policies work. Below is an example of how to
document the existing applications and what protection is needed.
APPLICATION    PURPOSE    PLATFORMS    USE CASE    APP PROTECTION POLICY
You can download a template of the above table to identify your app protection policy needs.
Compliance policies
Compliance policies determine whether a device conforms to certain requirements. Intune uses compliance
policies to determine if a device is considered compliant or noncompliant. The compliance status can then be used
to restrict or allow access to company resources. If Conditional Access is required, we recommend that you design
a device compliance policy.
Refer to requirements and use cases to determine how many device compliance policies you need and which user
groups are the target user groups. Additionally, you need to decide how long a device can be offline without
checking in before it's considered noncompliant.
Below is an example of how to design a compliance policy:
Compliance policy    iOS/iPadOS, Android - Samsung Knox, non-Knox    PIN - required, cannot be jailbroken    Corporate, BYOD
You can download a template of the above table to identify your compliance policy needs.
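The design row above maps directly onto Intune compliance policy objects. As an added example that is not part of the Intune documentation, the following Python builds the Microsoft Graph request bodies for the iOS/iPadOS and Android compliance policies (stricter corporate PIN, relaxed BYOD PIN, as in the use-case requirements section) together with the tenant setting that controls how long a device may go without checking in before it is treated as noncompliant. The policy names, PIN lengths, grace periods and the 1-120 day validity range are assumed values chosen for illustration; field names follow the Graph deviceCompliancePolicy and deviceManagementSettings resources.

```python
"""Build Microsoft Graph request bodies for the Intune compliance policies
described in the design table.  Added example, not Microsoft's code.
Policy names, PIN lengths, grace periods and the validity range check are
assumed values chosen for illustration."""
import json
from dataclasses import dataclass

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
POLICIES_URL = f"{GRAPH_BASE}/deviceManagement/deviceCompliancePolicies"
SETTINGS_URL = f"{GRAPH_BASE}/deviceManagement"

# Each platform has its own @odata.type and names its PIN settings differently
# (iOS uses "passcode*", Android uses "password*").
PLATFORMS = {
    "iOS/iPadOS": ("#microsoft.graph.iosCompliancePolicy", "passcode"),
    "Android": ("#microsoft.graph.androidCompliancePolicy", "password"),
}


@dataclass(frozen=True)
class DesignRow:
    """One row of the compliance-policy design table (constructed values)."""
    platform: str
    use_case: str      # "Corporate" or "BYOD"
    pin_length: int    # 6 for corporate, 4 for BYOD, per the requirements section
    grace_hours: int   # hours a failing device keeps access before it is blocked


def compliance_policy_body(row: DesignRow) -> dict:
    """Return the JSON body for POST .../deviceCompliancePolicies."""
    odata_type, pin = PLATFORMS[row.platform]
    return {
        "@odata.type": odata_type,
        "displayName": f"{row.platform} {row.use_case} compliance",
        "description": f"PIN of at least {row.pin_length} characters, no jailbreak/root",
        f"{pin}Required": True,
        f"{pin}MinimumLength": row.pin_length,
        # "cannot be jailbroken" from the design table; the same flag covers
        # rooted Android devices.
        "securityBlockJailbrokenDevices": True,
        # What happens when a rule fails: the device is marked noncompliant and,
        # after the grace period, blocked, which Conditional Access then enforces.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": row.grace_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def checkin_threshold_body(days: int) -> dict:
    """Body for PATCH /deviceManagement: the number of days a device may go
    without checking in before Intune marks it noncompliant."""
    if not 1 <= days <= 120:  # assumed admin-center limit
        raise ValueError("compliance status validity period must be 1-120 days")
    return {"settings": {"deviceComplianceCheckinThresholdDays": days}}


def design_table() -> list:
    """Constructed design rows: stricter corporate PIN, relaxed BYOD PIN."""
    rows = []
    for platform in PLATFORMS:
        rows.append(DesignRow(platform, "Corporate", pin_length=6, grace_hours=0))
        rows.append(DesignRow(platform, "BYOD", pin_length=4, grace_hours=24))
    return rows


def render_requests(rows, checkin_days: int = 30) -> list:
    """Return (method, url, body) tuples an admin would send with a Graph token."""
    calls = [("POST", POLICIES_URL, compliance_policy_body(r)) for r in rows]
    calls.append(("PATCH", SETTINGS_URL, checkin_threshold_body(checkin_days)))
    return calls


if __name__ == "__main__":
    for method, url, body in render_requests(design_table()):
        print(method, url)
        print(json.dumps(body, indent=2))
```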
Conditional Access policies
Conditional Access is used to allow only compliant devices to access email and other company resources. Intune
works with Enterprise Mobility + Security (EMS) to control access to company resources. Decide if you require
Conditional Access, and what must be secured. Learn more about Conditional Access.
For online access, decide what platforms and user groups you'll target by Conditional Access policies. Also,
determine whether you need to install or configure the Intune connector for Exchange on-premises:
Exchange on-premises
Here's an example of how to document Conditional Access policies:
SERVICE    PLATFORMS FOR MODERN AUTHENTICATION    BASIC AUTHENTICATION    USE CASES
Next steps
The next section provides guidance on the Intune implementation process.
Implement your Microsoft Intune plan
9/4/2020 • 4 minutes to read
During the onboarding phase, you deploy Intune into your production environment. The implementation process
consists of setting up and configuring Intune and external dependencies (if required) based on your use-case
requirements.
The following section provides an overview of the Intune implementation process that includes requirements and
high-level tasks.
Intune requirements
The main Intune standalone requirements are:
Enterprise Mobility + Security (EMS)/Intune subscription
Microsoft 365 subscription (for Office apps and app-protection-policy managed apps)
Apple APNs Certificate (to enable iOS/iPadOS device platform management)
Azure AD Connect (for directory synchronization)
Intune On-Premises Connector for Exchange (for Conditional Access for Exchange On-Premises, if needed)
Intune Certificate Connector (for SCEP certificate deployment, if needed)
TIP
See the list of supported devices for a complete list of devices you can manage with Intune.
Next steps
See guidance on testing and validating your Intune deployment.
Intune testing and validation
9/4/2020 • 2 minutes to read
When testing the implementation of Microsoft Intune, consider functional validation and use-case validation.
Functional validation consists of testing each component and configuration to determine if it is working correctly.
Use-case validation involves testing to verify that the scenarios involving a series of tasks work as expected.
We recommend that you incorporate your IT support and helpdesk staff in the testing phase so that support
documentation is created, and the IT support and helpdesk staff become comfortable supporting the product. If a
component or scenario does not function based on the use cases, make sure to document the necessary changes,
and include the reason a change was made.
For example, you realize that you don't meet the requirements of Network Device Enrollment Service (NDES), and you also
learn that the VPN and Wi-Fi profiles can be configured with a root CA satisfying the same requirements without
an NDES implementation.
You might experience challenges or issues that require technical guidance or specialized troubleshooting during
the testing and validation process. We recommend that you seek assistance through the Microsoft support
channels.
Learn how to get Intune support
Contact assisted phone support for Microsoft Intune
End user
Perform end-user validation testing to validate that the end-user experience is as expected and presented correctly
in all user communications. It is important to validate that the end-user experience is correct. If you fail to validate,
it can lead to lower adoption rates and higher volumes of helpdesk calls.
Next steps
Now that you have tested and validated your Intune functional and use-case scenarios, you're ready for your
Intune production rollout.
See additional resources for more planning templates and information.
Additional resources for planning your Intune
deployment
9/4/2020 • 2 minutes to read
Templates
Microsoft Excel templates for the tables used in the planning guide are available for download.
Here's a list of table templates for each section.
Email Profile
Applications
Compliance policy
Further reading
Check out these resources for additional information that may be helpful during the Intune deployment planning,
design, and implementation process.
Microsoft Intune documentation - The full set of Intune documentation.
Microsoft Trust Center - Learn Microsoft's approach to security, privacy, compliance, and transparency in all
Microsoft cloud products and services.
Intune User Voice - Want to request a feature or vote with other customers for features? Provide feedback
on Intune through User Voice. We're listening.
Plan communication - The communication plan is a key element to an Intune adoption. In this article, you
can download the Intune Adoption Kit that includes email templates, an Intune Enrollment guide, and links
to instructional videos to assist you in educating your end users on enrollment.
Intune migration guide
4/22/2020 • 2 minutes to read
A successful migration to Microsoft Intune starts with a solid plan that factors in your current mobile device
management (MDM) environment, business goals, and technical requirements. Additionally, you need to include
the key stakeholders who will support and collaborate with your migration plan.
This guide walks you through the various details involved in migrating from a third-party MDM provider to Intune.
Assumptions
You've already evaluated Intune in a proof of concept (PoC) environment, and have decided to use it as the
MDM solution in your organization.
You are already familiar with Intune and its features.
Before you begin
It's important to recognize that your new Intune deployment might be different from your old MDM deployment.
Unlike traditional MDM services, Intune centers on identity-driven access control, and so does not require a
network proxy appliance to control access to corporate data from mobile devices outside the organization's
network perimeter. Microsoft offers solutions to secure data services within the cloud itself through a suite of
tightly integrated cloud services, collectively referred to as the Enterprise Client + Security offering.
Review the common ways to use Intune.
Next steps
Phase 1: Prepare Intune for mobile device management
Phase 1: Prepare Microsoft Intune for mobile device
management (MDM)
4/22/2020 • 2 minutes to read
Before diving into the details of setting up Intune, let's review the mobile device management requirements of
your organization. It might be helpful to run reports of active users in your current MDM provider to identify the
critical user groups. Then you can begin addressing the questions in the Assess MDM requirements section.
Next steps
Read these case studies from different industry sectors to see how organizations assessed their requirements for
mobile device management.
Review the basic Intune setup.
Basic setup
9/4/2020 • 2 minutes to read
After you assess your environment, it's time to set up Microsoft Intune.
IMPORTANT
If you are transferring your mobile device management to Intune for the first time, you should set the MDM authority to
Intune.
Learn how to set the mobile management authority.
Next step
Configure device and app management policies.
Configure device compliance and app management
policies when migrating to Microsoft Intune
4/22/2020 • 2 minutes to read
The main goal when migrating to Intune is to have all devices enrolled in Intune and compliant with its policies.
Device policies not only help you to manage corporate-owned single-user devices, but also personal (BYOD) and
shared devices such as kiosks, point-of-sale machines, tablets shared by multiple students in a classroom, or
userless devices (iOS only).
Each device platform may offer different settings, but Intune device policies work with each device platform by
providing the following mobile device management capabilities:
Regulate the number of devices each user enrolls.
Manage device settings (for example, device-level encryption, password length, camera usage).
Deliver apps, email profiles, VPN profiles, and so on.
Evaluate device-level criteria for security compliance policies.
IMPORTANT
Device management policies are not assigned directly to individual devices or users, but instead are assigned to user groups.
The policies may be directly applied to a user group, and thereby to the user's device, or the policies may be applied to a
device group, and thereby to group members.
Next steps
Configure app protection policies (optional).
Configure app protection policies (optional)
9/4/2020 • 2 minutes to read
Next steps
Special migration considerations
Special migration considerations
3/9/2020 • 2 minutes to read
There are special migration considerations that may apply depending on your existing MDM provider
environment.
Next steps
Phase 2: Migration campaign
Phase 2: Migration campaign
4/22/2020 • 2 minutes to read
Choose a migration approach that is most suitable for your organization's needs and adjust implementation tactics
based on your specific requirements. The remainder of this guide will equip you with the tools you need to achieve
the goal of getting your users' devices enrolled into Intune.
IMPORTANT
Do not configure both Intune and your existing third-party MDM solution to apply access controls to resources such as
Exchange or SharePoint Online. Additionally, devices should only be enrolled in one solution at a time.
Next steps
Create your communication plan.
Plan communications
4/22/2020 • 2 minutes to read
The communication plan is a key element to an Intune migration. The following tools and templates are provided to
assist you in educating end users. The Intune Adoption Kit includes email templates, an Intune Enrollment guide,
and links to instructional videos for end user enrollment.
Download: Intune Adoption Kit
Email templates
We recommend the following email communication plan. You may edit the text to align to your users' operating
system and environment. We've provided templates for you to adapt for your communication plan:
Email #1: Explain the benefits, expectations, and schedule. Take this opportunity to showcase any other new
services whose access will be granted on devices managed by Intune.
Email #2: Announce that services are now ready for access through Intune. Tell users to enroll now. Give
users a timeline before their access is affected. Remind users of benefits and strategic reasons for migration.
After a certain period, you can begin enforcing compliance through Conditional Access policies and use it as criteria
to access corporate data, as explained in Drive end-user adoption with Conditional Access.
Instructional videos
We have created short, step-by-step videos to aid your users in easily enrolling their devices in Intune.
Enroll your Android device
Enroll your Android Work Profile device
Enroll your iOS/iPadOS device
Enroll your macOS device
Enroll your Windows
Next steps
Intune has additional resources you can use to promote device enrollment with your users:
How to educate your end users about Microsoft Intune breaks out enrollment steps by mobile OS platform.
The Intune device enrollment for IT administrators explains how to enroll Android, iOS/iPadOS, and Mac devices
in Intune.
Share the Company Portal app with your Android, iOS/iPadOS, and Windows users.
Drive end-user adoption with Conditional Access in
Microsoft Intune
9/4/2020 • 2 minutes to read
Enabling Conditional Access features with Intune, such as blocking email for unenrolled devices, can help drive
enrollment and compliance, but they aren't required for a successful migration. Your migration adoption goals
and security requirements should define what success looks like.
Next steps
Learn about the typical migration cycle.
Typical migration cycle
4/22/2020 • 2 minutes to read
It's common for an organization to start its Intune migration with a small pilot that targets a subset of users in
the IT department. Additionally, your organization may need to discuss factors such as the group's willingness
for change, number of users, complexity, requirements, location, and business risk to help determine the
migration time frame.
Here's an example of how your target groups could be scheduled:
Migration targeted groups: Time period 1, Time period 2, Time period 3, Time period 4, ...
Monitoring migration
Intune provides several ways that you can monitor your migration:
Intune user group views
Set of built-in reports
In-console alerts
Track how many users have enrolled devices after each phase so that you can:
Evaluate the effectiveness of your communication plan.
Estimate the impact of enforcing Conditional Access.
Post-migration
Retire the previous MDM provider and unsubscribe from the service after migrating to Intune. Additionally,
remove any unneeded infrastructure requirements by following the MDM provider's instructions.
How to educate your end users about Microsoft
Intune
3/12/2020 • 3 minutes to read
Microsoft Intune helps you enable your workforce with mobile devices while protecting your corporate data. To
test out the Intune deployment in your organization, you can try a free trial.
As you implement Microsoft Intune, it's important that employees understand the need for device management
and enterprise mobility. Without an explanation from you, some users might feel that you're infringing on their
privacy. User concern for privacy increases when you deploy Intune as a BYOD solution.
IMPORTANT
Understanding and proactively addressing user concerns about why your company needs to manage devices is critical to a
successful rollout.
Successful adoption isn't just about distributing new, functional technology throughout your workforce. It's also
about getting users to understand and embrace the new technology. That's why it's important for users to
understand and embrace the data security that Intune provides.
NOTE
Transparency, wherever possible, is fundamental to the success of your deployment.
It's important to combine trust with well-crafted compliance policies. Users should know that even if you could
look at certain types of personal data, you don't want to. Help them understand that there is liability you could
incur for invading their privacy. Creating a statement with your legal and HR departments may further alleviate
employee concerns about privacy.
Help end users understand Company Portal app
messages
9/4/2020 • 5 minutes to read
NOTE
The following information applies only to devices with Android 6.0+ and iOS 10+.
Understand the different app messages that end users may see in the Company Portal. These app messages are
commonly displayed at different points in the enrollment process. Learn where the messages appear, what the
messages mean, and what happens if users deny access. Additionally, learn how to best explain the messages to
users.
Allow Company Portal to make and manage phone calls?
Allow Company Portal to access photos, media, and files on your device?
NOTE
We do not sell any data collected by our service to any third parties for any reason.
NOTE
The Company Portal app never makes or manages phone calls! The message text is controlled by Google and
cannot be changed.
To see the Hardware page, you must go to Groups > All mobile devices > Devices. Select the user's device,
and go to View Properties > Hardware.
What happens if users deny access
If users deny access, they can continue to use the Company Portal app and enroll their device. However, the device
phone number and IMEI number will be blank on the Hardware page in the admin console. The second time that
users sign in to the Company Portal app after denying access, the message displays a Never ask again check box
that users can select to stop the prompt.
If users allow, but then later deny access, the message appears the next time users sign in to the Company Portal
app after enrollment.
If users later decide to allow access, they can go to Settings > Apps > Company Portal > Permissions >
Phone, and turn it on.
How to explain this to your users
Send your users to Enroll your Android device in Intune for more information.
NOTE
Microsoft never accesses your contacts! The message text is controlled by Google and cannot be changed.
NOTE
The Company Portal app never accesses users' photos, media, and files! The message text is controlled by Google
and cannot be changed.
What it means
Add the Company Portal to the Allowed apps or Exempt apps list in the Windows Information Protection (WIP)
app protection policy. For more information, see Create and deploy Windows Information Protection (WIP) app
protection policy with Intune.
What it means
This message means you need to modify your iOS/iPadOS device settings to approve and install an app developed
by your company on your iOS/iPadOS device.
When you install such apps using the Company Portal and launch the app, follow these steps to approve the app
after you download it:
1. Upon launching an installed company app (line-of-business app), you will see the "Untrusted Enterprise
Developer" message. Press Cancel.
2. Navigate to Settings > General > Device Management.
3. Select Management Profile > Enterprise app.
4. Select the developer name.
5. Press Trust developer name.
6. Confirm the app by selecting Trust on the app install pop-up message.
See also
What to tell your end users about using Intune
What to expect when your Android app is managed
by app protection policies
4/22/2020 • 3 minutes to read
This article describes the user experience for apps with app protection policies. App protection policies are applied
only when apps are used in a work context: for example, when the user is accessing apps with a work account or
accessing files that are stored in a OneDrive for Business location.
Access apps
The Company Portal app is required for all apps that are associated with app protection policies on Android
devices.
For devices that are not enrolled in Intune, the Company Portal app must be installed on the device. However, the
user does not have to launch or sign into the Company Portal app before they can use apps that are managed by
app protection policies.
The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app
is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in
Intune.
Pfile: a generic "wrapper" format for protected files that encapsulates the encrypted content and the Azure
Information Protection licenses. It can be used to protect any file type.
Next steps
What to expect when your iOS/iPadOS app is managed by app protection policies
What to expect when your iOS/iPadOS app is
managed by app protection policies
3/9/2020 • 2 minutes to read
Intune app protection policies apply to apps that are used for work or school. This means that when your
employees and students use their apps in a personal context, they may notice no difference in their experience. In
the work or school context, however, they might receive prompts to make account decisions, update their settings,
or contact you for help. Use this article to learn what your users experience when they try to access and use
Intune-protected apps.
Access apps
If the device is not enrolled in Intune, the user is asked to restart the app when they first use it. A restart is
required so that app protection policies can be applied to the app.
For devices that are enrolled for management in Intune, the user sees a message that their app is now
managed.
Next steps
What to expect when your Android app is managed by app protection policies
How your Android users get their apps
4/28/2020 • 3 minutes to read
This article helps you understand how and where your Android device administrator end users get the apps that
you distribute through Microsoft Intune. The information can vary by device type (native Android devices or
Samsung Knox Standard devices).
Native Android devices
Available apps
  Line-of-business apps: Users tap install in the Company Portal. A notification appears, which users then tap to
  start the installation. After the installation is successful, the notification disappears.
  Play Store apps: Users tap the app in the Company Portal, and are taken to an app page in the Play Store. This is
  where they start the installation.
Required apps
  Line-of-business apps: Users are shown a notification, which they can't dismiss, indicating that they need to
  install an app. Users tap the notification to start the installation. After the installation is successful, the
  notification disappears.
  Play Store apps: Users are shown a notification, which they can't dismiss, indicating that they need to install an
  app. Users tap the notification and are taken to an app page in the Play Store. This is where they start the
  installation. After the installation is successful, the notification disappears.
Your end users need to allow installation from unknown sources to install LOB apps. This setting is normally found
in two different places, depending on the version of Android:
Android 7.1.2 and lower: Settings > Security > Unknown sources
Android 8.0 and above: Settings > Apps & notifications > Special app access > Install unknown apps
> Company Portal > Allow from this source
If this occurs, the Company Portal app will inform and directly guide the end user to the appropriate setting.
Samsung Knox Standard devices
Available apps
  Line-of-business apps: Users tap install in the Company Portal. The app installs without further user
  intervention.
  Play Store apps: Users tap the app in the Company Portal and are taken to an app page in the Play Store. This is
  where they start the installation.
Required apps
  Line-of-business apps: The app is installed without any user intervention.
  Play Store apps: Users are shown a notification, which they can't dismiss, indicating that they need to install an
  app. Users tap the notification and are taken to an app page in the Play Store. This is where they start the
  installation. After the installation is successful, the notification disappears.
Apps can be managed or unmanaged, as described below. The process of making apps managed is the same for all
types of Android devices.
Managed apps: These apps are managed through policies. They've been "wrapped" by Intune or built with
the Intune App SDK. These apps can be managed by Intune, and application policies can be applied to them.
Unmanaged apps: These apps aren't managed through policies. They have not been wrapped by Intune or
don't incorporate the Intune App SDK. Application policies can't be applied to these apps.
See also
Add apps with Microsoft Intune
How your iOS/iPadOS users get their apps
How your Windows users get their apps
How your iOS/iPadOS users get their apps
3/11/2020 • 2 minutes to read
Use this information to understand how and where your end users get the apps that you distribute through
Microsoft Intune.
Required apps: Apps that are required by the admin and that are installed on the device with minimal user
involvement, depending on the platform.
Available apps: Apps that are provided in the Company Portal app list and that a user may optionally choose to
install.
Managed apps: Apps that can be managed through policies and that have been "wrapped" by Intune or have
been built with the Intune App Software Development Kit (SDK). These apps can be managed by Intune, and app
protection policies can be applied to them.
Unmanaged apps: Apps that users can download from the iOS/iPadOS App Store that aren't integrated with the
Intune app SDK. Intune doesn't have any control over the distribution, management, or selective wipe of these
apps.
Enrolled users get their apps by tapping on the following tiles on the Apps screen of the Company Portal app:
All Apps points to a list of all apps in the ALL tab of the Company Portal website.
Featured Apps take users to the FEATURED tab of the Company Portal website.
Categories points to the CATEGORIES tab of the Company Portal website.
For information on how to add apps, see How to add an app to Microsoft Intune.
App management takeover
If an app is already installed on an end user's device, the iOS/iPadOS device shows an alert to allow management
of the app by your organization. The end user must allow the organization to take management of the app before
app configurations can be applied to a managed device. If the user cancels the alert, the alert will appear
periodically for as long as the device is managed and the app is assigned.
See also
How your Android users get their apps
How your Windows users get their apps
How your Windows users get their apps
3/9/2020 • 2 minutes to read
Use this information to understand how and where your users get the apps that you distribute through Microsoft
Intune.
Required apps are required by the administrator and are installed on the device with minimal user
involvement, depending on the platform.
Available apps are provided in the Company Portal app list, and a user might choose to install them.
Managed apps can be managed through policies and have been "wrapped" by Intune or built with the Intune
App Software Development Kit (SDK). These apps can be managed by Intune, and app protection policies can be
applied to them.
Unmanaged apps can't be managed through policies; they have not been wrapped by Intune or don't
incorporate the Intune App SDK. App protection policies cannot be applied to these apps.
See also
How your Android users get their apps
How your iOS/iPadOS users get their apps
Data Intune sends to Apple
9/4/2020 • 2 minutes to read
When any of the following Apple services are enabled on a device, Microsoft Intune establishes a connection with
Apple and shares user and device information with Apple:
Apple Device Enrollment Program (DEP)
Apple MDM Push certificate (APNS)
Apple School Manager (ASM)
Apple Volume Purchase Program (VPP)
Before Microsoft Intune can establish a connection, you must create an Apple account for each of the Apple
services.
The following table lists the data that Microsoft Intune sends from a device to the enabled Apple services.
To stop using Apple services with Microsoft Intune and delete the data, you must both disable the Microsoft Intune
Apple token and also delete your Apple account. Refer to Apple account for how to perform account management.
Data Intune sends to Google
4/22/2020 • 2 minutes to read
When Android enterprise device management is enabled on a device, Microsoft Intune establishes a connection
with Google and shares user and device information with Google. Before Microsoft Intune can establish a
connection, you must create a Google account.
The following table lists the data that Microsoft Intune sends to Google when device management is enabled on a
device:
Data sent to Google: EnterpriseId
  Details: Originated in Google upon binding your Gmail account to Intune.
  Used for: Primary identifier used to communicate between Intune and Google. This communication includes
  setting policies, managing devices, and binding/unbinding of Android enterprise with Intune.
  Example: Unique identifier, format: LC04eik8a6
Data sent to Google: Policy Body
  Details: Originated in Intune when saving a new app or configuration policy.
  Used for: Applying policies to devices.
  Example: This is a collection of all configured settings for an application or configuration policy. This can
  contain customer information if provided as part of a policy, such as network names, application names, and
  app-specific settings.
Data sent to Google: Device Data
  Details: Devices for Work Profile scenarios begin with enrollment in Intune. Devices for Managed device
  scenarios begin with enrollment into Google.
  Used for: Device Data information is sent between Intune and Google for various actions such as applying
  policies, managing the device, and general reporting.
  Example:
    Unique identifier to represent Device Name. Example: enterprises/LC04ebru7b/devices/3592d971168f9ae4
    Unique identifier to represent User Name. Example: Enterprises/LC04ebru7b/users/116838519924207449711
    Device state. Examples: Active, Disabled, Provisioning.
    Compliance states. Examples: Setting not supported, missing required apps.
    Software info. Examples: software versions & patch level.
    Network info. Examples: IMEI, MEID, WifiMacAddress.
    Device settings. Examples: information on encryption levels & whether the device allows unknown apps.
    See below for an example of a JSON message.
Data sent to Google: Enterprise Service Account
  Details: Originated in Google upon Intune request.
  Used for: Used for authentication between Intune and Google for transactions involving this customer.
  Example: There are several parts:
    Enterprise Id: documented previously.
    UPN: generated UPN used in authentication on behalf of the customer. Example:
    w49d77900526190e26708c31c9e8a0@pfwp-commicrosoftonedfmdm2.google.com.iam.gserviceaccount.com
    Key: Base64 encoded blob used in auth requests, stored encrypted in the service, but this is what the blob
    looks like: unique identifier to represent the customer's key. Example:
    a70d4d53eefbd781ce7ad6a6495c65eb15e74f1f
To stop using Android enterprise device management with Microsoft Intune and delete the data, you must both
disable the Microsoft Intune Android enterprise device management and also delete your Google account. Refer to
Google account for how to perform account management.
Data Apple sends to Intune
9/4/2020 • 4 minutes to read
When any of the following Apple services are enabled on a device, Microsoft Intune establishes a connection with
Apple to share user and device information:
Apple Device Enrollment Program (DEP)
Apple MDM Push certificate (APNs)
Apple School Manager (ASM)
Apple Volume Purchase Program (VPP)
Before Microsoft Intune can establish a connection, you must create an Apple account for each of the Apple
services.
NOTE
Consistent with Microsoft and Apple policy, we do not sell any data collected by our service to any third parties for any
reason.
The following table lists the data that an Apple device sends to Intune. Intune also sends data to Apple.
Service: ASM/DEP. Message: Enrollment Program token. Data sent to Intune and what it is used for:
  Serial number: The device's serial number.
  Asset tag: The device's asset tag.
  Profile status: The status of the profile installation.
  Profile UUID: The UUID of the assigned profile.
  Profile assign time: A time stamp in ISO 8601 format indicating when a profile was assigned to the device.
  Profile push time: A time stamp in ISO 8601 format indicating when a profile was pushed to the device.
  Device assigned date: A time stamp in ISO 8601 format indicating when the device was enrolled in the Device
  Enrollment Program.
  Device assigned by: The email of the person who assigned the device.
  Device family: The device's Apple product family.
Service: VPP. Message: Apple VPP Token. Data sent to Intune and what it is used for:
  application icon: The URL of an Apple hosted icon for a VPP app.
  Intune UserId guid: The GUID generated by Intune.
  Managed AppleId UPN: The AppleID email for user, admin, and facilitator member.
  pricingParam: The Apple pricing type for an app.
  User Status: The user status in Apple VPP programs.
To stop using Apple services with Microsoft Intune and delete the data, you must both disable the Microsoft Intune
Apple token and also delete your Apple account. Refer to Apple account for how to perform account management.
Data Google sends to Intune
4/22/2020 • 2 minutes to read
When Android enterprise device management is enabled on a device, Microsoft Intune establishes a connection
with Google and user and device information is shared between Intune and Google. Before Microsoft Intune can
establish a connection, you must create a Google account.
The following table lists the data that Google sends to Intune when device management is enabled on a device:
Data Google sends to Intune: Application data
  Details: Data for managed Play Store applications.
  Used for: Targeting the application to users or devices as available or required.
  Example: Application name example: Contoso Warehouse Inventory Application. Unique identifier to represent
  the application, example: app:com.Contoso.Warehouse.InventoryTracking
Data Google sends to Intune: Service account
  Details: Unique internal Google service account for use with specific customer calls.
  Used for: Used for making calls into Google on the customer's behalf (to view apps, devices, and more).
  Example: Name example: InternalAccount@InternalService.com. Keys example: ServiceAccountPassword
To stop using Android enterprise device management with Microsoft Intune and delete the data, you must both
disable the Microsoft Intune Android enterprise device management and also delete your Google account. Refer to
Google account for how to perform account management.
Set up Intune
9/4/2020 • 2 minutes to read
These set-up steps help you enable mobile device management (MDM) by using Intune. Devices must be managed
before you can give users access to company resources or manage settings on those devices.
Some steps, such as setting up an Intune subscription and setting the MDM authority, are required for most
scenarios. Other steps, such as configuring a custom domain or adding apps, are optional depending upon your
company's needs.
If you're currently using Microsoft Endpoint Configuration Manager to manage computers and servers, you can
cloud-attach Configuration Manager with co-management.
TIP
If you purchase at least 150 licenses for Intune in an eligible plan, you can use the FastTrack Center Benefit. With this service,
Microsoft specialists work with you to get your environment ready for Intune. See FastTrack Center Benefit for Enterprise
Mobility + Security (EMS).
Before setting up Microsoft Intune, review the supported operating systems and browsers.
For help installing Intune on your device, see using managed devices to get work done and Intune network
bandwidth usage.
For more information on configuration service provider support, visit the Configuration service provider
reference.
NOTE
Intune now requires Android 5.x (Lollipop) or higher for applications and devices to access company resources via the
Company Portal app for Android and the Intune App SDK for Android. This requirement does NOT apply to Polycom
Android-based Teams devices running 4.4. These devices will continue to be supported.
NOTE
Not all Windows Editions support all available operating system features being configured through MDM. See the
Windows configuration service provider reference docs. Each CSP highlights which Windows Editions are supported.
Customers with Enterprise Management + Security (EMS) can also use Azure Active Directory (Azure AD) to
register Windows 10 devices.
For guidelines on using Windows 10 virtual machines with Intune, see Using Windows 10 virtual machines.
Supported Samsung Knox Standard devices
To avoid Knox activation errors that prevent MDM enrollment, the Company Portal app only attempts Samsung
Knox activation during MDM enrollment if the device appears in the list of supported Knox devices. Devices that
don't support Samsung Knox activation enroll as standard Android devices. A Samsung device might have some
model numbers that support Knox, while others don't. Verify Knox compatibility with your device reseller before
you buy and deploy Samsung devices.
NOTE
Enrolling Samsung Knox devices may require you to enable access to Samsung servers.
The following Samsung device models don't support Knox. They are enrolled as native Android devices by the
Company Portal app for Android:
Galaxy J1: SM-J100H, SM-J100M, SM-J100ML
Galaxy J3: SM-J320F, SM-J320FN, SM-J320H, SM-J320M
Galaxy S4: SM-S975L
Galaxy S5: SM-G9006W
NOTE
Microsoft announced that Windows 7 support ends on January 14th 2020. On this date, Intune also retires support for
devices running Windows 7.
For more information, see Intune plan for change: end of support for Windows 7.
Microsoft Intune will retire support for the Silverlight-based Intune console on October 15, 2020. This retirement includes
ending support for the Silverlight console configured PC software client (also known as the PC agent).
For more information, see Microsoft Intune ending support for the Silverlight-based admin console.
NOTE
Microsoft Edge and mobile browsers are not supported for the Intune classic portal because they do not support
Microsoft Silverlight.
Only users with service administrator permissions or tenant administrators with the global administrator role can
sign in to this portal. To access the administration console, your account must have a license to use Intune and a
sign-in status of Allowed .
Intune network configuration requirements and
bandwidth
9/4/2020 • 4 minutes to read
You can use this information to understand bandwidth requirements for your Intune deployments.
NOTE
To ensure devices receive the updates and content from Intune, they must periodically connect to the Internet. The time
required to receive updates or content can vary, but they should remain continuously connected to the Internet for at least
one hour each day.
Content size and frequency (the surviving cells of the content table):
  The size of the client download varies depending on the operating system of the client computer.
  The following requirements are in addition to the Intune client installation.
  Updates you deploy: The size depends on the updates you deploy. Typically, software updates release on the
  second Tuesday of each month.
  Service packs you deploy: The size varies for each service pack you deploy. Frequency depends on when you
  deploy service packs.
  Software you deploy: The size depends on the software you deploy. Frequency depends on when you deploy
  software.
Caching proxy settings (setting, recommended value, details):
  Individual cache file size: 950 MB. This setting might not be available in all caching proxy servers.
  Object types to cache: HTTP, HTTPS, BITS. Intune packages are CAB files retrieved by Background Intelligent
  Transfer Service (BITS) download over HTTP.
NOTE
If you use a proxy server to cache content requests, communication is only encrypted between the client and the proxy and
from the proxy to Intune. The connection from the client to Intune will not be encrypted end-to-end.
For information about using a proxy server to cache content, see the documentation for your proxy server
solution.
Delivery Optimization
Delivery Optimization lets you use Intune to reduce bandwidth consumption when your Windows 10 devices
download applications and updates. By using a self-organizing distributed cache, downloads can be pulled from
traditional servers and alternate sources (like network peers).
To see the full list of Windows 10 versions and content types supported by Delivery Optimization, see the Delivery
Optimization for Windows 10 updates article.
You can set up Delivery Optimization as part of your device configuration profiles.
Background Intelligent Transfer Service (BITS) and BranchCache
You can use Microsoft Intune to manage Windows PCs either as mobile devices with mobile device management
(MDM) or as computers with the Intune software client. Microsoft recommends that customers use the MDM
management solution whenever possible. When managed this way, BranchCache and BITS aren't supported. For
more information, see Compare managing Windows PCs as computers or mobile devices.
Use (BITS) on computers (requires Intune software client)
During hours that you configure, you can use BITS on a Windows computer to reduce the network bandwidth. You
can configure BITS policy on the Network bandwidth page of the Intune Agent policy.
NOTE
For MDM management on Windows, only the OS's management interface for the MobileMSI app type uses BITS to
download. AppX/MsiX use their own non-BITS download stack and Win32 apps via the Intune agent use Delivery
Optimization rather than BITS.
To learn more about BITS and Windows computers, see Background Intelligent Transfer Service in the TechNet
Library.
Use BranchCache on computers (requires Intune software client)
Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The following operating systems
support BranchCache:
Windows 7
Windows 8.0
Windows 8.1
Windows 10
To use BranchCache, the client computer must have BranchCache enabled, and then be configured for distributed
cache mode.
When the Intune client is installed on computers, BranchCache and distributed cache mode are enabled by default.
However, if Group Policy has disabled BranchCache, Intune doesn't override that policy and BranchCache remains
disabled.
If you use BranchCache, work with other administrators in your organization to manage Group Policy and Intune
Firewall policy. Ensure they don't deploy policy that disables BranchCache or Firewall exceptions. For more about
BranchCache, see BranchCache Overview.
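As an added example (not code from the Intune documentation or from the Intune client), the following PowerShell function checks a Windows PC against the BranchCache prerequisites just described: the BranchCache service is enabled and running, the client is in distributed cache mode, no Group Policy setting has disabled BranchCache (the case Intune won't override), and the built-in BranchCache firewall rule groups are enabled. It uses the BranchCache and NetSecurity cmdlets that ship with Windows. The registry path for the "Turn on BranchCache" policy and the two firewall rule group names are assumptions and should be confirmed against your Windows build before you rely on the result.

```powershell
# Added example, not from the Intune documentation. Run in an elevated session on
# the client PC that is managed by the Intune software client.
function Test-IntuneBranchCacheReadiness {
    [CmdletBinding()]
    param()

    # Assumption: the "Turn on BranchCache" Group Policy setting is written to this
    # key as an Enable DWORD (1 = enabled, 0 = disabled). No value = Not Configured.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PeerDist\Service'

    # Assumption: names of the built-in firewall rule groups BranchCache distributed
    # cache mode depends on (content retrieval over HTTP, peer discovery over WSD).
    $firewallGroups = @(
        'BranchCache - Content Retrieval (Uses HTTP)',
        'BranchCache - Peer Discovery (Uses WSD)'
    )

    $status = Get-BCStatus                 # overall BranchCache state and service
    $client = Get-BCClientConfiguration    # client mode (Distributed/Hosted/Disabled)

    # Read the policy value only if the policy key exists.
    $policyValue = $null
    if (Test-Path -Path $policyKey) {
        $policyValue = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Enable
    }
    # Group Policy explicitly disabling BranchCache is what Intune will not override.
    $policyDisabled = ($null -ne $policyValue) -and ([int]$policyValue -eq 0)

    # Every firewall group must exist and contain at least one enabled rule.
    $firewallOk = $true
    foreach ($group in $firewallGroups) {
        $rules = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
        $enabledRules = @($rules | Where-Object { "$($_.Enabled)" -eq 'True' })
        if ($enabledRules.Count -eq 0) { $firewallOk = $false }
    }

    $branchCacheEnabled = [bool]$status.BranchCacheIsEnabled
    $serviceRunning     = "$($status.BranchCacheServiceStatus)" -eq 'Running'
    $distributedMode    = "$($client.CurrentClientMode)" -eq 'DistributedCache'

    [pscustomobject]@{
        BranchCacheEnabled = $branchCacheEnabled
        ServiceRunning     = $serviceRunning
        DistributedMode    = $distributedMode
        PolicyDisabled     = $policyDisabled
        FirewallRulesOk    = $firewallOk
        Ready              = $branchCacheEnabled -and $serviceRunning -and $distributedMode -and
                             (-not $policyDisabled) -and $firewallOk
    }
}

# Usage: report the checks, and only switch the client to distributed cache mode
# when Group Policy is not the reason BranchCache is off (Intune won't override GPO,
# and neither should a local fix-up script).
$check = Test-IntuneBranchCacheReadiness
$check | Format-List
if (-not $check.Ready -and -not $check.PolicyDisabled -and -not $check.DistributedMode) {
    Enable-BCDistributed -Force
}
```

If PolicyDisabled comes back true, the fix belongs with whoever owns the Group Policy objects, not on the client, which is exactly the coordination the paragraph above asks for.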
Next steps
Review endpoints for Intune
Using Windows 10 virtual machines with Intune
4/24/2020 • 2 minutes to read
Intune supports managing virtual machines running Windows 10 Enterprise with certain limitations. Intune
management does not depend on, or interfere with Windows Virtual Desktop management of the same virtual
machine.
When managing Windows 10 VMs with Intune, keep the following points in mind:
Windows 10 Enterprise Multi-Session (Enterprise for Virtual Desktops), as used in Windows Virtual Desktop, does
not currently support Intune management.
Enrollment
We don't recommend managing on-demand, session-host virtual machines with Intune. Each VM must be
enrolled when it's created. Also, regularly deleting VMs will leave orphaned device records in Intune until they're
cleaned up.
Windows Autopilot Self-deploying and White glove deployment types aren't supported because they require a
physical Trusted Platform Module (TPM).
Out of Box Experience (OOBE) enrollment isn't supported on VMs that can only be accessed by using RDP (such
as VMs that are hosted on Azure). This restriction means:
Windows Autopilot and Commercial OOBE aren't supported.
Enrollment Status Page options for device-context policies aren't supported.
Configuration
Intune does not support any configuration that utilizes a Trusted Platform Module or hardware management,
including:
BitLocker settings
Device Firmware Configuration Interface settings
Reporting
Intune automatically detects virtual machines and reports them as "Virtual Machine" in Devices > All devices >
choose a device > Overview > Model field.
Deallocated virtual machines may contribute to noncompliant device reports because they're unable to check in
with the Intune service.
Retirement
If you only have RDP access, don't use the Wipe action. The Wipe action will delete the virtual machine's RDP
settings and prevent you from ever connecting again.
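Deleted or deallocated VMs that stop checking in are the source of both the orphaned records and the noncompliance noise described above. The following is an added example, not part of the Intune documentation, that uses the Microsoft Graph PowerShell SDK to list the device records Intune reports with the "Virtual Machine" model and flag the ones that have not synced recently. The seven-day staleness threshold and the requirement for the DeviceManagementManagedDevices.Read.All scope are assumptions you should adapt.

```powershell
# Added example: find Intune device records for virtual machines and flag stale ones.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

function Get-StaleIntuneVirtualMachines {
    param(
        [int]$StaleAfterDays = 7   # assumption: tune to how long your session hosts live
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

    # Model is not reliably filterable server-side, so fetch all devices and filter locally.
    Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.Model -eq 'Virtual Machine' } |
        ForEach-Object {
            [pscustomobject]@{
                DeviceName      = $_.DeviceName
                Id              = $_.Id
                OS              = "$($_.OperatingSystem) $($_.OsVersion)"
                ComplianceState = $_.ComplianceState
                LastSync        = $_.LastSyncDateTime
                Stale           = ($_.LastSyncDateTime -lt $cutoff)
            }
        }
}

$vms = Get-StaleIntuneVirtualMachines -StaleAfterDays 7
$vms | Sort-Object LastSync | Format-Table -AutoSize

# Orphaned records skew compliance reporting. Review the stale list first; removing
# records needs DeviceManagementManagedDevices.ReadWrite.All. -WhatIf shows what would be deleted.
$vms | Where-Object Stale | ForEach-Object {
    Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $_.Id -WhatIf
}
```

A deallocated VM that is only paused will also appear stale, so compare the list against your hypervisor or Azure inventory before deleting anything; deleting the Intune record of a VM that still exists forces a re-enrollment.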
Network endpoints for Microsoft Intune
9/4/2020 • 4 minutes to read
This page lists IP addresses and port settings needed for proxy settings in your Intune deployments.
As a cloud-only service, Intune doesn't require on-premises infrastructure such as servers or gateways.
NOTE
The information in this section also applies to the Microsoft Intune Certificate Connector. The connector has the same network
requirements as managed devices.
The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols.
Windows Information Protection uses port 444.
For some tasks (like downloading software updates for the classic PC agent), Intune requires unauthenticated
proxy server access to manage.microsoft.com.
You can modify proxy server settings on individual client computers. You can also use Group Policy settings to
change settings for all client computers located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
The following tables list the ports and services that the Intune client accesses:
DOMAINS                                        IP ADDRESS
portal.manage.microsoft.com 52.175.12.209
m.manage.microsoft.com 20.188.107.228
52.138.193.149
51.144.161.187
52.160.70.20
52.168.54.64
13.72.226.202
52.189.220.232
sts.manage.microsoft.com 13.93.223.241
52.170.32.182
52.164.224.159
52.174.178.4
13.75.122.143
52.163.120.84
13.73.112.122
52.237.192.112
Manage.microsoft.com 40.83.123.72
i.manage.microsoft.com 13.76.177.110
r.manage.microsoft.com 52.169.9.87
a.manage.microsoft.com 52.174.26.23
p.manage.microsoft.com 104.40.82.191
EnterpriseEnrollment.manage.microsoft.com 13.82.96.212
EnterpriseEnrollment-s.manage.microsoft.com 52.147.8.239
40.115.69.185
portal.fei.msua01.manage.microsoft.com 52.160.70.20
m.fei.msua01.manage.microsoft.com 52.168.54.64
portal.fei.msua02.manage.microsoft.com
m.fei.msua02.manage.microsoft.com
portal.fei.msua04.manage.microsoft.com
m.fei.msua04.manage.microsoft.com
portal.fei.msua05.manage.microsoft.com
m.fei.msua05.manage.microsoft.com
portal.fei.amsua0502.manage.microsoft.com
m.fei.amsua0502.manage.microsoft.com
portal.fei.msua06.manage.microsoft.com
m.fei.msua06.manage.microsoft.com
portal.fei.amsua0602.manage.microsoft.com
m.fei.amsua0602.manage.microsoft.com
fei.amsua0202.manage.microsoft.com
portal.fei.amsua0202.manage.microsoft.com
m.fei.amsua0202.manage.microsoft.com
portal.fei.amsua0402.manage.microsoft.com
m.fei.amsua0402.manage.microsoft.com
portal.fei.amsua0801.manage.microsoft.com
portal.fei.msua08.manage.microsoft.com
m.fei.msua08.manage.microsoft.com
m.fei.amsua0801.manage.microsoft.com
portal.fei.msub01.manage.microsoft.com 52.138.193.149
m.fei.msub01.manage.microsoft.com 51.144.161.187
portal.fei.amsub0102.manage.microsoft.com
m.fei.amsub0102.manage.microsoft.com
fei.msub02.manage.microsoft.com
portal.fei.msub02.manage.microsoft.com
m.fei.msub02.manage.microsoft.com
portal.fei.msub03.manage.microsoft.com
m.fei.msub03.manage.microsoft.com
portal.fei.msub05.manage.microsoft.com
m.fei.msub05.manage.microsoft.com
portal.fei.amsub0202.manage.microsoft.com
m.fei.amsub0202.manage.microsoft.com
portal.fei.amsub0302.manage.microsoft.com
m.fei.amsub0302.manage.microsoft.com
portal.fei.amsub0502.manage.microsoft.com
m.fei.amsub0502.manage.microsoft.com
portal.fei.amsub0601.manage.microsoft.com
m.fei.amsub0601.manage.microsoft.com
portal.fei.msuc01.manage.microsoft.com 52.175.12.209
m.fei.msuc01.manage.microsoft.com 20.188.107.228
portal.fei.msuc02.manage.microsoft.com
m.fei.msuc02.manage.microsoft.com
portal.fei.msuc03.manage.microsoft.com
m.fei.msuc03.manage.microsoft.com
portal.fei.msuc05.manage.microsoft.com
m.fei.msuc05.manage.microsoft.com
portal.fei.amsud0101.manage.microsoft.com 13.72.226.202
m.fei.amsud0101.manage.microsoft.com
fef.msua01.manage.microsoft.com 138.91.243.97
fef.msua02.manage.microsoft.com 52.177.194.236
fef.msua04.manage.microsoft.com 23.96.112.28
fef.msua06.manage.microsoft.com 13.78.185.97
fef.msub05.manage.microsoft.com 23.97.166.52
fef.msuc03.manage.microsoft.com 23.101.0.100
fef.amsua0502.manage.microsoft.com 13.85.68.142
fef.amsua0602.manage.microsoft.com 52.161.28.64
fef.amsua0102.manage.microsoft.com 52.242.211.0
fef.amsua0702.manage.microsoft.com 52.232.225.75
fef.amsub0502.manage.microsoft.com 40.67.219.144
fef.msud01.manage.microsoft.com 20.40.178.139
Admin.manage.microsoft.com 52.224.221.227
52.161.162.117
52.178.44.195
52.138.206.56
52.230.21.208
13.75.125.10
wip.mam.manage.microsoft.com 52.187.76.84
13.76.5.121
52.165.160.237
40.86.82.163
52.233.168.142
168.63.101.57
52.187.196.98
52.237.196.51
mam.manage.microsoft.com 104.40.69.125
13.90.192.78
40.85.174.177
40.85.77.31
137.116.229.43
52.163.215.232
52.174.102.180
52.187.196.173
52.156.162.48
*.manage.microsoft.com 40.82.248.224/28
20.189.105.0/24
20.37.153.0/24
20.37.192.128/25
20.38.81.0/24
20.41.1.0/24
20.42.1.0/24
20.42.130.0/24
20.42.224.128/25
20.43.129.0/24
40.119.8.128/25
40.74.25.0/24
40.82.249.128/25
40.80.184.128/25
52.150.137.0/25
ASU STORAGE NAME                               CDN
NOTE
Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require
Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation,
Managing apps from the Google Play Store, Android Enterprise capabilities (see this Google documentation). Additionally, the
Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service.
Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information,
see this article.
Endpoint analytics
For more information on the required endpoints for endpoint analytics, see Endpoint analytics proxy configuration.
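Allow-listing the domains above is only half the job; the other half is confirming, from a client behind the proxy, that each one is actually reachable on the ports the text names (80 and 443, plus 444 for Windows Information Protection). The following is an added example, not from the Intune documentation. The host list is taken from the tables above, the proxy URL is a placeholder, and the example also sends a request through the proxy because Test-NetConnection bypasses proxy settings and only shows what the firewall permits directly.

```powershell
# Added example: check direct TCP reachability and (optionally) proxy forwarding
# for the Intune endpoints. Pass -Targets with hosts from the US government or
# China tables to check those clouds instead.
function Test-IntuneEndpointAccess {
    [CmdletBinding()]
    param(
        [hashtable]$Targets = @{
            'manage.microsoft.com'                        = @(80, 443)
            'portal.manage.microsoft.com'                 = @(443)
            'm.manage.microsoft.com'                      = @(443)
            'sts.manage.microsoft.com'                    = @(443)
            'enterpriseenrollment.manage.microsoft.com'   = @(443)
            'enterpriseenrollment-s.manage.microsoft.com' = @(443)
            'admin.manage.microsoft.com'                  = @(443)
            'mam.manage.microsoft.com'                    = @(443)
            'wip.mam.manage.microsoft.com'                = @(443, 444)   # WIP uses port 444
        },
        [string]$Proxy   # assumption/placeholder, e.g. 'http://proxy.corp.example:8080'
    )

    foreach ($h in ($Targets.Keys | Sort-Object)) {
        # Resolve first so a DNS block is distinguishable from a TCP block.
        $addrs = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
                 Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress

        foreach ($p in $Targets[$h]) {
            # Direct TCP test: ignores proxy settings, shows what the firewall allows.
            $tcp = Test-NetConnection -ComputerName $h -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue

            # Through the proxy: any HTTP status, including 4xx, proves the proxy forwarded it.
            $viaProxy = $null
            if ($Proxy -and ($p -in @(80, 443))) {
                $scheme = if ($p -eq 80) { 'http' } else { 'https' }
                try {
                    $resp = Invoke-WebRequest -Uri "$scheme://$h/" -Proxy $Proxy -UseBasicParsing -TimeoutSec 15
                    $viaProxy = [int]$resp.StatusCode
                } catch {
                    $viaProxy = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'blocked' }
                }
            }

            [pscustomobject]@{
                Host      = $h
                Port      = $p
                Resolves  = [bool]$addrs
                Addresses = ($addrs -join ', ')
                TcpOpen   = $tcp
                ViaProxy  = $viaProxy
            }
        }
    }
}

Test-IntuneEndpointAccess | Format-Table -AutoSize

# Sovereign cloud example: the US government table lists enterpriseregistration.microsoftonline.us.
# Test-IntuneEndpointAccess -Targets @{ 'enterpriseregistration.microsoftonline.us' = @(443) } -Proxy 'http://proxy.corp.example:8080'
```

A row with Resolves True, TcpOpen False and ViaProxy 200 is the normal shape on a network that forces all egress through the proxy; Resolves False means the block is at DNS, and a "blocked" ViaProxy with TcpOpen True points at a proxy category or authentication rule rather than the firewall.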
US government endpoints for Microsoft Intune
9/4/2020 • 2 minutes to read
This page lists the US government endpoints needed for proxy settings in your Intune deployments.
To manage devices behind firewalls and proxy servers, you must enable communication for Intune.
The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols
For some tasks (like downloading software updates), Intune requires unauthenticated proxy server access to
manage.microsoft.com
You can modify proxy server settings on individual client computers. You can also use Group Policy settings to
change settings for all client computers located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
For more information about Windows 10 auto-enrollment and device registration for US government customers,
see Set up enrollment for Windows devices.
The following tables list the ports and services that the Intune client accesses:
ENDPOINT                                       IP ADDRESS
*.manage.microsoft.us 52.243.26.209
52.247.173.11
52.227.183.12
52.227.180.205
52.227.178.107
13.72.185.168
52.227.173.179
52.227.175.242
13.72.39.209
52.243.26.209
52.247.173.11
enterpriseregistration.microsoftonline.us 13.72.188.239
13.72.55.179
Next steps
Network endpoints for Microsoft Intune
China endpoints for Microsoft Intune
9/4/2020 • 2 minutes to read
This page lists the China endpoints needed for proxy settings in your Intune deployments.
To manage devices behind firewalls and proxy servers, you must enable communication for Intune.
The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols
For some tasks (like downloading software updates), Intune requires unauthenticated proxy server access to
manage.microsoft.com
You can modify proxy server settings on individual client computers. You can also use Group Policy settings to
change settings for all client computers located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
For more information about Windows 10 auto-enrollment and device registration for China customers, see Set up
enrollment for Windows devices.
The following tables list the ports and services that the Intune client accesses:
ENDPOINT                                       IP ADDRESS
*.manage.microsoft.cn 40.73.38.143
139.217.97.81
52.130.80.24
40.73.41.162
40.73.58.153
139.217.95.85
Next steps
Learn more about Intune operated by 21Vianet in China
Intune operated by 21Vianet in China
9/4/2020 • 3 minutes to read
Intune operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in
China. Intune as a service is built on top of Microsoft Azure. Microsoft Azure operated by 21Vianet is a physically
separated instance of cloud services located in China. It's independently operated and transacted by 21Vianet. This
service is powered by technology that Microsoft has licensed to 21Vianet.
Microsoft doesn't operate the service itself. 21Vianet operates, provides, and manages delivery of the service.
21Vianet is an Internet data center services provider in China. It provides hosting, managed network services, and
cloud computing infrastructure services. By licensing Microsoft technologies, 21Vianet operates local datacenters
to provide you the ability to use Intune service while keeping your data within China. 21Vianet also provides your
subscription, billing, and support services.
NOTE
If you're interested in viewing or deleting personal data, please see the Azure Data Subject Requests for the GDPR article. If
you're looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Next steps
Learn more about Intune supported configurations
Sign up or sign in to Microsoft Intune
9/4/2020 • 2 minutes to read
This topic tells system administrators how you can sign up for an Intune account.
Before you sign up for Intune, determine whether you already have a Microsoft Online Services account, Enterprise
Agreement, or equivalent volume licensing agreement. A Microsoft volume licensing agreement or other Microsoft
cloud services subscription like Microsoft 365 usually includes a work or school account.
If you already have a work or school account, sign in with that account and add Intune to your subscription.
Otherwise, you can sign up for a new account to use Intune for your organization.
WARNING
You can't combine an existing work or school account after you sign up for a new account.
See also
You can't sign in to Microsoft 365, Azure, or Intune
Unlicensed admins
9/4/2020 • 2 minutes to read
You can grant Intune/Microsoft Endpoint Manager admin center access to admins without Intune licenses.
1. Sign in to Microsoft Endpoint Manager admin center > Tenant administration > Roles > Administrator
licensing .
2. Choose Allow access to unlicensed admins > Yes .
WARNING
You can’t undo this setting after clicking Yes .
3. From now on, users who sign in to the Microsoft Endpoint Manager admin center don’t require an Intune
license. Their scope of access is defined by the roles assigned to them.
Intune supports up to 350 unlicensed admins per security group; the limit counts only direct members of the group.
Admins above this limit will experience unpredictable behavior.
Configure a custom domain name
9/4/2020 • 2 minutes to read
This topic tells administrators how you can create a DNS CNAME to simplify and customize your logon experience
using Microsoft Intune.
When your organization signs up for a Microsoft cloud-based service like Intune, you're given an initial domain
name hosted in Azure Active Directory (AD) that looks like your-domain.onmicrosoft.com . In this example,
your-domain is the domain name that you chose when you signed up. onmicrosoft.com is the suffix assigned
to the accounts you add to your subscription. You can configure your organization's custom domain to access
Intune instead of the domain name provided with your subscription.
Before you create user accounts or synchronize your on-premises Active Directory, we strongly recommend that
you decide whether to use only the .onmicrosoft.com domain or to add one or more of your custom domain
names. Set up a custom domain before adding users to simplify user management. Setting up a custom domain
lets users sign in with the credentials they use to access other domain resources.
When you subscribe to a cloud-based service from Microsoft, your instance of that service becomes a Microsoft
Azure AD tenant, which provides identity and directory services for your cloud-based service. And, because the
tasks to configure Intune to use your organization's custom domain name are the same as for other Azure AD
tenants, you can use the information and procedures found in Add your domain.
TIP
To learn more about custom domains, see Conceptual overview of custom domain names in Azure Active Directory.
You cannot rename or remove the initial onmicrosoft.com domain name. You can add, verify, or remove custom
domain names used with Intune to keep your business identity clear.
As an administrator, you can add users directly or synchronize users from your on-premises Active Directory.
Once added, users can enroll devices and access company resources. You can also give users additional
permissions including global administrator and service administrator permissions.
Choose OK to continue.
4. Optionally, you can specify the following user properties:
Profile - Work information including Job title and Department
Groups - Select groups to add for the user
Directory role - Give the user administrative permissions including an Intune service administrator
role.
Select Create to add the new user to Intune.
5. Select Profile , and then choose a Usage location for the new user. Usage location is required before you
can assign the new user an Intune license. Choose Save to continue.
6. Select Licenses and then choose Assign to assign an Intune license for this user. An Intune license is
required to enroll devices or access company resources. Select Products , choose the license type, choose
Select , and then choose Assign .
TIP
Azure AD Connect encompasses functionality that was previously released as Dirsync and Azure AD Sync. Learn more
about directory integration. To learn about syncing user accounts from a local directory to Azure AD, see Similarities
between Active Directory and Azure AD.
Add groups to organize users and devices
9/4/2020 • 3 minutes to read
Intune uses Azure Active Directory (Azure AD) groups to manage devices and users. As an Intune admin, you can
set up groups to suit your organizational needs. Create groups to organize users or devices by geographic
location, department, or hardware characteristics. Use groups to manage tasks at scale. For example, you can set
policies for many users or deploy apps to a set of devices.
You can add the following types of groups:
Assigned groups - Manually add users or devices into a static group.
Dynamic groups (Requires Azure AD Premium) - Automatically add users or devices to user groups or
device groups based on an expression you create.
For example, when a user is added with the manager title, the user is automatically added to an All
managers users group. Or, when a device has the iOS/iPadOS device OS type, the device is automatically
added to an All iOS/iPadOS devices devices group.
TIP
The users and groups created can also be seen in the Microsoft 365 admin center, Azure Active Directory
admin center, and Microsoft Intune in the Azure portal. In your organization tenant, you can create and
manage groups in all these areas.
If your primary role is device management, we recommend you use the Microsoft Endpoint Manager admin
center.
Microsoft 365 : Provides collaboration opportunities by giving members access to a shared
mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of
your organization access to the group. For more information, see Learn about Microsoft 365 Groups.
4. Enter a Group name and Group description for the new group. Be specific and include information so
others know what the group is for.
For example, enter All Windows 10 student devices for group name, and All Windows 10 devices
used by students in Contoso high school grades 9-12 for group description.
5. Enter the Membership type . Your options:
Assigned : Administrators manually assign users or devices to this group, and manually remove
users or devices.
Dynamic User : Administrators create membership rules to automatically add and remove
members.
Dynamic Device : Administrators create dynamic group rules to automatically add and remove
devices.
For more information on these membership types, and creating dynamic expressions, see:
Create a basic group and add members using Azure AD
Dynamic membership rules for groups in Azure AD
NOTE
In this admin center, when you create users or groups, you might not see the Azure Active Directory branding.
But, that's what you're using.
6. Choose Create to add the new group. Your group is shown in the list.
TIP
Consider some of the other dynamic user and device groups you can create, such as:
All Students in Contoso high school
All Android Enterprise devices
All iOS 11 and older devices
Marketing
Human Resources
All Charlotte employees
All WA employees
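The two dynamic groups used as examples earlier in this section (an "All managers" user group keyed on job title, and an "All iOS/iPadOS devices" device group keyed on OS type) can be created from the command line as well as in the admin center. The following is an added example, not part of the Intune documentation, using the Microsoft Graph PowerShell SDK. The display names, mail nicknames, and the Group.ReadWrite.All scope are assumptions; the rule syntax is Azure AD dynamic membership syntax, and the assumption that iPadOS devices report deviceOSType "iPadOS" is why the device rule matches both values.

```powershell
# Added example: create dynamic user and device groups with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' | Out-Null

function New-DynamicAadGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$MembershipRule,
        [Parameter(Mandatory)][string]$Description
    )
    # Idempotent: reuse a group with the same display name instead of creating a duplicate.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if ($existing) { return $existing }

    New-MgGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled:$false -MailNickname $MailNickname -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

# Dynamic user group: users whose job title is exactly "Manager" (the article's example).
$managers = New-DynamicAadGroup -DisplayName 'All managers' -MailNickname 'all-managers' `
    -Description 'Dynamic: users with jobTitle Manager' `
    -MembershipRule '(user.jobTitle -eq "Manager")'

# Dynamic device group: iOS and iPadOS devices (the article's other example).
$iosDevices = New-DynamicAadGroup -DisplayName 'All iOS/iPadOS devices' -MailNickname 'all-ios-ipados-devices' `
    -Description 'Dynamic: devices with deviceOSType iOS or iPadOS' `
    -MembershipRule '(device.deviceOSType -eq "iOS") or (device.deviceOSType -eq "iPadOS")'

# Membership evaluation is asynchronous; confirm the rule is processing before targeting policy at the group.
foreach ($g in @($managers, $iosDevices)) {
    Get-MgGroup -GroupId $g.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
        Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
}
```

Dynamic groups require Azure AD Premium, as the section notes, and a rule that matches nothing produces an empty group rather than an error, so check member counts after the first evaluation before assigning compliance or configuration policy to the group.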
See also
Role-based access control (RBAC) with Microsoft Intune
Manage access to resources with Azure AD groups
Assign licenses to users so they can enroll devices in
Intune
9/4/2020 • 3 minutes to read
Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign
each user an Intune license before users can enroll their devices in Intune. For a list of licenses, see Licenses that
include Intune.
NOTE
Users assigned Intune app protection policy and not enrolling their devices into Microsoft Intune will also require an Intune
license to receive policy.
3. The user account now has the permissions needed to use the service and enroll devices into management.
NOTE
Users will appear in the Classic Intune portal only after they have enrolled a device using the Intune PC client. Also, you can
select a group of users to edit at once, choosing either to add or to replace a license for all selected users.
When you assign an Intune for Education license, make sure that Intune A Direct license is also assigned.
See this overview of School Data Sync to learn more about SDS.
You can run the following command to exclude the Intune service plan. You can use the same method to expand to
an entire security group or you can use more granular filters.
Example 1
Create a new user on the command line and assign an EMS license without enabling the Intune portion of the
license:
Connect-MsolService
Verify with:
Example 2
Disable the Intune portion of EMS license for a user that is already assigned with a license:
Connect-MsolService
Verify with:
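The cmdlets that follow Connect-MsolService in the two examples above are not reproduced on this page. The following is an added example, not the page's own snippet, that carries both examples through with the MSOnline module the page uses: it assigns the EMS SKU with the Intune service plan disabled for a new user, disables the same plan for an existing licensed user, and verifies the result. The SKU identifier, user principal name, and usage location are placeholders; INTUNE_A is the Intune service plan name within the EMS SKU, and the example checks the plan name against Get-MsolAccountSku before disabling it because plan names differ by SKU.

```powershell
# Added example: assign or modify an EMS license with the Intune plan disabled (MSOnline module).
Connect-MsolService

$sku = 'contoso:EMS'        # assumption: your AccountSkuId, from Get-MsolAccountSku
$upn = 'user@contoso.com'   # assumption: the target user

# Verify the plan exists in this SKU before disabling it.
$plans = (Get-MsolAccountSku | Where-Object AccountSkuId -eq $sku).ServiceStatus.ServicePlan.ServiceName
if ($plans -notcontains 'INTUNE_A') {
    throw "SKU $sku has no INTUNE_A plan; available plans: $($plans -join ', ')"
}

# License options object with the Intune portion switched off.
$noIntune = New-MsolLicenseOptions -AccountSkuId $sku -DisabledPlans 'INTUNE_A'

# Example 1: create a user and assign EMS without enabling Intune.
New-MsolUser -UserPrincipalName $upn -DisplayName 'Example User' -FirstName 'Example' -LastName 'User' `
    -UsageLocation 'US' -LicenseAssignment $sku -LicenseOptions $noIntune | Out-Null

# Example 2: disable the Intune plan for a user who already holds the EMS license.
Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $noIntune

# Verify: the INTUNE_A plan should report ProvisioningStatus 'Disabled'.
function Get-IntunePlanStatus {
    param([string]$UserPrincipalName, [string]$AccountSkuId)
    (Get-MsolUser -UserPrincipalName $UserPrincipalName).Licenses |
        Where-Object AccountSkuId -eq $AccountSkuId |
        ForEach-Object { $_.ServiceStatus } |
        Where-Object { $_.ServicePlan.ServiceName -eq 'INTUNE_A' } |
        Select-Object @{ n = 'Plan'; e = { $_.ServicePlan.ServiceName } }, ProvisioningStatus
}
Get-IntunePlanStatus -UserPrincipalName $upn -AccountSkuId $sku
```

To scale this to a security group, pipe Get-MsolGroupMember output into Set-MsolUserLicense with the same $noIntune options. Note that the MSOnline module has since been retired by Microsoft; the equivalent in Microsoft Graph PowerShell is Set-MgUserLicense with an -AddLicenses entry that carries the SkuId and a DisabledPlans list.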
Microsoft Intune is available for different customer needs and organization sizes, from a simple-to-use
management experience for schools and small businesses, to more advanced functionality required by enterprise
customers. Most licenses that include Microsoft Intune also grant the rights to use Microsoft Endpoint
Configuration Manager, as long as the subscription remains active. An admin must have a license assigned to them
to administer Intune.
Microsoft Intune
Intune is included in the following licenses:
Microsoft 365 E5
Microsoft 365 E3
Enterprise Mobility + Security E5
Enterprise Mobility + Security E3
Microsoft 365 Business Premium
Microsoft 365 F1
Microsoft 365 F3
Microsoft 365 Government G5
Microsoft 365 Government G3
Additional information
A Microsoft Intune user and device subscription is available as a standalone, in addition to the bundles listed
above.
A Microsoft Intune device-only subscription is available to manage kiosks, dedicated devices, phone-room
devices, IoT, and other single-use devices that don't require user-based security and management features.
The appropriate Microsoft Intune license is required if a user or device benefits directly or indirectly from the
Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API.
Intune isn't included in licenses not in the previous tables.
Visit the Microsoft Licensing page for the latest information about product editions, product licensing updates,
volume licensing plans, and other information related to your specific use cases.
For information about how user and device licenses affect access to services, as well as how to assign a license to a
user, see the Assign Intune licenses to your user accounts article.
Set the mobile device management authority
9/4/2020 • 9 minutes to read
The mobile device management (MDM) authority setting determines how you manage your devices. As an IT
admin, you must set an MDM authority before users can enroll devices for management.
Possible configurations are:
Intune Standalone - cloud-only management, which you configure by using the Azure portal. Includes
the full set of capabilities that Intune offers. Set the MDM authority in the Intune console.
Intune co-management - integration of the Intune cloud solution with Configuration Manager for
Windows 10 devices. You configure Intune by using the Configuration Manager console. Configure auto-
enrollment of devices to Intune.
Basic Mobility and Security for Microsoft 365 - If you have this configuration activated, you'll see the
MDM authority set to "Office 365". If you want to start using Intune, you'll need to purchase Intune licenses.
Basic Mobility and Security for Microsoft 365 coexistence - You can add Intune to your tenant if
you're already using Basic Mobility and Security for Microsoft 365 and set the management authority to
either Intune or Basic Mobility and Security for Microsoft 365 for each user to dictate which service will be
used to manage their MDM-enrolled devices. Each user's management authority is defined based on the
license assigned to the user: If the user has only a license for Microsoft 365 Basic or Standard, their devices
will be managed by Basic Mobility and Security for Microsoft 365. If the user has a license entitling Intune,
their devices will be managed by Intune. If you add a license entitling Intune to a user previously managed
by Basic Mobility and Security for Microsoft 365, their devices will be switched to Intune management. Be
sure to have Intune configurations assigned to users to replace Basic Mobility and Security for Microsoft
365 before switching users to Intune, otherwise their devices will lose Basic Mobility and Security for
Microsoft 365 configuration and won't receive any replacement from Intune.
Key Considerations
After you switch to the new MDM authority, there will likely be transition time (up to eight hours) before the
device checks in and synchronizes with the service. You're required to configure settings in the new MDM
authority to make sure enrolled devices will continue to be managed and protected after the change.
Devices must connect with the service after the change so that the settings from the new MDM authority
(Intune standalone) replace the existing settings on the device.
After you change the MDM authority, some of the basic settings (such as profiles) from the previous MDM
authority will remain on the device for up to seven days or until the device connects to the service for the first
time. It's recommended that you configure apps and settings (like policies, profiles, and apps) in the new MDM
authority as soon as possible and deploy the setting to the user groups that contains users who have existing
enrolled devices. As soon as a device connects to the service after the change in MDM authority, it will receive
the new settings from the new MDM authority and prevent gaps in management and protection.
Devices that don't have associated users (typically when you have iOS/iPadOS Device Enrollment Program or
bulk enrollment scenarios) aren't migrated to the new MDM authority. For those devices, you need to call
support for assistance to move them to the new MDM authority.
Coexistence
Enabling coexistence lets you use Intune for a new set of users while continuing to use Basic Mobility and Security
for the existing users. You control which devices are managed by Intune through the user. If a user is assigned an
Intune license or is using Intune co-management with Configuration Manager, then all their enrolled devices will
be managed by Intune. Otherwise, the user is managed by Basic Mobility and Security.
There are three major steps to enable coexistence:
1. Preparation
2. Add Intune MDM authority
3. User and Device migration (optional).
Preparation
Before enabling coexistence with Basic Mobility and Security, consider the following points:
Make sure you have sufficient Intune licenses for the users you intend to manage through Intune.
Review which users are assigned Intune licenses. After you enable coexistence, any user already assigned an
Intune license will have their devices switch to Intune. To avoid unexpected device switches, we recommend
not assigning any Intune licenses until you've enabled coexistence.
Create and deploy Intune policies to replace device security policies that were originally deployed through the
Office 365 Security & Compliance portal. This replacement should be done for any users you expect to move
from Basic Mobility and Security to Intune. If there are no Intune policies assigned to those users, enabling
coexistence may cause them to lose Basic Mobility and Security settings. These settings will be lost without
replacement, like managed email profiles. Even when replacing device security policies with Intune policies,
users may be prompted to re-authenticate their email profiles after the device is moved to Intune
management.
Add Intune MDM authority
To enable coexistence, you must add Intune as the MDM authority for your environment:
1. Sign in to endpoint.microsoft.com with Azure AD Global or Intune service administrator rights.
2. Navigate to Devices .
3. The Add MDM Authority blade displays.
4. To switch the MDM authority from Office 365 to Intune and enable coexistence, select Intune MDM
Authority > Add .
Migrate users and devices (optional)
After the Intune MDM authority is enabled, coexistence is activated and you can begin managing users through
Intune. Optionally, if you want to move devices previously managed by Basic Mobility and Security to be
managed by Intune, assign those users an Intune license. The users' devices will switch to Intune on their next
MDM check-in. Settings applied to these devices through Basic Mobility and Security will no longer be applied
and will be removed from the devices.
Users can quickly change to the new MDM authority by manually starting a check-in from the device to the
service. Users can easily make this change by using the Company Portal app and starting a device compliance
check.
To validate that things are working correctly after devices have checked-in and synchronized with the service
after the change in MDM authority, look for the devices in the new MDM authority.
There's an interim period when a device is offline during the change in MDM authority and when that device
checks in to the service. To help ensure that the device remains protected and functional during this interim
period, the following profiles remain on the device for up to seven days (or until the device connects with the
new MDM authority and receives new settings that overwrite the existing ones):
E-mail profile
VPN profile
Cert profile
Wi-Fi profile
Configuration profiles
After you change to the new MDM authority, the compliance data in the Microsoft Intune administration
console can take up to a week to accurately report. However, the compliance states in Azure Active Directory
and on the device will be accurate, so the device is still protected.
Make sure the new settings that are intended to overwrite existing settings have the same name as the
previous ones to ensure that the old settings are overwritten. Otherwise, the devices might end up with
redundant profiles and policies.
TIP
As a best practice, you should create all management settings and configurations, as well as deployments, shortly after the
change to the MDM authority has completed. This helps ensure that devices are protected and actively managed during
the interim period.
After you change the MDM authority, perform the following steps to validate that new devices are enrolled
successfully to the new authority:
Enroll a new device
Make sure the newly enrolled device shows up in the new MDM authority.
Perform an action, such as Remote Lock, from the administration console to the device. If it's successful, the
device is being managed by the new MDM authority.
If you have issues with specific devices, you can unenroll and reenroll the devices to get them connected to the
new authority and managed as quickly as possible.
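The validation steps above (confirm the authority, then confirm a newly enrolled device shows up under it) can be scripted so they are repeatable during the transition window. The following is an added example, not part of the Intune documentation, using the Microsoft Graph PowerShell SDK. It reads the tenant's mobileDeviceManagementAuthority from the organization resource and looks up a device by name in the Intune managed device list; the device name and the Graph scopes are assumptions.

```powershell
# Added example: confirm the tenant MDM authority and that a device reports to Intune.
Connect-MgGraph -Scopes 'Organization.Read.All', 'DeviceManagementManagedDevices.Read.All' | Out-Null

function Get-TenantMdmAuthority {
    # Single quotes keep $select literal so PowerShell does not expand it.
    $org = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/organization?$select=id,displayName,mobileDeviceManagementAuthority'
    $org.value | ForEach-Object {
        [pscustomobject]@{
            Tenant       = $_.displayName
            MdmAuthority = $_.mobileDeviceManagementAuthority   # unknown, intune, sccm, or office365
        }
    }
}

function Test-DeviceUnderIntune {
    param([Parameter(Mandatory)][string]$DeviceName)
    $d = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" | Select-Object -First 1
    if (-not $d) {
        return [pscustomobject]@{ DeviceName = $DeviceName; Found = $false }
    }
    [pscustomobject]@{
        DeviceName       = $d.DeviceName
        Found            = $true
        ManagementAgent  = $d.ManagementAgent
        EnrolledDateTime = $d.EnrolledDateTime
        LastSync         = $d.LastSyncDateTime
        Compliance       = $d.ComplianceState
    }
}

$authority = Get-TenantMdmAuthority
$authority
if ($authority.MdmAuthority -ne 'intune') {
    Write-Warning "MDM authority is '$($authority.MdmAuthority)', not intune; devices will not move until it is switched."
}

Test-DeviceUnderIntune -DeviceName 'DESKTOP-EXAMPLE'   # assumption: name of the test device you enrolled
```

A device that is Found with a recent LastSync, followed by a successful remote action such as Remote Lock from the admin center, is the confirmation the text asks for; a device that is Found but has not synced since the switch is still carrying the previous authority's settings during the interim period described above.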
Next steps
With the MDM authority set, you can start enrolling devices.
Role-based access control (RBAC) with Microsoft
Intune
9/4/2020 • 4 minutes to read
Role-based access control (RBAC) helps you manage who has access to your organization's resources and what
they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and
change. Each role has a set of permissions that determine what users with that role can access and change within
your organization.
To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:
Global Administrator
Intune Service Administrator (also known as Intune Administrator )
For advice and suggestions about Intune RBAC, you can check out this series of five videos that showcase
examples and walkthroughs: 1, 2, 3, 4, 5.
Roles
A role defines the set of permissions granted to users assigned to that role. You can use both the built-in and
custom roles. Built-in roles cover some common Intune scenarios. You can create your own custom roles with the
exact set of permissions you need. Several Azure Active Directory roles have permissions to Intune. To see a role,
choose Intune > Roles > All roles > choose a role. You'll see the following pages:
Properties: The name, description, type, assignments, and scope tags for the role.
Permissions: Lists a long set of toggles defining what permissions the role has.
Assignments: A list of role assignments defining which users have access to which users/devices. A role can have multiple assignments, and a user can be in multiple assignments.
Built-in roles
You can assign built-in roles to groups without further configuration. You can't delete or edit the name,
description, type, or permissions of a built-in role.
Help Desk Operator: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
Read Only Operator: Views user, device, enrollment, configuration, and application information. Can't make changes to Intune.
Application Manager: Manages mobile and managed applications, can read device information and can view device configuration profiles.
Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators.
School Administrator: Manages Windows 10 devices in Intune for Education.
Endpoint Security Manager: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender ATP.
Custom roles
You can create your own roles with custom permissions. For more information about custom roles, see Create a
custom role.
Azure Active Directory roles with Intune access
Azure Active Directory role | All Intune data | Intune audit data
TIP
Intune also shows three Azure AD extensions: Users, Groups, and Conditional Access, which are controlled using Azure AD RBAC. Additionally, the User Account Administrator only performs AAD user/group activities and does not have full permissions to perform all activities in Intune. For more information, see RBAC with Azure AD.
Role assignments
A role assignment defines:
which users are assigned to the role
what resources they can see
what resources they can change.
You can assign both custom and built-in roles to your users. To be assigned an Intune role, the user must have an
Intune license. To see a role assignment, choose Intune > Roles > All roles > choose a role > choose an
assignment. You'll see the following pages:
Properties: The name, description, role, members, scopes, and tags of the assignment.
Members: All users in the listed Azure security groups have permission to manage the users/devices that are listed in Scope (Groups).
Scope (Groups): All users/devices in these Azure security groups can be managed by the users in Members.
Scope (Tags): Users in Members can see the resources that have the same scope tags.
Multiple role assignments
If a user has multiple role assignments, permissions, and scope tags, those role assignments extend to different
objects as follows:
Assign permissions and scope tags only apply to the objects (like policies or apps) in that role's assignment
Scope (Groups). Assign permissions and scope tags don't apply to objects in other role assignments unless
the other assignment specifically grants them.
Other permissions (such as Create, Read, Update, Delete) and scope tags apply to all objects of the same type
(like all policies or all apps) in any of the user's assignments.
Permissions and scope tags for objects of different types (like policies or apps), don't apply to each other. A
Read permission for a policy, for example, doesn't provide a Read permission to apps in the user's
assignments.
Next steps
Assign a role to a user
Create a custom role
Assign a role to an Intune user
9/4/2020 • 2 minutes to read
Next steps
Learn more about role-based access control in Intune
Create a custom role
Create a custom role in Intune
9/4/2020 • 2 minutes to read
You can create a custom Intune role that includes any permissions required for a specific job function. For
example, if an IT department group manages applications, policies, and configuration profiles, you can add all
those permissions together in one custom role. After creating a custom role, you can assign it to any users that
need those permissions.
To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:
Global Administrator
Intune Service Administrator
Copy a role
You can also copy an existing role.
1. In the Microsoft Endpoint Manager admin center, choose Tenant administration > Roles > All roles > select the checkbox for a role in the list > Duplicate.
2. On the Basics page, enter a name. Make sure to use a unique name.
3. All the permissions and scope tags from the original role will already be selected. You can subsequently change the duplicate role's Name, Description, Permissions, and Scope (Tags).
4. After you've made all the changes that you want, choose Next to get to the Review + create page. Select Create.
Next steps
Assign a role to a user
Learn more about role-based access control in Intune
Use role-based access control (RBAC) and scope tags for distributed IT
9/4/2020 • 4 minutes to read
You can use role-based access control and scope tags to make sure that the right admins have the right access
and visibility to the right Intune objects. Roles determine what access admins have to which objects. Scope tags
determine which objects admins can see.
For example, let's say a Seattle regional office admin has the Policy and Profile Manager role. You want this admin
to see and manage only the profiles and policies that only apply to Seattle devices. To set up this access, you
would:
1. Create a scope tag called Seattle.
2. Create a role assignment for the Policy and Profile Manager role with:
Members (Groups) = A security group named Seattle IT admins. All admins in this group will have
permission to manage policies and profiles for users/devices in the Scope (Groups).
Scope (Groups) = A security group named Seattle users. All users/devices in this group can have their
profiles and policies managed by the admins in the Members (Groups).
Scope (Tags) = Seattle. Admins in the Member (Groups) can see Intune objects that also have the Seattle
scope tag.
3. Add the Seattle scope tag to policies and profiles that you want admins in Members (Groups) to have access to.
4. Add the Seattle scope tag to devices that you want visible to admins in the Members (Groups).
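The Seattle scenario above, together with the multiple-role-assignment rules from the RBAC article (Assign is bound to its own assignment's Scope (Groups) and scope tags; other permissions and scope tags pool across all of a user's assignments for objects of the same type; nothing carries over between object types), can be modelled as a small permission evaluator. The following is an added example written for this page, not Intune's own implementation or API: the object kinds, permission strings, group and tag names are constructed, and the pooling logic is this example's reading of the published rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IntuneObject:
    """A manageable object (constructed shape, not Intune's data model)."""
    name: str
    kind: str               # object type, e.g. "profile", "policy", "app"
    scope_tags: frozenset   # scope tags carried by the object


@dataclass(frozen=True)
class RoleAssignment:
    """One role assignment; holding it means being in its Members (Groups)."""
    name: str
    permissions: frozenset   # "<kind>:<action>" pairs granted by the role
    scope_groups: frozenset  # Scope (Groups): groups whose users/devices may be targeted
    scope_tags: frozenset    # Scope (Tags): tags an admin in Members can see


def _actions_for(assignment, kind):
    """Actions this assignment's role grants on objects of the given kind."""
    return {p.split(":", 1)[1] for p in assignment.permissions
            if p.startswith(kind + ":")}


def can(assignments, action, obj, target_group=None):
    """Decide whether an admin holding `assignments` may perform `action` on `obj`.

    Assign is checked assignment by assignment: the object must carry one of that
    assignment's scope tags and the target group must sit inside its Scope (Groups).
    Any other action is checked against the pooled actions and scope tags of every
    assignment that grants anything on this object kind; other kinds never count.
    """
    if action == "Assign":
        return any(
            "Assign" in _actions_for(a, obj.kind)
            and bool(obj.scope_tags & a.scope_tags)
            and target_group in a.scope_groups
            for a in assignments
        )
    relevant = [a for a in assignments if _actions_for(a, obj.kind)]
    pooled_actions = set().union(*(_actions_for(a, obj.kind) for a in relevant))
    pooled_tags = set().union(*(a.scope_tags for a in relevant))
    return action in pooled_actions and bool(obj.scope_tags & pooled_tags)


# Constructed scenario from the article: a Seattle regional admin holding the
# Policy and Profile Manager role, scoped to the Seattle users group and Seattle tag.
PROFILE_MANAGER = frozenset(
    f"{kind}:{act}" for kind in ("profile", "policy")
    for act in ("Read", "Create", "Update", "Delete", "Assign")
)
SEATTLE = RoleAssignment("Seattle profile managers", PROFILE_MANAGER,
                         frozenset({"Seattle users"}), frozenset({"Seattle"}))
# A second, narrower assignment the same admin might also hold (constructed).
PORTLAND_READER = RoleAssignment("Portland profile readers",
                                 frozenset({"profile:Read"}),
                                 frozenset({"Portland users"}), frozenset({"Portland"}))

SEATTLE_WIFI = IntuneObject("Seattle Wi-Fi profile", "profile", frozenset({"Seattle"}))
PORTLAND_VPN = IntuneObject("Portland VPN profile", "profile", frozenset({"Portland"}))
PORTLAND_APP = IntuneObject("Portland line-of-business app", "app", frozenset({"Portland"}))


def single_assignment_checks():
    """What the Seattle admin can do while holding only the Seattle assignment."""
    held = [SEATTLE]
    return {
        "read_seattle_profile": can(held, "Read", SEATTLE_WIFI),                          # True
        "read_portland_profile": can(held, "Read", PORTLAND_VPN),                         # False: no Portland tag
        "assign_seattle_to_seattle": can(held, "Assign", SEATTLE_WIFI, "Seattle users"),  # True
        "assign_seattle_to_portland": can(held, "Assign", SEATTLE_WIFI, "Portland users"),  # False: outside Scope (Groups)
    }


def two_assignment_checks():
    """How a second assignment widens, and does not widen, the same admin's reach."""
    held = [SEATTLE, PORTLAND_READER]
    return {
        "read_portland_profile": can(held, "Read", PORTLAND_VPN),      # True: granted by the Portland assignment
        "update_portland_profile": can(held, "Update", PORTLAND_VPN),  # True: Update pools across same-kind assignments
        "assign_seattle_to_portland": can(held, "Assign", SEATTLE_WIFI, "Portland users"),  # False: Assign stays per assignment
        "read_portland_app": can(held, "Read", PORTLAND_APP),          # False: a different object kind
    }


if __name__ == "__main__":
    print("Seattle assignment only:", single_assignment_checks())
    print("Seattle plus Portland reader:", two_assignment_checks())
```

The second set of checks is the one worth studying before adding a "harmless" read-only assignment to an existing admin: under the pooling rule, the Portland read assignment lets the Seattle admin's Update permission reach Portland profiles, while Assign remains fenced to each assignment's own groups and tags.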
Next steps
Learn how scope tags behave when there are multiple role assignments. Manage your roles and profiles.
Use policy sets to group collections of management objects
9/4/2020 • 4 minutes to read
Policy sets allow you to create a bundle of references to already existing management entities that need to be
identified, targeted, and monitored as a single conceptual unit. A policy set is an assignable collection of apps,
policies, and other management objects you've created. Creating a policy set enables you to select many different
objects at once, and assign them from a single place. As your organization changes, you can revisit a policy set to
add or remove its objects and assignments. You can use a policy set to associate and assign existing objects, such as
apps, policies, and VPNs in a single package.
IMPORTANT
For a list of known issues related to policy sets, see Policy sets known issues.
Policy sets do not replace existing concepts or objects. You can continue to assign individual objects and you can
also reference individual objects as part of a policy set. Therefore, any changes to those individual objects will be
reflected in the policy set.
You can use policy sets to:
Group objects that need to be assigned together
Assign your organization's minimum configuration requirements on all managed devices
Assign commonly used or relevant apps to all users
You can include the following management objects in a policy set:
Apps
App configuration policies
App protection policies
Device configuration profiles
Device compliance policies
Device type restrictions
Windows autopilot deployment profiles
Enrollment status page
When you create a policy set, you create a single unit of assignment, and manage associations between different
objects. A policy set will be a reference to objects external to it. Any changes in the included objects will affect the
policy set as well. After you create a policy set, you can repeatedly view and edit its objects and assignments.
NOTE
Policy sets support Windows, Android, macOS, and iOS/iPadOS settings, and can be assigned cross-platform.
Next steps
Enroll devices in Microsoft Intune
Use the Intune Tenant Status page
9/4/2020 • 4 minutes to read
The Microsoft Intune Tenant Status page is a centralized hub where you can view current and important details
about your tenant. Details include license availability and use, connector status, and important communications
about the Intune service.
TIP
A tenant is an instance of Azure Active Directory (Azure AD). Your subscription to Intune is hosted by an Azure AD Tenant.
For more information, see Set up a tenant in the Azure AD documentation.
To view the dashboard, sign in to the Microsoft Endpoint Manager admin center, go to Tenant administration, and then select Tenant Status.
The page is divided into three tabs:
Tenant details
Tenant details provide at-a-glance information about your tenant. View details like your tenant name and location,
your MDM Authority, and your tenant's service release number. The service release number is a link that opens the
What's new in Intune article on Microsoft docs. In What's new, you can read about the latest features and updates
to the Intune service.
On this tab you'll also find basic information about your available licenses and how many are assigned to users.
Licenses for devices aren't shown.
Connector status
Connector status is a one-stop location to review the status of all available connectors for Intune.
Connectors are:
Connections you configure to external services. For example, the Apple Volume Purchase Program service or the Windows Autopilot service. Status for this type of connector is based on the last successful synchronization time.
Certificates or credentials that are required to connect to an external unmanaged service, like Apple Push Notification Services (APNS) certificates. Status for this type of connector is based on the expiry timestamp of the certificate or credential.
When you open the Connector status tab, any unhealthy connectors display at the top of the list. Next are
connectors with warnings, and then the list of healthy connectors. Connectors you haven't yet configured appear
last as Not Enabled.
When there's more than a single connector of any one type, the status is a summary for all of those same
connectors. The least healthy status of any single connector is used as the health for the group.
Connector status:
Unhealthy:
The certificate or credential has expired
The last synchronization was three or more days ago
Warning:
The certificate or credential will expire within seven days
The last synchronization was more than one day ago
Healthy:
The certificate or credential won't expire within the next seven days
The last synchronization was less than one day ago
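The thresholds above, the least-healthy-wins summary for several connectors of one type, and the display order of the Connector status tab are captured in the following added example. It is illustrative code written for this page, not Intune's implementation: the Connector shape, the connector names in the sample data and the fixed clock are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UNHEALTHY, WARNING, HEALTHY, NOT_ENABLED = "Unhealthy", "Warning", "Healthy", "Not Enabled"
# Display rank: the Connector status tab lists unhealthy first and not-enabled last.
RANK = {UNHEALTHY: 0, WARNING: 1, HEALTHY: 2, NOT_ENABLED: 3}


@dataclass(frozen=True)
class Connector:
    """One connector instance (constructed shape, not Intune's data model).

    Certificate/credential connectors carry an expiry timestamp; external-service
    connectors carry the time of the last successful synchronization.
    """
    kind: str
    expires: Optional[datetime] = None
    last_sync: Optional[datetime] = None
    enabled: bool = True


def connector_status(c: Connector, now: datetime) -> str:
    """Apply the article's thresholds to a single connector."""
    if not c.enabled:
        return NOT_ENABLED
    if c.expires is not None:
        remaining = c.expires - now
        if remaining <= timedelta(0):           # already expired
            return UNHEALTHY
        if remaining <= timedelta(days=7):      # expires within seven days
            return WARNING
        return HEALTHY
    if c.last_sync is not None:
        age = now - c.last_sync
        if age >= timedelta(days=3):            # three or more days since the last sync
            return UNHEALTHY
        if age > timedelta(days=1):             # more than one day since the last sync
            return WARNING
        return HEALTHY
    return NOT_ENABLED                          # nothing configured yet


def summarize(connectors, now):
    """Collapse connectors of one kind into the least healthy status among them,
    then order the kinds the way the Connector status tab lists them."""
    worst = {}
    for c in connectors:
        status = connector_status(c, now)
        if c.kind not in worst or RANK[status] < RANK[worst[c.kind]]:
            worst[c.kind] = status
    return sorted(worst.items(), key=lambda item: (RANK[item[1]], item[0]))


# Constructed sample data; the clock is fixed so the results are reproducible.
NOW = datetime(2020, 9, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONNECTORS = [
    Connector("Apple MDM push certificate", expires=NOW + timedelta(days=5)),   # Warning
    Connector("Apple VPP token", expires=NOW + timedelta(days=60)),             # Healthy on its own
    Connector("Apple VPP token", expires=NOW - timedelta(days=1)),              # Unhealthy: drags the group down
    Connector("Windows Autopilot", last_sync=NOW - timedelta(hours=2)),         # Healthy
    Connector("Sample connector (constructed, unconfigured)", enabled=False),    # Not Enabled
]

if __name__ == "__main__":
    for kind, status in summarize(SAMPLE_CONNECTORS, NOW):
        print(f"{status:<12} {kind}")
```

The two VPP tokens show why the summary matters operationally: a single expired token makes the whole token group read Unhealthy even though another token of the same kind is fine, so the row has to be opened to find which instance needs renewing.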
When you select a connector from the list, the portal presents the portal page that is relevant to that connector.
From the connectors page you can view the status for previously configured connectors, or select options to add
or create a new connector of that type.
For example, if you select the VPP Expiry Date connector, the iOS Volume-Purchased Program Tokens page
opens where you can view more details about that connector. You can also create a new configuration or edit and
fix issues with an existing one.
The troubleshooting portal lets help desk operators and Intune administrators view user information to address user help requests. Organizations that include a help desk can assign the Help desk operator role to a group of users. The help desk operator role can use the Troubleshoot pane.
The Troubleshoot pane also shows user enrollment issues. Details about the issue and suggested remediation
steps can help administrators and help desk operators troubleshoot problems. Certain enrollment issues aren't
captured and some errors might not have remediation suggestions.
For steps on adding a help desk operator role, see Role-based administration control (RBAC) with Intune.
When a user contacts support with a technical issue with Intune, the help desk operator enters the user's name.
Intune shows useful data that can help resolve many tier-1 issues, including:
User status
Assignments
Compliance issues
Device not responding
Device not getting VPN or Wi-Fi settings
App installation failure
NOTE
You can also access the troubleshooting pane by pointing your browser to: https://aka.ms/intunetroubleshooting.
Table column: Description
Enrollment start: The start time when the user first began enrolling.
Failure details: When you choose a failure row, more details are provided.
Potential remediations: Suggested steps to resolve the error. Some failures may not have remediations.
Resources (Optional): Links for further reading or areas in the portal to take action.
Enrollment errors
Error: Details
iOS/iPadOS Timeout or Failure: A timeout between the device and Intune due to the user taking too long to complete enrollment.
User not found or licensed: The user is missing a license or has been removed from the service.
Device already enrolled: Someone attempted to enroll a device by using the Company Portal on a device that is still enrolled by another user.
Not onboarded into Intune: An enrollment was attempted when the Intune mobile device management (MDM) authority wasn't configured.
Device not supported: The device doesn't meet the minimum requirements for Intune enrollment.
Enrollment restrictions not met: This enrollment was blocked due to an admin-configured enrollment restriction.
Device version too low: The admin has configured an enrollment restriction requiring a higher device version.
Device version too high: The admin has configured an enrollment restriction requiring a lower device version.
Device cannot be enrolled as personal: The admin has configured an enrollment restriction to block personal enrollments and the failed device wasn't predefined as corporate.
Device platform blocked: The admin has configured an enrollment restriction that blocks this device's platform.
Bulk token expired: The bulk token in the provisioning package has expired.
Autopilot device or details not found: The Autopilot device wasn't found when attempting to enroll.
Autopilot profile not found or not assigned: The device doesn't have an active Autopilot profile.
Autopilot enrollment method unexpected: The device attempted to enroll by using a non-allowed method.
Autopilot device removed: The device attempting to enroll has been removed from Autopilot for this account.
Device cap reached: This enrollment was blocked due to an admin-configured device limit restriction.
Apple onboarding: All iOS/iPadOS devices were blocked from enrolling at this time due to a missing or expired Apple MDM push certificate within Intune.
Device not preregistered: The device wasn't pre-registered as corporate and all personal enrollments were blocked by an admin.
Feature not supported: The user was likely attempting to enroll via a method not compatible with your Intune configuration.
Next steps
You can learn more about role-based administration control (RBAC) to define roles for your organization's device management, mobile application management, and data protection tasks. For more information, see Role-based administration control (RBAC) with Intune.
Learn about any known issues in Microsoft Intune. For more information, see Known issues in Microsoft Intune.
Learn how to create a support ticket and get help when you need it. Get support.
Using the Intune docs
9/4/2020 • 5 minutes to read
This article provides information to help you search the Microsoft Intune docs for information, provide feedback for
the Intune docs, and shows how you can quickly and easily contribute to the docs.
For general help and support for Intune, see Get support for Intune.
Contribute to docs
The Intune docs, like most content on docs.microsoft.com, are open-sourced on GitHub. This library accepts and
encourages community contributions. For more information on how to get started, see the Contributor Guide.
Creating a GitHub account is the only prerequisite.
Basic steps to contribute to docs
1. From the target article, click Edit. This action opens the source file in GitHub.
2. To edit the source file, click the pencil icon.
3. Make changes in the markdown source. For more information, see How to use Markdown for writing Docs.
4. In the Propose file change section, enter the public commit comment describing what you changed. Then click Propose file change.
5. Scroll down and verify the changes you made. Click Create pull request to open the form. Describe why you made this change. Click Create pull request.
The writing team will receive your pull request, assign the item to the appropriate writer, review the text and do a
quick edit pass on it, and either approve and merge the changes or contact you for more information about the
update.
What to contribute
If you're interested in contributing, but don't know where to start, see the following suggestions:
Review an article for accuracy. Then update the ms.date metadata using mm/dd/yyyy format. This
contribution helps keep the content fresh.
Add clarifications, examples, or guidance based on your experience. This contribution uses the power of the
community to share knowledge.
Correct translations in a non-English language. This contribution improves the usability of localized content.
NOTE
Larger contributions require signing a Contribution License Agreement (CLA) if you aren't a Microsoft employee. GitHub
automatically requires you to sign this agreement when a contribution meets the threshold. You only need to sign this
agreement once.
Tips
Follow these general guidelines when contributing to Intune docs:
Don't surprise us with large pull requests. Instead, file an issue and start a discussion. Then we can agree on
a direction before you invest a large amount of time.
Read the Microsoft style guide. Know the Top 10 tips for Microsoft style and voice.
Follow the GitHub Flow workflow.
Blog and tweet (or whatever) about your contributions, frequently!
Microsoft provides global technical, pre-sales, billing, and subscription support for Microsoft Intune. Support is
available both online and by phone for paid and trial subscriptions. Online technical support is available in
English and Japanese. Phone support and online billing support are available in additional languages.
As an Intune admin, you can use the Help and Support option to file an online support ticket for Intune from the Azure portal. To create and manage a support incident, your account must have an Azure Active Directory (Azure AD) role that includes the action microsoft.office365.supportTickets. For information about Azure AD roles and permissions that are required to create a support ticket, see administrator roles in Azure Active Directory.
IMPORTANT
For technical support with third-party products that work with Intune (like Saaswedo, Cisco, or Lookout), contact the
supplier of that product first. Before you open a request with Intune support, make sure you configured the other
product correctly.
For information about troubleshooting issues related to Microsoft Intune, see the Troubleshoot section of the Intune
documentation.
Use the drop-down to select the management type you want help with, which opens the applicable
Help and Support page. The Microsoft Endpoint Manager admin center supports the following
management types, and you must select the one you want assistance for, like Intune:
Configuration Manager
Intune
Co-management
After you select a management type, the applicable Help and support page opens where you can
then specify details to find solutions for a specific problem. Details are filtered based on the type of
management you select.
If the correct management type wasn't selected (1), click on Select a management type (2) to return to the management type selection drop-down:
If you drill into any other node like Devices, Apps, or Users, and then select Help and support, you
won't have the opportunity to select a management type nor will the type display below Help and
support. In this case, Intune is assumed. If you don't want the context to be Intune, use the ? option
so you can select a different management type.
The support experience
When you open Help and Support, the portal displays the Need help? window:
In the top left corner there are three icons that you can select to open different panes of the Need Help? window. The pane you're viewing is identified by the underline.
Customers with a Premier or Unified support contract have additional options for support, and see a banner
On the Find solutions pane, specify a few details about an issue in the provided text box. Based on the text you
provide about an issue, the pane populates with insights that are potential matches. You'll also get links to
recommended articles that might help you resolve the issue.
When a strong match is found for the details you describe, troubleshooting tips can appear right in the Need
help? window.
For example, you might enter Password synchronization errors. The results include troubleshooting
guidance directly in the pane, and links to recommended articles from our documentation library.
Contact support
From the contact support pane, you can submit a request for assistance. This pane is available after you provide
some basic keywords on the find solutions pane.
When requesting assistance, provide a description of the problem with as much detail as needed. After
confirming your phone and email contact information, select the method of contact you prefer. The window
displays a response time for each contact method, which gives you an expectation of when you'll be contacted.
Before submitting your request, attach files like logs or screenshots that can help fill in details about the issue.
After you fill in the required information, select Contact me to submit the request.
Service requests
The Service requests pane displays your case history. Active cases are at the top of the list, with closed issues
also available for review.
If you have an active support case number, you can enter it here to jump to that issue, or you can select any
incident from the list of active and closed incidents to view more information about it.
When you're done viewing details for an incident, select the left arrow that appears at the top of the service
request window just above the icons for the three Need Help? pane icons. The back arrow returns the display to
the list of support incidents you've opened.
Premier and Unified support customers
As a customer with a Premier or Unified support contract, you can specify a severity for your issue, and
schedule a support callback for a specific time and day. These options are available when you open or submit a
new issue and when you edit an active support case.
Severity - The options to specify the severity of an issue depend on your support contract:
Premier: Severity of A, B, or C
Unified: Critical, or non-critical
Selecting either a severity A or Critical issue limits you to a phone support case, which provides the fastest
option to get support.
Callback schedule - You can request a callback on a specific day and time.
1. Sign in to the Azure portal (https://portal.azure.us) with your Intune admin credentials, select the ? icon in the upper-right corner of the portal, and then select Help + support to go to the Azure Help + support page.
IMPORTANT
Private cloud for government customers can only view the 15-digit support case number, and the incident status.
All case communications and tracking of work or alerts are sent by email and reference the 8-digit support case
number that is created as a mirror of the support case opened from within the Intune console.
Additional resources
Billing and subscription management support
Volume licensing
Troubleshoot Intune issues
Intune reports
9/4/2020 • 6 minutes to read
Microsoft Intune reports allow you to more effectively and proactively monitor the health and activity of
endpoints across your organization, and also provide other reporting data across Intune. For example, you will be
able to see reports about device compliance, device health, and device trends. In addition, you can create custom
reports to obtain more specific data.
NOTE
The Intune reporting changes will roll out gradually over a period of time to help you prepare and adapt to the new
structure.
The report types are organized into the following focus areas:
Operational - Provides timely, targeted data that helps you focus and take action. Admins, subject matter
experts, and helpdesk will find these reports most helpful.
Organizational - Provides a broader summary of an overall view, such as device management state.
Managers and admins will find these reports most helpful.
Historical - Provides patterns and trends over a period of time. Managers and admins will find these reports
most helpful.
Specialist - Allows you to use raw data to create your own custom reports. Admins will find these reports
most helpful.
The reporting framework provides a consistent and more comprehensive reporting experience. The available
reports provide the following functionality:
Search and sort – You can search and sort across every column, no matter how large the dataset.
Data paging – You can scan your data based on paging, either page-by-page or by jumping to a specific page.
Performance – You can quickly generate and view reports created from large tenants.
Export – You can quickly export reporting data generated from large tenants.
Who can access the data?
Users with the following permissions can review logs:
Global Administrator
Intune Service Administrator
Administrators assigned to an Intune role with Read permissions
TIP
If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in
to Intune and selecting Device compliance > Noncompliant devices.
For related information, see Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune.
Reports summary
The device compliance report is available as the summary report in the Reports workload. Use the following steps to view the device compliance report:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Reports to view the reports summary.
NOTE
Complex reporting functionality requires an Azure subscription.
An example specialist report would correlate device ownership data with platform enrollment data in a custom report. Then, this custom report could be displayed on an existing dashboard in the Azure Active Directory portal.
You can create and view custom reports using the following steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Reports > Diagnostic settings to add a diagnostic setting.
3. Click Add diagnostic setting to display the Diagnostic settings pane.
4. Add a Name for the diagnostic settings.
5. Select the Send to Log Analytics and DeviceComplianceOrg settings.
6. Click Save.
7. Next, select Log analytics to create and run a new log query using Log Analytics.
8. Select Workbooks to create or open an interactive report using Azure Monitor workbooks.
Diagnostic settings
Each Azure resource requires its own diagnostic setting. The diagnostic setting defines the following for a
resource:
Categories of logs and metric data sent to the destinations defined in the setting. The available categories will
vary for different resource types.
One or more destinations to send the logs. Current destinations include Log Analytics workspace, Event Hubs,
and Azure Storage.
Retention policy for data stored in Azure Storage.
A single diagnostic setting can define one of each of the destinations. If you want to send data to more than one of
a particular destination type (for example, two different Log Analytics workspaces), then create multiple settings.
Each resource can have up to 5 diagnostic settings.
For more information about diagnostic settings, see Create diagnostic setting to collect platform logs and metrics
in Azure.
Log Analytics
Log Analytics is the primary tool in the Azure portal for writing log queries and interactively analyzing the results
of the queries. Even if a log query is used elsewhere in Azure Monitor, you'll typically write and test the query first
using Log Analytics. For details about using Log Analytics and creating log queries, see Overview of log queries in
Azure Monitor.
Workbooks
Workbooks combine text, Analytics queries, Azure Metrics, and parameters into rich interactive reports.
Workbooks are editable by any other team members who have access to the same Azure resources. For more
information about workbooks, see Azure Monitor workbooks. Also, you can work with and contribute to
workbook templates. For more information, see Azure Monitor Workbook Templates.
Next steps
Learn more about the following technologies:
Blog - Microsoft Intune reporting framework
Azure Monitor
What is Log Analytics?
Log queries
Get started with Log Analytics in Azure Monitor
Azure Monitor workbooks
security information and event management (SIEM) tools
Use audit logs to track and monitor events in Microsoft Intune
9/4/2020 • 2 minutes to read
Audit logs include a record of activities that generate a change in Microsoft Intune. Create, update (edit), delete,
assign, and remote actions all create audit events that administrators can review for most Intune workloads. By
default, auditing is enabled for all customers. It can't be disabled.
NOTE
Audit events started recording on the December 2017 feature release. Prior events aren't available.
NOTE
For more information about this feature and to review the prerequisites to use it, see send log data to storage, event hubs,
or log analytics.
NOTE
Initiated by (actor) includes information on who ran the task, and where it was run. For example, if you run the activity in
Intune in the Azure portal, then Application always lists Microsoft Intune portal extension and the Application ID
always uses the same GUID.
The Target(s) section lists multiple targets and the properties that were changed.
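Because every create, update, delete, assign and remote action produces a record naming the actor, the application it came from and the targets with their changed properties, the audit trail is a natural feed for a detection rule. The following added example (written for this page, not Intune's code or export format) triages constructed audit records in the shape the article describes; the field names, the sample actors and objects and the application ID are all constructed or placeholders, and the severity rules are this example's choices.

```python
import json

# The article notes that changes made in the Azure portal are recorded with the
# application "Microsoft Intune portal extension" and one fixed application ID.
# That GUID is not given here; the value below is a placeholder.
PORTAL_APP = "Microsoft Intune portal extension"
PORTAL_APP_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not the real GUID

# Constructed audit records, one JSON document per line as a log pipeline would
# receive them. The field layout is an assumption made for this example: it mirrors
# the fields the article describes (actor with application, activity type, targets
# with changed properties) and is not Intune's exported schema.
SAMPLE_AUDIT_LINES = [json.dumps(record) for record in (
    {"time": "2020-09-04T08:01:00Z", "activity": "Update",
     "actor": {"upn": "alice@example.com", "application": PORTAL_APP,
               "applicationId": PORTAL_APP_ID},
     "targets": [{"type": "DeviceConfiguration", "name": "Seattle Wi-Fi profile",
                  "modifiedProperties": [{"name": "Description",
                                          "old": "", "new": "Regional profile"}]}]},
    {"time": "2020-09-04T08:05:00Z", "activity": "Update",
     "actor": {"upn": "alice@example.com", "application": PORTAL_APP,
               "applicationId": PORTAL_APP_ID},
     "targets": [{"type": "RoleAssignment", "name": "Seattle profile managers",
                  "modifiedProperties": [{"name": "Members",
                                          "old": "[Seattle IT admins]",
                                          "new": "[Seattle IT admins, Contractors]"}]}]},
    {"time": "2020-09-04T08:07:00Z", "activity": "Delete",
     "actor": {"upn": "bob@example.com", "application": PORTAL_APP,
               "applicationId": PORTAL_APP_ID},
     "targets": [{"type": "DeviceCompliancePolicy", "name": "Baseline compliance",
                  "modifiedProperties": []}]},
    {"time": "2020-09-04T08:09:00Z", "activity": "Update",
     "actor": {"upn": "svc-automation@example.com",
               "application": "Constructed automation client",
               "applicationId": "11111111-1111-1111-1111-111111111111"},
     "targets": [{"type": "DeviceConfiguration", "name": "Portland VPN profile",
                  "modifiedProperties": [{"name": "Assignments",
                                          "old": "[Portland users]",
                                          "new": "[All devices]"}]}]},
)]


def triage(lines):
    """Return one finding per record/target pair that deserves a reviewer's attention.

    Rules (this example's, not Intune's): deletions and any change to a role object
    are high severity because they alter what is enforced or who may enforce it;
    changes made through an application other than the portal extension are medium
    severity so that scripted or delegated changes are surfaced for review.
    """
    findings = []
    for line in lines:
        event = json.loads(line)
        actor = event["actor"]
        base = {"time": event["time"], "actor": actor["upn"], "activity": event["activity"]}
        for target in event["targets"]:
            entry = dict(base, target=target["name"], target_type=target["type"])
            if event["activity"] == "Delete":
                findings.append(dict(entry, severity="high", reason="object deleted"))
            elif target["type"].startswith("Role"):
                changed = ", ".join(p["name"] for p in target["modifiedProperties"])
                findings.append(dict(entry, severity="high",
                                     reason=f"role object changed ({changed})"))
        if actor["application"] != PORTAL_APP or actor["applicationId"] != PORTAL_APP_ID:
            findings.append(dict(base, target=actor["application"], target_type="Application",
                                 severity="medium",
                                 reason="change made outside the Intune portal extension"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LINES):
        print(f"[{f['severity']}] {f['time']} {f['actor']} {f['activity']} "
              f"{f['target_type']} '{f['target']}': {f['reason']}")
```

The ordinary description edit in the first record produces no finding, which is the point of keying on activity type, target type and originating application rather than on volume: role membership changes and deletions are rare and consequential, and the fixed portal application identity gives a cheap baseline against which any other client stands out.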
Next steps
Send log data to storage, event hubs, or log analytics.
Review client app protection logs.
Send log data to storage, event hubs, or log analytics in Intune (preview)
9/4/2020 • 9 minutes to read
Microsoft Intune includes built-in logs that provide information about your environment:
Audit Logs shows a record of activities that generate a change in Intune, including create, update (edit), delete,
assign, and remote actions.
Operational Logs (preview) show details on users and devices that enrolled successfully (or failed to enroll), and details on non-compliant devices.
Device Compliance Organizational Logs (preview) show an organizational report for device compliance
in Intune, and details on non-compliant devices.
These logs can also be sent to Azure Monitor services, including storage accounts, event hubs, and log analytics.
Specifically, you can:
Archive Intune logs to an Azure storage account to keep the data, or archive for a set time.
Stream Intune logs to an Azure event hub for analytics using popular Security Information and Event
Management (SIEM) tools, such as Splunk and QRadar.
Integrate Intune logs with your own custom log solutions by streaming them to an event hub.
Send Intune logs to Log Analytics to enable rich visualizations, monitoring, and alerting on the connected data.
These features are part of the Diagnostics Settings in Intune.
This article shows you how to use Diagnostics Settings to send log data to different services, gives examples
and estimates of costs, and answers some common questions. Once you enable this feature, your logs are routed
to the Azure Monitor service you choose.
Prerequisites
To use this feature, you need:
An Azure subscription: If you don't have an Azure subscription, you can sign up for a free trial.
A Microsoft Intune environment (tenant) in Azure
A user who's a Global Administrator or Intune Service Administrator for the Intune tenant.
Depending on where you want to route the audit log data, you need one of the following services:
An Azure storage account with ListKeys permissions. We recommend that you use a general storage account,
and not a blob storage account. For storage pricing information, see the Azure Storage pricing calculator.
An Azure event hubs namespace to integrate with third-party solutions.
An Azure log analytics workspace to send logs to Log Analytics.
NOTE
Operational logs are in preview. To provide feedback, including information in the operational logs, go to
UserVoice.
LOG > DeviceComplianceOrg: Device compliance organizational logs (preview) show the
organizational report for Device Compliance in Intune, and details of non-compliant devices. Choose
this option to send the compliance logs to your storage account, event hub, or log analytics.
If you choose to use a storage account, then also enter how many days you want to keep the data
(retention). To keep data forever, set Retention (days) to 0 (zero).
NOTE
Device compliance organizational logs are in preview. To provide feedback, including information in the
report, go to UserVoice.
4. Save your changes. Your setting is shown in the list. Once it's created, you can change the settings by
selecting Edit setting > Save.
Use audit logs throughout Intune
You can also export the audit logs in other parts of Intune, including enrollment, compliance, configuration,
devices, client apps, and more.
For more information, see Use audit logs to track and monitor events. You can choose where to send the audit
logs, as described in send logs to Azure monitor (in this article).
PROPERTY | DESCRIPTION | VALUES
ActivityType | The action that the admin takes. | Create, Delete, Patch, Action, SetReference, RemoveReference, Get, Search
Category | The pane in which the action took place. | Other = 0, Enrollment = 1, Compliance = 2, DeviceConfiguration = 3, Device = 4, Application = 5, EBookManagement = 6, ConditionalAccess = 7, OnPremiseAccess = 8, Role = 9, SoftwareUpdates = 10, DeviceSetupConfiguration = 11, DeviceIntent = 12, DeviceIntentSetting = 13, DeviceSecurity = 14, GroupPolicyAnalytics = 15
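As an added example that is not part of the Intune documentation, the script below reads audit events that were archived to a storage account as JSON lines and triages them by the ActivityType and Category values listed above, keeping the category name readable and surfacing changes that remove enforcement or touch role assignments. It assumes one JSON object per line carrying the documented ActivityType and Category properties; the Actor and ObjectName fields, the sample events, and the set of high-interest combinations are the example's own assumptions.

```python
import json
from collections import Counter

# Category values, as listed in the audit log property table.
CATEGORY_NAMES = {
    0: "Other", 1: "Enrollment", 2: "Compliance", 3: "DeviceConfiguration",
    4: "Device", 5: "Application", 6: "EBookManagement",
    7: "ConditionalAccess", 8: "OnPremiseAccess", 9: "Role",
    10: "SoftwareUpdates", 11: "DeviceSetupConfiguration", 12: "DeviceIntent",
    13: "DeviceIntentSetting", 14: "DeviceSecurity", 15: "GroupPolicyAnalytics",
}

# ActivityType values, as listed in the audit log property table.
ACTIVITY_TYPES = {"Create", "Delete", "Patch", "Action", "SetReference",
                  "RemoveReference", "Get", "Search"}

# (ActivityType, Category) pairs worth a second look: changes that remove or
# weaken enforcement, or that alter who holds administrative rights. This
# selection is the example's own, not a list from the documentation.
HIGH_INTEREST = {
    ("Delete", "Compliance"), ("Delete", "ConditionalAccess"),
    ("Delete", "DeviceSecurity"), ("RemoveReference", "Compliance"),
    ("RemoveReference", "DeviceConfiguration"), ("Create", "Role"),
    ("Patch", "Role"), ("RemoveReference", "Role"),
}

# Constructed sample export: one JSON object per line. ActivityType and
# Category are the documented property names; Actor and ObjectName are
# assumed field names used only to make the sample readable.
CONSTRUCTED_EXPORT = """
{"ActivityType": "Create", "Category": 5, "Actor": "admin1@example.test", "ObjectName": "Outlook for iOS"}
{"ActivityType": "Delete", "Category": 2, "Actor": "admin2@example.test", "ObjectName": "Baseline compliance policy"}
{"ActivityType": "Patch", "Category": 9, "Actor": "admin2@example.test", "ObjectName": "Help desk operator"}
{"ActivityType": "Get", "Category": 4, "Actor": "admin1@example.test", "ObjectName": "LAPTOP-01"}
{"ActivityType": "RemoveReference", "Category": 3, "Actor": "admin2@example.test", "ObjectName": "Wi-Fi profile"}
{"ActivityType": "Create", "Category": 16, "Actor": "admin1@example.test", "ObjectName": "Unknown category sample"}
this line is not JSON and must be reported, not silently dropped
"""


def parse_export(text):
    """Return (events, rejected).

    Each accepted event gains a CategoryName. A numeric Category that is not
    in the table is kept as 'Unknown(<n>)' rather than dropped, so categories
    added by the service later still reach the triage output. Lines that are
    not JSON objects with a known ActivityType are returned in `rejected`
    with their line number so nothing disappears unnoticed.
    """
    events, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, "not valid JSON"))
            continue
        if not isinstance(obj, dict) or obj.get("ActivityType") not in ACTIVITY_TYPES:
            rejected.append((lineno, "missing or unknown ActivityType"))
            continue
        cat = obj.get("Category")
        if isinstance(cat, bool) or not isinstance(cat, int):
            rejected.append((lineno, "Category is not an integer"))
            continue
        event = dict(obj)
        event["CategoryName"] = CATEGORY_NAMES.get(cat, f"Unknown({cat})")
        events.append(event)
    return events, rejected


def flag_high_interest(events):
    """Events whose (ActivityType, CategoryName) pair is in HIGH_INTEREST."""
    return [e for e in events
            if (e["ActivityType"], e["CategoryName"]) in HIGH_INTEREST]


def actor_summary(events):
    """Flagged-event count per actor, most active first."""
    counts = Counter(e.get("Actor", "<unknown>") for e in flag_high_interest(events))
    return counts.most_common()


if __name__ == "__main__":
    evs, bad = parse_export(CONSTRUCTED_EXPORT)
    for e in flag_high_interest(evs):
        print(f"{e['ActivityType']:<16}{e['CategoryName']:<22}"
              f"{e.get('Actor', '<unknown>')}  {e.get('ObjectName', '')}")
    for lineno, why in bad:
        print(f"rejected line {lineno}: {why}")
```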
Cost considerations
If you already have a Microsoft Intune license, you need an Azure subscription to set up the storage account and
event hub. The Azure subscription is typically free. But, you do pay to use Azure resources, including the storage
account for archival and the event hub for streaming. The amount of data and the costs vary depending on the
tenant size.
Storage size for activity logs
Every audit log event uses about 2 KB of data storage. For a tenant with 100,000 users, you may have about 1.5
million events per day. You may need about 3 GB of data storage per day. Because writes typically happen in five-
minute batches, you can expect approximately 9,000 write operations per month.
The following tables show a cost estimate depending on the size of the tenant. It also includes a general-purpose
v2 storage account in West US for at least one year of data retention. To get an estimate for the data volume that
you expect for your logs, use the Azure storage pricing calculator.
Audit log with 100,000 users
Next steps
Archive activity logs to a storage account
Route activity logs to an event hub
Integrate activity logs with Log Analytics
Common error codes and descriptions in Microsoft Intune
3/9/2020 • 17 minutes to read
This article lists common errors, status codes, descriptions, and possible solutions when accessing organization
resources. Use this information to help troubleshoot access issues when using Microsoft Intune.
If you need support help, see get support for Microsoft Intune.
STATUS CODE | ERROR MESSAGE | WHAT TO DO
10 | Installation in progress (APP_CI_ENFORCEMENT_IN_PROGRESS) | Mitigation:
50 | Installation in progress (APP_CI_ENFORCEMENT_IN_PROGRESS_INSTALLING) |
70 | Installation Success (APP_CI_ENFORCEMENT_SUCCEEDED) |
80 | Uninstall in progress (APP_CI_ENFORCEMENT_IN_PROGRESS) |
ERROR MESSAGE | STATUS CODE | WHAT TO DO
Internal server issue. Looks like you couldn't reach us due to an internal error on our server. Retry and then contact your IT admin if the issue continues. | 500 error | This error is likely caused by a problem in the Intune service. The issue should be resolved on the Intune service side and is likely not due to issues on the customer side.
Can't connect to server. Looks like you couldn't reach us. Retry and then contact your IT admin if the issue continues. | Not associated with an HTTP status code | A secure connection to the server could not be made, likely due to an SSL issue with the certs being used. This issue may be due to customer configurations not being compliant with Apple's requirements for App Transport Security (ATS).
Something went wrong. The Company Portal client couldn't load. Retry and then contact your IT admin if the issue continues. | 400 error | Any error with an HTTP status code in the 400s that does not have a more specific error message will see this one. This is a client side error happening in the Company Portal app for iOS/iPadOS.
Can't reach server. Looks like you couldn't reach us. Retry and then contact your IT admin if the issue continues. | 500 error | Any error with an HTTP status code in the 500s that does not have a more specific error message will see this one. This is a service side error happening in the Intune service.
Service errors
STATUS CODE | HEXADECIMAL ERROR CODE | ERROR MESSAGE
Next steps
Contact Microsoft Support to get support for Microsoft Intune.
What's new in Microsoft Intune - previous months
9/4/2020 • 303 minutes to read
January 2020
App management
Intune support for additional Microsoft Edge version 77 deployment channel for macOS
Microsoft Intune now supports the additional Stable deployment channel for the Microsoft Edge app for macOS.
The Stable channel is the recommended channel for deploying Microsoft Edge broadly in Enterprise
environments. It updates every six weeks, each release incorporating improvements from the Beta channel. In
addition to the Stable and Beta channels, Intune supports a Dev channel. The public preview offers stable and
dev channels for Microsoft Edge version 77 and later for macOS. Automatic updates of the browser are On by
default. For more information, see Add Microsoft Edge for macOS devices using Microsoft Intune.
Retirement of Intune Managed Browser
The Intune Managed Browser will be retired. Use Microsoft Edge for your protected Intune browser experience.
User experience change when adding apps to Intune
You'll see a new user experience when adding apps via Intune. This experience provides the same settings and
details that you have used previously; however, the new experience follows a wizard-like process before adding an
app to Intune. This new experience also provides a review page before adding the app. From the Microsoft
Endpoint Manager admin center, select Apps > All apps > Add. For more information, see Add apps to Microsoft
Intune.
Require Win32 apps to restart
You can require that a Win32 app must restart after a successful install. Also, you can choose the amount of time
(the grace period) before the restart must occur.
User experience change when configuring apps in Intune
You'll see a new user experience when creating app configuration policies in Intune. This experience provides the
same settings and details that you have used previously; however, the new experience follows a wizard-like
process before adding a policy to Intune. From the Microsoft Endpoint Manager admin center, select Apps > App
configuration policies > Add. For more information, see App configuration policies for Microsoft Intune.
Intune support for additional Microsoft Edge for Windows 10 deployment channel
Microsoft Intune now supports the additional Stable deployment channel for the Microsoft Edge (version 77 and
later) app for Windows 10. The Stable channel is the recommended channel for deploying Microsoft Edge for
Windows 10 broadly in Enterprise environments. This channel updates every six weeks, each release incorporating
improvements from the Beta channel. In addition to the Stable and Beta channels, Intune supports a Dev
channel. For more information, see Microsoft Edge for Windows 10 - Configure app settings.
S/MIME support for Microsoft Outlook for iOS
Intune supports delivering S/MIME signing and encryption certificates that can be used with Outlook for iOS on
iOS devices. For more information, see Sensitivity labeling and protection in Outlook for iOS and Android.
Cache Win32 app content using Microsoft Connected Cache server
You can install a Microsoft Connected Cache server on your Configuration Manager distribution points to cache
Intune Win32 app content. For more information, see Microsoft Connected Cache in Configuration Manager -
Support for Intune Win32 apps.
Device configuration
Improved user interface experience when configuring Exchange ActiveSync on-premises connector UI
We've updated the experience for configuring the Exchange ActiveSync on-premises connector. The updated
experience uses a single pane to configure, edit, and summarize the details of your on-premises connectors.
Add automatic proxy settings to Wi-Fi profiles for Android Enterprise work profiles
On Android Enterprise Work Profile devices, you can create Wi-Fi profiles. When you choose the Wi-Fi Enterprise
type, you can also enter the Extensible Authentication Protocol (EAP) type used on your Wi-Fi network.
Now when you choose the Enterprise type, you can also enter automatic proxy settings, including a proxy server
URL, such as proxy.contoso.com.
To see the current Wi-Fi settings you can configure, go to Add Wi-Fi settings for devices running Android
Enterprise and Android kiosk in Microsoft Intune.
Applies to:
Android Enterprise work profile
Device enrollment
Block Android enrollments by device manufacturer
You can block devices from enrolling based on the manufacturer of the device. This feature applies to Android
device administrator and Android Enterprise work profile devices. To see enrollment restrictions, go to the
Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions.
Improvements to the iOS/iPadOS Create enrollment type profile UI
For iOS/iPadOS User Enrollment, the Create enrollment type profile Settings page has been streamlined to
improve the Enrollment type choice process while keeping the same functionality. To see the new UI, go to
Microsoft Endpoint Manager admin center > Devices > iOS > iOS enrollment > Enrollment types > Create
profile > Settings page. For more information, see Create a User Enrollment profile in Intune.
Device management
New information in device details
The following information is now on the Overview page for devices:
Memory Capacity (amount of physical memory on the device)
Storage Capacity (amount of physical storage on the device)
CPU architecture
iOS Bypass Activation Lock remote action renamed to Disable Activation Lock
The remote action Bypass Activation Lock has been renamed to Disable Activation Lock. For more
information, see Disable iOS Activation Lock with Intune.
Windows 10 feature update deployment support for Autopilot devices
Intune now supports targeting Autopilot registered devices using Windows 10 feature update deployments.
Windows 10 feature update policies cannot be applied during the Autopilot out of box experience (OOBE) and will
only apply at the first Windows Update scan after a device has finished provisioning (which is typically a day).
Monitor and troubleshoot
Windows Autopilot deployment reports (preview)
A new report details each device deployed through Windows Autopilot. For more information, see Autopilot
deployment report.
Role-based access control
New Intune built-in role Endpoint security manager
A new Intune built-in role is available: the Endpoint security manager. This new role gives admins full access to the
Endpoint Manager node in Intune and read-only access to other areas. The role is an expansion of the "Security
Administrator" role from Azure AD. If you currently have only Global Admins as roles, then there are no changes
needed. If you use roles, and you'd like the granularity that the Endpoint Security Manager provides, then assign
that role when it is available. For more information about built-in roles, see Role-based access control.
Windows 10 administrative templates (ADMX) profiles now support scope tags
You can now assign scope tags to administrative template profiles (ADMX). To do so, go to Intune > Devices >
Configuration profiles > choose an administrative templates profile in the list > Properties > Scope tags. For
more information about scope tags, see Assign scope tags to other objects.
December 2019
App management
Retrieve personal recovery key from MEM encrypted macOS devices
End users can retrieve their personal recovery key (FileVault key) using the iOS Company Portal app. The device
that has the personal recovery key must be enrolled with Intune and encrypted with FileVault through Intune.
Using the iOS Company Portal app, an end user can retrieve their personal recovery key on their encrypted
macOS device by clicking Get recovery key. You can also retrieve the recovery key from Intune by selecting
Devices > the encrypted and enrolled macOS device > Get recovery key. For more information about FileVault,
see FileVault encryption for macOS.
iOS and iPadOS user-licensed VPP apps
For user enrolled iOS and iPadOS devices, end users will no longer be presented with newly created device-
licensed VPP applications deployed as available. However, end users will continue to see all user-licensed VPP apps
within the Company Portal. For more information about VPP apps, see How to manage iOS and macOS apps
purchased through Apple Volume Purchase Program with Microsoft Intune.
Notice - Windows 10 1703 (RS2) will be moving out of support
Starting October 9, 2018, Windows 10 1703 (RS2) moved out of Microsoft platform support for Home, Pro, and
Pro for Workstations editions. For Windows 10 Enterprise and Education editions, Windows 10 1703 (RS2) moved
out of platform support on October 8, 2019. Starting December 26, 2019, we will be updating the minimum
version of the Windows Company Portal application to Windows 10 1709 (RS3). Computers running versions
prior to 1709 will no longer receive updated versions for the application from the Microsoft Store. We have
previously communicated this change to customers who are managing older versions of Windows 10 via the
message center. For more information, see Windows lifecycle fact sheet.
App management
Migrating to Microsoft Edge for managed browsing scenarios
As we move closer to the retirement of the Intune Managed Browser, we made changes to app protection policies
to simplify the steps needed to move your users over to Edge. We have updated the options for the app protection
policy setting Restrict web content transfer with other apps to be one of the following:
Any app
Intune Managed Browser
Microsoft Edge
Unmanaged browser
When you select Microsoft Edge, your end users will see conditional access messaging notifying them that
Microsoft Edge is required for managed browsing scenarios. They will be prompted to download and sign in to
Microsoft Edge with their Azure AD accounts, if they have not already done so. This will be the equivalent to
having targeted your MAM-enabled apps with the app config setting com.microsoft.intune.useEdge set to True.
Existing app protection policies that used the Policy managed browsers setting will now have Intune
Managed Browser selected, and you will see no change in behavior. This means your users will see messaging to
use Microsoft Edge if you've set the useEdge app configuration setting to True. We encourage all customers
leveraging managed browsing scenarios to update their app protection policies with Restrict web content
transfer with other apps to ensure users are seeing the proper guidance to transition to Microsoft Edge, no
matter which app they are launching links from.
Configure app notification content for organization accounts
Intune app protection policies (APP) on Android and iOS devices allow you to control app notification content for
Org accounts. You can select an option (Allow, Block org Data, or Blocked) to specify how notifications for org
accounts are shown for the selected app. This feature requires support from applications and may not be available
for all APP enabled applications. Outlook for iOS version 4.15.0 (or later) and Outlook for Android 4.83.0 (or later)
will support this setting. The setting is available in the console, but the functionality will begin to take effect after
December 16, 2019. For more about APP, see What are app protection policies?.
Microsoft app icons update
The icons used for Microsoft apps in the app targeting pane for App protection policies and App configuration
policies have been updated.
Require use of approved keyboards on Android
As part of an app protection policy, you can specify the setting Approved keyboards to manage which Android
keyboards can be used with managed Android apps. When a user opens the managed app and doesn't already use
an approved keyboard for that app, they are prompted to switch to one of the approved keyboards already
installed on their device. If needed, they're presented with a link to download an approved keyboard from the
Google Play Store, which they can install and set up. The user can only edit text fields in a managed app when their
active keyboard isn't one of the approved keyboards.
Device configuration
Updates to Administrative Templates for Windows 10 devices
You can use ADMX templates in Microsoft Intune to control and manage settings for Microsoft Edge, Office, and
Windows. Administrative Templates in Intune made the following policy setting updates:
Added support for Microsoft Edge versions 78 and 79.
Includes the November 11, 2019 ADMX files in Administrative Template files (ADMX/ADML) and Office
Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016.
For more information on ADMX templates in Intune, see Use Windows 10 templates to configure group policy
settings in Microsoft Intune.
Applies to:
Windows 10 and later
Updated single sign-on experience for apps and websites on your iOS, iPadOS, and macOS devices
Intune has added more single sign-on (SSO) settings for iOS, iPadOS, and macOS devices. You can now configure
redirect SSO app extensions written by your organization or by your identity provider. Use these settings to
configure a seamless single sign-on experience for apps and websites that use modern authentication methods,
such as OAuth and SAML2.
These new settings expand on the previous settings for SSO app extensions and Apple's built-in Kerberos
extension (Devices > Device configuration > Profiles > Create profile > iOS/iPadOS or macOS for
platform type > Device features for profile type).
To see the full range of SSO app extension settings you can configure, go to SSO on iOS and SSO on macOS.
Applies to:
iOS/iPadOS
macOS
We have updated two device restriction settings for iOS and iPadOS devices to correct their behavior
For iOS devices, you can create device restriction profiles that Allow over-the-air PKI updates and Block USB
Restricted mode (Devices > Device configuration > Profiles > Create profile > iOS/iPadOS for platform
> Device restrictions for profile type). Prior to this release, the UI settings and descriptions for the following
settings were incorrect, and they have now been corrected. Beginning with this release, the settings behavior is as
follows:
Block over-the-air PKI updates: Block prevents your users from receiving software updates unless the device
is connected to a computer. Not configured (default) allows a device to receive software updates without being
connected to a computer.
Previously, this setting let you configure it as: Allow, which let your users receive software updates without
connecting their devices to a computer.
Allow USB accessories while device is locked: Allow lets USB accessories exchange data with a device that's
been locked for over an hour. Not configured (default) doesn't update USB Restricted mode on the device, and
USB accessories will be blocked from transferring data from the device if locked for over an hour.
Previously, this setting let you configure it as: Block to disable USB Restricted mode on supervised devices.
For more information on the settings you can configure, see iOS and iPadOS device settings to allow or restrict
features using Intune.
This feature applies to:
iOS/iPadOS
Block users from configuring certificate credentials in the managed keystore on Android Enterprise device owner devices
On Android Enterprise device owner devices, you can configure a new setting that blocks users from configuring
their certificate credentials in the managed keystore (Device configuration > Profiles > Create profile >
Android Enterprise for platform > Device Owner Only > Device Restrictions for profile type > Users +
Accounts).
New Microsoft Endpoint Configuration Manager co-management licensing
Configuration Manager customers with Software Assurance can get Intune co-management for Windows 10 PCs
without having to purchase an additional Intune license for co-management. Customers no longer need to assign
individual Intune/EMS licenses to their end users for co-managing Windows 10.
Devices managed by Configuration Manager and enrolled into co-management have almost the same rights as
Intune Standalone MDM-managed PCs. However, after resetting they can't be re-provisioned by using
Autopilot.
Windows 10 devices enrolled into Intune by using other means require full Intune licenses.
Devices on other platforms still require full Intune licenses.
For more information, see Licensing terms.
Device management
Protected wipe action now available
You now have the option to use the Wipe device action to perform a protected wipe of a device. Protected wipes
are the same as standard wipes, except that they can't be circumvented by powering off the device. A protected
wipe will keep trying to reset the device until successful. In some configurations, this action may leave the device
unable to reboot. For more information, see Retire or wipe devices.
Device Ethernet MAC address added to device's Overview page
You can now see a device's Ethernet MAC address on the device details page (Devices > All devices > choose a
device > Overview).
Device security
Improved experience on a shared device when device-based conditional access policies are enabled
We improved the experience on a shared device with multiple users who are targeted with device-based
conditional access policy by checking the latest compliance evaluation for the user when enforcing policy. For
more information, see the following overview articles:
Azure overview for Conditional Access
Intune device compliance overview
Use PKCS certificate profiles to provision devices with certificates
You can now use PKCS certificate profiles to issue certificates to devices that run Android for Work, iOS/iPadOS,
and Windows, when associated with profiles like those for Wi-Fi and VPN. Previously those three platforms
supported only user-based certificates, with device-based support being limited to macOS.
NOTE
PKCS certificate profiles are not supported with Wi-Fi profiles. Instead, use SCEP certificate profiles when you use an EAP
type.
To use a device-based certificate, while creating a PKCS certificate profile for the supported platforms, select
Settings. You'll now see the setting for Certificate type, which supports the options for Device, or User.
Monitor and troubleshoot
Centralized audit logs
A new centralized audit log experience now collects audit logs for all categories into one page. You can filter the
logs to get the data you're looking for. To see the audit logs, go to Tenant administration > Audit logs.
Scope tag information included in audit log activity details
Audit log activity details now include scope tag information (for Intune objects that support scope tags). For more
information about audit logs, see Use audit logs to track and monitor events.
November 2019
App management
UI update when selectively wiping app data
The UI to selectively wipe app data in Intune has been updated. UI changes include:
A simplified experience by using a wizard-style format condensed within one pane.
An update to the create flow to include assignments.
A summarized page of all things set when viewing properties, prior to creating a new policy or when editing a
property. Also, when editing properties, the summary will only show a list of items from the category of
properties being edited.
For more information, see How to wipe only corporate data from Intune-managed apps.
iOS and iPadOS third-party keyboard support
In March 2019, we announced the removal of support for the iOS App protection policy setting "Third party
keyboards". The feature is returning to Intune with both iOS and iPadOS support. To enable this setting, visit the
Data protection tab of a new or existing iOS/iPadOS app protection policy and find the Third party keyboards
setting under Data Transfer.
The behavior of this policy setting differs slightly from the previous implementation. In multi-identity apps using
SDK version 12.0.16 and later, targeted by app protection policies with this setting configured to Block, end users
will be unable to opt for third party keyboards in both their organization and personal accounts. Apps using SDK
versions 12.0.12 and earlier will continue to exhibit the behavior documented in our blog post titled, Known issue:
Third party keyboards are not blocked in iOS for personal accounts.
Improved macOS enrollment experience in Company Portal
The Company Portal for macOS enrollment experience has a simpler enrollment process that aligns more closely
with the Company Portal for iOS enrollment experience. Device users now see:
A sleeker user interface.
An improved enrollment checklist.
Clearer instructions about how to enroll their devices.
Improved troubleshooting options.
Web apps launched from the Windows Company Portal app
End users can now launch web apps directly from the Windows Company Portal app. End users can select the web
app and then choose the option Open in browser. The published web URL is opened directly in a web browser.
This functionality will be rolled out over the next week. For more information about Web apps, see Add web apps
to Microsoft Intune.
New assignment type column in Company Portal for Windows 10
The Company Portal > Installed Apps > Assignment type column has been renamed to Required by your
organization. Under that column, users will see a Yes or No value to indicate that an app is either required or
made optional by their organization. These changes were made because device users were confused about the
concept of available apps. Your users can find more information about installing apps from Company Portal in
Install and share apps on your device. For more information about configuring the Company Portal app for your
users, see How to configure the Microsoft Intune Company Portal app.
Device configuration
Target macOS user groups to require Jamf management
You can target specific groups of users that will get their macOS devices managed by Jamf. This targeting enables
you to apply the Jamf compliance integration to a subset of macOS devices while other devices are managed by
Intune. If you are already using the Jamf integration, All Users will be targeted for the integration by default.
New Exchange ActiveSync settings when creating an Email device configuration profile on iOS devices
On iOS/iPadOS devices, you can configure email connectivity in a device configuration profile (Device
configuration > Profiles > Create profile > iOS/iPadOS for platform > Email for profile type).
There are new Exchange ActiveSync settings available, including:
Exchange data to sync : Choose the Exchange services to sync (or block syncing) for Calendar, Contacts,
Reminders, Notes, and Email.
Allow users to change sync settings : Allow (or block) users to change the sync settings for these services
on their devices.
For more information on these settings, go to Email profile settings for iOS devices in Intune.
Applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Prevent users from adding personal Google accounts to Android Enterprise fully managed and dedicated devices
On Android Enterprise fully managed and dedicated devices, there's a new setting that prevents users from
creating personal Google accounts (Device configuration > Profiles > Create profile > Android Enterprise
for platform > Device Owner Only > Device Restrictions for profile type > Users and Accounts settings >
Personal Google Accounts).
To see the settings you can configure, go to Android Enterprise device settings to allow or restrict features using
Intune.
Applies to:
Android Enterprise fully managed devices
Android Enterprise dedicated devices
Server-side logging for Siri commands setting is removed in iOS/iPadOS device restrictions profile
On iOS and iPadOS devices, the Server-side logging for Siri commands setting is removed from the
Microsoft Endpoint Manager admin console (Device configuration > Profiles > Create profile >
iOS/iPadOS for platform > Device restrictions for profile type > Built-in apps).
This setting has no effect on devices. To remove the setting from existing profiles, open the profile, make any
change, and then save the profile. The profile is updated, and the setting is deleted from devices.
To see all the settings you can configure, see iOS and iPadOS device settings to allow or restrict features using
Intune.
Applies to:
iOS/iPadOS
Windows 10 feature updates (public preview)
You can now deploy Windows 10 feature updates to Windows 10 devices. Windows 10 feature updates are a new
software update policy that sets the version of Windows 10 that you want devices to install and remain at. You can
use this new policy type along with your existing Windows 10 update rings.
Devices that receive Windows 10 feature updates policy will install the specified version of Windows, and then
remain at that version until the policy is edited or removed. Devices that run a later version of Windows remain at
their current version. Devices that are held at a specific version of Windows can still install quality and security
updates for that version from Windows 10 update rings.
This new type of policy begins rolling out to tenants this week. If this policy isn't available for your tenant yet, it
will be soon.
Add and change key information in plist files for macOS applications
On macOS devices, you can now create a device configuration profile that uploads a property list file (.plist)
associated with an app or with the device (Devices > Configuration profiles > Create profile > macOS for
platform > Preference File for profile type).
Only some apps support managed preferences, and these apps might not allow you to manage all settings. Be
sure to upload a property list file that configures device channel settings, not user channel settings.
For more information on this feature, see Add a property list file to macOS devices using Microsoft Intune.
Applies to:
macOS devices running 10.7 and newer
Device management
Edit device name value for Autopilot devices
You can edit the Device Name value for Azure AD Joined Autopilot devices. For more information, see Edit
Autopilot device attributes.
Edit Group Tag value for Autopilot devices
You can edit the Group Tag value for Autopilot devices. For more information, see Edit Autopilot device attributes.
Monitor and troubleshoot
Updated support experience
Starting today, an updated and streamlined in-console experience for getting help and support for Intune is rolling
out to tenants. If this new experience isn't available for you yet, it will be soon.
We've improved the in-console search and feedback for common issues, and the workflow you use to contact
support. When opening a support issue, you'll see real-time estimates for when you can expect a callback or email
reply, and Premier and Unified support customers can easily specify a severity for their issue, to help get support
faster.
Improved Intune reporting experience (public preview)
Intune now provides an improved reporting experience, including new report types, better report organization,
more focused views, improved report functionality, as well as more consistent and timely data. New report types
focus on the following:
Operational - Provides fresh records with a negative health focus.
Organizational - Provides a broader summary of the overall state.
Historical - Provides patterns and trends over a period of time.
Specialist - Allows you to use raw data to create your own custom reports.
The first set of new reports focuses on device compliance. For more information, see Blog - Microsoft Intune
reporting framework and Intune reports.
Role-based access control
Duplicate custom or built-in roles
You can now copy built-in and custom roles. For more information, see Copy a role.
New permissions for school administrator role
Two new permissions, Assign profile and Sync device, have been added to the school administrator role >
Permissions > Enrollment programs. The Sync device permission lets group admins sync Windows Autopilot
devices. The Assign profile permission lets them delete user-initiated Apple enrollment profiles. It also gives them
permission to manage Autopilot device assignments and Autopilot deployment profile assignments. For a list of
all school administrator/group admin permissions, see Assign group admins.
Security
BitLocker key rotation
You can use an Intune device action to remotely rotate BitLocker recovery keys for managed devices that run
Windows version 1909 or later. To qualify to have recovery keys rotated, devices must be configured to support
recovery key rotation.
Updates to dedicated device enrollment to support SCEP device certificate deployment
Intune now supports SCEP device certificate deployment to Android Enterprise dedicated devices for certificate-
based access to Wi-Fi profiles. The Microsoft Intune app must be present on the device for deployment to work. As
a result, we've updated the enrollment experience for Android Enterprise dedicated devices. New enrollments still
start the same (with QR, NFC, Zero-touch, or device identifier) but now have a step that requires users to install
the Intune app. Existing devices will start getting the app automatically installed on a rolling basis.
Intune audit logs for business-to-business collaboration
Business-to-business (B2B) collaboration allows you to securely share your company's applications and services
with guest users from any other organization, while maintaining control over your own corporate data. Intune
now supports audit logs for B2B guest users. For example, when guest users make changes, Intune will be able to
capture this data through audit logs. For more information, see What is guest user access in Azure Active Directory
B2B?
Security baselines are supported on Microsoft Azure Government
Instances of Intune that are hosted on Microsoft Azure Government can now use security baselines to help you
secure and protect your users and devices.
October 2019
App management
Improved checklist design in Company Portal app for Android
The setup checklist in the Company Portal app for Android has been updated with a lightweight design and new
icons. The changes align with the recent updates made to the Company Portal app for iOS. For a side-by-side
comparison of the changes, see What's new in the app UI. For a look at the updated enrollment steps, see Enroll
with Android work profile and Enroll your Android device.
Win32 apps on Windows 10 S mode devices
You can install and run Win32 apps on Windows 10 S mode managed devices. To do this, you can create one or
more supplemental policies for S mode using the Windows Defender Application Control (WDAC) PowerShell
tools. Sign the supplemental policies with the Device Guard Signing Portal and then upload and distribute the
policies via Intune. In Intune, you will find this capability by selecting Client apps > Windows 10 S
supplemental policies . For more information, see Enable Win32 apps on S mode devices.
Set Win32 app availability based on a date and time
As an admin, you can configure the start time and deadline time for a required Win32 app. At the start time,
Intune management extension will start the app content download and cache it. The app will be installed at the
deadline time. For available apps, start time will dictate when the app is visible in Company Portal. For more
information, see Intune Win32 app management.
Require device restart based on grace period after Win32 app install
You can require that a device must restart after a Win32 app successfully installs. For more information, see Win32
app management.
Dark Mode for iOS Company Portal
Dark Mode is available for the iOS Company Portal. Users can download company apps, manage their devices,
and get IT support in the color scheme of their choice based on device settings. The iOS Company Portal will
automatically match the end user's device settings for dark or light mode. For more information, see Introducing
dark mode on Microsoft Intune Company Portal for iOS. For more information about the iOS Company Portal, see
How to configure the Microsoft Intune Company Portal app.
Android Company Portal enforced minimum app version
By using the Min Company Portal version setting of an app protection policy, you can specify a specific
minimum defined version of the Company Portal that is enforced on an end user device. This conditional launch
setting allows you to Block access, Wipe data, or Warn as possible actions when the value is not met. The
possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or
[Major].[Minor].[Build].[Revision].
The Min Company Portal version setting, if configured, will affect any end user who gets version 5.0.4560.0 of
the Company Portal and any future versions of the Company Portal. This setting will have no effect on users using
a version of Company Portal that is older than the version that this feature is released with. End users using app
auto-updates on their device will likely not see any dialogs from this feature, given that they will likely be on the
latest Company Portal version. This setting is Android only with app protection for enrolled and unenrolled
devices. For more information, see Android app protection policy settings - Conditional launch.
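The version comparison that conditional launch performs, as an added example (not Company Portal or Intune code): it parses the three accepted version formats, pads shorter forms so that 5.0 and 5.0.0.0 compare equal (an assumption of this example), and returns the configured action only when the installed Company Portal is at or above 5.0.4560.0 (the first build that honours the setting) but below the policy minimum.

```python
"""Conditional-launch evaluation for the Min Company Portal version setting.

Added example, not Intune's own implementation. Accepts the three formats the
page lists ([Major].[Minor], [Major].[Minor].[Build],
[Major].[Minor].[Build].[Revision]) and compares them numerically.
"""
from typing import Optional, Tuple

# First Company Portal build that evaluates the setting (from the page).
FEATURE_BASELINE = "5.0.4560.0"
ACTIONS = {"Block access", "Wipe data", "Warn"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integers; reject anything outside 2-4 numeric parts."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a [Major].[Minor](.[Build](.[Revision])) version: {text!r}")
    return tuple(int(p) for p in parts)


def normalize(version: Tuple[int, ...]) -> Tuple[int, ...]:
    """Right-pad with zeros so shorter forms compare as equal to their 4-part form (assumption)."""
    return version + (0,) * (4 - len(version))


def evaluate(installed: str, minimum: str, action: str) -> Optional[str]:
    """Return the action to apply, or None when the app may launch normally.

    Builds older than FEATURE_BASELINE never evaluate the setting, so None is
    returned for them as well, matching the behaviour described on the page.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown conditional-launch action {action!r}")
    have = normalize(parse_version(installed))
    if have < normalize(parse_version(FEATURE_BASELINE)):
        return None  # setting has no effect on pre-feature builds
    if have < normalize(parse_version(minimum)):
        return action
    return None


if __name__ == "__main__":
    for build in ("4.9.9999.9", "5.0.4560.0", "5.0.4600.1", "5.1"):
        print(build, "->", evaluate(build, "5.0.4600", "Block access"))
```

The policy value is compared numerically component by component, so "5.0.4600" is not treated as a string prefix of "5.0.46000"; the three-part minimum also blocks a four-part installed version that is lower.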
Add Mobile Threat Defense apps to unenrolled devices
You can create an Intune app protection policy that may block, or selectively wipe the user's corporate data based
on the health of a device. The health of the device is determined using your chosen Mobile Threat Defense (MTD)
solution. This capability exists today with Intune enrolled devices as a device compliance setting. With this new
feature, we extend the threat detection from a Mobile Threat Defense vendor to function on unenrolled devices.
On Android, this feature requires the latest Company Portal on the device. On iOS, this feature will be available for
use when apps integrate the latest Intune SDK (v 12.0.15+). We'll update the What's New topic when the first app
adopts the latest Intune SDK. The remaining apps will become available on a rolling basis. For more information,
see Create Mobile Threat Defense app protection policy with Intune.
Available Google Play app reporting for Android work profiles
For available app installs on Android Enterprise work profile, dedicated, and fully managed devices you can view
app installation status as well as the installed version of managed Google Play apps. For more information, see
How to monitor app protection policies, Manage Android work profile devices with Intune and Managed Google
Play app type.
Microsoft Edge version 77 and later for Windows 10 and macOS (public preview)
Microsoft Edge version 77 and later will be available to deploy to PCs running Windows 10 and macOS.
The public preview offers Dev and Beta channels for Windows 10 and a Beta channel for macOS. The
deployment is in English (EN) only, however end users can change the display language in the browser under
Settings > Languages. Microsoft Edge is a Win32 app installed in system context and on like architectures (x86
app on x86 OS, and x64 app on x64 OS). In addition, automatic updates of the browser are On by default, and
Microsoft Edge cannot be uninstalled. For more information, see Add Microsoft Edge for Windows 10 to Microsoft
Intune and Microsoft Edge documentation.
Update to app protection UI and iOS app provisioning UI
The UI to create and edit app protection policies and iOS app provisioning profiles in Intune has been updated. UI
changes include:
A simplified experience by using a wizard-style format condensed within one blade.
An update to the create flow to include assignments.
A summarized page of all things set when viewing properties, prior to creating a new policy or when editing a
property. Also, when editing properties, the summary will only show a list of items from the category of
properties being edited.
For more information, see How to create and assign app protection policies and Use iOS app provisioning profiles.
Intune guided scenarios
Intune now provides guided scenarios to help you complete a specific task or set of tasks within Intune. A guided
scenario is a customized series of steps (workflow) centered around one end-to-end use-case. Common scenarios
are defined based on the role an admin, user, or device plays in your organization. These workflows typically
require a collection of carefully orchestrated profiles, settings, applications, and security controls to provide the
best user experience and security. New guided scenarios include:
Deploy Microsoft Edge for Mobile
Secure Microsoft Office mobile apps
Cloud-managed Modern Desktop
For more information, see Intune guided scenarios overview.
Additional app configuration variable available
When creating an app configuration policy, you can include the AAD_Device_ID configuration variable as part of
your configuration settings. In Intune, select Client apps > App configuration policies > Add . Enter your
configuration policy details and select Configuration settings to view the Configuration settings blade. For
more information, see App configuration policies for managed Android Enterprise devices - Use the configuration
designer.
Create groups of management objects called policy sets
Policy sets allow you to create a bundle of references to already existing management entities that need to be
identified, targeted, and monitored as a single conceptual unit. Policy sets do not replace existing concepts or
objects. You can continue to assign individual objects in Intune and you can reference individual objects as part of
a policy set. Therefore, any changes to those individual objects will be reflected in the Policy set. In Intune, you will
select Policy sets > Create to create a new Policy set.
Device configuration
New device firmware configuration interface profile for Windows 10 and later devices (public preview)
On Windows 10 and later, you can create a device configuration profile to control settings and features (Device
configuration > Profiles > Create profile > Windows 10 and later for platform). In this update, there's a
new device firmware configuration interface profile type that allows Intune to manage UEFI (BIOS) settings.
For more information on this feature, see Use DFCI profiles on Windows devices in Microsoft Intune.
Applies to:
Windows 10 RS5 (1809) and newer on supported firmware
UI update for creating and editing Windows 10 Update Rings
We've updated the UI experience for creating and editing Windows 10 Update Rings for Intune. Changes to UI
include:
A wizard-style format condensed into a single console blade, which does away with the blade sprawl seen
previously as you configure update rings.
The revised workflow includes Assignments, before completing the initial configuration of the ring.
A summary page you can use to review all the configurations you made, before saving and deploying a new
update ring. When editing an update ring, the summary shows only the list of items set within the category of
properties you edited.
UI update for creating and editing iOS software update policy
We've updated the UI experience for creating and editing iOS software update policies for Intune. Changes to UI
include:
A wizard-style format condensed into a single console blade, which does away with the blade sprawl seen
previously as you configure update policies.
The revised workflow includes Assignments, before completing the initial configuration of the policy.
A summary page you can use to review all the configurations you made, before saving and deploying a new
policy. When editing a policy, the summary shows only the list of items set within the category of properties
you edited.
Engaged restart settings are removed from Windows Update rings
As previously announced, Intune's Windows 10 Update rings now support settings for deadlines and no longer
support Engaged restart. Settings for Engaged restart are no longer available when you configure or manage
Update rings in Intune.
This change aligns with recent Windows servicing changes and on devices that run Windows 10 1903 or later,
deadlines supersede configurations for engaged restart.
Prevent installation of apps from Unknown Sources on Android Enterprise work profile devices
On Android Enterprise work profile devices, users can't ever install apps from unknown sources in the work
profile. In this update, there's a new setting - Prevent app installations from unknown sources in the
personal profile. By default, this setting prevents users from side-loading apps from unknown sources into the
personal profile on the device.
To see the setting you can configure, go to Android Enterprise device settings to allow or restrict features using
Intune.
Applies to:
Android Enterprise work profile
Create a global HTTP proxy on Android Enterprise device owner devices
On Android Enterprise devices, you can configure a global HTTP Proxy to meet your organization's web browsing
standards (Device configuration > Profiles > Create profile > Android Enterprise for platform > Device
owner > Device restrictions for profile type > Connectivity ). Once configured, all HTTP traffic will use this
proxy.
To configure this feature, and see all the settings you configure, go to Android Enterprise device settings to allow
or restrict features using Intune.
Applies to:
Android Enterprise device owner
Connect automatically setting is removed in Wi-Fi profiles on Android device administrator and Android Enterprise
On Android device administrator and Android Enterprise devices, you can create a Wi-Fi profile to configure
different settings (Device configuration > Profiles > Create profile > Android device administrator or
Android Enterprise for platform > Wi-Fi for profile type). In this update, the Connect automatically setting is
removed, as it's not supported by Android.
If you use this setting in a Wi-Fi profile, you may have noticed that Connect automatically doesn't work. You
don't need to take any action, but be aware this setting is removed in the Intune user interface.
To see the current settings, go to Android Wi-Fi settings or Android Enterprise Wi-Fi settings.
Applies to:
Android device administrator
Android Enterprise
New device configuration settings for supervised iOS and iPadOS devices
On iOS and iPadOS devices, you can create a profile to restrict features and settings on devices (Device
configuration > Profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type).
In this update, there are new settings you can control:
Access to network drive in Files app
Access to USB drive in Files app
Wi-Fi always turned on
To see these settings, go to iOS device settings to allow or restrict features using Intune.
Applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Device enrollment
Toggle to only show Enrollment Status Page on devices provisioned by out-of-box experience (OOBE)
You can now choose to only show the Enrollment Status Page on devices provisioned by Autopilot OOBE.
To see the new toggle, choose Intune > Device enrollment > Windows enrollment > Enrollment Status
Page > Create Profile > Settings > Only show page to devices provisioned by out-of-box experience
(OOBE) .
Specify which Android device operating system versions enroll with work profile or device administrator enrollment
Using Intune device type restrictions, you can use the device's OS version to specify which user devices will use
Android Enterprise work profile enrollment or Android device administrator enrollment. For more information, see
Set enrollment restrictions.
Device management
Intune supports iOS 11 and later
Intune enrollment and Company Portal now support iOS versions 11 and later. Older versions aren't supported.
New restrictions for renaming Windows devices
When renaming a Windows device, you must follow new rules:
15 characters or less (must be less than or equal to 63 bytes, not including trailing NULL)
Not null or an empty string
Allowed ASCII: Letters (a-z, A-Z), numbers (0-9), and hyphens
Allowed Unicode: characters >= 0x80, must be valid UTF8, must be IDN-mappable (that is,
RtlIdnToNameprepUnicode succeeds; see RFC 3492)
Names must not contain only numbers
No spaces in the name
Disallowed characters: { | } ~ [ \ ] ^ ' : ; < = > ? & @ ! " # $ % ` ( ) + / , . _ *
For more information, see Rename a device in Intune.
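A validator for these rules, added here as an example and not Intune's own implementation. It assumes that the RFC 3491 nameprep performed by Python's built-in idna codec is an acceptable stand-in for the RtlIdnToNameprepUnicode check, and it reports every rule a candidate name breaks rather than stopping at the first, which is what you want when reviewing a bulk rename.

```python
"""Validator for the Windows device-name rules listed above.

Added example, not Intune's own implementation. The built-in "idna" codec
applies RFC 3491 nameprep and stands in here for the RtlIdnToNameprepUnicode
check (an assumption of this example).
"""
from typing import List

MAX_CHARS = 15
MAX_BYTES = 63  # UTF-8 length, not counting the trailing NULL
# The page's disallowed set: { | } ~ [ \ ] ^ ' : ; < = > ? & @ ! " # $ % ` ( ) + / , . _ *
DISALLOWED = set('{|}~[\\]^\':;<=>?&@!"#$%`()+/,._*')


def device_name_errors(name: str) -> List[str]:
    """Return every rule the candidate name violates; an empty list means valid."""
    if not name:
        return ["name is null or empty"]
    errors: List[str] = []
    if len(name) > MAX_CHARS:
        errors.append(f"longer than {MAX_CHARS} characters")
    try:
        if len(name.encode("utf-8")) > MAX_BYTES:
            errors.append(f"longer than {MAX_BYTES} bytes")
    except UnicodeEncodeError:  # lone surrogates are not valid UTF-8
        errors.append("not valid UTF-8")
    if all(ch in "0123456789" for ch in name):
        errors.append("contains only numbers")
    if " " in name:
        errors.append("contains spaces")
    for ch in name:
        if ch == " ":
            continue  # already reported above
        if ch in DISALLOWED:
            errors.append(f"disallowed character {ch!r}")
        elif ord(ch) < 0x80 and not (ch.isalnum() or ch == "-"):
            # Remaining ASCII (control characters, tab, ...) is not letter/digit/hyphen
            errors.append(f"ASCII character {ch!r} is not a letter, digit or hyphen")
    # Characters >= 0x80 must survive nameprep + ToASCII; the idna codec raises
    # UnicodeError for prohibited code points (surrogates, U+FFFD, etc.).
    non_ascii = "".join(ch for ch in name if ord(ch) >= 0x80)
    if non_ascii:
        try:
            non_ascii.encode("idna")
        except UnicodeError:
            errors.append("non-ASCII characters are not IDN-mappable")
    return errors


def is_valid_device_name(name: str) -> bool:
    return not device_name_errors(name)


if __name__ == "__main__":
    for candidate in ("LAPTOP-0042", "Büro-PC", "my laptop", "host_1", "12345"):
        print(f"{candidate!r}: {device_name_errors(candidate) or 'ok'}")
```

Note that the underscore and the period are in the disallowed set, so names carried over from on-premises conventions such as host_1 or a DNS-style label fail even though they are otherwise short ASCII.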
New Android report on Devices overview page
A new report on the Devices overview page displays how many Android devices have been enrolled in each device
management solution. This chart shows work profile, fully managed, dedicated, and device administrator enrolled
device counts. To see the report, choose Intune > Devices > Overview.
Device security
Microsoft Edge baseline (Preview)
We've added a security baseline Preview for Microsoft Edge settings.
PKCS certificates for macOS
You can now use PKCS certificates with macOS. You can select the PKCS certificate as a profile type for macOS, and
deploy user and device certificates that have customized subject and subject alternative name fields.
PKCS certificates for macOS also support a new setting, Allow All Apps Access. With this setting you can enable all
associated apps access to the private key of the certificate. For more information about this setting, see the Apple
documentation at https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf.
Derived Credentials to provision iOS mobile devices with certificates
Intune supports use of derived credentials as an authentication method and for S/MIME signing and encryption
for iOS devices. Derived credentials are an implementation of the National Institute of Standards and Technology
(NIST) 800-157 standard for deploying certificates to devices.
Derived credentials rely on the use of a Personal Identity Verification (PIV) or Common Access Card (CAC) card,
like a smart card. To get a derived credential for their mobile device, users start in the Company Portal app and
follow an enrollment workflow that is unique to the provider you use. Common to all providers is the requirement
to use a smart card on a computer to authenticate to the derived credential provider. That provider then issues a
certificate to the device that's derived from the user's smart card.
Intune supports the following derived credential providers:
DISA Purebred
Entrust Datacard
Intercede
You use derived credentials as the authentication method for device configuration profiles for VPN, Wi-Fi, and
email. You can also use them for app authentication, and S/MIME signing and encryption.
For more information about the standard, see Derived PIV Credentials at www.nccoe.nist.gov.
Use Graph API to specify an on-premises User Principal Name as a variable for SCEP certificates
When you use the Intune Graph API, you can specify onPremisesUserPrincipalName as a variable for the Subject
Alternative Name (SAN) for SCEP certificates.
Microsoft 365 Device Management
Improved administration experience in Microsoft 365 Device Management
A refreshed and streamlined administration experience is now generally available in the Microsoft 365 Device
Management specialist workspace at https://endpoint.microsoft.com, including:
Updated navigation: You will find a simplified 1st level navigation that logically groups features.
New platform filters: You can select a single platform, which shows only the policies and apps for the
selected platform, on the Devices and Apps pages.
A new home page: Quickly see service health, state of your tenant, news, etc. on the new home page.
For more information about these improvements, see the Enterprise Mobility + Security blog post on the Microsoft
Tech Community web site.
Introducing Endpoint Security node in Microsoft 365 Device Management
Endpoint Security node is now generally available in Microsoft 365 Device Management specialist workspace at
https://endpoint.microsoft.com, which groups together the capabilities to secure endpoints such as:
Security Baselines: Preconfigured group of settings that help you apply known group of settings and default
values that are recommended by Microsoft.
Security Tasks: Take advantage of Microsoft Defender ATP's Threat and Vulnerability Management (TVM) and
use Intune to remediate endpoint weaknesses.
Microsoft Defender ATP: Integrated Microsoft Defender Advanced Threat Protection (ATP) to help prevent
security breaches.
These settings will continue to be accessible from other applicable nodes such as devices, and current configured
state will be the same no matter where you access and enable these capabilities.
For more information about these improvements, see the Intune Customer Success blog post on the Microsoft
Tech Community web site.
September 2019
App management
Managed Google Play private LOB apps
Intune now allows IT admins to publish private Android LOB apps to Managed Google Play via an iframe
embedded in the Intune console. Previously, IT admins needed to publish LOB apps directly to Google's Play
publishing console, which required several steps and was time consuming. This new feature allows for easy
publishing of LOB apps with a minimal set of steps, without needing to leave the Intune console. Admins will no
longer need to manually register as a developer with Google, and will no longer need to pay the Google $25
registration fee. Any of the Android Enterprise management scenarios that use Managed Google Play can take
advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune, select
Client apps > Apps > Add . Then, select Managed Google Play from the App type list. For more information
about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices with Intune.
Windows Company Portal experience
The Windows Company Portal is being updated. You will be able to use multiple filters on the Apps page within
the Windows Company Portal. The Device Details page is also being updated with an improved user experience.
We are in the process of rolling out these updates to all customers and expect to be completed by the end of next
week.
macOS support for web apps
Web apps, which allow you to add a shortcut to a URL on the web, can be installed to the Dock using the macOS
Company Portal. End users can access the Install action from the app details page for a web app in the macOS
Company Portal. For more information about the Web link app type, see Add apps to Microsoft Intune and Add
web apps to Microsoft Intune.
macOS support for VPP apps
macOS apps, purchased using Apple Business Manager, are displayed in the console when Apple VPP tokens are
synced in Intune. You can assign, revoke and reassign device and user-based licenses for groups using the Intune
console. Microsoft Intune helps you manage VPP apps purchased for use at your company by:
Reporting license information from the app store.
Tracking how many of the licenses you have used.
Helping you prevent installation of more copies of the app than you own.
For more information about Intune and VPP, see Manage volume-purchased apps and books with Microsoft
Intune.
Managed Google Play iframe support
Intune now provides support for adding and managing web links directly in the Intune console via the Managed
Google Play iframe. This lets IT admins submit a URL and icon graphic, and then deploy those links to devices just
like regular Android apps. Any of the Android Enterprise management scenarios that use Managed Google Play
can take advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune,
select Client apps > Apps > Add . Then, select Managed Google Play from the App type list. For more
information about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices
with Intune.
Silently install Android LOB apps on Zebra devices
When installing Android line-of-business (LOB) apps on Zebra devices, rather than being prompted to both
download and install the LOB app, you will be able to install the app silently. In Intune, select Client apps > Apps
> Add . In the Select app type pane, select Line-of-business app . For more information, see Add an Android
line-of-business app to Microsoft Intune.
Currently, after the LOB app is downloaded, a download success notification will appear on the user's device. The
notification can only be dismissed by tapping Clear All in the notification shade. This notification issue will be
fixed in an upcoming release, and the installation will be completely silent with no visual indicators.
Read and write Graph API operations for Intune apps
Applications can call the Intune Graph API with both read and write operations using app identity without user
credentials. For more information about accessing the Microsoft Graph API for Intune, see Working with Intune in
Microsoft Graph.
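The app-identity flow this entry describes, paired with the BitLocker recovery key rotation action from the Security section above (November 2019): an added example, not Microsoft's code. It assumes an app registration with a client secret and the DeviceManagementManagedDevices.PrivilegedOperations.All application permission consented in the tenant, reads the tenant, client ID, secret and managed device ID from environment variables (placeholder names), and targets the beta Graph endpoint, where the rotateBitLockerKeys action is exposed. Only main() touches the network; the request builders and the token parser are pure functions so the shape of the exchange can be checked offline.

```python
"""App-only (client credentials) call to Intune through Microsoft Graph.

Added example, not Microsoft's own code. No user credentials are involved:
the app registration authenticates with its own secret, receives a bearer
token scoped to Graph, and invokes the rotateBitLockerKeys device action.
Tenant, client ID, secret and device ID are placeholders read from the
environment; the beta endpoint is an assumption of this example.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Tuple

GRAPH = "https://graph.microsoft.com/beta"


def token_request(tenant: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """URL and form body of an OAuth 2.0 client-credentials request for Graph."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        # .default asks for the application permissions already consented in the tenant
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def parse_token_response(raw: bytes) -> str:
    """Extract the bearer token; refuse anything that is not a Bearer access token."""
    data = json.loads(raw)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError(f"unexpected token response: {data.get('error', data)}")
    return data["access_token"]


def rotate_bitlocker_keys_request(device_id: str, token: str) -> urllib.request.Request:
    """POST .../managedDevices/{id}/rotateBitLockerKeys with the app's bearer token."""
    return urllib.request.Request(
        f"{GRAPH}/deviceManagement/managedDevices/{device_id}/rotateBitLockerKeys",
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Length": "0"},
    )


def main() -> None:
    # Placeholder environment variable names; the secret must never be hard-coded.
    url, body = token_request(os.environ["TENANT"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        token = parse_token_response(resp.read())
    # The page notes devices must be configured for recovery key rotation; a device
    # that is not will be rejected by the service, so check the HTTP status.
    with urllib.request.urlopen(rotate_bitlocker_keys_request(os.environ["DEVICE_ID"], token)) as resp:
        print("rotation requested, HTTP", resp.status)


if __name__ == "__main__":
    main()
```

Because the token is issued to the application rather than to an administrator, the Intune audit log attributes the rotation to the app registration; keep the client secret in a vault and scope the app to the minimum Graph permissions the action needs.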
Protected data sharing and encryption for Intune App SDK for iOS
The Intune App SDK for iOS will use 256-bit encryption keys when encryption is enabled by App Protection
Policies. All apps will need to have an SDK version 8.1.1 to allow protected data sharing.
Updates to Microsoft Intune app
The Microsoft Intune app for Android has been updated with the following improvements:
Updated and improved the layout to include bottom navigation for the most important actions.
Added an additional page that shows the user's profile.
Added the display of actionable notifications in the app for the user, such as the need to update their device
settings.
Added the display of custom push notifications, aligning the app with the support recently added in the
Company Portal app for iOS and Android. For more information, see Send custom notifications in Intune.
For iOS devices, customize the enrollment process privacy screen of the Company Portal
Using Markdown, you can customize the Company Portal's privacy screen that end users see during iOS
enrollment. Specifically, you'll be able to customize the list of things that your organization can't see or do on the
device. For more information, see How to configure the Intune Company Portal app.
Device configuration
Support for IKEv2 VPN profiles for iOS
In this update, you can create VPN profiles for the iOS native VPN client using the IKEv2 protocol. IKEv2 is a new
connection type in Device configuration > Profiles > Create profile > iOS for platform > VPN for profile
type > Connection Type .
These VPN profiles configure the native VPN client, so no VPN client apps are installed or pushed to managed
devices. This feature requires devices be enrolled in Intune (MDM enrollment).
To see the current VPN settings you can configure, go to Configure VPN settings on iOS devices.
Applies to:
iOS
Device features, device restrictions, and extension profiles for iOS and macOS settings are shown by enrollment type
In Intune, you create profiles for iOS and macOS devices (Device configuration > Profiles > Create profile >
iOS or macOS for platform > Device features , Device restrictions , or Extensions for profile type).
In this update, the available settings in the Intune portal are categorized by the enrollment type they apply to:
iOS
User enrollment
Device enrollment
Automated device enrollment (supervised)
All enrollment types
macOS
User approved
Device enrollment
Automated device enrollment
All enrollment types
Applies to:
iOS
New voice control settings for supervised iOS devices running in kiosk mode
In Intune, you can create policies to run supervised iOS devices as a kiosk, or dedicated device (Device
configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > Kiosk ).
In this update, there are new settings you can control:
Voice control : Enables Voice Control on the device while in kiosk mode.
Modification of voice control : Allow users to change the Voice Control setting on the device while in kiosk
mode.
To see the current settings, go to iOS Kiosk settings.
Applies to:
iOS 13.0 and later
Use single sign-on for apps and websites on your iOS and macOS devices
In this update, there are some new single sign-on settings for iOS and macOS devices (Device configuration >
Profiles > Create profile > iOS or macOS for platform > Device features for profile type).
Use these settings to configure a single sign-on experience, especially for apps and websites that use Kerberos
authentication. You can choose between a generic credential single sign-on app extension, and Apple's built-in
Kerberos extension.
To see the current device features you can configure, go to iOS device features and macOS device features.
Applies to:
iOS 13.0 and newer
macOS 10.15 and newer
Associate domains to apps on macOS 10.15+ devices
On macOS devices, you can configure different features, and push these features to your devices using a policy
(Device configuration > Profiles > Create profile > macOS for platform > Device features for profile
type). In this update, you can associate domains to your apps. This feature helps share credentials with websites
related to your app, and can be used with Apple's single sign-on extension, universal links, and password autofill.
To see the current features you can configure, go to macOS device feature settings in Intune.
Applies to:
macOS 10.15 and newer
Use "iTunes" and "apps" in the iTunes App store URL when showing or hiding apps on iOS supervised devices
In Intune, you can create policies to show or hide apps on your supervised iOS devices (Device configuration >
Profiles > Create profile > iOS for platform > Device restrictions for profile type > Show or hide apps).
You can enter the iTunes App store URL, such as https://itunes.apple.com/us/app/work-folders/id950878067?mt=8.
In this update, both apps and itunes can be used in the URL, such as:
https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
https://apps.apple.com/us/app/work-folders/id950878067?mt=8
August 2019
App management
Control iOS app uninstall behavior at device unenrollment
Admins can manage whether an app is removed or retained on a device when the device is unenrolled at a user or
device group level.
Categorize Microsoft Store for Business apps
You can categorize Microsoft Store for Business apps. To do so, choose Intune > Client apps > Apps > Select a
Microsoft Store for Business app > App Information > Category. On the drop-down menu, assign a category.
Customized notifications for Microsoft Intune app users
The Microsoft Intune app for Android now supports the display of custom push notifications, aligning it with the
support recently added in the Company Portal apps for iOS and Android. For more information, see Send custom
notifications in Intune.
Device configuration
Configure Microsoft Edge settings using administrative templates for Windows 10 and newer
On Windows 10 and newer devices, you can create administrative templates to configure group policy settings in
Intune. In this update, you can configure settings that apply to Microsoft Edge version 77 and newer.
To learn more about administrative templates, see Use Windows 10 templates to configure group policy settings
in Intune.
Applies to:
Windows 10 and newer (Windows RS4+)
New features for Android Enterprise dedicated devices in multi-app mode
In Intune, you can control features and settings in a kiosk-style experience on your Android Enterprise dedicated
devices (Device configuration > Profiles > Create profile > Android Enterprise for platform > Device
Owner only, Device restrictions for profile type).
In this update, the following features are being added:
Dedicated devices > Multi-app: The Virtual home button can be shown by swiping up on the device, or
floating on the screen so users can move it.
Dedicated devices > Multi-app: Flashlight access allows users to use the flashlight.
Dedicated devices > Multi-app: Media volume control allows users to control the device's media volume
using a slider.
Dedicated devices > Multi-app: Enable a screensaver, upload a custom image, and control when the
screensaver is shown.
To see the current settings, go to Android Enterprise device settings to allow or restrict features using Intune.
Applies to:
Android Enterprise dedicated devices
New app and configuration profiles for Android Enterprise fully managed devices
Using profiles, you can configure settings that apply VPN, email, and Wi-Fi settings to your Android Enterprise
device owner (fully managed) devices. In this update, you can:
Use app configuration policies to deploy Outlook, Gmail, and Nine Work email settings.
Use device configuration profiles to deploy trusted root certificate settings.
Use device configuration profiles to deploy VPN and Wi-Fi settings.
IMPORTANT
With this feature, users authenticate with their username and password for VPN, Wi-Fi, and e-mail profiles. Currently,
certificate-based authentication isn't available.
Applies to:
Android Enterprise device owner (fully managed)
Control the apps, files, documents, and folders that open when users sign in to macOS devices
You can enable and configure features on macOS devices (Device configuration > Profiles > Create profile >
macOS for platform > Device features for profile type).
In this update, there's a new Login Items setting to control which apps, files, documents, and folders open when a
user signs in to the enrolled device.
To see the current settings, go to macOS device feature settings in Intune.
Applies to:
macOS
Deadlines replace Engaged restart settings for Windows Update rings
To align with recent Windows servicing changes, Intune's Windows 10 Update rings now support settings for
deadlines. Deadlines determine when a device installs feature and security updates. On devices that run Windows
10 1903 or later, deadlines supersede configurations for engaged restart. In the future, deadlines will supersede
engaged restart on earlier versions of Windows 10 as well.
When you don't configure deadlines, devices continue to use their engaged restart settings; however, Intune will
deprecate support for engaged restart settings in a future update.
Plan to use deadlines for all your Windows 10 devices. After settings for deadlines are in place, you can change
your Intune configurations for engaged restart to Not configured. When set to Not configured, Intune stops
managing those settings on devices but doesn't remove the last configurations for the setting from the device.
Therefore, the last configurations that were set for engaged restart remain active and in use on devices until those
settings are modified by a method other than Intune. Later, when the device's version of Windows changes or
when Intune support for deadlines expands to the device's Windows version, the device will begin to use the new
settings, which are already in place.
Support for multiple Microsoft Intune Certificate Connectors
Intune now supports install and use of multiple Microsoft Intune Certificate Connectors for PKCS operations. This
change supports load balancing and high availability of the connector. Each connector instance can process
certificate requests from Intune. If one connector is unavailable, other connectors continue to process requests.
To use multiple connectors, you don't need to upgrade to the latest version of the connector software.
New settings, and changes to existing settings to restrict features on iOS and macOS devices
You can create profiles to restrict settings on devices running iOS and macOS (Device configuration > Profiles
> Create profile > iOS or macOS for platform type > Device restrictions). This update includes the following
features:
On macOS > Device restrictions > Cloud and storage, use the new Handoff setting to block users
from starting work on one macOS device and continuing it on another macOS or iOS device.
To see the current settings, go to macOS device settings to allow or restrict features using Intune.
On iOS > Device restrictions, there are a few changes:
Built-in apps > Find my iPhone (supervised only): New setting that blocks this feature in the Find
My app.
Built-in apps > Find my Friends (supervised only): New setting that blocks this feature in the Find
My app.
Wireless > Modification of Wi-Fi state (supervised only): New setting that prevents users from
turning Wi-Fi on or off on the device.
Keyboard and Dictionary > QuickPath (supervised only): New setting that blocks the QuickPath
feature.
Cloud and storage: Activity continuation is renamed to Handoff.
To see the current settings, go to iOS device settings to allow or restrict features using Intune.
Applies to:
macOS 10.15 and newer
iOS 13 and newer
Some unsupervised iOS device restrictions will become supervised-only with the iOS 13.0 release
In this update, some settings apply to supervised-only devices with the iOS 13.0 release. If these settings are
configured and assigned to unsupervised devices prior to the iOS 13.0 release, the settings are still applied to
those unsupervised devices. They also still apply after the devices upgrade to iOS 13.0. These restrictions are
removed on unsupervised devices that are backed up and restored.
These settings include:
App Store, Doc Viewing, Gaming:
  App store
  Explicit iTunes, music, podcast, or news content
  Adding Game Center friends
  Multiplayer gaming
Built-in Apps:
  Camera
  FaceTime
  Safari
  Autofill
Cloud and Storage:
  Backup to iCloud
  Block iCloud Document sync
  Block iCloud Keychain sync
To see the current settings, go to iOS device settings to allow or restrict features using Intune.
Applies to:
iOS 13.0 and newer
Improved device status for macOS FileVault encryption
We've updated several of the device status messages for FileVault encryption on macOS devices.
Some Windows Defender Antivirus scan settings in the reporting show a Failed status
In Intune, you can create policies to use Windows Defender Antivirus to scan your Windows 10 devices (Device
configuration > Profiles > Create profile > Windows 10 and later for platform > Device restrictions for
profile type > Windows Defender Antivirus). Reporting for the Time to perform a daily quick scan and Type of
system scan to perform settings shows a failed status when the settings actually applied successfully.
In this update, this behavior is fixed. The Time to perform a daily quick scan and Type of system scan to
perform settings now show a success status when the scans complete successfully, and a failed status when the
settings fail to apply.
For more information on the Windows Defender Antivirus settings, see Windows 10 (and newer) device settings
to allow or restrict features using Intune.
Zebra Technologies is a supported OEM for OEMConfig on Android Enterprise devices
In Intune, you can create device configuration profiles, and apply settings to Android Enterprise devices using
OEMConfig (Device configuration > Profiles > Create profile > Android enterprise for platform >
OEMConfig for profile type).
In this update, Zebra Technologies is a supported original equipment manufacturer (OEM) for OEMConfig. For
more information on OEMConfig, see Use and manage Android Enterprise devices with OEMConfig.
Applies to:
Android enterprise
Device enrollment
Default scope tags
A new built-in default scope tag is now available. All un-tagged Intune objects that support scope tags are
automatically assigned to the default scope tag. The Default scope tag is added to all existing role assignments to
maintain parity with the admin experience today. If you don't want an admin to see Intune objects with the default
scope tag, remove the default scope tag from the role assignment. This feature is similar to the security scopes
feature in Configuration Manager. For more information, see Use RBAC and scope tags for distributed IT.
Android enrollment device administrator support
The Android device administrator enrollment option has been added to the Android enrollment page (Intune >
Device enrollment > Android enrollment). Android device administrator will still be enabled by default for all
tenants. For more information, see Android device administrator enrollment.
Skip more screens in Setup Assistant
You can set Device Enrollment Program profiles to skip the following Setup Assistant screens:
For iOS
Appearance
Express Language
Preferred Language
Device to Device Migration
For macOS
Screen Time
Touch ID Setup
For more information about Setup Assistant customization, see Create an Apple enrollment profile for iOS and
Create an Apple enrollment profile for macOS.
Add a user column to the Autopilot device CSV upload process
You can now add a user column to the CSV upload for Autopilot devices. This lets you bulk assign users at the time
you import the CSV. For more information, see Enroll Windows devices in Intune by using the Windows Autopilot.
Device management
Configure automatic device clean-up time limit down to 30 days
You can set the automatic device clean-up time limit as short as 30 days (instead of the previous limit of 90 days)
after the last sign-in. To do so, go to Intune > Devices > Setup > Device Clean Up Rules.
Build number included on Android device Hardware page
A new entry on the Hardware page for each Android device includes the device's operating system build number.
For more information, see View device details in Intune.
July 2019
App management
Customized notifications for users and groups
Send custom push notifications from the Company Portal application to users on iOS and Android devices that
you manage with Intune. These mobile push notifications are highly customizable with free text and can be used
for any purpose. You can target them to different user groups in your organization. For more information, see
custom notifications.
Google's Device Policy Controller app
The Managed Home Screen app now provides access to Google's Android Device Policy app. The Managed Home
Screen app is a custom launcher used for devices enrolled in Intune as Android Enterprise (AE) dedicated devices
using multi-app kiosk mode. You can access the Android Device Policy app, or guide users to the Android Device
Policy app, for support and debug purposes. This launching capability is available at the time the device enrolls
and locks into Managed Home Screen. No additional installations are needed to use this functionality.
Outlook protection settings for iOS and Android devices
You can now configure both general app and data protection configuration settings for Outlook for iOS and
Android using simple Intune admin controls without device enrollment. The general app config settings provide
parity with the settings administrators can enable when managing Outlook for iOS and Android on enrolled
devices. For more information about Outlook settings, see Deploying Outlook for iOS and Android app
configuration settings.
Managed Home Screen and Managed Settings icons
The Managed Home Screen app icon and the Managed Settings icon have been updated. The Managed Home
Screen app is only used by devices enrolled in Intune as Android Enterprise (AE) dedicated devices and running in
multi-app kiosk mode. For more information about the Managed Home Screen app, see Configure the Microsoft
Managed Home Screen app for Android Enterprise.
Android Device Policy on Android Enterprise dedicated devices
You can access the Android Device Policy application from the Managed Home Screen app's debug screen. The
Managed Home Screen app is only used by devices enrolled in Intune as Android Enterprise (AE) dedicated
devices and running in multi-app kiosk mode. For more information, see Configure the Microsoft Managed Home
Screen app for Android Enterprise.
iOS Company Portal updates
Your company name on iOS app management prompts will replace the current "i.manage.microsoft.com" text. For
instance, users will see their company name instead of "i.manage.microsoft.com" when users attempt to install an
iOS app from the Company Portal or when users allow management of the app. This will be rolled out to all
customers over the next few days.
Azure AD and APP on Android Enterprise devices
When onboarding fully managed Android Enterprise devices, users will now register with Azure Active Directory
(Azure AD) during the initial setup of their new or factory reset device. Previously for a fully managed device, after
setup was complete, the user had to manually launch the Microsoft Intune app to start Azure AD registration. Now
when the user lands on the device home page after initial setup, the device is both enrolled and registered.
In addition to the Azure AD updates, Intune app protection policies (APP) are now supported on fully managed
Android Enterprise devices. This functionality will become available as we roll it out. For more information, see
Add Managed Google Play apps to Android Enterprise devices with Intune.
Device configuration
Use "applicability rules" when creating Windows 10 device configuration profiles
You create Windows 10 device configuration profiles (Device configuration > Profiles > Create profile >
Windows 10 for platform > Applicability rules ). In this update, you can create an applicability rule so the
profile only applies to a specific edition or specific version. For example, you create a profile that enables some
BitLocker settings. Once you add the profile, use an applicability rule so the profile only applies to devices running
Windows 10 Enterprise.
To add an applicability rule, see Applicability rules.
Applies to: Windows 10 and later
Use tokens to add device-specific information in custom profiles for iOS and macOS devices
You can use custom profiles on iOS and macOS devices to configure settings and features not built into Intune
(Device configuration > Profiles > Create profile > iOS or macOS for platform > Custom for profile type).
In this update, you can add tokens to your .mobileconfig files to add device-specific information. For example,
you can add Serial Number: {{serialnumber}} to your configuration file to show the serial number of the device.
To create a custom profile, see iOS custom settings or macOS custom settings.
Applies to:
iOS
macOS
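Added example, not code from the Intune documentation or the product: a small Python simulation of the token expansion described above, showing what a custom .mobileconfig payload containing {{serialnumber}} looks like before and after the device-specific value is filled in, and what to check before rendering. The payload type, identifiers and serial numbers are constructed, and the case-insensitive token lookup and XML escaping are this example's own assumptions rather than documented Intune behaviour.

```python
# Added example (not Intune's own code): simulate how a {{token}} in a custom
# .mobileconfig is replaced with the enrolled device's value. Case-insensitive
# lookup and XML escaping are assumptions of this example, not documented behaviour.
import plistlib
import re
from typing import Dict, Set
from xml.sax.saxutils import escape

# Constructed sample custom profile: one payload whose string value embeds the
# {{serialnumber}} token, as in the "Serial Number: {{serialnumber}}" example above.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.assettag</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>Asset tag (constructed example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.example.assettag.payload</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.assettag.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>AssetLabel</key><string>Serial Number: {{serialnumber}}</string>
    </dict>
  </array>
</dict>
</plist>
"""

# A token is a name wrapped in double braces, e.g. {{serialnumber}}.
TOKEN_RE = re.compile(r"\{\{(\w+)\}\}")


def find_tokens(template: bytes) -> Set[str]:
    """Return the distinct token names the template uses (lower-cased)."""
    return {m.group(1).lower() for m in TOKEN_RE.finditer(template.decode("utf-8"))}


def missing_tokens(template: bytes, device: Dict[str, str]) -> Set[str]:
    """Tokens the template uses that the device attribute set cannot supply."""
    return find_tokens(template) - {k.lower() for k in device}


def render_profile(template: bytes, device: Dict[str, str]) -> bytes:
    """Expand every token with the device's value. An unknown token raises KeyError
    instead of sending a profile with a literal '{{...}}' string to the device."""
    attrs = {k.lower(): v for k, v in device.items()}

    def _sub(match: "re.Match[str]") -> str:
        name = match.group(1).lower()
        if name not in attrs:
            raise KeyError(name)
        # Escape XML metacharacters so the rendered file is still a well-formed
        # plist even when an attribute value contains '&' or '<'.
        return escape(attrs[name])

    return TOKEN_RE.sub(_sub, template.decode("utf-8")).encode("utf-8")


def asset_label(rendered: bytes) -> str:
    """Parse a rendered profile as a plist and return the first payload's AssetLabel."""
    profile = plistlib.loads(rendered)
    return profile["PayloadContent"][0]["AssetLabel"]


if __name__ == "__main__":
    device = {"serialnumber": "C02XYZ123"}  # constructed serial number
    print("tokens used:", find_tokens(SAMPLE_MOBILECONFIG))
    print("missing when no attributes supplied:", missing_tokens(SAMPLE_MOBILECONFIG, {}))
    print("rendered label:", asset_label(render_profile(SAMPLE_MOBILECONFIG, device)))
```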
New configuration designer when creating an OEMConfig profile for Android Enterprise
In Intune, you can create a device configuration profile that uses an OEMConfig app (Device Configuration >
Profiles > Create profile > Android enterprise for platform > OEMConfig for profile type). When you do this, a
JSON editor opens with a template and values for you to change.
This update includes a Configuration Designer with an improved user experience that shows details embedded in
the app, including titles, descriptions, and more. The JSON editor is still available, and shows any changes you
make in the Configuration Designer.
To see the current settings, go to Use and manage Android Enterprise devices with OEMConfig.
Applies to: Android Enterprise
Updated UI for configuring Windows Hello
We've updated the console where you configure Intune to use Windows Hello for Business. All of the configuration
settings are now available on the same pane of the console where you enable support for Windows Hello.
Intune PowerShell SDK
The Intune PowerShell SDK, which provides support for the Intune API through Microsoft Graph, has been updated
to version 6.1907.1.0. The SDK now supports the following:
Works with Azure Automation.
Supports app-only auth read operations.
Supports friendly shortened names as aliases.
Conforms to PowerShell naming conventions. Specifically, the PSCredential parameter (on the
Connect-MSGraph cmdlet) has been renamed to Credential.
Supports manually specifying the value of the Content-Type header when using the Invoke-MSGraphRequest
cmdlet.
For more information, see PowerShell SDK for Microsoft Intune Graph API.
Manage FileVault for macOS
You can use Intune to manage FileVault key encryption for macOS devices. To encrypt devices, you use an
endpoint protection device configuration profile.
Our support for FileVault includes encrypting unencrypted devices, escrow of a device's personal recovery key,
automatic or manual rotation of personal encryption keys, and key retrieval for your corporate devices. End users
can also use the Company Portal website to get the personal recovery key for their encrypted devices.
We've also expanded the encryption report to include information about FileVault alongside information for
BitLocker, so you can view all your device encryption details in one place.
New Office, Windows, and OneDrive settings in Windows 10 administrative templates
You can create Administrative templates in Intune that mimic on-premises group policy management (Device
management > Profiles > Create profile > Windows 10 and later for platform > Administrative
template for profile type).
This update includes more Office, Windows, and OneDrive settings you can add to your templates. With these new
settings, you can now configure over 2500 settings that are 100% cloud-based.
To learn more about this feature, see Use Windows 10 templates to configure group policy settings in Intune.
Applies to: Windows 10 and later
Device enrollment
Updates for Enrollment Restrictions
Enrollment Restrictions for new tenants have been updated so that Android Enterprise work profiles are allowed
by default. Existing tenants will experience no change. To use Android Enterprise work profiles, you still need to
connect your Intune account to your Managed Google Play account.
UI updates for Apple enrollment and enrollment restrictions
Both of the following processes use a wizard-style user interface:
Apple device enrollment. For more information, see Automatically enroll iOS devices with Apple's Device
Enrollment Program.
Enrollment restriction creation. For more information, see Set enrollment restrictions.
Handling pre-configuration of corporate device identifiers for Android Q devices
In Android Q (v10), Google will remove the ability for MDM agents on legacy-managed (device administrator)
Android devices to collect device identifier information. Intune has a feature that enables IT admins to pre-
configure a list of device serial numbers or IMEIs in order to automatically tag these devices as corporate-owned.
This feature won't work for Android Q devices that are device admin-managed. Regardless of whether the serial
number or IMEI for the device is uploaded, it will always be considered to be personal during Intune enrollment.
You can manually switch ownership to corporate after enrollment. This affects new enrollments only, and existing
enrolled devices are not affected. Android devices managed with work profiles are not affected by this change and
will continue working as they do today. Additionally, Android Q devices enrolled as device administrator will no
longer be able to report serial number or IMEI in the Intune console as device properties.
Icons have changed for Android Enterprise enrollments (work profile, dedicated devices, and fully managed devices)
The icons for Android Enterprise enrollment profiles have changed. To see the new icons, go to Intune >
Enrollment > Android enrollment > look under Enrollment profiles.
Windows Diagnostic Data collection change
The default value for diagnostic data collection has changed for devices running Windows 10, version 1903 and
later. Starting with Windows 10 1903, diagnostic data collection is enabled by default. Windows diagnostic data is
vital technical data from Windows devices about the device and how Windows and related software are
performing. For more information, see Configure Windows diagnostic data in your organization. Autopilot devices
are also opted into "Full" telemetry unless otherwise set in the Autopilot profile with System/AllowTelemetry.
Windows Autopilot reset removes the device's primary user
When Autopilot reset is used on a device, the device's primary user will be removed. The next user who signs in
after the reset will be set as the primary user. This feature will be rolled out to all customers over the next few days.
Device management
Improve device location
You can zoom in to the exact coordinates of a device using the Locate device action. For more information about
locating lost iOS devices, see Find lost iOS devices.
Device security
Advanced settings for Windows Defender Firewall (public preview)
Use Intune to manage custom firewall rules as part of a device configuration profile for endpoint protection on
Windows 10. Rules can specify inbound and outbound behavior to applications, network addresses, and ports.
Updated UI for managing security baselines
We've updated the create and edit experience in the Intune console for our security baselines. Changes include:
A simpler wizard-style format that's been condensed to a single blade. This new design does
away with blade sprawl that requires IT Pros to drill down into several separate panes.
You can now create Assignments as part of the create and edit experience, instead of having to return later to
assign baselines. We've added a summarization of settings you can view prior to creating a new baseline and
when editing an existing one. When editing, the summary only shows the list of items set within the one category
of properties being edited.
June 2019
App management
Configure which browser is allowed to link to organization data
Intune App Protection Policies (APP) on Android and iOS devices now allow you to transfer Org web links to a
specific browser beyond the Intune Managed Browser or Microsoft Edge. For more about APP, see What are app
protection policies?.
All apps page identifies online/offline Microsoft Store for Business apps
The All apps page now includes labeling to identify Microsoft Store for Business (MSFB) apps as online or offline
apps. Each MSFB app now includes a suffix for Online or Offline. The app details page also includes License
Type and Supports device context installation (offline licensed apps only) information.
Company Portal app on Windows shared devices
Users can now access the Company Portal app on Windows shared devices. End users will see a Shared label on
the device tile. This applies to the Windows Company Portal app version 10.3.45609.0 and later.
View all installed apps from new Company Portal web page
The Company Portal website's new Installed Apps page lists all managed apps (both required and available) that
are installed on a user's devices. In addition to assignment type, users can see the app's publisher, date published,
and current installation status. If you haven't made any apps required or available to your users, they'll see a
message explaining that no company apps have been installed. To see the new page on the web, go to the
Company Portal website and click Installed Apps.
New view lets app users see all managed apps installed on device
The Company Portal app for Windows now lists all managed apps (both required and available) that are installed
on a user's device. Users can also see attempted and pending app installations, and their current statuses. If you
haven't made apps required or available to your users, they'll see a message explaining that no company apps
have been installed. To see the new view, go to the Company Portal navigation pane and select Apps > Installed
Apps.
New features in Microsoft Intune app
We've added new features to the Microsoft Intune app (preview) for Android. Users on fully managed Android
devices can now:
View and manage the devices they've enrolled through the Intune Company Portal or Microsoft Intune app.
Contact their organization for support.
Send their feedback to Microsoft.
View terms and conditions, if set by their organization.
New sample apps showing Intune SDK integration available on GitHub
The msintuneappsdk GitHub account has added new sample applications for iOS (Swift), Android, Xamarin.iOS,
Xamarin Forms, and Xamarin.Android. These apps are meant to supplement our existing documentation and
provide demonstrations of how to integrate the Intune APP SDK into your own mobile apps. If you are an app
developer who needs additional Intune SDK guidance, see the following linked samples:
Chatr - A native iOS (Swift) instant messaging app that uses the Azure Active Directory Authentication Library
(ADAL) for brokered authentication.
Taskr - A native Android todo list app that uses ADAL for brokered authentication.
Taskr - A Xamarin.Android todo list app that uses ADAL for brokered authentication; this repository also has the
Xamarin.Forms app.
Xamarin.iOS sample app - A barebones Xamarin.iOS sample app.
Device configuration
Configure settings for kernel extensions on macOS devices
On macOS devices, you can create a device configuration profile (Device configuration > Profiles > Create
profile > choose macOS for platform). This update includes a new group of settings that let you configure and
use kernel extensions on your devices. You can add specific extensions, or allow all extensions from a specific
partner or developer.
To learn more about this feature, see kernel extensions overview and kernel extension settings.
Applies to: macOS 10.13.2 and later
Apps from the store only setting for Windows 10 devices includes more configuration options
When you create a device restrictions profile for Windows devices, you can use the Apps from the store only
setting so users only install apps from the Windows App Store (Device configuration > Profiles > Create
profile > Windows 10 and later for platform > Device restrictions for profile type). In this update, this
setting is expanded to support more options.
To see the new setting, go to Windows 10 (and newer) device settings to allow or restrict features.
Applies to: Windows 10 and later
Deploy multiple Zebra mobility extensions device profiles to a device, same user group, or same devices group
In Intune, you can use Zebra mobility extensions (MX) in a device configuration profile to customize settings for
Zebra devices that aren't built into Intune. Currently, you can deploy one profile to a single device. In this update,
you can deploy multiple profiles to:
The same user group
The same devices group
A single device
Use and manage Zebra devices with Zebra Mobility Extensions in Microsoft Intune shows how to use MX in Intune.
Applies to: Android
Some kiosk settings on iOS devices are set using "Block", replacing "Allow"
When you create a device restrictions profile on iOS devices (Device configuration > Profiles > Create
profile > iOS for platform > Device restrictions for profile type > Kiosk), you set the Auto lock, Ringer
switch, Screen rotation, Screen sleep button, and Volume buttons.
In this update, the values are Block (blocks the feature) and Not configured (allows the feature). To see the
settings, go to iOS device settings to allow or restrict features.
Applies to: iOS
Use Face ID for password authentication on iOS devices
When you create a device restrictions profile for iOS devices, you can use a fingerprint for a password. In this
update, the fingerprint password settings also allow facial recognition (Device configuration > Profiles >
Create profile > iOS for platform > Device restrictions for profile type > Password ). As a result, the following
settings changed:
Fingerprint unlock is now Touch ID and Face ID unlock.
Fingerprint modification (supervised only) is now Touch ID and Face ID modification (supervised
only).
Face ID is available in iOS 11.0 and later. To see the settings, go to iOS device settings to allow or restrict features
using Intune.
Applies to: iOS
Restricting gaming and app store features on iOS devices is now dependent on ratings region
On iOS devices, you can allow or restrict features related to gaming, the app store, and viewing documents
(Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type
> App Store, Doc Viewing, Gaming). You can also choose the Ratings region, such as the United States.
In this update, the Apps feature is moved to be a child of Ratings region, and is dependent on Ratings region.
To see the settings, go to iOS device settings to allow or restrict features using Intune.
Applies to: iOS
Device enrollment
Windows Autopilot support for Hybrid Azure AD Join
Windows Autopilot for existing devices now supports Hybrid Azure AD Join (in addition to the existing Azure AD
Join support). Applies to Windows 10 version 1809 and above devices. For more information, see Windows
Autopilot for existing devices.
Device management
See the security patch level for Android devices
You can now see the security patch level for Android devices. To do so, choose Intune > Devices > All devices >
choose a device > Hardware. The patch level is listed in the Operating System section.
Assign scope tags to all managed devices in a security group
You can now assign scope tags to a security group, and all devices in that security group are then associated with
those scope tags. The scope tags set with this feature overwrite the scope tags set with the current device scope
tags flow. For more information, see Use RBAC and scope tags for distributed IT.
Device security
Use keyword search with Security Baselines
When you create or edit Security Baseline profiles, you can specify keywords in the new Search bar to filter the
available groups of settings to those that contain your search criteria.
The Security Baselines feature is now generally available
The Security Baselines feature is out of preview and is now generally available (GA). This means the feature is
ready for use in production. However, the individual baseline templates can remain in preview and are evaluated
and released to GA on their own schedules.
The MDM Security Baseline template is now generally available
The MDM Security Baseline template has moved out of preview and is now generally available (GA). The GA
template is identified as MDM Security Baseline for May 2019. This is a new template and not an upgrade
from the preview version. As a new template, you'll need to review the settings it contains, and then create new
profiles to deploy the template to your device. Other security baseline templates can remain in preview. For a list
of available baselines, see Available security baselines.
In addition to being a new template, the MDM Security Baseline for May 2019 template includes the two settings
that we recently announced in our In Development article:
Above Lock: Voice activate apps from a locked screen
DeviceGuard: Use virtualization-based security (VBS) at the next reboot of devices.
The MDM Security Baseline for May 2019 also includes the addition of several new settings, the removal of others,
and a revision of the default value of one setting. For a detailed list of the changes from Preview to GA, see
What's changed in the new template.
Security baseline versioning
Security baselines for Intune support versioning. With this support, as new versions of each security baseline are
released, you can update your existing security baseline profiles to use the newer baseline version without having
to recreate and deploy a new baseline from scratch. Additionally, in the Intune console you can view information
about each baseline, such as the number of individual profiles you have that use the baseline, how many of the
different baseline versions your profiles use, and when the latest version of a specific security baseline was
released. For more information, see Security Baselines.
The Use security keys for sign-in setting has moved
The device configuration setting for identity protection named Use security keys for sign-in is no longer found
as a sub-setting of Configure Windows Hello for Business. It's now a top-level setting that is always available, even
when you don't enable use of Windows Hello for Business. For more information, see Identity protection.
Role-based access control
New permissions for assigned group admins
Intune's built-in School Administrator role now has create, read, update, and delete (CRUD) permissions for
Managed Apps. This update means that if you're assigned as a group admin in Intune for Education, you can now
create, view, update, and delete the iOS MDM Push Certificate, iOS MDM server tokens, and iOS VPP tokens along
with all of the existing permissions you have. To take any of these actions, go to Tenant settings > iOS Device
Management.
Applications can use the Graph API to call read operations without user credentials
Applications can call Intune Graph API read operations with app identity without user credentials. For more
information about accessing the Microsoft Graph API for Intune, see Working with Intune in Microsoft Graph.
Apply scope tags to Microsoft Store for Business apps
You can now apply scope tags to Microsoft Store for Business apps. For more information about scope tags, see
Use role-based access control (RBAC) and scope tags for distributed IT.
May 2019
App management
Reporting for potentially harmful apps on Android devices
Intune now provides additional reporting information about potentially harmful apps on Android devices.
Windows Company Portal app
The Windows Company Portal app will now have a new page labeled Devices . The Devices page will show end
users all of their enrolled devices. Users will see this change in the Company Portal when they use version
10.3.4291.0 and later. For information about configuring the Company Portal, see How to configure the
Microsoft Intune Company Portal app.
Intune policies update authentication method and Company Portal app installation
On devices already enrolled via Setup Assistant through one of Apple's corporate device enrollment methods,
Intune will no longer support the Company Portal when it is manually installed by end users from the app store.
This change is only relevant when you authenticate with Apple Setup Assistant during enrollment. This change
also only affects iOS devices enrolled through:
Apple Configurator
Apple Business Manager
Apple School Manager
Apple Device Enrollment Program (DEP)
If users install the Company Portal app from the App store, and then try to enroll these devices through it, they will
receive an error. These devices will be expected to only use the Company Portal when it's been pushed,
automatically, by Intune during enrollment. Enrollment profiles in Intune in the Azure portal will be updated so
that you can specify how devices authenticate and if they receive the Company Portal app. If you want your DEP
device users to have the Company Portal, you will need to specify your preferences in an enrollment profile.
In addition, the Identify your device screen in the iOS Company Portal is being removed. Therefore, admins who
want to enable Conditional Access or deploy company apps must update the DEP enrollment profile. This
requirement only applies if the DEP enrollment is authenticated with Setup Assistant. In that case, you must push
the Company Portal onto the device. To do so, choose Intune > Device enrollment > Apple enrollment >
Enrollment program tokens > choose a token > Profiles > choose a profile > Properties > set Install
Company Portal to Yes.
To install the Company Portal on already-enrolled DEP devices, you will need to go to Intune > Client apps, and
push it as a managed app with app configuration policies.
Configure how end users update a line-of-business (LOB) app using an app protection policy
You can now configure where your end users can get an updated version of a line-of-business (LOB) app. End
users will see this feature in the min app version conditional launch dialog, which will prompt end users to
update to a minimum version of the LOB app. You must provide these update details as part of your LOB app
protection policy (APP). This feature is available on iOS and Android. On iOS, this feature requires the app to be
integrated (or wrapped using the wrapping tool) with the Intune SDK for iOS v. 10.0.7 or above. On Android, this
feature requires the latest Company Portal. To configure how an end user updates a LOB app, the app needs
a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent
defines which store the end user downloads the app from. If the app is deployed via the Company Portal, the
value must be CompanyPortal. For any other store, you must enter a complete URL.
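The following is an added example, not code from the Intune documentation or from Microsoft: a small Python helper that validates the value for the com.microsoft.intune.myappstore key (exactly CompanyPortal, or a complete URL) before it is placed in a managed app configuration payload. The payload shape (a targetedManagedAppConfiguration with a customSettings list of name/value pairs) and the choice to accept only https URLs are this example's assumptions; check the field names against the Graph reference for your API version.

```python
from typing import Any, Dict, Optional
from urllib.parse import urlparse

# Key and special value named in the release note.
MYAPPSTORE_KEY = "com.microsoft.intune.myappstore"
COMPANY_PORTAL_VALUE = "CompanyPortal"


def validate_myappstore_value(value: str) -> str:
    """Return the value if it is acceptable for the myappstore key, else raise ValueError.

    Acceptable values are exactly "CompanyPortal" (app delivered through the
    Company Portal) or a complete URL. Insisting on https for the URL case is
    this example's choice, not a rule stated in the release note.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValueError("myappstore value must be a non-empty string")
    value = value.strip()
    if value == COMPANY_PORTAL_VALUE:
        return value
    if value.lower() == COMPANY_PORTAL_VALUE.lower():
        # Do not silently accept a differently cased spelling the client may not recognise.
        raise ValueError("use the exact spelling 'CompanyPortal'")
    parts = urlparse(value)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not a complete https URL: {value!r}")
    return value


def is_valid_myappstore_value(value: str) -> bool:
    """Boolean form of validate_myappstore_value for callers that only need yes/no."""
    try:
        validate_myappstore_value(value)
    except ValueError:
        return False
    return True


def app_config_payload(display_name: str, store_value: str) -> Dict[str, Any]:
    """Build a managed app configuration body carrying the myappstore key.

    Assumed shape: targetedManagedAppConfiguration with customSettings as a list
    of {"name": ..., "value": ...} pairs, as used by Intune app configuration
    policies in Microsoft Graph.
    """
    return {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": display_name,
        "customSettings": [
            {"name": MYAPPSTORE_KEY, "value": validate_myappstore_value(store_value)}
        ],
    }


def find_myappstore(payload: Dict[str, Any]) -> Optional[str]:
    """Read the myappstore value back out of a payload (None when absent)."""
    for setting in payload.get("customSettings", []):
        if setting.get("name") == MYAPPSTORE_KEY:
            return setting.get("value")
    return None
```

The validation matters because the client treats any value other than CompanyPortal as a download location: a misspelled sentinel or a bare hostname would send users to a broken or unintended update source.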
Intune management extension PowerShell scripts
You can configure PowerShell scripts to run with the user's admin privileges on the device. For more information,
see Use PowerShell scripts on Windows 10 devices in Intune and Win32 app management.
Android Enterprise app management
To make it easier for IT admins to configure and use Android Enterprise management, Intune will automatically
add four common Android Enterprise related apps to the Intune admin console. The four Android Enterprise apps
are the following apps:
Microsoft Intune - Used for Android Enterprise fully managed scenarios.
Microsoft Authenticator - Helps you sign in to your accounts if you use two-factor verification.
Intune Company Portal - Used for App Protection Policies (APP) and Android Enterprise work profile
scenarios.
Managed Home Screen - Used for Android Enterprise dedicated/kiosk scenarios.
Previously, IT admins would need to manually find and approve these apps in the Managed Google Play store as
part of setup. This change removes those previously manual steps to make it easier and faster for customers to
use Android Enterprise management.
Admins will see these four apps automatically added to their Intune apps list at the time that they first connect
their Intune tenant to managed Google Play. For more information, see Connect your Intune account to your
Managed Google Play account. For tenants that have already connected their tenant or who already use Android
Enterprise, there is nothing admins need to do. Those four apps will automatically show up within 7 days of the
completion of the May 2019 service rollout.
Device configuration
Updated PFX Certificate Connector for Microsoft Intune
We've released an update for the PFX Certificate Connector for Microsoft Intune that addresses an issue where
existing PFX certificates continue to be reprocessed, which causes the connector to stop processing new requests.
Intune security tasks for Defender ATP (In public preview)
In public preview, you can use Intune to manage security tasks for Microsoft Defender Advanced Threat Protection
(ATP). This integration with ATP adds a risk-based approach to discover, prioritize, and remediate endpoint
vulnerabilities and misconfigurations, while reducing the time from discovery to mitigation.
Check for a TPM chipset in a Windows 10 device compliance policy
Many Windows 10 and later devices have Trusted Platform Module (TPM) chipsets. This update includes a new
compliance setting that checks the TPM chip version on the device.
Windows 10 and later compliance policy settings describes this setting.
Applies to: Windows 10 and later
Prevent end users from modifying their Personal HotSpot and disable Siri server logging on iOS devices
You can create a device restrictions profile on iOS devices (Device configuration > Profiles > Create profile > iOS
for platform > Device restrictions for profile type). This update includes new settings you can configure:
Built-in Apps: Server-side logging for Siri commands
Wireless: User modification of Personal Hotspot (supervised only)
To see these settings, go to built-in app settings for iOS and wireless settings for iOS.
Applies to: iOS 12.2 and newer
New classroom app device restriction settings for macOS devices
You can create device configuration profiles for macOS devices (Device configuration > Profiles > Create
profile > macOS for platform > Device restrictions for profile type). This update includes new classroom app
settings, the option to block screenshots, and the option to disable the iCloud Photo Library.
To see the current settings, go to macOS device settings to allow or restrict features using Intune.
Applies to: macOS
The iOS Password to access app store setting is renamed
The Password to access app store setting is renamed to Require iTunes Store password for all purchases
(Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type
> App store, Doc viewing, and Gaming).
To see the available settings, go to App Store, Doc Viewing, Gaming iOS settings.
Applies to: iOS
Microsoft Defender Advanced Threat Protection baseline (Preview)
We've added a security baseline Preview for Microsoft Defender Advanced Threat Protection settings. This baseline
is available when your environment meets the prerequisites for using Microsoft Defender Advanced Threat
Protection.
Outlook signature and biometric settings for iOS and Android devices
You can now specify if the default signature is enabled in Outlook on iOS and Android devices. Additionally, you
can choose to allow users to change the biometric setting in Outlook on iOS.
Network Access Control (NAC) support for F5 Access for iOS devices
F5 released an update to BIG-IP 13 that allows NAC functionality for F5 Access on iOS in Intune. To use this feature:
Update BIG-IP to the 13.1.1.5 refresh. BIG-IP 14 isn't supported.
Integrate BIG-IP with Intune for NAC. For the steps, see Overview: Configuring APM for device posture checks with
endpoint management systems.
Check the Enable Network Access Control (NAC) setting in the VPN profile in Intune.
To see the available setting, go to Configure VPN settings on iOS devices.
Applies to: iOS
Updated PFX Certificate Connector for Microsoft Intune
We've released an update for the PFX Certificate Connector for Microsoft Intune that drops the polling interval
from 5 minutes to 30 seconds.
Device enrollment
Autopilot device OrderID attribute name changed to Group Tag
To make it more intuitive, the OrderID attribute name on Autopilot devices has been changed to Group Tag.
When using CSVs to upload Autopilot device information, you must use Group Tag as the column header, not
OrderID.
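The following is an added example, not Intune documentation or Microsoft code: a Python helper that rewrites a device CSV still using the OrderID header so it carries the Group Tag header, and rejects files that would not import cleanly (both headers present, a required column missing, or a row without a serial number or hardware hash). The required column names other than Group Tag, and the sample serials, product IDs and hashes, are assumptions constructed for this example.

```python
import csv
import io
from typing import Dict, Optional

# Columns produced by the Get-WindowsAutoPilotInfo script; whether your import
# requires exactly these, or accepts extra ones, is an assumption for this example.
REQUIRED_COLUMNS = ("Device Serial Number", "Windows Product ID", "Hardware Hash")
LEGACY_GROUP_COLUMN = "OrderID"   # header name before this change
GROUP_COLUMN = "Group Tag"        # header name Intune expects now

# Constructed sample: serials, product IDs and hashes are placeholders, not real devices.
SAMPLE_LEGACY_CSV = """Device Serial Number,Windows Product ID,Hardware Hash,OrderID
SN-CONSTRUCTED-0001,00000-00000-00000-AAAAA,UExBQ0VIT0xERVJIQVNIMQ==,Finance
SN-CONSTRUCTED-0002,00000-00000-00000-AAAAB,UExBQ0VIT0xERVJIQVNIMg==,
"""


def normalize_autopilot_csv(text: str) -> str:
    """Rewrite an Autopilot device CSV so the group column is headed 'Group Tag'.

    Raises ValueError when the header is ambiguous (both OrderID and Group Tag),
    when a required column is absent, or when a data row lacks a serial number
    or hardware hash, since such rows would fail or mis-register on import.
    """
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames:
        raise ValueError("CSV has no header row")
    original = list(reader.fieldnames)
    headers = [h.strip() for h in original]
    if LEGACY_GROUP_COLUMN in headers and GROUP_COLUMN in headers:
        raise ValueError("CSV has both 'OrderID' and 'Group Tag' columns; keep only one")
    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        raise ValueError(f"CSV is missing required columns: {missing}")
    new_headers = [GROUP_COLUMN if h == LEGACY_GROUP_COLUMN else h for h in headers]

    serial_idx = headers.index("Device Serial Number")
    hash_idx = headers.index("Hardware Hash")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(new_headers)
    for lineno, row in enumerate(reader, start=2):
        values = [(row.get(h) or "").strip() for h in original]
        if not values[serial_idx] or not values[hash_idx]:
            raise ValueError(f"line {lineno}: serial number and hardware hash are required")
        writer.writerow(values)
    return out.getvalue()


def autopilot_csv_problem(text: str) -> Optional[str]:
    """Return the error message for a CSV that will not convert, or None when it is fine."""
    try:
        normalize_autopilot_csv(text)
    except ValueError as exc:
        return str(exc)
    return None


def group_tags(text: str) -> Dict[str, str]:
    """Map each serial number to its Group Tag (empty string when untagged)."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Device Serial Number"]: (row.get(GROUP_COLUMN) or "") for row in reader}
```

Running the converter over an already-converted file leaves it unchanged, so it is safe to apply to every CSV before upload rather than only to files known to be old.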
Windows Enrollment Status Page (ESP) is now generally available
The Enrollment Status Page is now out of preview. For more information, see Set up an enrollment status page.
Intune user interface update - Autopilot enrollment profile creation
The user interface for creating an Autopilot enrollment profile has been updated to align with Azure user interface
styles. For more information, see Create an Autopilot enrollment profile. Moving forward, additional Intune
scenarios will be updated to this new UI style.
Enable Autopilot Reset for all Windows devices
Autopilot Reset now works for all Windows devices, even those not configured to use the Enrollment Status Page.
If an enrollment status page wasn't configured for the device during initial device enrollment, the device will go
straight to the desktop after sign-in. It might take up to eight hours to sync and appear compliant in Intune. For
more information, see Reset devices with remote Windows Autopilot Reset.
Exact IMEI format not required when searching All devices
You won't need to include spaces in IMEI numbers when you search All devices.
Deleting a device in the Apple portal will be reflected in the Intune portal
If a device is deleted from Apple's Device Enrollment Program or Apple Business Manager portals, the device will
automatically be deleted from Intune during the next sync.
The Enrollment Status Page now tracks Win32 apps
This only applies to devices running Windows 10 version 1903 and above. For more information, see Set up an
enrollment status page.
Device management
Reset and wipe devices in bulk by using the Graph API
You can now reset and wipe up to 100 devices in bulk using the Graph API.
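The following is an added example, not Intune documentation or Microsoft code, covering both this item and the earlier note that applications can call the Intune Graph API with an app identity and no user credentials. It builds the client-credentials token request an app uses for that identity, then splits a device list into bulk-action requests that respect the 100-device limit, de-duplicates device ids, and stops issuing further batches after the first failing response. The bulk-action endpoint (POST deviceManagement/managedDevices/executeAction in Graph beta with an action name and a deviceIds list), the action names, and the RecordingTransport stand-in for an HTTP client are this example's assumptions; confirm the endpoint and the application permission it requires against the Graph reference before use.

```python
from typing import Any, Callable, Dict, Iterable, List, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"
BULK_ACTION_LIMIT = 100  # devices per bulk reset/wipe call, per the release note

# Assumed action names for the executeAction body (Graph beta); verify before use.
ACTIONS = {"wipe": "factoryReset", "retire": "removeCompanyData"}


def client_credentials_token_request(tenant_id: str, client_id: str,
                                     client_secret: str) -> Tuple[str, Dict[str, str]]:
    """Token request for an app that calls Graph with its own identity (no user).

    Returns the v2.0 token endpoint URL and the form body to POST to it. The app
    registration needs an application permission covering the call it makes;
    grant only the read permission for reporting jobs, and the privileged
    device-operations permission only to the job that actually wipes devices.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def batches(items: Iterable[str], size: int) -> List[List[str]]:
    """Split items into consecutive lists of at most `size` elements."""
    if size <= 0:
        raise ValueError("batch size must be positive")
    seq = list(items)
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def bulk_action_requests(device_ids: Iterable[str], action: str = "wipe") -> List[Dict[str, Any]]:
    """Describe the POSTs needed to act on every device id, 100 at a time.

    Blank ids are dropped and duplicates removed so no device is actioned twice
    in one run. Each request is a plain dict so it can be inspected or logged
    before anything is sent.
    """
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}; expected one of {sorted(ACTIONS)}")
    unique = list(dict.fromkeys(d.strip() for d in device_ids if d and d.strip()))
    return [
        {
            "method": "POST",
            "url": f"{GRAPH_BETA}/deviceManagement/managedDevices/executeAction",
            "body": {"action": ACTIONS[action], "deviceIds": batch},
        }
        for batch in batches(unique, BULK_ACTION_LIMIT)
    ]


def run_bulk_action(device_ids: Iterable[str], send: Callable[[Dict[str, Any]], int],
                    action: str = "wipe") -> List[int]:
    """Send each batch through `send` (an HTTP client returning a status code).

    Stops after the first non-success status: a 401/403 means the token or
    permission is wrong for every remaining batch, and a 429 should be retried
    after the server's back-off rather than hammered with the next batch.
    """
    statuses: List[int] = []
    for request in bulk_action_requests(device_ids, action):
        status = send(request)
        statuses.append(status)
        if status >= 400:
            break
    return statuses


class RecordingTransport:
    """Constructed stand-in for an HTTP client so the example runs offline."""

    def __init__(self, status: int = 200) -> None:
        self.requests: List[Dict[str, Any]] = []
        self.status = status

    def __call__(self, request: Dict[str, Any]) -> int:
        self.requests.append(request)
        return self.status
```

In production, `send` would be a function that adds the bearer token obtained from the token request and performs the POST; keeping the transport injectable is what lets the batching and stop-on-failure logic be tested without a tenant.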
Monitor and troubleshoot
The Encryption report is out of Public Preview
The report for BitLocker and device encryption is now generally available, and no longer part of the public
preview.
April 2019
App management
User experience update for the Company Portal app for iOS
The home page of the Company Portal app for iOS devices has been redesigned. With this change, the home page
will better follow iOS UI patterns, and also provide improved discoverability for apps and ebooks.
Changes to Company Portal enrollment for iOS 12 device users
The Company Portal for iOS enrollment screens and steps have been updated to align with the MDM enrollment
changes released in Apple iOS 12.2. The updated workflow prompts users to:
Allow Safari to open the Company Portal website and download the management profile before returning to
the Company Portal app.
Open the Settings app to install the management profile on their device.
Return to the Company Portal app to complete enrollment.
For updated enrollment steps and screens, see Enroll iOS device in Intune.
OpenSSL encryption for Android app protection policies
Intune app protection policies (APP) on Android devices now use an OpenSSL encryption library that is FIPS 140-2
compliant. For more information, see the encryption section of Android app protection policy settings in
Microsoft Intune.
Enable Win32 app dependencies
As the admin, you can require that other apps are installed as dependencies before installing your Win32 app.
Specifically, the device must install the dependent app(s) before it installs the Win32 app. In Intune, select Client
apps > Apps > Add to display the Add app blade. Select Windows app (Win32) as the App type. After you
have added the app, you can select Dependencies to add the dependent apps that must be installed before the
Win32 app can be installed. For more information, see Intune Standalone - Win32 app management.
App version installation information for Microsoft Store for Business apps
App installation reports include app version information for Microsoft Store for Business apps. In Intune, select
Client apps > Apps. Select a Microsoft Store for Business app and then select Device install status under
the Monitor section.
Additions to Win32 apps requirement rules
You can create requirement rules based on PowerShell scripts, registry values, and file system information. In
Intune, select Client apps > Apps > Add . Then select Windows app (Win32) as the App type in the Add app
blade. Select Requirements > Add to configure additional requirement rules. Then, select either File type,
Registry, or Script as the Requirement type. For more information, see Win32 app management.
Configure your Win32 apps to be installed on Intune enrolled Azure AD joined devices
You can assign your Win32 apps to be installed on Intune enrolled Azure AD joined devices. For more information
about Win32 apps in Intune, see Win32 app management.
Device overview shows Primary User
The Device overview page will show the Primary User, also called the User Device Affinity User (UDA). To see the
Primary User for a device, choose Intune > Devices > All devices > choose a device. The Primary User will
appear near the top of the Overview page.
Additional Managed Google Play app reporting for Android Enterprise work profile devices
For Managed Google Play apps deployed to Android Enterprise work profile devices, you can view the specific
version number of the app installed on a device. This applies to required apps only.
iOS Third Party Keyboards
The Intune app protection policy (APP) support for the Third Party Keyboards setting for iOS is no longer
supported due to an iOS platform change. You will not be able to configure this setting in the Intune Admin
Console and it will not be enforced on the client in the Intune App SDK.
Device configuration
Updated certificate connectors
We've released updates for both the Intune Certificate Connector and the PFX Certificate Connector for Microsoft
Intune. The new releases fix several known issues.
Set login settings and control restart options on macOS devices
On macOS devices, you can create a device configuration profile (Device configuration > Profiles > Create
profile > choose macOS for platform > Device features for profile type). This update includes new login
window settings, such as showing a custom banner, choosing how users sign in, showing or hiding the power
settings, and more.
To see these settings, go to macOS device feature settings.
Configure WiFi on Android Enterprise, Device Owner dedicated devices running in multi-app kiosk mode
You can enable settings on Android Enterprise, Device Owner when running as a dedicated device in multi-app
kiosk mode. In this update, you can enable users to configure and connect to WiFi networks (Intune > Device
configuration > Profiles > Create profile > Android Enterprise for platform > Device owner only,
Device restrictions for profile type > Dedicated devices > Kiosk mode: Multi-app > WiFi configuration).
To see all the settings you can configure, go to Android Enterprise device settings to allow or restrict features.
Applies to: Android Enterprise dedicated devices running in multi-app kiosk mode
Configure Bluetooth and pairing on Android Enterprise, Device Owner dedicated devices running in multi-app kiosk mode
You can enable settings on Android Enterprise, Device Owner when running as a dedicated device in multi-app
kiosk mode. In this update, you can allow end users to enable Bluetooth, and pair devices over Bluetooth (Intune
> Device configuration > Profiles > Create profile > Android Enterprise for platform > Device owner
only, Device restrictions for profile type > Dedicated devices > Kiosk mode: Multi-app > Bluetooth
configuration).
To see all the settings you can configure, go to Android Enterprise device settings to allow or restrict features.
Applies to: Android Enterprise dedicated devices running in multi-app kiosk mode
Create and use OEMConfig device configuration profiles in Intune
In this update, Intune supports configuring Android Enterprise devices with OEMConfig. Specifically, you can
create a device configuration profile, and apply settings to Android Enterprise devices using OEMConfig (Device
configuration > Profiles > Create profile > Android enterprise for platform).
Support for OEMs is currently on a per-OEM basis. If an OEMConfig app you want isn't available in the list of
OEMConfig apps, contact [email protected] .
To learn more about this feature, go to Use and manage Android Enterprise devices with OEMConfig in Microsoft
Intune.
Applies to: Android enterprise
Windows Update notifications
We've added two User experience settings to the Windows Update ring configurations that you can manage from
within the Intune console. You can now:
Block or allow users to scan for Windows updates.
Manage the Windows Update notification level that users see.
New device restriction settings for Android Enterprise, Device Owner
On Android Enterprise devices, you can create a device restriction profile to allow or restrict features, set password
rules, and more (Device configuration > Profiles > Create profile > choose Android Enterprise for
platform > Device owner only > Device restrictions for profile type).
This update includes new password settings, allows full access to apps in Google Play Store for fully managed
devices, and more. To see the current list of settings, go to Android Enterprise device settings to allow or restrict
features.
Applies to: Android Enterprise fully managed devices
Check for a TPM chipset in a Windows 10 device compliance policy
This feature is delayed and is planned to be released later.
Updated UI changes for Microsoft Edge Browser on Windows 10 and later devices
When you create a device configuration profile, you can allow or restrict Microsoft Edge features on Windows 10
and later devices (Device configuration > Profiles > Create profile > Windows 10 and later for platform,
> Device restrictions for profile type > Microsoft Edge Browser ). In this update, the Microsoft Edge settings
are more descriptive, and easier to understand.
To see these features, go to Microsoft Edge Browser device restriction settings.
Applies to: Windows 10 and later
Expanded support for Android Enterprise fully managed devices (Preview)
Still in a public preview, we've expanded our support of Android Enterprise fully managed devices first announced
in January of 2019 to include the following:
On fully managed and dedicated devices, you can create compliance policies to include password rules and
operating system requirements (Device compliance > Policies > Create policy > Android Enterprise
for platform > Device owner for profile type).
On dedicated devices, the device may show as Not compliant. Conditional Access isn't available on
dedicated devices. Be sure to complete any tasks or actions to get dedicated devices compliant with your
assigned policies.
Conditional Access - Conditional Access policies that apply to Android also apply to Android Enterprise fully
managed devices. Users can now register their fully managed device in Azure Active Directory using the
Microsoft Intune app. Then, see and resolve any compliance issues to access organizational resources.
New end-user app (Microsoft Intune app) - There is a new end-user app for Android fully managed devices
called Microsoft Intune. This new app is light-weight and modern, and provides similar functionality as the
Company Portal app, but for fully managed devices. For more information, see Microsoft Intune app on
Google Play.
To set up Android fully managed devices, go to Device enrollment > Android enrollment > Corporate-owned,
fully managed user devices. Support for fully managed Android devices remains in preview, and
some Intune features might not be fully functional.
To learn more about this preview, see our blog, Microsoft Intune - Preview 2 for Android Enterprise Fully Managed
devices.
Use Compliance Manager to create assessments for Microsoft Intune
Compliance Manager (opens another Microsoft site) is a workflow-based risk assessment tool in the Microsoft
Service Trust Portal. It enables you to track, assign, and verify your organization's regulatory compliance activities
related to Microsoft services. You can create your own compliance assessment with Microsoft 365, Azure,
Dynamics, Professional Services, and Intune. Intune has two assessments available - FFIEC and GDPR.
Compliance Manager helps you focus your efforts by breaking down controls - controls managed by Microsoft,
and controls managed by your organization. You can complete the assessments, and then export and print the
assessments.
Federal Financial Institutions Examination Council (FFIEC) (opens another Microsoft site) compliance is a set of
standards for online banking issued by FFIEC. It's the most requested assessment for financial institutions that use
Intune. It interprets how Intune helps meet FFIEC cybersecurity guidelines related to public cloud workloads.
Intune's FFIEC assessment is the second FFIEC assessment in Compliance Manager.
In the following example, you can see the breakdown for FFIEC controls. Microsoft covers 64 controls. You're
responsible for the remaining 12 controls.
General Data Protection Regulation (GDPR) (opens another Microsoft site) is a European Union (EU) law that helps
protect the rights of individuals and their data. GDPR is the most requested assessment to help comply with
privacy regulations.
In the following example, you see the breakdown for GDPR controls. Microsoft covers 49 controls. You're
responsible for the remaining 66 controls.
Device enrollment
Configure profile to skip some screens during Setup Assistant
When you create a macOS enrollment profile, you can configure it to skip any of the following screens when a
user goes through the Setup Assistant:
Appearance
Display Tone
iCloud Storage
If you create a new profile or edit a profile, the selected skip screens need to sync with the Apple MDM server.
Users can issue a manual sync of the devices so that there is no delay in picking up the profile changes. For
more information, see Automatically enroll macOS devices with the Device Enrollment Program or Apple School
Manager.
Bulk device naming when enrolling corporate iOS devices
When using one of Apple's corporate enrollment methods (DEP/ABM/ASM), you can set a device name format to
automatically name incoming iOS devices. You can specify a format that includes the device type and serial
number in your template. To do so, choose Intune > Device enrollment > Apple enrollment > Enrollment
program tokens > Select a token > Create profile > Device naming format. You can edit existing profiles,
but only newly synced devices will have the name applied.
Updated default timeout message on Enrollment Status Page
We've updated the default timeout message users see when the Enrollment Status Page (ESP) exceeds the timeout
value specified in the ESP profile. The new default message is what users see and helps them understand the next
actions to take with their ESP deployment.
Device management
Retire noncompliant devices
This feature has been delayed and is planned for a future release.
Monitor and troubleshoot
Intune Data Warehouse V1.0 changes reflecting back to beta
When V1.0 was first introduced in 1808, it differed in some significant ways from the beta API. In 1903 those
changes will be reflected back into the beta API version. If you have important reports that use the beta API
version, we strongly recommend switching those reports to V1.0 to avoid breaking changes. For more
information, see Change log for the Intune Data Warehouse API.
Monitor Security Baseline status (public preview)
We've added a per-category view to the monitoring of security baselines. (Security baselines remain in preview).
The per-category view displays each category from the baseline along with the percentage of devices that fall into
each status group for that category. You can now see how many devices don't match the individual categories, are
misconfigured, or are not applicable.
Role-based access control
Scope tags for Apple VPP tokens
You can now add scope tags to Apple VPP tokens. Only users assigned with the same scope tag will have access to
the Apple VPP token with that tag. VPP apps and ebooks purchased with that token inherit its scope tags. For more
information about scope tags, see Use RBAC and scope tags.
March 2019
App management
Deploy Microsoft Visio and Microsoft Project
You can now deploy Microsoft Visio Pro for Microsoft 365 and Microsoft Project Online Desktop Client as
independent apps to Windows 10 devices using Microsoft Intune, if you own licenses for these apps. From Intune,
select Client apps > Apps > Add to display the Add app blade. On the Add app blade, select Windows 10 as
the App type. Then, select Configure App Suite to select apps to install. For more information about Microsoft
365 apps for Windows 10 devices, see Assign Microsoft 365 apps to Windows 10 devices with Microsoft Intune.
Microsoft Visio Pro for Office 365 product name change
Microsoft Visio Pro for Office 365 will now be known as Microsoft Visio Online Plan 2. For more
information about Microsoft Visio, see Visio Online Plan 2. For more information about Office 365 apps for
Windows 10 devices, see Assign Office 365 apps to Windows 10 devices with Microsoft Intune.
Intune app protection policy (APP) character limit setting
Intune admins can specify an exception to the Intune APP Restrict cut, copy, and paste with other apps policy
setting. As the admin, you can specify the number of characters that may be cut or copied from a managed app.
This setting will allow sharing of the specified number of characters to any app, regardless of the "Restrict cut,
copy, and paste with other apps" setting. Note that the Intune Company Portal app version for Android requires
version 5.0.4364.0 or later. For more information, see iOS data protection, Android data protection, and Review
client app protection logs.
Office Deployment Tool (ODT) XML for Microsoft 365 Apps for enterprise deployment
You will be able to provide Office Deployment Tool (ODT) XML when creating an instance of Microsoft 365 Apps
for enterprise deployment in the Intune admin console. This will allow greater customizability if the existing Intune
UI options do not meet your needs. For more information, see Assign Microsoft 365 apps to Windows 10 devices
with Microsoft Intune and Configuration options for the Office Deployment Tool.
App icons will now be displayed with an automatically generated background
In the Windows Company Portal app, app icons will now be displayed with an automatically generated
background based on the dominant color of the icon (if it can be detected). When applicable, this background will
replace the gray border that was previously visible on app tiles. Users will see this change in versions of Company
Portal later than 10.3.3451.0.
Install available apps using the Company Portal app after Windows bulk enrollment
Windows devices that enrolled into Intune using Windows bulk enrollment (provisioning packages) will be able to
use the Company Portal app to install available apps. For more information about the Company Portal app, see
Manually add the Windows 10 Company Portal and How to configure the Microsoft Intune Company Portal app.
The Microsoft Teams app can be selected as part of the Office app suite
The Microsoft Teams app can be included or excluded as part of the Microsoft 365 Apps for enterprise deployment
app suite installation. This feature works for Microsoft 365 Apps for enterprise deployment build number
16.0.11328.20116+. The user must sign out and then sign in to the device for the installation to complete. In
Intune, select Client apps > Apps > Add. Select one of the Office 365 Suite app types and then select
Configure App Suite.
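The two Office items above (providing your own ODT XML, and including or excluding Teams from the suite) come together in one configuration file. The following is an added example, not code from the Intune documentation or from the Office Deployment Tool itself: it builds the ODT configuration XML with the standard ODT product, channel, language and app IDs, leaves Teams out via the ODT `ExcludeApp` element, and checks the result before you paste it into the app wizard. The output file path is an assumption.

```powershell
# Added example; not the Intune documentation's or the Office Deployment Tool's own
# code. Builds the ODT configuration XML that the Intune "Microsoft 365 Apps for
# enterprise" app type accepts, with Teams included or excluded, and checks it before
# use. Product, channel, language and app IDs are standard ODT values; the output
# path is an assumption.

function New-OdtConfiguration {
    [CmdletBinding()]
    param(
        [ValidateSet('Current', 'MonthlyEnterprise', 'SemiAnnual')]
        [string]$Channel = 'Current',

        [ValidateSet('32', '64')]
        [string]$Edition = '64',

        [string[]]$Languages = @('en-us'),

        # Apps listed here become <ExcludeApp ID="..."/> elements; "Teams" is the
        # ODT ID that leaves Microsoft Teams out of the suite installation.
        [string[]]$ExcludeApps = @()
    )

    $doc    = New-Object System.Xml.XmlDocument
    $config = $doc.AppendChild($doc.CreateElement('Configuration'))

    $add = $config.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)

    $product = $add.AppendChild($doc.CreateElement('Product'))
    $product.SetAttribute('ID', 'O365ProPlusRetail')

    foreach ($lang in $Languages) {
        $l = $product.AppendChild($doc.CreateElement('Language'))
        $l.SetAttribute('ID', $lang)
    }
    foreach ($app in $ExcludeApps) {
        $x = $product.AppendChild($doc.CreateElement('ExcludeApp'))
        $x.SetAttribute('ID', $app)
    }

    # Silent install: no UI and the EULA pre-accepted, so an unattended deployment
    # cannot stall on a prompt that nobody is present to answer.
    $display = $config.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')

    $updates = $config.AppendChild($doc.CreateElement('Updates'))
    $updates.SetAttribute('Enabled', 'TRUE')

    # XmlDocument is enumerable; -NoEnumerate keeps it from being unrolled into its child nodes
    Write-Output -NoEnumerate $doc
}

function Test-OdtConfiguration {
    param([System.Xml.XmlDocument]$Doc)
    # Returns the problems found; no output means the XML is ready to paste.
    $problems = @()
    if (-not $Doc.Configuration.Add)                      { $problems += 'Missing <Add> element' }
    if (-not $Doc.Configuration.Add.Product)              { $problems += 'Missing <Product> element' }
    if ($Doc.Configuration.Display.Level -ne 'None')      { $problems += 'Display Level should be None for unattended installs' }
    if ($Doc.Configuration.Display.AcceptEULA -ne 'TRUE') { $problems += 'AcceptEULA should be TRUE for unattended installs' }
    return $problems
}

# Constructed example: 64-bit, Current channel, English, with Teams left out.
$xml    = New-OdtConfiguration -Channel 'Current' -Edition '64' -Languages 'en-us' -ExcludeApps 'Teams'
$issues = Test-OdtConfiguration -Doc $xml
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }

$xml.Save((Join-Path $PWD 'office-config.xml'))   # assumed output path
$xml.OuterXml
```

Run `New-OdtConfiguration` without `-ExcludeApps` to keep Teams in the suite. Building the document through the XML API rather than string concatenation means a language or app ID containing a stray quote cannot break the markup, and `Test-OdtConfiguration` catches the usual cause of a deployment that sits at "installing" forever: a visible installer prompt on a device where nobody can click it.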
Device configuration
Automatically start an app when running multiple apps in kiosk mode on Windows 10 and later devices
On Windows 10 and later devices, you can run a device in kiosk mode, and run many apps. In this update, there's
an AutoLaunch setting (Device configuration > Profiles > Create profile > Windows 10 and later for
platform > Kiosk for profile type > Multi-app kiosk). Use this setting to automatically start an app when the
user signs in to the device.
To see a list and description of all the kiosk settings, see Windows 10 and later device settings to run as a kiosk in
Intune.
Applies to: Windows 10 and later
Operational logs also show details on non-compliant devices
When routing Intune logs to Azure monitor features, you can also route the operational logs. In this update, the
operational logs also provide information on non-compliant devices.
For more information on this feature, see Send log data to storage, event hubs, or log analytics in Intune.
Route logs to Azure Monitor in more Intune workloads
In Intune, you can route audit and operational logs to events hubs, storage, and log analytics in Azure Monitor
(Intune > Monitoring > Diagnostics settings). In this update, you can route these logs in more Intune
workloads, including compliance, configurations, client apps, and more.
To learn more about routing logs to Azure Monitor, see send log data to storage, event hubs, or log analytics.
Create and use mobility extensions on Android Zebra devices in Intune
In this update, Intune supports configuring Android Zebra devices. Specifically, you can create a device
configuration profile, and apply settings to Android Zebra devices using Mobility Extensions (MX) profiles
generated by StageNow (Device configuration > Profiles > Create profile > Android for platform > MX
profile (Zebra only) for profile type).
For more information on this feature, see Use and manage Zebra devices with mobility extensions in Intune.
Applies to: Android
Device management
Encryption report for Windows 10 Devices (in public preview)
Use the new Encryption report (Preview) to view details about the encryption status of your Windows 10 devices.
Available details include a device's TPM version, encryption readiness and status, error reporting, and more.
Access BitLocker recovery keys from the Intune portal (in public preview)
You can now use Intune to view details about BitLocker Key ID and BitLocker recovery keys, from Azure Active
Directory.
Microsoft Edge support for Intune scenarios on iOS and Android devices
Microsoft Edge will support all of the same management scenarios as the Intune Managed Browser with the
addition of improvements to end-user experience. Microsoft Edge enterprise features that are enabled by Intune
policies include dual-Identity, app protection policy integration, Azure application proxy integration, and managed
favorites and home page shortcuts. For more information, see Microsoft Edge support.
Exchange Online/Intune Connector deprecate support for EAS only devices
The Intune console no longer supports viewing and managing EAS-only devices connected to Exchange Online
with the Intune Connector. Instead, you have the following options:
Enroll devices in Mobile Device Management (MDM)
Use Intune App Protection Policies to manage your devices
Use Exchange controls as outlined in Clients and mobile in Exchange Online
Search the All devices page for an exact device by using [name]
You can now search for an exact device name. Go to Intune > Devices > All devices > in the search box,
surround the device name with {} to search for an exact match. For example, {Device12345}.
Monitor and troubleshoot
Support for additional connectors on the Tenant Status page
The Tenant Status page now displays status information for additional connectors, including Windows Defender
Advanced Threat Protection (ATP) and other Mobile Threat Defense connectors.
Support for the Power BI Compliance app from the Data Warehouse blade in Microsoft Intune
Previously, the Download Power BI file link in the Intune Data Warehouse blade downloaded an Intune Data
Warehouse report (.pbix file). This report has been replaced with the Power BI Compliance app. The Power BI
Compliance app will not require special loading or setup. It will open directly in the Power BI online portal and
display data specifically for your Intune tenant based on your credentials. In Intune, select the Set up Intune Data
Warehouse link on the right side of the Intune blade. Then, click Get Power BI App. For more information, see
Connect to the Data Warehouse with Power BI.
Role-based access control
Granting Intune read-only access to some Azure Active Directory roles
Intune read-only access has been granted to the following Azure AD roles. Permissions granted with Azure AD
roles supersede permissions granted with Intune role-based access control (RBAC).
Read-only access to Intune audit data:
Compliance Administrator
Compliance Data Administrator
Read-only access to all Intune data:
Security Administrator
Security Operator
Security Reader
For more information, see Role-based access control.
Scope tags for iOS app provisioning profiles
You can add a scope tag to an iOS app provisioning profile so that only people with roles also assigned that scope
tag have access to the iOS app provisioning profile. For more information, see Use RBAC and scope tags.
Scope tags for app configuration policies
You can add a scope tag to an app configuration policy so that only people with roles also assigned that scope tag
have access to the app configuration policy. The app configuration policy can only be targeted to or associated
with apps assigned the same scope tag. For more information, see Use RBAC and scope tags.
Microsoft Edge support for Intune scenarios on iOS and Android devices
Microsoft Edge will support all of the same management scenarios as the Intune Managed Browser with the
addition of improvements to the end-user experience. Microsoft Edge enterprise features that are enabled by
Intune policies include dual-Identity, app protection policy integration, Azure application proxy integration, and
managed favorites and home page shortcuts. For more information, see Microsoft Edge support.
February 2019
App management
Intune macOS Company Portal Dark Mode
The Intune macOS Company Portal now supports Dark Mode for macOS. When you enable Dark Mode on a
macOS 10.14+ device, the Company Portal will adjust its appearance to colors that reflect that mode.
Intune will leverage Google Play Protect APIs on Android devices
Some IT admins are faced with a BYOD landscape where end users may end up rooting or jailbreaking their
mobile phone. This behavior, while sometimes not ill-intentioned, results in a bypass of many Intune policies that
are set in order to protect the organization's data on end-user devices. Thus, Intune provides root and jailbreak
detection for both enrolled and unenrolled devices. With this release, Intune will now leverage Google Play Protect
APIs to add to our existing root detection checks for unenrolled devices. While Google does not share the entirety
of the root detection checks that occur, we expect these APIs to detect users who have rooted their devices for any
reason from device customization to being able to get newer OS updates on older devices. These users can then
be blocked from accessing corporate data, or their corporate accounts can be wiped from their policy enabled
apps. For additional value, the IT admin will now have several reporting updates within the Intune App Protection
blade - the "Flagged Users" report will show which users are detected via Google Play Protect's SafetyNet API
scan, the "Potentially Harmful Apps" report will show which apps are detected via Google's Verify Apps API
scanning. This feature is available on Android.
Win32 app information available in Troubleshooting blade
You can now collect failure log files for a Win32 app installation from the Intune app Troubleshooting blade. For
more information about app installation troubleshooting, see Troubleshoot app installation issues and
Troubleshoot Win32 app issues.
App status details for iOS apps
There are new app installation error messages related to the following:
Failure for VPP apps when installing on shared iPad
Failure when app store is disabled
Failure to find VPP license for app
Failure to install system apps with MDM provider
Failure to install apps when device is in lost mode or kiosk mode
Failure to install app when user is not signed in to the App Store
In Intune, select Client apps > Apps > "App name" > Device install status. New error messages will be
available in the Status details column.
New App categories screen in the Company Portal app for Windows 10
A new screen called App categories has been added to improve the app browsing and selection experience in
Company Portal for Windows 10. Users will now see their apps sorted under categories such as Featured,
Education, and Productivity. This change appears in Company Portal versions 10.3.3451.0 and later. To view the
new screen, see What's new in the app UI. For more information about apps in the Company Portal, see Install and
share apps on your device.
Power BI Compliance app
Access your Intune Data Warehouse in Power BI Online using the Intune Compliance (Data Warehouse) app. With
this Power BI app, you can now access and share pre-created reports without any setup and without leaving your
web browser. For additional information, see Change log - Power BI Compliance app.
Device configuration
PowerShell scripts can run in a 64-bit host on 64-bit devices
When you add a PowerShell script to a device configuration profile, the script always executes in 32-bit, even on
64-bit operating systems. With this update, an administrator can run the script in a 64-bit PowerShell host on 64-bit
devices (Device configuration > PowerShell scripts > Add > Configure > Run script in 64 bit
PowerShell Host).
For more details on using PowerShell, see PowerShell scripts in Intune.
Applies to: Windows 10 and later
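Why the host bitness matters is easy to miss: a 32-bit host on 64-bit Windows runs under WOW64, which silently redirects `HKLM:\SOFTWARE` to `WOW6432Node` and `System32` to `SysWOW64`, so a script checking a 64-bit agent's settings reads the wrong place without any error. The following is an added example, not code from the Intune documentation: it reports which host an Intune-delivered script landed in, and shows the `Sysnative` re-launch that scripts needed before the "Run script in 64 bit PowerShell Host" option existed. `Sysnative` is a real Windows alias; everything else here is illustrative.

```powershell
# Added example; not code from the Intune documentation. Shows, from inside a script
# delivered by Intune, which PowerShell host it is running in and what a 32-bit host
# on 64-bit Windows silently changes (WOW64 registry and file system redirection).

function Get-ScriptHostInfo {
    $is64BitOs      = [Environment]::Is64BitOperatingSystem
    $is64BitProcess = [Environment]::Is64BitProcess

    # A 32-bit host on a 64-bit OS runs under WOW64: HKLM:\SOFTWARE is redirected to
    # HKLM:\SOFTWARE\WOW6432Node and System32 to SysWOW64, so a script that reads a
    # 64-bit application's settings reads the wrong hive without any error.
    $wow64 = $is64BitOs -and -not $is64BitProcess

    # Sysnative is an alias only a 32-bit process sees; it reaches the real System32.
    $nativeSystem32 = if ($wow64) { "$env:windir\Sysnative" } else { "$env:windir\System32" }

    [PSCustomObject]@{
        Is64BitOS       = $is64BitOs
        Is64BitProcess  = $is64BitProcess
        Wow64Redirected = $wow64
        NativeSystem32  = $nativeSystem32
        HostExecutable  = (Get-Process -Id $PID).Path
    }
}

function Assert-64BitHost {
    # Before the "Run script in 64 bit PowerShell Host" option, scripts had to re-launch
    # themselves through Sysnative to escape WOW64. With the option enabled this is a
    # no-op; without it, the script hands off to the 64-bit host and exits.
    $info = Get-ScriptHostInfo
    if (-not $info.Wow64Redirected) { return $true }

    $native = Join-Path $info.NativeSystem32 'WindowsPowerShell\v1.0\powershell.exe'
    if (-not (Test-Path $native)) {
        throw "64-bit PowerShell host not found at $native"
    }
    Write-Verbose "Re-launching in the 64-bit host: $native"
    & $native -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# Typical use at the top of an Intune-delivered script
Assert-64BitHost | Out-Null
Get-ScriptHostInfo | Format-List
```

With the Intune option enabled, `Wow64Redirected` comes back `False` and the re-launch never happens; leaving the option off on a 64-bit device gives `True`, and anything the script does with `HKLM:\SOFTWARE` or `System32` after that point is redirected. The re-launch passes the same script file, so keep the check at the very top so no redirected work has been done before the hand-off.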
macOS users are prompted to update their password
Intune is enforcing the ChangeAtNextAuth setting on macOS devices. This setting impacts end-users and
devices that have compliance password policies or device restriction password profiles. End users are prompted
once to update their password. This prompt happens whenever a user first runs a task that requires authentication,
such as signing in to the device. Users can also be prompted to update their password when doing anything that
requires administrative privileges, such as requesting keychain access.
Any new or existing password policy changes by the administrator prompt end users again to update their
password.
Applies to:
macOS
Assign SCEP certificates to a userless macOS device
You can assign Simple Certificate Enrollment Protocol (SCEP) certificates using device attributes to macOS devices,
including devices without user affinity, and associate the certificate profile with Wi-Fi or VPN profiles. This expands
the support we already have to assign SCEP certificates to devices with and without user affinity that run
Windows, iOS, and Android. This update adds the option to select a Certificate type of Device when you configure
a SCEP certificate profile for the macOS.
Applies to:
macOS
Intune Conditional Access UI update
We've made improvements to the UI for Conditional Access in the Intune console. These include:
Replaced the Intune Conditional Access blade with the blade from Azure Active Directory. This ensures you'll
have access to the full range of settings and configurations for Conditional Access (which remains an Azure AD
technology), from within the Intune console.
We've renamed the On-premises access blade to Exchange access, and relocated the Exchange service
connector setup to this renamed blade. This change consolidates where you configure and monitor details
related to Exchange online and on-premises.
Kiosk Browser and Microsoft Edge Browser apps can run on Windows 10 devices in kiosk mode
You can use Windows 10 devices in kiosk mode to run one app, or many apps. This update includes several
changes to using browser apps in kiosk mode, including:
Add the Microsoft Edge Browser or Kiosk Browser to run as apps on the kiosk device (Device
configuration > Profiles > New profile > Windows 10 and later for platform > Kiosk for profile
type).
New features and settings are available to allow or restrict (Device configuration > Profiles > New
profile > Windows 10 and later for platform > Device restrictions for profile type), including:
Microsoft Edge Browser:
Use Microsoft Edge kiosk mode
Refresh browser after idle time
Favorites and search:
Allow changes to search engine
For a list of these settings, see:
Windows 10 and later device settings to run as a kiosk
Microsoft Edge Browser device restrictions
Favorites and search device restrictions
Applies to: Windows 10 and later
New device restriction settings for iOS and macOS devices
You can restrict some settings and features on devices running iOS and macOS (Device configuration >
Profiles > New profile > iOS or macOS for platform > Device restrictions for profile type). This update adds
more features and settings you can control, including setting screen time, changing eSIM settings and cellular
plans, and more on iOS devices. Also, delaying the user's visibility of software updates and blocking content
caching on macOS devices.
To see the features and settings you can restrict, see:
iOS device restriction settings
macOS device restriction settings
Applies to:
iOS
macOS
"Kiosk" devices are now called "Dedicated devices" on Android Enterprise devices
To align with Android terminology, kiosk is changed to dedicated devices for Android enterprise devices
(Device configuration > Profiles > Create profile > Android enterprise for platform > Device Owner
Only > Device Restrictions > Dedicated devices).
To see the available settings, go to Device settings to allow or restrict features.
Applies to:
Android Enterprise
Safari and Delaying user software update visibility iOS settings are moving in the Intune UI
For iOS devices, you can set Safari settings and configure Software Updates. In this update, these settings are
moving to different parts of the Intune UI:
The Safari settings moved from Safari (Device configuration > Profiles > New profile > iOS for platform
> Device restrictions for profile type) to Built-in Apps .
The Delaying user software update visibility for supervised iOS devices setting (Software updates >
Update policies for iOS ) is moving to Device restrictions > General . For details on the impact to existing
policies, see iOS software updates.
For a list of the settings, see:
iOS device restrictions
iOS software updates
This feature applies to:
iOS
Enabling restrictions in the device settings is renamed to Screen Time on iOS devices
You can configure the Enabling restrictions in the device settings on supervised iOS devices (Device
configuration > Profiles > New profile > iOS for platform > Device restrictions for profile type >
General). In this update, this setting is renamed to Screen Time (supervised only).
The behavior is the same. Specifically:
iOS 11.4.1 and earlier: Block prevents end users from setting their own restrictions in the device settings.
iOS 12.0 and later: Block prevents end users from setting their own Screen Time in the device settings,
including content & privacy restrictions. Devices upgraded to iOS 12.0 won't see the restrictions tab in the
device settings anymore. These settings are in Screen Time.
For a list of the settings, see iOS device restrictions.
Applies to:
iOS
Intune PowerShell module
The Intune PowerShell module, which provides support for the Intune API through Microsoft Graph, is now
available in the Microsoft PowerShell Gallery.
Details about how to use this module
Scenario examples using this module
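As an added example of what the module gives you (not the Intune team's own sample code), the following signs in through Microsoft Graph and builds a report of non-compliant managed devices, flagging the ones that have not checked in recently since a stale device is often "non-compliant" only because it never reported. The cmdlet names are the Microsoft.Graph.Intune module's and the property names are those of the Graph managedDevice resource; the account you sign in with and the role it holds are whatever your tenant grants.

```powershell
# Added example; not the Intune team's own sample. Uses the Microsoft.Graph.Intune
# module from the PowerShell Gallery to pull every managed device through the Intune
# Graph API and summarise the ones that are not compliant. Cmdlet and property names
# are the module's and the Graph managedDevice resource's; the account you sign in
# with, and its role, are whatever your tenant grants.

# One-time install from the PowerShell Gallery, then load it
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Intune)) {
    Install-Module -Name Microsoft.Graph.Intune -Scope CurrentUser
}
Import-Module Microsoft.Graph.Intune

# Interactive sign-in. Read access is enough here; the signed-in account needs an
# Intune RBAC role, or one of the Azure AD roles that carries Intune read access.
Connect-MSGraph | Out-Null

function Get-NonCompliantDeviceSummary {
    [CmdletBinding()]
    param(
        # Devices that have not synced for this many days are flagged separately:
        # a stale device may be non-compliant only because it never reported.
        [int]$StaleAfterDays = 30
    )

    # Graph returns results in pages; Get-MSGraphAllPages follows every @odata.nextLink
    $devices = Get-IntuneManagedDevice | Get-MSGraphAllPages
    $cutoff  = (Get-Date).AddDays(-$StaleAfterDays)

    $devices |
        Where-Object { $_.complianceState -eq 'noncompliant' } |
        ForEach-Object {
            [PSCustomObject]@{
                DeviceName = $_.deviceName
                User       = $_.userPrincipalName
                OS         = $_.operatingSystem
                OSVersion  = $_.osVersion
                LastSync   = $_.lastSyncDateTime
                Stale      = ([datetime]$_.lastSyncDateTime -lt $cutoff)
            }
        } |
        Sort-Object OS, LastSync
}

$report = Get-NonCompliantDeviceSummary -StaleAfterDays 30
$report | Format-Table -AutoSize

# Counts per platform, which is what you would chart or alert on
$report | Group-Object OS | Select-Object Name, Count
```

The `Stale` column is the one to act on first: a device that is non-compliant and has not synced in a month is either lost, wiped, or has an agent problem, and none of those are fixed by tightening the compliance policy. Paging through `Get-MSGraphAllPages` matters in any tenant with more than a page of devices; without it the report quietly covers only the first page.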
Improved support for delivery optimization
We've expanded the support in Intune for configuring delivery optimization. You can now configure an expanded
list of Delivery Optimization settings and target it to your devices right from Intune console.
Device management
Rename an enrolled Windows device
You can now rename an enrolled Windows 10 device (RS4 or later). To do so, choose Intune > Devices > All
devices > choose a device > Rename device. This feature does not currently support renaming hybrid Azure AD
Windows devices.
Auto-assign scope tags to resources created by an admin with that scope
When an admin creates a resource, any scope tags assigned to the admin will automatically be assigned to those
new resources.
Monitor and troubleshoot
Failed enrollment report moves to the Device Enrollment blade
The Failed enrollments report has been moved to the Monitor section of the Device enrollment blade. Two
new columns (Enrollment Method and OS Version) have been added.
Company Portal abandonment report renamed to Incomplete user enrollments
The Company Portal abandonment report has been renamed to Incomplete user enrollments.
January 2019
App management
Intune app PIN
As the IT admin, you can now configure the number of days an end user can wait until their Intune app PIN must
be changed. The new setting is PIN reset after number of days and is available in the Azure portal by selecting
Intune > Client apps > App protection policies > Create Policy > Settings > Access requirements.
Available for iOS and Android devices, this feature supports a positive integer value.
Intune device reporting fields
Intune provides additional device reporting fields, including App Registration ID, Android manufacturer, model,
and security patch version, as well as iOS model. In Intune, these fields are available by selecting Client apps >
App protection status and choosing App Protection Report: iOS, Android. In addition, these parameters will
help you configure the Allow list for device manufacturer (Android), the Allow list for device model (Android and
iOS), and the minimum Android security patch version setting.
Toast notifications for Win32 apps
You can suppress showing end-user toast notifications per app assignment. From Intune, select Client apps >
Apps > select the app > Assignments > Include Groups.
Intune app protection policies UI update
We've changed the labels for settings and buttons for Intune app protection to make each easier to understand.
Some of the changes include:
Controls are changed from yes / no controls to primarily block / allow and disable / enable controls. The
labels are also updated.
Settings are reformatted, so the setting and its label are side-by-side in the control, to provide better
navigation.
The default settings and number of settings remain the same, but this change allows the user to understand,
navigate, and utilize the settings more easily to apply selected app protection policies. For information, see iOS
settings and Android settings.
Additional settings for Outlook
You can now configure the following additional settings for Outlook for iOS and Android using Intune:
Only allow work or school accounts to be used in Outlook on iOS and Android
Deploy modern authentication for Microsoft 365 and hybrid modern authentication on-premises accounts
Use SAMAccountName for the username field in the email profile when basic authentication is selected
Allow contacts to be saved
Configure external recipients MailTips
Configure Focused Inbox
Require biometrics to access Outlook for iOS
Block external images
NOTE
If you are using Intune App Protection policies to manage access for corporate identities, you should consider not enabling
require biometrics. For more information, see Require corporate credentials for access for iOS Access Settings and
Android Access Settings.
December 2018
App management
Updates for Application Transport Security
Microsoft Intune supports Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, to ensure
Intune is more secure by default, and to align with other Microsoft services such as Microsoft 365. In order to
meet this requirement, the iOS and macOS company portals will enforce Apple's updated Application Transport
Security (ATS) requirements, which also require TLS 1.2+. ATS is used to enforce stricter security on all app
communications over HTTPS. This change impacts Intune customers using the iOS and macOS Company Portal
apps. For more information, see the Intune support blog.
The Intune App SDK will support 256-bit encryption keys
The Intune App SDK for Android now uses 256-bit encryption keys when encryption is enabled by App Protection
Policies. The SDK will continue to provide support of 128-bit keys for compatibility with content and apps that use
older SDK versions.
Microsoft Auto Update version 4.5.0 required for macOS devices
To continue receiving updates for the Company Portal and other Office applications, macOS devices managed by
Intune must upgrade to Microsoft Auto Update 4.5.0. Users might already have this version for their Office apps.
Device management
Intune requires macOS 10.12 or later
Intune now requires macOS version 10.12 or later. Devices using prior macOS versions can't use the Company
Portal to enroll into Intune. To receive support assistance and new features, users must upgrade their device to
macOS 10.12 or later and upgrade the Company Portal to the latest version.
November 2018
App management
Uninstalling apps on corporate-owned supervised iOS devices
You can remove any app on corporate-owned supervised iOS devices. You can remove any app by targeting either
user or device groups with an Uninstall assignment type. For personal or unsupervised iOS devices, you will
continue to be able to remove only apps that were installed using Intune.
Downloading Intune Win32 app content
Windows 10 RS3 and above clients will download Intune Win32 app content using a Delivery Optimization
component on the Windows 10 client. Delivery optimization provides peer-to-peer functionality that is turned on
by default. Currently, delivery optimization can be configured by group policy. For more information, see Delivery
Optimization for Windows 10.
End user device and app content menu
End users can now use the context menu on devices and apps to trigger common actions like renaming a device or
checking compliance.
Set custom background in Managed Home Screen app
We're adding a setting that lets you customize the background appearance of the Managed Home Screen app on
Android Enterprise, multi-app, kiosk mode devices. To configure the Custom URL background, go to Intune in
the Azure portal > Device configuration. Select a current device configuration profile or create a new one to edit its
kiosk settings. To see the kiosk settings, see Android Enterprise device restrictions.
App protection policy assignment save and apply
You now have better control over your app protection policy assignments. When you select Assignments to set or
edit the assignments of a policy, you must Save your configuration before the change applies. Use Discard to
clear all changes you make without saving any changes to the Include or Exclude lists. By requiring Save or
Discard, only the users you intend are assigned an app protection policy.
New Microsoft Edge browser settings for Windows 10 and later
This update includes new settings to help control and manage the Microsoft Edge browser on your devices. For a
list of these settings, see Device restriction for Windows 10 (and newer).
New apps support with app protection policies
You can now manage the following apps with Intune app protection policies:
Stream (iOS)
To Do (Android, iOS)
PowerApps (Android, iOS)
Flow (Android, iOS)
Use app protection policies to protect corporate data and control data transfer for these apps, like other Intune
policy managed apps. Note: If Flow is not yet visible in the console, you can add Flow when you create or edit an
app protection policy. To do so, use the + More apps option, and then specify the App ID for Flow in the input field.
For Android use com.microsoft.flow, and for iOS use com.microsoft.procsimo.
Device configuration
Support for iOS 12 OAuth in iOS email profiles
Intune's iOS email profiles support iOS 12 Open Authorization (OAuth). To see this feature, create a new profile
(Device Configuration > Profiles > Create profile > iOS for platform > Email for profile type), or update an
existing iOS email profile. If you enable OAuth in a profile that's already deployed to users, then users are
prompted to reauthenticate, and download their email again.
For more information on using OAuth in an email profile, see iOS email profiles.
Network Access Control (NAC) support for Citrix SSO for iOS
Citrix released an update to Citrix Gateway to allow Network Access Control (NAC) for Citrix SSO for iOS in Intune.
You can opt in to include a device ID within a VPN profile in Intune, and then push this profile to your iOS devices.
You will need to install the latest update to Citrix Gateway to use this functionality.
Configure VPN settings on iOS devices provides more information on using NAC, including some additional
requirements.
iOS and macOS version numbers and build numbers are shown
In Device compliance > Device compliance, the iOS and macOS operating system versions are shown, and
available to use in compliance policies. This update includes the build number, which is configurable for both
platforms. When security updates are released, Apple typically leaves the version number as-is, but updates the
build number. By using the build number in a compliance policy, you can easily check if a vulnerability update is
installed. To use this feature, see iOS and macOS compliance policies.
Update rings are being replaced with Delivery Optimization settings for Windows 10 and later
Delivery optimization is a new configuration profile for Windows 10 and later. This feature provides a more
streamlined experience to deliver software updates to devices in your organization. This update also helps you
deliver the settings in new and existing update rings using a configuration profile. To configure a delivery
optimization configuration profile, see Windows 10 (and newer) delivery optimization settings.
New device restriction settings added to iOS and macOS devices
This update includes new settings for your iOS and macOS devices that are released with iOS 12:
iOS settings:
General: Block app removal (supervised only)
General: Block USB Restricted mode (supervised only)
General: Force automatic date and time (supervised only)
Password: Block password AutoFill (supervised only)
Password: Block password proximity requests (supervised only)
Password: Block password sharing (supervised only)
macOS settings:
Password: Block password AutoFill
Password: Block password proximity requests
Password: Block password sharing
To learn more about these settings, see iOS and macOS device restriction settings.
Device enrollment
Autopilot support for hybrid Azure Active Directory joined devices (Preview)
You can now set up hybrid Azure Active Directory joined devices by using Autopilot. Devices must be joined to
your organization's network to use the hybrid Autopilot feature. For more information, see Deploy hybrid Azure
AD joined devices using Intune and Windows Autopilot. This feature is rolling out across the user base over the
next few days. Therefore, you might not be able to follow these steps until it rolls out to your account.
Select apps tracked on the Enrollment Status Page
You can choose which apps are tracked on the enrollment status page. Until these apps are installed, the user can't
use the device. For more information, see Set up an enrollment status page.
Search for Autopilot device by serial number
You can now search for Autopilot devices by serial number. To do so, choose Device enrollment > Windows
enrollment > Devices > type a serial number in the Search by serial number box > press Enter.
Track installation of Office ProPlus
Users can track the installation progress of Office ProPlus using the Enrollment Status Page. For more information,
see Set up an enrollment status page.
Alerts for expiring VPP token or Company Portal license running low
If you are using Volume Purchase Program (VPP) to pre-provision the Company Portal during DEP enrollment,
Intune will alert you when the VPP token is about to expire and when the licenses for the Company Portal are
running low.
macOS Device Enrollment Program support for Apple School Manager accounts
Intune now supports using the Device Enrollment Program on macOS devices for Apple School Manager
accounts. For more information, see Automatically enroll macOS devices with Apple School Manager or Device
Enrollment Program.
New Intune device subscription SKU
To help lower the cost of managing devices in enterprises, a new device-based subscription SKU is now available.
This Intune device SKU is licensed per device on a monthly basis. Price varies by the licensing program. It's
available directly through the Microsoft 365 admin center, and through the Enterprise Agreement (EA), Microsoft
Products and Services Agreement (MPSA), Microsoft Open Agreements, and Cloud Solution Provider (CSP).
Device management
Temporarily pause kiosk mode on Android devices to make changes
When using Android devices in multi-app kiosk mode, an IT administrator may need to make changes to the
device. This update includes new multi-app kiosk settings that allow an IT administrator to temporarily pause
kiosk-mode using a PIN, and get access to the entire device. To see the kiosk settings, see Android Enterprise
device restrictions.
Enable virtual home button on Android Enterprise kiosk devices
A new setting will allow users to tap a soft-key button on their device to switch between the Managed Home
Screen app and other assigned apps on their multi-app kiosk device. This setting is particularly helpful in scenarios
where a user's kiosk app does not respond appropriately to the "back" button. You'll be able to configure this
setting for corporate-owned, single use Android devices. To enable or disable the Virtual home button, go to
Intune in the Azure portal > Device configuration. Select a current device configuration profile or create a new one
to edit its kiosk settings. To see the kiosk settings, see Android Enterprise device restrictions.
October 2018
App management
Access to key profile properties using the company portal app
End users can now access key account properties and actions, such as password reset, from the Company portal
app.
3rd-party keyboards can be blocked by APP settings on iOS
On iOS devices, Intune admins can block the use of 3rd-party keyboards when accessing organization data in
policy protected apps. When the Application Protection Policy (APP) is set to block 3rd-party keyboards, the device
user receives a message the first time they interact with corporate data when using a 3rd-party keyboard. All
options, other than the native keyboard, are blocked and device users will not see them. Device users will only see
the dialog message once.
User account access of Intune apps on managed Android and iOS devices
As the Microsoft Intune admin, you can control which user accounts are added to Microsoft Office applications on
managed devices. You can limit access to only allowed organization user accounts and block personal accounts on
enrolled devices.
Outlook iOS and Android app configuration policy
You can now create an Outlook iOS and Android app configuration policy for iOS and Android for on-premises
users that leverage Basic authentication with the ActiveSync protocol. Additional configuration settings will be
added as they are enabled for the Outlook for iOS and Android.
Microsoft 365 Apps for enterprise language packs
As the Intune admin, you will be able to deploy additional languages for Microsoft 365 Apps for enterprise apps
managed through Intune. The list of available languages includes the Type of language pack (core, partial, and
proofing). In the Azure portal, select Microsoft Intune > Client apps > Apps > Add. In the App type list of the
Add app blade, select Windows 10 under Office 365 Suite. Select Languages in the App Suite Settings
blade.
Windows line-of-business (LOB) apps file extensions
The file extensions for Windows LOB apps will now include .msi, .appx, .appxbundle, .msix, and .msixbundle. You
can add an app in Microsoft Intune by selecting Client apps > Apps > Add. The Add app pane is displayed
which allows you to select the App type. For Windows LOB apps, select Line-of-business app as the app type,
select the App package file, and then enter an installation file with the appropriate extension.
Windows 10 app deployment using Intune
Building upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps,
administrators can use Intune to deploy most of their organization's existing applications to end users on
Windows 10 devices. Administrators can add, install, and uninstall applications for Windows 10 users in a variety
of formats, such as MSIs, Setup.exe, or MSP. Intune will evaluate requirement rules before downloading and
installing, notifying end users of the status or reboot requirements using the Windows 10 Action Center. This
functionality will effectively unblock organizations interested in shifting this workload to Intune and the cloud. This
feature is currently in public preview and we expect to add significant new capabilities to the feature over the next
few months.
App Protection Policy (APP) settings for web data
APP policy settings for web content on both Android and iOS devices will be updated to better handle both http
and https web links, as well as data transfer via iOS Universal Links and Android App Links.
End user device and app content menu
End users can now use the context menu on device and apps to trigger common actions like renaming a device or
checking compliance.
Windows Company Portal keyboard shortcuts
End users will now be able to trigger app and device actions in the Windows Company Portal using keyboard
shortcuts (accelerators).
Require non-biometric PIN after a specified timeout
By requiring a non-biometric PIN after an admin-specified timeout, Intune provides improved security for Mobile
Application Management (MAM) enabled apps by restricting the use of biometric identification for access to
corporate data. The settings affect users who rely on Touch ID (iOS), Face ID (iOS), Android Biometric, or other
future biometric authentication methods to access their APP/MAM-enabled applications. These settings enable
Intune admins to have more granular control over user access, eliminating cases where a device with multiple
fingerprints or other biometric access methods can reveal corporate data to an incorrect user. In the Azure portal,
open Microsoft Intune. Select Client apps > App protection policies > Add a policy > Settings. Locate the
Access section for specific settings. For information about access settings, see iOS settings and Android settings.
Intune APP data transfer settings on iOS MDM enrolled devices
You can separate the control of Intune APP data transfer settings on iOS MDM enrolled devices from specifying
the enrolled user's identity, also known as the User Principal Name (UPN). Admins not using the IntuneMAMUPN
will not observe a behavior change. When this functionality is available, admins using the IntuneMAMUPN to
control data transfer behavior on enrolled devices should review the new settings and update their APP settings as
needed.
Windows 10 Win32 apps
You can configure your Win32 apps to be installed in user context for individual users, versus installing the app for
all users of the device.
Windows Win32 apps and PowerShell scripts
End users are no longer required to be logged in on the device to install Win32 apps or execute PowerShell scripts.
Troubleshooting client app installation
You can troubleshoot the installation success of client apps by reviewing the column labeled App install in the
Troubleshoot blade. To view the Troubleshoot blade, in the Intune portal, select Troubleshoot under Help and
support.
Device configuration
Create DNS suffixes in VPN configuration profiles on devices running Windows 10
When you create a VPN device configuration profile (Device configuration > Profiles > Create profile >
Windows 10 and later platform > VPN profile type), you enter some DNS settings. With this update, you can
also enter multiple DNS suffixes in Intune. When using DNS suffixes, you can search for a network resource
using its short name, instead of the fully qualified domain name (FQDN). This update also lets you change the
order of the DNS suffixes in Intune. Windows 10 VPN settings lists the current DNS settings. Applies to: Windows
10 devices
Support for always-on VPN for Android enterprise work profiles
In this update, you can use Always-on VPN connections on Android enterprise devices with managed work
profiles. Always-on VPN connections stay connected, or immediately reconnect when the user unlocks their
device, when the device restarts, or when the wireless network changes. You can also put the connection in
"lockdown" mode, which blocks all network traffic until the VPN connection is active. You can enable Always-on
VPN in Device configuration > Profiles > Create profile > Android enterprise for platform > Device
restrictions > Connectivity settings.
Issue SCEP certificates to user-less devices
Currently, certificates are issued to users. With this update, SCEP certificates can be issued to devices, including
user-less devices such as kiosks (Device configuration > Profiles > Create profile > Windows 10 and later
for platform > SCEP certificate for profile). Other updates include:
The Subject property in an SCEP profile is now a custom textbox and can include new variables.
The Subject alternative name (SAN) property in an SCEP profile is now a table format and can include
new variables. In the table, an admin can add an attribute and fill out the value in a custom textbox. The SAN
will support the following attributes:
DNS
Email address
UPN
These new variables can be added with static text in a custom value textbox. For example, the DNS attribute
can be added as DNS = {{AzureADDeviceId}}.domain.com.
NOTE
Curly brackets, semicolons, and pipe symbols " { } ; | " will not work in the static text of the SAN. Curly brackets must
only enclose one of the new device certificate variables to be accepted for either Subject or
Subject alternative name. The supported device certificate variables are:
{{AAD_Device_ID}}
{{Device_Serial}}
{{Device_IMEI}}
{{SerialNumber}}
{{IMEINumber}}
{{AzureADDeviceId}}
{{WiFiMacAddress}}
{{IMEI}}
{{DeviceName}}
{{FullyQualifiedDomainName}}
{{MEID}}
NOTE
{{FullyQualifiedDomainName}} only works for Windows and domain-joined devices.
When specifying device properties such as IMEI, Serial Number, and Fully Qualified Domain Name in the subject or SAN
for a device certificate, be aware that these properties could be spoofed by a person with access to the device.
Create a SCEP certificate profile lists the current variables when creating an SCEP configuration profile.
Applies to: Windows 10 and later and iOS, supported for Wi-Fi
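The Subject and SAN rules above (one variable per pair of curly brackets, no { } ; | in static text, and device-reported values such as IMEI, serial number and FQDN being spoofable) are easy to get wrong when typing a template into the portal. The following is an added example, not code from the page or from Intune: a small Python checker that tokenizes a Subject/SAN value, validates it against those rules, expands it for a constructed device record, and lists which variables in it come from the device itself. The variable list is the one on this page; which variables count as "device-reported" beyond the three the page names is an assumption of this example, as are the sample device values.

```python
import re
from typing import Dict, List, Tuple

# Variables Intune accepts inside {{ }} in an SCEP profile's Subject or SAN (the list on this page).
SCEP_VARIABLES = {
    "AAD_Device_ID", "Device_Serial", "Device_IMEI", "SerialNumber", "IMEINumber",
    "AzureADDeviceId", "WiFiMacAddress", "IMEI", "DeviceName",
    "FullyQualifiedDomainName", "MEID",
}

# Variables whose values originate on the device and can be spoofed by someone with
# access to it. The page names IMEI, serial number and FQDN; the rest of this grouping
# is an assumption of this example.
DEVICE_REPORTED = {
    "Device_Serial", "SerialNumber", "Device_IMEI", "IMEINumber", "IMEI", "MEID",
    "FullyQualifiedDomainName", "WiFiMacAddress", "DeviceName",
}

# Characters the page says will not work in the static text of the SAN.
FORBIDDEN_STATIC = set("{};|")

# A variable reference: exactly {{Name}} with no spaces inside the brackets.
VARIABLE_TOKEN = re.compile(r"\{\{([A-Za-z_]+)\}\}")


def parse_template(template: str) -> List[Tuple[str, str]]:
    """Split a Subject/SAN value into ("literal", text) and ("variable", name) tokens."""
    tokens: List[Tuple[str, str]] = []
    pos = 0
    for match in VARIABLE_TOKEN.finditer(template):
        if match.start() > pos:
            tokens.append(("literal", template[pos:match.start()]))
        tokens.append(("variable", match.group(1)))
        pos = match.end()
    if pos < len(template):
        tokens.append(("literal", template[pos:]))
    return tokens


def validate_template(template: str) -> List[str]:
    """Return a list of problems; an empty list means the value follows the page's rules."""
    problems: List[str] = []
    for kind, text in parse_template(template):
        if kind == "variable":
            if text not in SCEP_VARIABLES:
                problems.append("unknown variable {{" + text + "}}")
        else:
            # Any stray bracket (e.g. a half-typed variable) also lands here as static text.
            bad = sorted(FORBIDDEN_STATIC & set(text))
            if bad:
                problems.append(
                    "static text %r contains forbidden character(s) %s" % (text, "".join(bad))
                )
    return problems


def spoofable_variables(template: str) -> List[str]:
    """Variables in the template whose value the device itself reports; review before trusting."""
    return sorted({name for kind, name in parse_template(template)
                   if kind == "variable" and name in DEVICE_REPORTED})


def render(template: str, device: Dict[str, str]) -> str:
    """Expand the template against one device record, refusing any rule violation."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    parts = []
    for kind, text in parse_template(template):
        parts.append(device[text] if kind == "variable" else text)
    return "".join(parts)


# Constructed device record; the values are placeholders, not real identifiers.
SAMPLE_DEVICE = {
    "AzureADDeviceId": "11111111-2222-3333-4444-555555555555",
    "DeviceName": "LAPTOP-EXAMPLE",
    "SerialNumber": "SN-PLACEHOLDER-01",
}

if __name__ == "__main__":
    print(render("{{AzureADDeviceId}}.domain.com", SAMPLE_DEVICE))
    print(validate_template("{{AzureADDeviceId}};{{DeviceName}}"))
    print(spoofable_variables("{{DeviceName}}.{{FullyQualifiedDomainName}}"))
```

A template that only uses {{AzureADDeviceId}} or {{AAD_Device_ID}} yields an empty spoofable list, which is the value a relying party can bind to the Azure AD device object; anything in the non-empty list is an input the device could have changed before enrollment.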
Remotely lock uncompliant devices
When a device is not compliant, you can create an action on the compliance policy that locks the device remotely.
In Intune > Device compliance, create a new policy, or select an existing policy > Properties. Select Actions
for noncompliance > Add, and choose to remotely lock the device. Supported on:
Android
iOS
macOS
Windows 10 Mobile
Windows Phone 8.1 and later
Windows 10 and later Kiosk profile improvements in the Azure portal
This update includes the following improvements to the Windows 10 Kiosk device configuration profile (Device
configuration > Profiles > Create profile > Windows 10 and later for platform > Kiosk preview for
profile type):
Currently, you can create multiple kiosk profiles on the same device. With this update, Intune will support only
one kiosk profile per device. If you still need multiple kiosk profiles on a single device, you can use a Custom
URI.
In a Multi-app kiosk profile, you can select the application tile size and order for the Start menu layout in
the application grid. If you prefer more customization, you can continue to upload an XML file.
The Kiosk Browser settings are moving into the Kiosk settings. Currently, the Kiosk web browser settings
have their own category in the Azure portal. Applies to: Windows 10 and later
PIN prompt when you change fingerprints or face ID on an iOS device
Users are now prompted for a PIN after making biometric changes on their iOS device. This includes changes to
registered fingerprints or face ID. The timing of the prompt depends on the configured Recheck access
requirements after (minutes) timeout. When no PIN is set, the user is prompted to set one.
This feature is only available for iOS, and requires the participation of applications that integrate the Intune APP
SDK for iOS, version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be enforced on the
targeted applications. This integration happens on a rolling basis and is dependent on the specific application
teams. Some apps that participate include WXP, Outlook, Managed Browser, and Yammer.
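The two access-requirement features described on this page, the non-biometric PIN required after an admin-specified timeout (under App management above) and the PIN prompt after biometric changes on iOS (this section), both hinge on when the app rechecks access requirements. The following is an added example, not Intune's own code or SDK logic: a Python model of one app launch under an app protection policy, showing how the recheck timeout, the biometric override timeout and the biometric-change prompt combine into one decision. The field names, and the assumption that the biometric conditions are only evaluated when a recheck is due, are this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessPolicy:
    """Access settings of an app protection policy. Field names are this example's own."""
    recheck_after_minutes: int                  # "Recheck access requirements after (minutes)"
    biometrics_allowed: bool                    # may Touch ID / Face ID / Android Biometric stand in for the PIN?
    biometric_override_minutes: Optional[int]   # minutes since last typed PIN after which only a PIN is accepted (None: never)
    pin_on_biometric_change: bool               # iOS: prompt for the PIN after registered fingerprints / face change


@dataclass(frozen=True)
class LaunchState:
    """What the app knows about the user and device at launch time (constructed input)."""
    pin_set: bool
    minutes_since_pin_entry: int        # time since the user last typed the app PIN
    biometric_enrollment_changed: bool  # device's registered biometrics changed since the last recheck
    unlock_method: str                  # "biometric" or "pin"


def access_decision(policy: AccessPolicy, state: LaunchState) -> str:
    """Return "set_pin", "allow" or "require_pin" for one launch of a policy-protected app."""
    # The page: when no PIN is set, the user is prompted to set one.
    if not state.pin_set:
        return "set_pin"
    # Inside the recheck window nothing is re-evaluated (assumption of this example).
    if state.minutes_since_pin_entry < policy.recheck_after_minutes:
        return "allow"
    # A recheck is due. A typed PIN always satisfies it.
    if state.unlock_method == "pin":
        return "allow"
    # Biometric unlock only passes while every biometric condition in the policy holds.
    if not policy.biometrics_allowed:
        return "require_pin"
    if (policy.biometric_override_minutes is not None
            and state.minutes_since_pin_entry >= policy.biometric_override_minutes):
        return "require_pin"  # non-biometric PIN required after the timeout
    if policy.pin_on_biometric_change and state.biometric_enrollment_changed:
        return "require_pin"  # a new fingerprint / face was registered: re-prove with the PIN
    return "allow"


# Constructed policy: recheck every 30 minutes, biometrics allowed but overridden after 2 hours.
EXAMPLE_POLICY = AccessPolicy(
    recheck_after_minutes=30,
    biometrics_allowed=True,
    biometric_override_minutes=120,
    pin_on_biometric_change=True,
)

if __name__ == "__main__":
    for minutes, changed in ((10, True), (45, False), (45, True), (150, False)):
        state = LaunchState(True, minutes, changed, "biometric")
        print(minutes, "min, biometrics changed:", changed, "->", access_decision(EXAMPLE_POLICY, state))
```

The 10-minute case shows why the page says the timing of the biometric-change prompt depends on the recheck setting: the change is only noticed once the recheck window has elapsed, so a shorter recheck interval shortens the window in which a newly added fingerprint can open corporate data.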
Network access control support on iOS VPN clients
With this update, there's a new setting to enable Network Access Control (NAC) when you create a VPN
configuration profile for Cisco AnyConnect, F5 Access, and Citrix SSO for iOS. This setting allows the NAC ID of the
device to be included in the VPN profile. Currently, there aren't any VPN clients or NAC partner solutions that
support this new NAC ID, but we will keep you informed through our support blog post when they do.
To use NAC, you'll need to:
1. Opt in to allow Intune to include device IDs in VPN profiles
2. Update your NAC provider software/firmware, using guidance directly from your NAC provider
For information on this setting within an iOS VPN profile, see Add VPN settings on iOS devices in Microsoft
Intune. For more information on network access control, see Network access control (NAC) integration with
Intune.
Applies to: iOS
Remove an email profile from a device, even when there's only one email profile
Previously, you couldn't remove an email profile from a device if it's the only email profile. With this update, this
behavior changes. Now, you can remove an email profile, even if it's the only email profile on the device. See Add
email settings to devices using Intune for details.
PowerShell scripts and Azure AD
PowerShell scripts in Intune can be targeted to Azure AD device security groups.
New "Required password type" default setting for Android, Android enterprise
When you create a new compliance policy (Intune > Device compliance > Policies > Create policy >
Android or Android enterprise for Platform > System Security), the default value for Required password
type changes:
From: Device default
To: At least numeric
Applies to: Android, Android Enterprise
To see these settings, go to Android and Android Enterprise.
Use a pre-shared key in a Windows 10 Wi-Fi profile
With this update, you can use a pre-shared key (PSK) with the WPA/WPA2-Personal security protocol to
authenticate a Wi-Fi configuration profile for Windows 10. You can also specify the cost configuration for a
metered network for devices on Windows 10 October 2018 update.
Currently, you must import a Wi-Fi profile, or create a custom profile to use a pre-shared key. Wi-Fi settings for
Windows 10 lists the current settings.
Remove PKCS and SCEP certificates from your devices
In some scenarios, PKCS and SCEP certificates remained on devices, even when removing a policy from a group,
deleting a configuration or compliance deployment, or an admin updating an existing SCEP or PKCS profile. This
update changes the behavior. There are some scenarios where PKCS and SCEP certificates are removed from
devices, and some scenarios where these certificates remain on the device. See Remove SCEP and PKCS
certificates in Microsoft Intune for these scenarios.
Use Gatekeeper on macOS devices for compliance
This update includes the macOS Gatekeeper to evaluate devices for compliance. To set the Gatekeeper property,
Add a device compliance policy for macOS devices.
Device enrollment
Apply Autopilot profile to enrolled Win 10 devices not already registered for Autopilot
You can apply Autopilot profiles to enrolled Win 10 devices that have not already been registered for Autopilot. In
the Autopilot profile, choose the Convert all targeted devices to Autopilot option to automatically register
non-Autopilot devices with the Autopilot deployment service. Allow 48 hours for the registration to be processed.
When the device is unenrolled and reset, Autopilot will provision it.
Create and assign multiple Enrollment Status Page profiles to Azure AD groups
You can now create and assign multiple Enrollment Status Page profiles to Azure AD groups.
Migration from Device Enrollment Program to Apple Business Manager in Intune
Apple Business Manager (ABM) works in Intune and you can upgrade your account from Device Enrollment
Program (DEP) to ABM. The process in Intune is the same. To upgrade your Apple account from DEP to ABM, go to
https://support.apple.com/HT208817.
Alert and enrollment status tabs on the Device enrollment overview page
Alerts and enrollment failures now appear on separate tabs on the Device enrollment overview page.
Enrollment abandonment report
A new report that provides details on abandoned enrollments is available under Device enrollment > Monitor.
For more information, see Company portal abandonment report.
New Azure Active Directory terms of use feature
Azure Active Directory has a terms of use feature that you can use instead of existing Intune terms and conditions.
The Azure AD terms of use feature provides more flexibility on which terms to show and when to show them,
better localization support, more control in how terms are rendered and improved reporting. The Azure AD terms
of use feature does require Azure Active Directory Premium P1 which is also part of the Enterprise Mobility +
Security E3 suite. To learn more, see the Manage your company's terms and conditions for user access article.
Android Device Owner mode support
For Samsung Knox Mobile Enrollment, Intune now supports enrolling devices to the Android Device Owner mode
of management. Users on WiFi or cellular networks can enroll with just a few taps when they turn on their devices
for the first time. For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile
Enrollment.
Device management
New settings for Software Updates
You can now configure some notifications to alert end-users about restarts that are required to finish
installation of the latest software updates.
You can now configure a restart warning prompt for restarts that happen outside of work hours, which
supports BYOD scenarios.
Group Windows Autopilot-enrolled devices by correlator ID
Intune now supports grouping Windows devices by a correlator ID when enrolled using Autopilot for existing
devices through Configuration Manager. The correlator ID is a parameter of the Autopilot configuration file. Intune
will automatically set the Azure AD device attribute enrollmentProfileName to equal "OfflineAutopilotprofile-".
This allows arbitrary Azure AD dynamic groups to be created based off correlator ID via the
enrollmentProfileName attribute for offline Autopilot enrollments. For more information, see Windows Autopilot
for existing devices.
Intune app protection policies
Intune app protection policies allow you to configure various data protection settings for Intune protected apps,
such as Microsoft Outlook and Microsoft Word. We've changed the look and feel of these settings for both iOS and
Android to make it easier to find individual settings. There are three categories of policy settings:
Data relocation - This group includes the data loss prevention (DLP) controls, like cut, copy, paste, and save-
as restrictions. These settings determine how users interact with data in the apps.
Access requirements - This group contains the per-app PIN options that determine how the end user
accesses the apps in a work context.
Conditional launch - This group holds settings like the minimum OS settings, jailbreak and rooted device
detection, and offline grace periods.
The functionality of the settings doesn't change, but it will be easier to find them when you work in the policy
authoring flow.
Restrict apps, and block access to company resources on Android devices
In Device compliance > Policies > Create policy > Android > System Security, there is a new setting under
the Device Security section, named Restricted apps. The Restricted apps setting uses a compliance policy to
block access to company resources if certain apps are installed on the device. The device is considered non-
compliant until the restricted apps are removed from the device. Applies to:
Android
Intune apps
Intune will support a maximum package size of 8 GB for LOB apps
Intune increased the maximum package size to 8 GB for Line-of-business (LOB) apps. For more information, see
Add apps to Microsoft Intune.
Add custom brand image for Company Portal app
As the Microsoft Intune admin, you can upload a custom brand image which will be displayed as a background
image on the user's profile page in the iOS Company Portal app. For more information about configuring the
Company Portal app, see How to configure the Microsoft Intune Company Portal app.
Intune will maintain the Office localized language when updating Office on end users machines
When Intune installs Office on your end user's machines, end users automatically get the same language packs
that they had with previous .MSI Office installations. For more information, see Assign Microsoft 365 apps to
Windows 10 devices with Microsoft Intune.
Monitor and troubleshoot
New Intune Support Experience in the Microsoft 365 Device Management portal
We are rolling out a new Help and Support experience for Intune in the Microsoft 365 Device Management portal.
The new experience lets you describe your problem in your own words and receive troubleshooting insight and
web-based remediation content. These solutions are offered via a rule-based machine learning algorithm, driven
by user inquiries.
In addition to issue-specific guidance, you can also use the new case creation workflow to open a support case by
email or phone.
For customers who are part of the rollout, this new experience replaces the current Help and Support experience
of a static set of pre-selected options that are based on the area of the console you are in when you open Help and
Support.
This new Help and Support experience is being rolled out to some but not all tenants and is available in the Device
Management portal. Participants for this new experience are randomly selected from the available Intune tenants.
New tenants will be added as we expand the rollout.
For more information, see Help and Support experience in How to get support for Microsoft Intune.
PowerShell module for Intune – Preview available
A new PowerShell module, which provides support for the Intune API through Microsoft Graph, is now available
for preview on GitHub. For details about how to use this module, see the README in that location.
September 2018
App management
Remove duplication of app protection status tiles
The User status for iOS and the User status for Android tiles were present in both the Client Apps -
Overview page, as well as the Client Apps - App protection status page. The status tiles have been removed
from the Client Apps - Overview page to avoid duplication.
Device configuration
Support for more third-party certification authorities (CA)
By using the Simple Certificate Enrollment Protocol (SCEP), you can now issue new certificates and renew
certificates on mobile devices using Windows, iOS, Android, and macOS.
Device enrollment
Intune moves to support iOS 10 and later
Intune enrollment, the Company Portal, and the managed browser now only support iOS devices running iOS 10
and later. To check for devices or users that are affected in your organization, go to Intune in the Azure portal >
Devices > All devices . Filter by OS and then click Columns to surface OS version details. Ask these users to
upgrade their devices to a supported OS version.
If you have any of the devices listed below, or want to enroll any of the devices listed below, be aware that they
only support iOS 9 and earlier. To continue to access the Intune Company Portal, you must upgrade these devices
to devices that support iOS 10 or later:
iPhone 4S
iPod Touch
iPad 2
iPad (3rd Generation)
iPad Mini (1st Generation)
Device management
Microsoft 365 Device Management administration center
One of the promises of Microsoft 365 is simplified administration, and over the years we've integrated the back-
end Microsoft 365 services to deliver end-to-end scenarios such as Intune and Azure AD Conditional Access. The
new Microsoft 365 administration center is the place to consolidate, simplify, and integrate the admin experience.
The specialist workspace for Device Management provides easy access to all of the device and app management
information and tasks that your organization needs. We expect this to become the primary cloud workspace for
enterprise end user computing teams.
August 2018
App management
Packet tunnel support for iOS per-app VPN profiles for custom and Pulse Secure connection types
When using iOS per-app VPN profiles, you can choose to use app-layer tunneling (app-proxy) or packet-level
tunneling (packet-tunnel). These options are available with the following connection types:
Custom VPN
Pulse Secure
If you are not sure which value to use, consult your VPN provider's documentation.
Delay when iOS software updates are shown on the device
In Intune > Software Updates > Update policies for iOS , you can configure the days and times when you
don't want devices to install any updates. In a future update, you'll be able to delay when a software update is
visibly shown on the device, from 1-90 days. Configure iOS update policies in Microsoft Intune lists the current
settings.
Microsoft 365 Apps for enterprise version
When assigning the Microsoft 365 Apps for enterprise apps to Windows 10 devices using Intune, you will be able
to select the version of Office. In the Azure portal, select Microsoft Intune > Apps > Add App. Then, select
Office 365 ProPlus Suite (Windows 10) from the Type dropdown list. Select App Suite Settings to display
the associated blade. Set the Update Channel to a value, such as Monthly. Optionally, remove other versions of
Office (msi) from end user devices by selecting Yes. Select Specific to install a specific version of Office for the
selected channel on end user devices. At this point, you can select the Specific version of Office to use. The
available versions will change over time. Therefore, when creating a new deployment, the versions available may
be newer and not have certain older versions available. Current deployments will continue to deploy the older
version, but the version list will be continually updated per channel. For more information, see Overview of update
channels for Microsoft 365 Apps.
Support for Register DNS setting for Windows 10 VPN
With this update, you can configure Windows 10 VPN profiles to dynamically register the IP addresses assigned to
the VPN interface with the internal DNS, without needing to use custom profiles. For information about the
current VPN profile settings available, see Windows 10 VPN settings.
The macOS Company Portal installer now includes the version number in the installer file name
iOS automatic app updates
Automatic app updates work for both device and user licensed apps for iOS Version 11.0 and above.
Device configuration
Windows Hello will target users and devices
When you create a Windows Hello for Business policy, it applies to all users within the organization (tenant-wide).
With this update, the policy can also be applied to specific users or specific devices using a device configuration
policy (Device Configuration > Profiles > Create profile > Identity Protection > Windows Hello for
Business). In Intune in the Azure portal, the Windows Hello configuration and settings now exist in both Device
enrollment and Device configuration . Device enrollment targets the entire organization (tenant-wide), and
supports Windows AutoPilot (OOBE). Device configuration targets devices and users using a policy that's
applied during check-in. This feature applies to:
Windows 10 and later
Windows Holographic for Business
Zscaler is an available connection for VPN profiles on iOS
When you create an iOS VPN device configuration profile (Device configuration > Profiles > Create profile >
iOS platform > VPN profile type), there are several connection types, including Cisco, Citrix, and more. This
update adds Zscaler as a connection type. VPN settings for devices running iOS lists the available connection
types.
FIPS mode for Enterprise Wi-Fi profiles for Windows 10
You can now enable Federal Information Processing Standards (FIPS) mode for Enterprise Wi-Fi profiles for
Windows 10 in the Intune Azure portal. Be sure FIPS mode is enabled on your Wi-Fi infrastructure if you enable it
in your Wi-Fi profiles. Wi-Fi settings for Windows 10 and later devices in Intune shows you how to create a Wi-Fi
profile.
Control S-mode on Windows 10 and later devices - public preview
With this feature update, you can create a device configuration profile that switches a Windows 10 device out of S-
mode, or prevent users from switching the device out of S-mode. This feature is in Intune > Device
configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch. Introducing
Windows 10 in S mode provides more information on S mode. Applies to: the most recent Windows Insider build
(while in preview).
Windows Defender ATP configuration package automatically added to configuration profile
When using Advanced Threat Protection and onboarding devices in Intune, you previously had to download a
configuration package, and add it to your configuration profile. With this update, Intune automatically gets the
package from Windows Defender Security Center, and adds it to your profile. Applies to Windows 10 and later.
Require users to connect during device setup
You can now set device profiles to require that the device connects to a network before proceeding past the
Network page during Windows 10 setup. While this feature is in preview, a Windows Insider build 1809 or later is
required to use this setting. Applies to: the most recent Windows Insider build (while in preview).
Restrict apps, and block access to company resources on iOS and Android Enterprise devices
In Device compliance > Policies > Create policy > iOS > System Security, there is a new Restricted
applications setting. This new setting uses a compliance policy to block access to company resources if certain
apps are installed on the device. The device is considered non-compliant until the restricted apps are removed
from the device. Applies to: iOS
Modern VPN support updates for iOS
This update adds support for the following iOS VPN clients:
F5 Access (version 3.0.1 and higher)
Citrix SSO
Palo Alto Networks GlobalProtect version 5.0 and higher
Also in this update:
Existing F5 Access connection type is renamed to F5 Access Legacy for iOS.
Existing Palo Alto Networks GlobalProtect connection type is renamed to Palo Alto Networks
GlobalProtect (legacy) for iOS. Existing profiles with these connection types continue to work with their
respective legacy VPN client. If you're using Cisco Legacy AnyConnect, F5 Access Legacy, Citrix VPN, or Palo
Alto Networks GlobalProtect version 4.1 and earlier with iOS, you should move to the new apps. Do this as
soon as possible to ensure that VPN access is available for iOS devices as they update to iOS 12. For more
information about iOS 12 and VPN profiles, see the Microsoft Intune Support Team Blog.
Export Azure classic portal compliance policies to recreate these policies in the Intune Azure portal
Compliance policies created in the Azure classic portal will be deprecated. You can review and delete any existing
compliance policies, however you can't update them. If you need to migrate any compliance policies to the current
Intune Azure portal, you can export the policies as a comma-separated file (.csv file). Then, use the details in the
file to recreate these policies in the Intune Azure portal.
IMPORTANT
When the Azure classic portal retires, you will no longer be able to access or view your compliance policies. Therefore, be
sure to export your policies and recreate them in the Azure portal before the Azure classic portal retires.
July 2018
App management
Line-of-business (LOB) app support for macOS
Microsoft Intune allows macOS LOB apps to be deployed as Required or Available with enrollment. End users
can get apps deployed as Available using the Company Portal for macOS or the Company Portal website.
iOS built-in app support for kiosk mode
In addition to Store Apps and Managed Apps, you can now select a Built-In App (such as Safari) that runs in kiosk
mode on an iOS device.
Edit your Microsoft 365 Apps for enterprise app deployments
As the Microsoft Intune admin, you have greater ability to edit your Microsoft 365 Apps for enterprise app
deployments. Additionally, you no longer have to delete your deployments to change any of the suite's properties.
In the Azure portal, select Microsoft Intune > Client apps > Apps. From the list of apps, select your Microsoft
365 Apps for enterprise suite.
Updated Intune App SDK for Android is now available
An updated version of the Intune App SDK for Android is available to support the Android P release. If you are an
app developer and use the Intune SDK for Android, you must install the updated version of the Intune app SDK to
ensure that Intune functionality within your Android apps continues to work as expected on Android P devices. This
version of the Intune App SDK provides a built-in plugin that performs the SDK updates. You do not need to
rewrite any existing code that's integrated. For details, see Intune SDK for Android. If you are using the old badging
style for Intune, we recommend that you use the briefcase icon. For branding details, see this GitHub repository.
More opportunities to sync in the Company portal app for Windows
The Company Portal app for Windows now lets you initiate a sync directly from the Windows taskbar and Start
menu. This feature is especially useful if your only task is to sync devices and get access to corporate resources. To
access the new feature, right-click the Company portal icon that's pinned to your taskbar or Start menu. In the
menu options (also referred to as a jump list), select Sync this device. The Company Portal will open to the
Settings page and initiate your sync. For a look at the new functionality see What's new in the UI.
New browsing experiences in the Company portal app for Windows
Now when browsing or searching for apps in the Company Portal app for Windows, you can toggle between the
existing Tiles view and the newly added Details view. The new view lists application details such as name,
publisher, publication date and installation status.
The Apps page's Installed view lets you see details about completed and in-progress app installations. To see
what the new view looks like, see What's new in the UI.
Improved Company Portal app experience for device enrollment managers
When a device enrollment manager (DEM) signs in to the Company Portal app for Windows, the app will now only
list the DEM's current, running device. This improvement will reduce timeouts that previously occurred when the
app tried to show all DEM-enrolled devices.
Block app access based on unapproved device vendors and models
The Intune IT admin can enforce a specified list of Android manufacturers, and/or iOS models through Intune App
Protection Policies. The IT admin can provide a semicolon separated list of manufacturers for Android policies and
device models for iOS policies. Intune App Protection Policies are for Android and iOS only. There are two separate
actions that can be performed on this specified list:
A block from app access on devices that are not specified.
Or, a selective wipe of corporate data on devices that are not specified.
The user will be unable to access the targeted application if the requirements through the policy are not met.
Based on these settings, the user is either blocked, or the corporate data within the app is selectively wiped. On
iOS devices, this feature requires the participation of applications (such as WXP, Outlook, Managed Browser,
Yammer) to integrate the Intune APP SDK for this feature to be enforced with the targeted applications. This
integration happens on a rolling basis and is dependent on the specific application teams. On Android, this feature
requires the latest Company Portal.
On end-user devices, the Intune client will take action based on a simple matching of the strings specified in the
Intune blade for Application Protection Policies. This depends entirely on the value that the device reports. As such,
the IT administrator is encouraged to ensure that the intended behavior is accurate. This can be accomplished by
testing this setting based on a variety of device manufacturers and models targeted to a small user group. In
Microsoft Intune, select Client apps > App protection policies to view and add app protection policies. For
more information about app protection policies, see What are app protection policies and Selectively wipe data
using app protection policy access actions in Intune.
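The matching behavior described above, as an added illustration that is not Intune's own code: the admin-entered semicolon-separated list is split into an allowlist, the value the device reports is compared against it, and an unlisted device receives either the block or the selective-wipe action. The class, function and field names are assumptions; the page only states that the comparison is a simple string match on the reported value, so the whitespace trimming and case-folding here are added for robustness and are also assumptions. The preview helper implements the page's advice to try the setting against a small group of device manufacturers and models before a wider rollout.

```python
"""Added illustration (not Intune's own code): evaluating an app protection
policy that restricts app access to listed Android manufacturers or iOS models."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"   # device is on the list: app access continues
    BLOCK = "block"   # block app access on devices that are not listed
    WIPE = "wipe"     # selectively wipe corporate data on devices that are not listed


@dataclass(frozen=True)
class AppProtectionPolicy:
    platform: str             # "android" (manufacturers) or "ios" (models)
    allowed_values: str       # semicolon-separated list as typed by the admin
    unlisted_action: Action   # Action.BLOCK or Action.WIPE

    def allowed_set(self) -> set:
        """Split the admin-entered string into a set of normalized entries.

        Trimming whitespace, dropping empty entries (for example a trailing ';')
        and case-folding are assumptions made here; the page only says the
        match is a simple string comparison against the device-reported value."""
        return {v.strip().casefold() for v in self.allowed_values.split(";") if v.strip()}


def evaluate(policy: AppProtectionPolicy, platform: str, reported_value: str) -> Action:
    """Return the action for one device that reports `reported_value`
    (manufacturer on Android, model identifier on iOS).

    The result depends entirely on what the device reports, which is why
    the page recommends testing the list against real devices first."""
    if platform != policy.platform:
        return Action.ALLOW   # an Android policy says nothing about iOS devices, and vice versa
    if reported_value.strip().casefold() in policy.allowed_set():
        return Action.ALLOW
    return policy.unlisted_action


def preview(policy: AppProtectionPolicy, platform: str, reported_values) -> dict:
    """Map each reported value from a small test group to the action it would
    receive, so an admin can check the list matches the intended devices."""
    return {value: evaluate(policy, platform, value) for value in reported_values}


# Constructed sample policies (hypothetical values, not from the page).
android_policy = AppProtectionPolicy("android", "Samsung; Google;", Action.BLOCK)
ios_policy = AppProtectionPolicy("ios", "iPhone10,3;iPhone10,6", Action.WIPE)

if __name__ == "__main__":
    # Constructed test group of manufacturer strings as devices might report them.
    for value, action in preview(android_policy, "android", ["Samsung", "samsung ", "OnePlus"]).items():
        print(f"{value!r}: {action.value}")
```

The preview output is the check to run before assigning the policy broadly: any device in the test group that unexpectedly lands on block or wipe reveals a mismatch between the string the admin typed and the string the device actually reports.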
Access to macOS Company Portal pre-release build
Using Microsoft AutoUpdate, you can sign up to receive builds early by joining the Insider program. Signing up
will enable you to use the updated Company Portal before it's available to your end users. For more information,
see the Microsoft Intune blog.
Device configuration
Create device compliance policy using Firewall settings on macOS devices
When you create a new macOS compliance policy (Device compliance > Policies > Create policy > Platform:
macOS > System security), there are some new Firewall settings available:
Firewall: Configure how incoming connections are handled in your environment.
Incoming connections: Block all incoming connections except those required for basic internet services,
such as DHCP, Bonjour, and IPSec. This setting also blocks all sharing services.
Stealth Mode: Enable stealth mode to prevent the device from responding to probing requests. The device
continues to answer incoming requests for authorized apps.
Applies to: macOS 10.12 and later
New Wi-Fi device configuration profile for Windows 10 and later
Currently, you can import and export Wi-Fi profiles using XML files. With this update, you can create a Wi-Fi
device configuration profile directly in Intune, just like some other platforms.
To create the profile, open Device configuration > Profiles > Create Profile > Windows 10 and later > Wi-Fi.
Applies to Windows 10 and later.
Kiosk - obsolete is grayed out, and can't be changed
The Kiosk (preview) feature (Device configuration > Profiles > Create profile > Windows 10 and later >
Device restrictions) is obsolete, and replaced with Kiosk settings for Windows 10 and later. With this update, the
Kiosk - Obsolete feature is grayed out, and the user interface can't be changed or updated.
To enable kiosk mode, see Kiosk settings for Windows 10 and later.
Applies to Windows 10 and later, Windows Holographic for Business
APIs to use 3rd party certification authorities
In this update, there is a Java API that enables third-party certificate authorities to integrate with Intune and SCEP.
Then, users can add the SCEP certificate to a profile, and apply it to devices using MDM.
Currently, Intune supports SCEP requests using Active Directory Certificate Services.
Toggle to show or not show the End Session button on a Kiosk browser
You can now configure whether or not Kiosk browsers show the End Session button. You can see the control at
Device configuration > Kiosk (preview) > Kiosk Web Browser. If turned on, when a user clicks the button,
the app prompts for confirmation to end the session. When confirmed, the browser clears all browsing data and
navigates back to the default URL.
Create an eSIM cellular configuration profile
In Device configuration, you can create an eSIM cellular profile. You can import a file that contains cellular
activation codes provided by your mobile operator. You can then deploy these profiles to your eSIM LTE enabled
Windows 10 devices, such as the Surface Pro LTE and other eSIM capable devices.
Check to see if your devices support eSIM profiles.
Applies to Windows 10 and later.
Select device categories by using the Access Work or School settings
If you've enabled device group mapping, users on Windows 10 will now be prompted to select a device category
after enrolling through the Connect button in Settings > Accounts > Access work or school.
Use sAMAccountName as the account username for email profiles
You can use the on-premises sAMAccountName as the account username for email profiles for Android, iOS,
and Windows 10. You can also get the domain from the domain or ntdomain attribute in Azure Active Directory
(Azure AD). Or, enter a custom static domain.
To use this feature, you must sync the sAMAccountName attribute from your on-premises Active Directory
environment to Azure AD.
Applies to Android, iOS, Windows 10 and later
See device configuration profiles in conflict
In Device Configuration, a list of the existing profiles is shown. With this update, a new column is added that
provides details on profiles that have a conflict. You can select a conflicting row to see the setting and profile that
has the conflict.
More on manage configuration profiles.
New status for devices in device compliance
In Device compliance > Policies > select a policy > Overview, the following new states are added:
succeeded
error
conflict
pending
not-applicable
An image that shows the device count of a different platform is also shown. For example, if
you're looking at an iOS profile, the new tile shows the count of non-iOS devices that are also assigned to this
profile. See Device compliance policies.
Device compliance supports 3rd party anti-virus solutions
When you create a device compliance policy (Device compliance > Policies > Create policy > Platform:
Windows 10 and later > Settings > System Security), there are new Device Security options:
Antivirus: When set to Require, you can check compliance using antivirus solutions that are registered with
Windows Security Center, such as Symantec and Windows Defender.
AntiSpyware: When set to Require, you can check compliance using antispyware solutions that are registered
with Windows Security Center, such as Symantec and Windows Defender.
Applies to: Windows 10 and later
Device enrollment
Automatically mark Android devices enrolled by using Samsung Knox Mobile Enrollment as "corporate".
By default, Android devices enrolled using Samsung Knox Mobile Enrollment are now marked as corporate under
Device Ownership. You don't need to manually identify corporate devices using IMEI or serial numbers prior to
enrolling using Knox Mobile Enrollment.
Devices without profiles column in the list of enrollment program tokens
In the enrollment program tokens list, there is a new column showing the number of devices without a profile
assigned. This helps admins assign profiles to these devices before handing them out to users. To see the new
column, go to Device enrollment > Apple enrollment > Enrollment program tokens.
Device management
Bulk delete devices on devices blade
You can now delete multiple devices at a time on the Devices blade. Choose Devices > All devices > select the
devices you want to delete > Delete. For devices that can't be deleted, an alert will be displayed.
Google name changes for Android for Work and Play for Work
Intune has updated "Android for Work" terminology to reflect Google branding changes. The terms "Android for
Work" and "Play for Work" are no longer used. Different terminology is used depending on the context:
"Android enterprise" refers to the overall modern Android management stack.
"Work profile" or "Profile Owner" refers to BYOD devices managed with work profiles.
"Managed Google Play" refers to the Google app store.
Rules for removing devices
New rules are available that let you automatically remove devices that haven't checked in for a number of days
that you set. To see the new rule, go to the Intune pane, select Devices, and select Device cleanup rules.
Corporate-owned, single use support for Android devices
Intune now supports highly-managed, locked-down, kiosk-style Android devices. This allows admins to further
lock down the usage of a device to a single app or small set of apps, and prevents users from enabling other apps
or performing other actions on the device. To set up Android kiosk, go to Intune > Device enrollment >
Android enrollment > Kiosk and task device enrollments. For more information, see Set up enrollment of
Android enterprise kiosk devices.
Per-row review of duplicate corporate device identifiers uploaded
When uploading corporate IDs, Intune now provides a list of any duplicates and gives you the option to replace or
keep the existing information. The report will appear if there are duplicates after you choose Device enrollment
> Corporate Device Identifiers > Add Identifiers.
Manually add corporate device identifiers
You can now manually add corporate device IDs. Choose Device enrollment > Corporate Device Identifiers
> Add.
June 2018
App management
Microsoft Edge mobile support for Intune app protection policies
The Microsoft Edge browser for mobile devices now supports app protection policies defined in Intune.
Retrieve the associated app user model ID (AUMID) for Microsoft Store for Business apps in kiosk mode
Intune can now retrieve the app user model IDs (AUMIDs) for Microsoft Store for Business (WSfB) apps to provide
improved configuration of the kiosk profile.
For more information about Microsoft Store for Business apps, see Manage apps from Microsoft Store for
Business.
New Company Portal branding page
The Company Portal branding page has a new layout, messages, and tooltips.
Device configuration
Pradeo - New Mobile Threat Defense partner
You can control mobile device access to corporate resources using Conditional Access based on risk assessment
conducted by Pradeo, a Mobile Threat Defense solution that integrates with Microsoft Intune.
Use FIPS mode with the NDES Certificate connector
When you install the NDES Certificate connector on a computer with Federal Information Processing Standard
(FIPS) mode enabled, issuing and revoking certificates didn't work as expected. With this update, support for FIPS
is included with the NDES Certificate connector.
This update also includes:
The NDES Certificate connector requires .NET 4.5 Framework, which is automatically included with Windows
Server 2016 and Windows Server 2012 R2. Previously, .NET 3.5 Framework was the minimum required
version.
TLS 1.2 support is included with the NDES Certificate connector. So if the server with NDES Certificate
connector installed supports TLS 1.2, then TLS 1.2 is used. If the server doesn't support TLS 1.2, then TLS 1.1 is
used. Currently, TLS 1.1 is used for authentication between the devices and server.
For more information, see Configure and use SCEP certificates and Configure and use PKCS certificates.
Support for Palo Alto Networks GlobalProtect VPN profiles
With this update, you can choose Palo Alto Networks GlobalProtect as a VPN connection type for VPN profiles in
Intune (Device configuration > Profiles > Create profile > Profile type > VPN). In this release, the following
platforms are supported:
iOS
Windows 10
Additions to Local Device Security Options settings
You can now configure additional Local Device Security Options settings for Windows 10 devices. Additional
settings are available in the areas of Microsoft Network Client, Microsoft Network Server, Network access and
security, and Interactive logon. Find these settings in the Endpoint Protection category when you create a Windows
10 device configuration policy.
Enable kiosk mode on Windows 10 devices
On Windows 10 devices, you can create a configuration profile and enable kiosk mode (Device Configuration >
Profiles > Create profile > Windows 10 > Device Restrictions > Kiosk). In this update, the Kiosk
(preview) setting is renamed to Kiosk (obsolete). Kiosk (obsolete) is no longer recommended for use, but will
continue to function until the July update. Kiosk (obsolete) is replaced by the new Kiosk profile type (Create
profile > Windows 10 > Kiosk (preview)), which will contain the settings to configure Kiosks on Windows 10
RS4 and later.
Applies to Windows 10 and later.
Device profile graphical user chart is back
While improving the numeric counts shown on the device profile graphical chart (Device configuration >
Profiles > select an existing profile > Overview), the graphical user chart was temporarily removed.
With this update, the graphical user chart is back, and shown in the Azure portal.
Device enrollment
Support for Windows Autopilot enrollment without user authentication
Intune now supports Windows Autopilot enrollment without user authentication. This is a new option in the
Windows Autopilot deployment profile "Autopilot Deployment mode" set to "Self-Deploying". The device must be
running Windows 10 Insider Preview Build 17672 or later and possess a TPM 2.0 chip to successfully complete
this type of enrollment. Since no user authentication is required, you should only assign this option to devices that
you have physical control over.
New language/region setting when configuring OOBE for Autopilot
A new configuration setting is available to set the language and region for Autopilot profiles during the Out of Box
Experience. To see the new setting, choose Device enrollment > Windows enrollment > Deployment
profiles > Create profile > Deployment mode = Self-deploying > Defaults configured.
New setting for configuring device keyboard
A new setting will be available to configure the keyboard for Autopilot profiles during the Out of Box Experience.
To see the new setting, choose Device enrollment > Windows enrollment > Deployment profiles > Create
profile > Deployment mode = Self-deploying > Defaults configured.
Autopilot profiles moving to group targeting
AutoPilot deployment profiles can be assigned to Azure AD groups containing AutoPilot devices.
Device management
Set compliance by device location
In some situations, you may want to restrict access to corporate resources to a specific location, defined by a
network connection. You can now create a compliance policy (Device compliance > Locations) based on the IP
address of the device. If the device moves outside the IP range, then the device cannot access corporate resources.
Applies to: Android devices 6.0 and higher, with the updated Company Portal app
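The location rule described above, as an added illustration that is not Intune's own code: the admin defines one or more IP ranges, and a device is treated as compliant only while the address it reports falls inside one of them; as soon as it moves outside the range, compliance (and with it access to corporate resources) is lost. The function names and the accepted range notations (CIDR, single address, or start-end) are assumptions; the page only says the policy is based on the IP address of the device.

```python
"""Added illustration (not Intune's own code): evaluating a location-based
compliance rule defined as one or more IP ranges."""
import ipaddress


def parse_location(spec: str) -> list:
    """Turn one admin-entered location into a list of network objects.

    Accepted notations (an assumption of this example): a CIDR block such as
    '10.0.0.0/8', a single address, or an inclusive 'start-end' range."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        # summarize_address_range yields the minimal set of CIDR blocks covering start..end
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False lets an admin write '10.1.2.3/8' and get 10.0.0.0/8
    return [ipaddress.ip_network(spec, strict=False)]


def is_compliant(device_ip: str, allowed_locations) -> bool:
    """True if the reported address lies inside any configured location.
    Address-family mismatches (IPv6 address vs IPv4 range) never match."""
    ip = ipaddress.ip_address(device_ip)
    return any(ip in net for loc in allowed_locations for net in parse_location(loc))


def compliance_trace(reported_ips, allowed_locations) -> list:
    """Evaluate a sequence of addresses a device reported over time, so the
    moment it leaves the permitted range (and loses access) is visible."""
    return [is_compliant(ip, allowed_locations) for ip in reported_ips]


if __name__ == "__main__":
    # Constructed sample: a corporate range plus a small guest block (RFC 5737 test addresses).
    locations = ["10.0.0.0/8", "192.0.2.0-192.0.2.15"]
    # Constructed check-in history: on the corporate LAN, then on an outside network.
    history = ["10.20.30.40", "192.0.2.5", "203.0.113.9"]
    for ip, ok in zip(history, compliance_trace(history, locations)):
        print(f"{ip:>14}: {'compliant' if ok else 'NOT compliant'}")
```

The trace makes the rule's failure mode explicit: the last check-in from 203.0.113.9 flips the device to noncompliant, which is the state the Conditional Access policy acts on. The evaluation is only as good as the address the device reports, so the ranges should be tested against a small group of devices on each expected network before assignment.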
Prevent consumer apps and experiences on Windows 10 Enterprise RS4 Autopilot devices
You will be able to prevent the installation of consumer apps and experiences on your Windows 10 Enterprise RS4
AutoPilot devices. To see this feature, go to Intune > Device configuration > Profiles > Create profile >
Platform = Windows 10 or later > Profile type = Device restrictions > Configure > Windows Spotlight
> Consumer features.
Uninstall the latest from Windows 10 software updates
Should you discover a breaking issue on your Windows 10 machines, you can choose to uninstall (rollback) the
latest feature update or the latest quality update. Uninstalling a feature or quality update is only available for the
servicing channel the device is on. Uninstalling will trigger a policy to restore the previous update on your
Windows 10 machines. For feature updates specifically, you can limit the time from 2-60 days that an uninstall of
the latest version can be applied. To set software update uninstall options, select Software updates from the
Microsoft Intune blade within the Azure portal. Then, select Windows 10 Update Rings from the Software
updates blade. You can then choose the Uninstall option from the Overview section.
Search all devices for IMEI and serial number
You can now search for IMEI and serial numbers on the All devices blade (email, UPN, device name, and
management name are still available). In Intune, choose Devices > All devices > enter your search in the search
box.
Management name field will be editable
You can now edit the management name field on a device's Properties blade. To edit this field, choose Devices >
All devices > choose the device > Properties. You can use the management name field to uniquely identify a
device.
New All devices filter: Device category
You can now filter the All devices list by device category. To do so, choose Devices > All devices > Filter >
Device category.
Use TeamViewer to screen share iOS and macOS devices
Administrators can now connect to TeamViewer, and start a screen sharing session with iOS and macOS devices.
iPhone, iPad, and macOS users can share their screens live with any other desktop or mobile device.
Multiple Exchange Connector support
You're no longer limited to one Microsoft Intune Exchange Connector per tenant. Intune now supports multiple
Exchange Connectors so that you can set up Intune Conditional Access with multiple on-premises Exchange
organizations.
With an Intune on-premises Exchange connector, you can manage device access to your on-premises Exchange
mailboxes based on whether a device is enrolled in Intune and complies with Intune device compliance policies. To
set up a connector, you download the Intune on-premises Exchange connector from the Azure portal and install it
on a server in your Exchange organization. On the Microsoft Intune dashboard, choose On-premises access, and
then under Setup, choose Exchange ActiveSync connector. Download the Exchange on-premises connector
and install it on a server in your Exchange organization. Now that you're no longer limited to one Exchange
connector per tenant, if you have additional Exchange organizations, you can follow this same process to
download and install a connector for each additional Exchange organization.
New device hardware detail: CCID
The Chip Card Interface Device (CCID) information is now included for each device. To see it, choose Devices > All
devices > choose a device > Hardware > check under Network details >
Assign all users and all devices as scope groups
You can now assign all users, all devices, and all users and all devices in scope groups. To do this, choose Intune
roles > All roles > Policy and profile manager > Assignments > choose an assignment > Scope (groups).
UDID information now included for iOS and macOS devices
To see the Unique Device Identifier (UDID) for iOS and macOS devices, go to Devices > All devices > choose a
device > Hardware. UDID is only available for corporate devices (as set under Devices > All devices > choose a
device > Properties > Device ownership).
Intune apps
Improved troubleshooting for app installation
On Microsoft Intune MDM-managed devices, sometimes app installations can fail. When these app installs fail, it
can be challenging to understand the failure reason or troubleshoot the issue. We're shipping a Public Preview of
our App Troubleshooting features. You will notice a new node under each individual device called Managed Apps.
This lists the apps that have been delivered via Intune MDM. Inside the node, you'll see a list of app install states. If
you select an individual app, you'll see the troubleshooting view for that specific app. In the troubleshooting view,
you'll see the end-to-end lifecycle of the app, such as when the app was created, modified, targeted, and delivered
to a device. Additionally, if the app install was not successful, you'll be presented with the error code and a helpful
message about the cause of the error.
Intune app protection policies and Microsoft Edge
The Microsoft Edge browser for mobile devices (iOS and Android) now supports Microsoft Intune app protection
policies. Users of iOS and Android devices who sign in with their corporate Azure AD accounts in the Microsoft
Edge application will be protected by Intune. On iOS devices, the Require managed browser for web content
policy will allow users to open links in Microsoft Edge when it is managed.
May 2018
App management
Configuring your app protection policies
In the Azure portal, instead of going to the Intune App Protection service blade, you now just go to Intune. There is
now only one location for app protection policies within Intune. Note that all of your app protection policies are on
the Mobile app blade in Intune under App protection policies. This integration helps to simplify your cloud
management administration. Remember, all app protection policies are already in Intune and you can modify any
of your previously configured policies. Intune App Policy Protection (APP) and Conditional Access (CA) policies are
now under Conditional Access, which can be found under the Manage section in the Microsoft Intune blade
or under the Security section in the Azure Active Directory blade. For more information about modifying
Conditional Access policies, see Conditional Access in Azure Active Directory. For additional information, see What
are app protection policies?
Device configuration
Require installation of policies, apps, certificate and network profiles
Admins can block end users from accessing the Windows 10 RS4 desktop until Intune installs policies, apps, and
certificate and network profiles during the provisioning of AutoPilot devices. For more info, see Set up an
enrollment status page.
Device enrollment
Samsung Knox mobile enrollment support
When using Intune with Samsung Knox Mobile Enrollment (KME), you can enroll large numbers of company-
owned Android devices. Users on WiFi or cellular networks can enroll with just a few taps when they turn on their
devices for the first time. When using the Knox Deployment App, devices can be enrolled using Bluetooth or NFC.
For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.
Monitor and troubleshoot
Requesting help in the Company Portal for Windows 10
The Company Portal for Windows 10 will now send app logs directly to Microsoft when the user initiates the
workflow to get help with an issue. This will make it easier to troubleshoot and resolve issues that are raised to
Microsoft.
April 2018
App management
Passcode support for MAM PIN on Android
Intune admins can set an application launch requirement to enforce a passcode instead of a numeric MAM PIN. If
configured, the user is required to set and use a passcode when prompted before getting access to MAM-
enlightened applications. A passcode is defined as a numeric PIN with at least one special character or
upper/lowercase letter. Intune supports passcodes in a similar way to the existing numeric PIN: you can
set a minimum length and allow repeat characters and sequences through the admin console. This feature requires
the latest version of Company Portal on Android. This feature is already available for iOS.
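The passcode requirement described above, as an added illustration that is not Intune's or the Company Portal's own code: a numeric PIN must be all digits, a passcode must contain at least one character that is not a digit (a letter or a special character), and the admin-configurable minimum length, repeated-character and sequence rules are applied on top. The class and function names are assumptions, as are the concrete definitions of "repeat" (the same character twice in a row) and "sequence" (three characters in a row ascending or descending by one), which the page does not spell out.

```python
"""Added illustration (not Intune's own code): checking a proposed MAM PIN or
passcode against an admin-defined requirement."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasscodeRequirement:
    minimum_length: int = 6
    allow_repeated_characters: bool = False   # e.g. "aa", "11"
    allow_sequences: bool = False             # e.g. "123", "abc", "321"
    passcode_type: str = "passcode"           # "passcode" or "numeric"


def _has_repeat(value: str) -> bool:
    """Assumed definition: the same character appears twice consecutively."""
    return any(a == b for a, b in zip(value, value[1:]))


def _has_sequence(value: str) -> bool:
    """Assumed definition: three consecutive characters whose code points
    step by exactly +1 or -1 (covers '123', 'cba', 'xyz')."""
    codes = [ord(c) for c in value]
    for i in range(len(codes) - 2):
        d1, d2 = codes[i + 1] - codes[i], codes[i + 2] - codes[i + 1]
        if d1 == d2 and d1 in (1, -1):
            return True
    return False


def validate(value: str, req: PasscodeRequirement) -> list:
    """Return the list of rule names the value violates; an empty list means
    the value is acceptable under `req`. Rule names are assumptions."""
    problems = []
    if len(value) < req.minimum_length:
        problems.append("length")
    all_digits = all(c in "0123456789" for c in value)
    if req.passcode_type == "numeric":
        if not all_digits:
            problems.append("charset")   # a numeric PIN may contain digits only
    elif all_digits:
        problems.append("charset")       # a passcode needs a letter or special character
    if not req.allow_repeated_characters and _has_repeat(value):
        problems.append("repeat")
    if not req.allow_sequences and _has_sequence(value):
        problems.append("sequence")
    return problems


if __name__ == "__main__":
    strict = PasscodeRequirement()
    # Constructed candidate values; none are real credentials.
    for candidate in ["7a3!9k", "77a3!9", "1234ab", "123456"]:
        print(f"{candidate}: {validate(candidate, strict) or 'ok'}")
```

Returning the full list of violated rules, rather than stopping at the first, is what lets a client prompt show the user everything that must change in one pass.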
Line-of-business (LOB) app support for macOS
Microsoft Intune will provide the capability to install macOS LOB apps from the Azure portal. You will be able to
add a macOS LOB app to Intune after it has been pre-processed by the tool available in GitHub. In the Azure portal,
choose Client apps from the Intune blade. On the Client apps blade, choose Apps > Add. On the Add App
blade, select Line-of-business app.
Built-in All Users and All Devices Group for Android Enterprise work profile app assignment
You can leverage the built-in All Users and All Devices groups for Android Enterprise work profile app
assignment. For more information, see Include and exclude app assignments in Microsoft Intune.
Intune will reinstall required apps that are uninstalled by users
If an end user uninstalls a required app, Intune automatically reinstalls the app within 24 hours rather than waiting
for the 7-day re-evaluation cycle.
Update where to configure your app protection policies
In the Azure portal within the Microsoft Intune service, we're going to temporarily redirect you from the Intune
App Protection service blade to the Mobile app blade. Note that all of your app protection policies are already
on the Mobile app blade in Intune under app configuration. Instead of going to Intune App Protection, you'll just
go to Intune. In April 2018, we will stop the redirection and fully remove the Intune App Protection service
blade, so that there's only one location for app protection policies within Intune.
How does this affect me? This change will affect both Intune standalone customers and hybrid (Intune with
Configuration Manager) customers. This integration will help simplify your cloud management administration.
What do I need to do to prepare for this change? Please tag Intune as a favorite instead of the Intune App
Protection service blade and ensure you're familiar with the App protection policy workflow in the Mobile app
blade within Intune. We'll redirect for a short period of time and then remove the App Protection blade.
Remember, all app protection policies are already in Intune and you can modify any of your Conditional Access
policies. For more information about modifying Conditional Access policies, see Conditional Access in Azure Active
Directory. For additional information, see What are app protection policies?
Device configuration
Device profile chart and status list show all devices in a group
When you configure a device profile (Device configuration > Profiles ), you choose the device profile, such as
iOS. You assign this profile to a group that includes iOS devices and non-iOS devices. The graphical chart count
shows that the profile is applied to the iOS and the non-iOS devices (Device configuration > Profiles > select
an existing profile > Overview). When you select the graphical chart in the Overview tab, the Device status
lists all the devices in the group, instead of only the iOS devices.
With this update, the graphical chart (Device configuration > Profiles > select an existing profile > Overview)
only shows the count for the specific device profile. For example, if the configuration device profile applies to iOS
devices, the chart only lists the count of the iOS devices. Selecting the graphical chart, and opening the Device
status only lists the iOS devices.
While this update is being made, the graphical user chart is temporarily removed.
Always On VPN for Windows 10
Currently, Always On can be used on Windows 10 devices by using a custom virtual private network (VPN) profile
created using OMA-URI.
With this update, admins can enable Always On for Windows 10 VPN profiles directly in Intune in the Azure portal.
Always On VPN profiles will automatically connect when:
Users sign into their devices
The network on the device changes
The screen on the device turns back on after being turned off
New printer settings for education profiles
For education profiles, new settings are available under the Printers category: Printers, Default printer, Add
new printers .
Show caller ID in personal profile - Android Enterprise work profile
When using a personal profile on a device, end users may not see the caller ID details from a work contact.
With this update, there is a new setting in Android Enterprise > Device restrictions > Work profile settings:
Display work contact caller-id in personal profile
When enabled (not configured), the work contact caller details are displayed in the personal profile. When blocked,
the work contact caller number is not displayed in the personal profile.
Applies to: Android work profile devices on Android OS v6.0 and newer
New Windows Defender Credential Guard settings added to endpoint protection settings
With this update, Windows Defender Credential Guard (Device configuration > Profiles > Endpoint
protection ) includes the following settings:
Windows Defender Credential Guard: Turns on Credential Guard with virtualization-based security.
Enabling this feature helps protect credentials at the next reboot when Platform Security Level with Secure
Boot and Virtualization Based Security are both enabled. Options include:
Disabled: If Credential Guard was previously turned on with the "Enabled without lock" option,
then it turns off Credential Guard remotely.
Enabled with UEFI lock: Ensures that Credential Guard cannot be disabled using a registry key or
using Group Policy. To disable Credential Guard after using this setting, you must set the Group
Policy to "Disabled". Then, remove the security functionality from each computer, with a physically
present user. These steps clear the configuration persisted in UEFI. As long as the UEFI configuration
persists, Credential Guard is enabled.
Enabled without lock: Allows Credential Guard to be disabled remotely using Group Policy. The
devices that use this setting must be running at least Windows 10 (Version 1511).
The following dependent technologies are automatically enabled when configuring Credential Guard:
Enable Virtualization-based Security (VBS): Turns on virtualization-based security (VBS) at next reboot.
Virtualization-based security uses the Windows Hypervisor to provide support for security services, and
requires Secure Boot.
Secure Boot with Direct Memory Access (DMA): Turns on VBS with Secure Boot and direct memory
access. DMA protection requires hardware support, and is only enabled on properly configured devices.
Use a custom subject name on SCEP certificate
You can use the OnPremisesSamAccountName as the common name in a custom subject on an SCEP certificate
profile. For example, you can use CN={OnPremisesSamAccountName}.
Block camera and screen captures on Android Enterprise work profiles
Two new properties are available to block when you configure device restrictions for Android devices:
Camera: Blocks access to all cameras on the device
Screen capture: Blocks the screen capture, and also prevents the content from being shown on display devices
that don't have a secure video output
Applies to Android Enterprise work profiles.
Use Cisco AnyConnect client for iOS
When you create a new VPN profile for iOS, there are now two options: Cisco AnyConnect and Cisco Legacy
AnyConnect. Cisco AnyConnect profiles support 4.0.7x and newer versions. Existing iOS Cisco AnyConnect VPN
profiles are labeled Cisco Legacy AnyConnect, and continue to work with Cisco AnyConnect 4.0.5x and older
versions, as they do today.
NOTE
This change only applies to iOS. There continues to be only one Cisco AnyConnect option for Android, Android Enterprise
work profiles, and macOS platforms.
Device enrollment
New enrollment steps for users on devices with macOS High Sierra 10.13.2+
macOS High Sierra 10.13.2 introduced the concept of "User Approved" MDM enrollment. Approved enrollments
allow Intune to manage some security-sensitive settings. For more information, see Apple's support
documentation here: https://support.apple.com/HT208019.
Devices enrolled using the macOS Company Portal are considered "Not User Approved" unless the end user
opens System Preferences and manually provides approval. To this end, the macOS Company Portal now directs
users on macOS 10.13.2 and above to go and manually approve their enrollment at the end of the enrollment
process. The Intune admin console reports whether an enrolled device is user approved.
Jamf-enrolled macOS devices can now register with Intune
Versions 1.3 and 1.4 of the macOS Company Portal did not successfully register Jamf devices with Intune. Version
1.4.2 of the macOS Company Portal fixes this issue.
Updated help experience in Company Portal app for Android
We've updated the help experience in the Company Portal app for Android to align with best practices for the
Android platform. Now when users encounter a problem in the app, they can tap Menu > Help and:
Upload diagnostic logs to Microsoft.
Send an email that describes the problem and incident ID to a company support person.
To check out the updated help experience go to Send logs using email and Send errors to Microsoft.
New enrollment failure trend chart and failure reasons table
On the Enrollment Overview page, you can view the trend of enrollment failures and the top five causes of
failures. By clicking on the chart or table, you can drill into details to find troubleshooting advice and remediation
suggestions.
Device management
Advanced Threat Protection (ATP) and Intune are fully integrated
Advanced Threat Protection (ATP) shows the risk level of Windows 10 devices. In Windows Defender Security
Center (ATP portal), you can create a connection to Microsoft Intune. Once created, an Intune compliance policy is
used to determine an acceptable threat level. If the threat level is exceeded, an Azure Active Directory (AD)
Conditional Access policy can then block access to different apps within your organization.
This feature allows ATP to scan files, detect threats, and report any risk on your Windows 10 devices.
See Enable ATP with Conditional Access in Intune.
Support for user-less devices
Intune supports the ability to evaluate compliance on a user-less device, such as the Microsoft Surface Hub.
Compliance policy can target specific devices. So compliance (and noncompliance) can be determined for devices
that don't have an associated user.
Delete Autopilot devices
Intune admins can delete Autopilot devices.
Improved device deletion experience
You're no longer required to remove company data or factory reset a device before deleting it from
Intune.
To see the new experience, sign in to Intune and select Devices > All devices > the name of the device > Delete.
If you still want the wipe/retire confirmation, you can use the standard device lifecycle route by issuing Remove
company data and Factory Reset prior to Delete.
Play sounds on iOS when in Lost mode
When supervised iOS devices are in Mobile Device Management (MDM) Lost mode, you can play a sound
(Devices > All devices > select an iOS device > Overview > More). The sound continues to play until the
device is removed from Lost mode, or a user disables sound on the device. Applies to iOS devices 9.3 and newer.
Block or allow web results in searches made on an Intune device
Admins can now block web results from searches made on a device.
Improved error messaging for Apple MDM Push Certificate upload failure
The error message explains that the same Apple ID must be used when renewing an existing MDM certificate.
Test the Company Portal for macOS on virtual machines
We've published guidance to help IT admins test the Company Portal app for macOS on virtual machines in
Parallels Desktop and VMware Fusion. Find out more in enroll virtual macOS machines for testing.
Intune apps
User experience update for the Company Portal app for iOS
We've released a major user experience update to the Company Portal app for iOS. The update features a
complete visual redesign that includes a modernized look and feel. We've maintained the functionality of the app,
but increased its usability and accessibility.
You'll also see:
Support for iPhone X.
Faster app launch and loading responses, to save users time.
Additional progress bars to provide users with the most up-to-date status information.
Improvements to the way users upload logs, so if something goes wrong, it's easier to report.
To see the updated look, go to What's new in the app UI.
Protect on-premises Exchange data using Intune APP and CA
You can now use Intune App Policy Protection (APP) and Conditional Access (CA) to protect access to on-premises
Exchange data with Outlook Mobile. To add or modify an app protection policy within the Azure portal, select
Microsoft Intune > Client apps > App protection policies. Before using this feature, make sure you meet the
Outlook for iOS and Android requirements.
User interface
Improved device tiles in the Windows 10 Company Portal
The tiles have been updated to be more accessible to low-vision users and to perform better for screen reading
tools.
Send diagnostic reports in Company Portal app for macOS
The Company Portal app for macOS devices was updated to improve how users report Intune-related errors.
From the Company Portal app, your employees can:
Upload diagnostic reports directly to the Microsoft developer team.
Email an incident ID to your company's IT support team.
For more information see Send errors for macOS.
Intune adapts to Fluent Design System in the Company Portal app for Windows 10
The Intune Company Portal app for Windows 10 has been updated with the Fluent Design System's navigation
view. Along the side of the app, you'll notice a static, vertical list of all top-level pages. Click any link to quickly view
and switch between pages. This is the first of several updates you'll see as part of our ongoing effort to create a
more adaptive, empathetic, and familiar experience in Intune. To see the updated look, go to What's new in the app
UI.
March 2018
App management
Alerts for expiring iOS line-of-business (LOB) apps for Microsoft Intune
In the Azure portal, Intune will alert you to iOS line-of-business apps that are about to expire. Upon uploading a
new version of the iOS line-of-business app, Intune removes the expiration notification from the app list. This
expiration notification will only be active for newly uploaded iOS line-of-business apps. A warning appears 30
days before the iOS LOB app provisioning profile expires. When it expires, the alert changes to Expired.
Customize your Company Portal themes with hex codes
You can customize theme color in the Company Portal apps using hex codes. When you enter your hex code,
Intune determines the text color that provides the highest level of contrast between the text color and the
background color. You can preview both the text color and your company logo against the color in Client apps >
Company Portal.
Including and excluding app assignment based on groups for Android Enterprise
Android Enterprise (formerly known as Android for Work) supports including and excluding groups, but does not
support the pre-created All Users and All Devices built-in groups. For more information, see Include and
exclude app assignments in Microsoft Intune.
Device management
Export all devices into CSV files in IE, Microsoft Edge, or Chrome
In Devices > All devices, you can Export the devices into a CSV formatted list. Internet Explorer (IE) users with
more than 10,000 devices can successfully export their devices into multiple files. Each file has up to 10,000 devices.
Microsoft Edge and Chrome users with more than 30,000 devices can successfully export their devices into multiple files.
Each file has up to 30,000 devices.
Manage devices provides more details on what you can do with devices you manage.
New security enhancements in the Intune service
We've introduced a toggle in Intune on Azure that Intune standalone customers can use to treat devices without
any policy assigned as Compliant (security feature off) or treat these devices as Not compliant (security feature
on). This will ensure access to resources only after device compliance has been evaluated.
This feature affects you differently depending on whether you already have compliance policies assigned or not.
If you are a new or existing account, and don't have any compliance policies assigned to your devices, then the
toggle is automatically set to Compliant. The feature is off as a default setting in the console. There is no end-
user impact.
If you are an existing account, and you have any devices with a compliance policy assigned to them, then the
toggle is automatically set to Not compliant. The feature is on as a default setting, as the March update rolls
out.
If you use compliance policies with Conditional Access (CA), and have the feature turned on, any devices without at
least one compliance policy assigned are now blocked by CA. End users associated with these devices, who
were previously allowed access to email, lose their access unless you assign at least one compliance policy to all
devices.
Note that although the default toggle status is displayed in the UI immediately with the Intune service March
updates, this toggle status is not enforced right away. Any changes you make to the toggle will not impact device
compliance until we flight your account to have a working toggle. We'll inform you via the Message center when
we finish flighting your account. This could take up to a few days after your Intune service is updated for March.
Additional information: https://aka.ms/compliance_policies
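The effect of this toggle on a Conditional Access decision is easiest to see with a small model. The following Python is an added illustration, not Intune's own code: it evaluates a constructed sample inventory with the toggle off and on, and lists the devices that would lose access, which is the review an admin wants before turning the feature on.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Constructed sample record: what Intune knows about one enrolled device."""
    name: str
    assigned_policies: tuple = ()     # names of compliance policies targeting it
    meets_all_assigned: bool = True   # did it satisfy every assigned policy?


def compliance_state(device, treat_unassigned_as_noncompliant):
    """Return "Compliant" or "Not compliant" for one device.

    The toggle only decides devices that have no compliance policy assigned;
    a device with at least one policy is judged on that policy's result.
    """
    if not device.assigned_policies:
        return "Not compliant" if treat_unassigned_as_noncompliant else "Compliant"
    return "Compliant" if device.meets_all_assigned else "Not compliant"


def ca_decision(device, toggle_on):
    """Grant or block, as a CA policy that requires a compliant device would."""
    return "grant" if compliance_state(device, toggle_on) == "Compliant" else "block"


def impact_of_enabling(devices):
    """Devices that keep access with the toggle off but lose it with it on.

    Every device listed has no compliance policy assigned, so assigning one
    is what restores its access once the feature is enabled.
    """
    return [d.name for d in devices
            if ca_decision(d, toggle_on=False) == "grant"
            and ca_decision(d, toggle_on=True) == "block"]


SAMPLE_DEVICES = [  # constructed sample inventory
    Device("laptop-01", assigned_policies=("Win10-baseline",)),
    Device("laptop-02", assigned_policies=("Win10-baseline",), meets_all_assigned=False),
    Device("phone-03"),  # enrolled, but no compliance policy targets it
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(f"{d.name}: toggle off -> {compliance_state(d, False)}, "
              f"toggle on -> {compliance_state(d, True)}")
    print("would lose access when enabled:", impact_of_enabling(SAMPLE_DEVICES))
```

Note that a device that fails its assigned policy (laptop-02) is blocked regardless of the toggle; the toggle changes the outcome only for devices no policy reaches (phone-03).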
Enhanced jailbreak detection
Enhanced jailbreak detection is a new compliance setting that improves how Intune evaluates jailbroken devices.
The setting causes the device to check in with Intune more frequently, which uses the device's location services and
impacts battery usage.
Reset passwords for Android O devices
You'll be able to reset the passwords for enrolled Android 8.0 devices with Work profiles. When you send a "Reset
password" request to an Android 8.0 device, it sets a new device unlock password or a managed profile challenge
to the current user. The password or challenge is sent and immediately takes effect.
Targeting compliance policies to devices in device groups
You can target compliance policies to users in user groups. With this update, you can target compliance policies to
devices in device groups. Devices targeted as part of device groups will not receive any compliance actions.
New Management name column
A new column named Management name is available on the devices blade. This is an auto-generated, non-
editable name assigned per device, based on the following formula:
Default name for all devices:
For bulk added devices: <PackageId/ProfileId>
This is an optional column in the devices blade. It isn't available by default and you can only access it by using the
column selector. The device name is not affected by this new column.
iOS devices are prompted for a PIN every 15 minutes
After a compliance or configuration policy is applied to an iOS device, users are prompted to set a PIN every 15
minutes. Users are continually prompted until a PIN is set.
Schedule your automatic updates
Intune gives you control on installing automatic updates using Windows Update Ring settings. With this update,
you can schedule recurring updates, including the week, the day, and the time.
Use fully distinguished name as subject for SCEP certificate
When you create a SCEP certificate profile, you enter the Subject Name. With this update, you can use the fully
distinguished name as the subject. For Subject Name, select Custom, and then enter
CN={{OnPrem_Distinguished_Name}}. To use the {{OnPrem_Distinguished_Name}} variable, be sure to sync the
onPremisesDistinguishedName user attribute to your Azure AD using Azure Active Directory (AD) Connect.
Device configuration
Enable Bluetooth contact sharing - Android for Work
By default, Android prevents contacts in the work profile from syncing with Bluetooth devices. As a result, work
profile contacts are not displayed on caller ID for Bluetooth devices.
With this update, there is a new setting in Android for Work > Device restrictions > Work profile settings:
Contact sharing via Bluetooth.
The Intune administrator can configure these settings to enable sharing. This is useful when pairing a device with a
car-based Bluetooth device that displays caller ID for hands-free usage. When enabled, work profile contacts are
displayed. When not enabled, work profile contacts won't display.
Configure Gatekeeper to control macOS app download source
You can configure Gatekeeper to protect your devices from apps by controlling where the apps can be
downloaded from. You can configure the following download sources: Mac App Store, Mac App Store and
identified developers, or Anywhere. You can configure whether users can install an app using control-click to
override these Gatekeeper controls.
These settings can be found under Device configuration > Create profile > macOS > Endpoint
protection.
Configure the Mac application firewall
You can configure the Mac application firewall. You can use this to control connections on a per-application basis,
rather than on a per-port basis. This makes it easier to get the benefits of firewall protection, and helps prevent
undesirable apps from taking control of network ports open for legitimate apps.
This feature can be found under Device configuration > Create profile > macOS > Endpoint protection.
Once you enable the Firewall setting, you can configure the firewall using two strategies:
Block all incoming connections
You can block all incoming connections for the targeted devices. If you choose to do this, incoming
connections are blocked for all apps.
Allow or block specific apps
You can allow or block specific apps from receiving incoming connections. You can also enable stealth mode
to prevent responses to probing requests.
Detailed error codes and messages
In your Device Configuration, there are more detailed error codes and error messages available to see. This
improved reporting shows the settings, the state of these settings, and details on troubleshooting.
NOTE
iOS support for this functionality is rolling out throughout April 2018.
For more information, see Target app protection policies based on device management state.
Improvements to the language in the Company Portal app for Windows
We've improved the language in the Company Portal for Windows 10 to be more user-friendly and specific to
your company. To see some sample images of what we've done, see what's new in app UI.
New additions to our docs about user privacy
As part of our effort to give end users more control over their data and privacy, we've published updates to our
docs that explain how to view and remove data stored locally by the Company Portal apps. You can find these
updates at:
Android : How to remove your Android device from Intune
Android, if the user has declined terms of use : Remove your device management if you declined "Terms
of Use"
iOS : Remove your iOS device from Intune
Windows : Remove your Windows device from Intune
February 2018
Device enrollment
Intune support for multiple Apple DEP / Apple School Manager accounts
Intune now supports enrolling devices from up to 100 different Apple Device Enrollment Program (DEP) or Apple
School Manager accounts. Each token uploaded can be managed separately for enrollment profiles and devices. A
different enrollment profile can be automatically assigned per DEP/School Manager token uploaded. If multiple
School Manager tokens are uploaded, only one can be shared with Microsoft School Data Sync at a time.
After migration, the beta Graph APIs and published scripts for managing Apple DEP or ASM over Graph will no
longer work. New beta Graph APIs are in development and will be released after the migration.
See enrollment restrictions per user
On the Troubleshoot blade, you can now see the enrollment restrictions that are in effect for each user by
selecting Enrollment restrictions from the Assignments list.
New option for user authentication for Apple bulk enrollment
NOTE
New tenants see this right away. For existing tenants, this feature is being rolled out through April. Until this roll out is
complete, you might not have access to these new features.
Intune now gives you the option to authenticate devices by using the Company Portal app for the following
enrollment methods:
Apple Device Enrollment Program
Apple School Manager
Apple Configurator Enrollment
When using the Company Portal option, Azure Active Directory multi-factor authentication can be enforced
without blocking these enrollment methods.
When using the Company Portal option, Intune skips user authentication in the iOS Setup Assistant for user
affinity enrollment. This means that the device is initially enrolled as a userless device, and so doesn't receive
configurations or policies of user groups. It only receives configurations and policies for device groups. However,
Intune will automatically install the Company Portal app on the Device. The first user to launch and sign in to the
Company Portal app will be associated with the device in Intune. At this point, the user will receive configurations
and policies of their user groups. The user association cannot be changed without re-enrollment.
Remote printing over a secure network
PrinterOn's wireless mobile printing solutions will enable users to remotely print from anywhere at any time over
a secure network. PrinterOn will integrate with the Intune APP SDK for both iOS and Android. You will be able to
target app protection policies to this app through the Intune App protection policies blade in the admin
console. End users will be able to download the app 'PrinterOn for Microsoft' through the Play Store or iTunes to
use within their Intune ecosystem.
macOS Company Portal support for enrollments that use the Device Enrollment Manager
Users can now use the Device Enrollment Manager when enrolling with the macOS Company Portal.
Device management
Windows Defender health status and threat status reports
Understanding Windows Defender's health and status is key to managing Windows PCs. With this update, Intune
adds new reports and actions to the status and health of the Windows Defender agent. Using a status roll-up
report in the Device Compliance workload, you can see devices that need any of the following:
Signature update
Restart
Manual intervention
Full scan
Other agent states requiring intervention
A drill-in report for each status category lists the individual PCs that need attention, or those that report as Clean.
New privacy settings for device restrictions
Two new privacy settings are now available for devices:
Publish user activities: Set this to Block to prevent shared experiences and discovery of recently used
resources in the task switcher.
Local activities only: Set this to Block to prevent shared experiences and discovery of recently used
resources in the task switcher based only on local activity.
New settings for the Microsoft Edge browser
Two new settings are now available for devices with the Microsoft Edge browser: Path to favorites file and
Changes to Favorites.
App management
Protocol exceptions for applications
You can now create exceptions to the Intune Mobile Application Management (MAM) data transfer policy to open
specific unmanaged applications. Such applications must be trusted by IT. Other than the exceptions you create,
data transfer is still restricted to applications that are managed by Intune when your data transfer policy is set to
managed apps only. You can create the restrictions by using protocols (iOS) or packages (Android).
For example, you can add the Webex package as an exception to the MAM data transfer policy. This will allow
Webex links in a managed Outlook email message to open directly in the Webex application. Data transfer will still
be restricted in other unmanaged applications. For more information, see Data transfer policy exceptions for apps.
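How the exception list changes an open-in decision under a "managed apps only" data transfer policy can be shown with a small model. The following Python is an added illustration, not Intune's policy format or code: the app names, the Android package and iOS protocol used for Webex, and the sample requests are all constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class DataTransferPolicy:
    """The parts of an app protection policy that govern outbound data."""
    managed_apps: set                      # apps under Intune app protection
    send_to: str = "managed apps only"     # or "all apps" / "none"
    ios_protocol_exceptions: set = field(default_factory=set)     # URL protocols
    android_package_exceptions: set = field(default_factory=set)  # package names


@dataclass
class OpenRequest:
    """A managed app asking to hand data (a link, a file) to another app."""
    platform: str      # "ios" or "android"
    source_app: str    # app holding the data, e.g. Outlook
    target_app: str    # app that would receive it
    target_id: str     # iOS URL protocol or Android package of target_app


def transfer_allowed(policy, req):
    """Return True if the source app may pass the data to the target."""
    if req.source_app not in policy.managed_apps:
        return True  # the policy restricts managed apps' outbound data only
    if policy.send_to == "all apps":
        return True
    if policy.send_to == "none":
        return False
    # "managed apps only": managed targets are always allowed; an unmanaged
    # target is allowed only when IT listed it as an exception for the platform.
    if req.target_app in policy.managed_apps:
        return True
    if req.platform == "ios":
        return req.target_id.lower() in policy.ios_protocol_exceptions
    if req.platform == "android":
        return req.target_id in policy.android_package_exceptions
    return False


def evaluate(policy, requests):
    """Map each request to (source, target, "allow"/"block") for review."""
    return [(r.source_app, r.target_app,
             "allow" if transfer_allowed(policy, r) else "block")
            for r in requests]


# Constructed policy: Webex is the one unmanaged app IT trusts. Its package
# name and URL protocol here are assumed values used only for illustration.
POLICY = DataTransferPolicy(
    managed_apps={"Outlook", "Word", "Teams"},
    ios_protocol_exceptions={"wbx"},
    android_package_exceptions={"com.cisco.webex.meetings"},
)

REQUESTS = [  # constructed sample requests
    OpenRequest("android", "Outlook", "Webex", "com.cisco.webex.meetings"),
    OpenRequest("android", "Outlook", "Notes", "com.example.notes"),
    OpenRequest("ios", "Outlook", "Webex", "wbx"),
    OpenRequest("ios", "Outlook", "Word", "ms-word"),
    OpenRequest("ios", "Safari", "Notes", "notes"),  # unmanaged source
]

if __name__ == "__main__":
    for source, target, decision in evaluate(POLICY, REQUESTS):
        print(f"{source} -> {target}: {decision}")
```

The Notes request from Outlook is the case the text describes as "still restricted": an unmanaged app that is not in the exception list stays blocked even though Webex is allowed.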
Windows Information Protection (WIP) encrypted data in Windows search results
A setting in the Windows Information Protection (WIP) policy now allows you to control whether WIP-encrypted
data is included in Windows search results. Set this app protection policy option by selecting Allow Windows
Search Indexer to search encrypted items in the Advanced settings of the Windows Information Protection
policy. The app protection policy must be set to the Windows 10 platform and the app policy Enrollment state
must be set to With enrollment. For more information, see Allow Windows Search Indexer to search encrypted
items.
Configuring a self-updating mobile MSI app
You can configure a known self-updating mobile MSI app to ignore the version check process. This capability is
useful to avoid a race condition. For instance, this type of race condition could occur when the app
being auto-updated by the app developer is also being updated by Intune. Both could try to enforce a version of the
app on a Windows client, which could create a conflict. For these automatically updated MSI apps, you can
configure the Ignore app version setting in the App information blade. When this setting is switched to Yes,
Microsoft Intune will ignore the app version installed on the Windows client.
Related sets of app licenses supported in Intune
Intune in the Azure portal now supports related sets of app licenses as a single app item in the UI. In addition, any
Offline Licensed apps synced from Microsoft Store for Business will be consolidated into a single app entry and
any deployment details from the individual packages will be migrated over to the single entry. To view related sets
of app licenses in the Azure portal, select App licenses from the Client apps blade.
Device configuration
Windows Information Protection (WIP) file extensions for automatic encryption
A setting in the Windows Information Protection (WIP) policy now lets you specify which file extensions are
automatically encrypted when copying from a Server Message Block (SMB) share within the corporate boundary,
as defined in the WIP policy.
Configure resource account settings for Surface Hubs
You can now remotely configure resource account settings for Surface Hubs.
The resource account is used by a Surface Hub to authenticate against Skype/Exchange so it can join a meeting.
You will want to create a unique resource account so the Surface Hub can show up in the meeting as the
conference room. For example, a resource account such as Conference Room B41/6233.
NOTE
If you leave fields blank you will override previously configured attributes on the device.
Resource Account properties can change dynamically on the Surface Hub, for example when password rotation is on. So
it's possible that the values in the Azure console will take some time to reflect the reality on the device.
To understand what is currently configured on the Surface Hub, the Resource Account information can be included in
hardware inventory (which already has a 7 day interval) or as read-only properties. To enhance the accuracy after the
remote action has taken place, you can get the state of the parameters immediately after running the action to
update the account/parameters on the Surface Hub.
Attack Surface Reduction
Setting | Options | More information
Advanced ransomware protection | Enabled, Audit, Not configured | Use aggressive ransomware protection.
Flag credential stealing from the Windows local security authority subsystem | Enabled, Audit, Not configured | Flag credential stealing from the Windows local security authority subsystem (lsass.exe).
Process creation from PSExec and WMI commands | Block, Audit, Not configured | Block process creations originating from PSExec and WMI commands.
Untrusted and unsigned processes that run from USB | Block, Audit, Not configured | Block untrusted and unsigned processes that run from USB.
Executables that don't meet a prevalence, age, or trusted list criteria | Block, Audit, Not configured | Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
Controlled folder access
Setting | Options | More information
New | Block disk modification, Audit disk modification | Enable: Prevent untrusted apps from modifying or deleting files in protected folders and from writing to disk sectors.
January 2018
Device enrollment
Alerts for expired tokens and tokens that will soon expire
The overview page now shows alerts for expired tokens and tokens that will soon expire. When you click on an
alert for a single token, you'll go to the token's details page. If you click on alert with multiple tokens, you'll go to a
list of all tokens with their status. Admins should renew their tokens before the expiration date.
Device management
Remote "Erase" command support for macOS devices
Admins can issue an Erase command remotely for macOS devices.
IMPORTANT
The erase command can't be reversed and should be used with caution.
The erase command removes all data, including the operating system, from a device. It also removes the device
from Intune management. No warning is issued to the user and the erasure occurs immediately upon issuing the
command.
You must configure a 6-digit recovery PIN. This PIN can be used to unlock the erased device, at which point
reinstallation of the operating system will begin. After erasure has started, the PIN appears in a status bar on the
device's overview blade in Intune. The PIN will remain as long as the erasure is underway. After erasure is
complete, the device disappears entirely from Intune management. Be sure to record the recovery PIN so that
whoever is restoring the device can use it.
Revoke licenses for an iOS Volume Purchasing Program token
You can revoke the license of all iOS Volume Purchasing Program (VPP) apps for a given VPP Token.
App management
Revoking iOS Volume-Purchase Program apps
For a given device that has one or more iOS Volume-Purchase Program (VPP) apps, you can revoke the associated
device-based app license for the device. Revoking an app license will not uninstall the related VPP app from the
device. To uninstall a VPP app, you must change the assignment action to Uninstall. For more information, see
How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.
Assign Microsoft 365 mobile apps to iOS and Android devices using built-in app type
The Built-in app type makes it easier for you to create and assign Microsoft 365 apps to the iOS and Android
devices that you manage. These apps include Microsoft 365 apps such as Word, Excel, PowerPoint, and OneDrive.
You can assign specific apps to the app type and edit the app information configuration.
Including and excluding app assignment based on groups
During app assignment and after selecting an assignment type, you can select the groups to include, as well as the
groups to exclude.
Device configuration
You can assign an application configuration policy to groups by including and excluding assignments
You can assign an application configuration policy to a group of users and devices by using a combination of
including and excluding assignments. Assignments can be chosen as either a custom selection of groups or as a
virtual group. A virtual group can include All users, All devices, or All users + All devices.
Support for Windows 10 edition upgrade policy
You can create a Windows 10 edition upgrade policy that upgrades Windows 10 devices to Windows 10
Education, Windows 10 Education N, Windows 10 Professional, Windows 10 Professional N, Windows 10
Professional Education, and Windows 10 Professional Education N. For details about Windows 10 edition
upgrades, see How to configure Windows 10 edition upgrades.
Conditional Access policies for Intune are only available from the Azure portal
Starting with this release, you must configure and manage your Conditional Access policies in the Azure portal
from Azure Active Directory > Conditional Access. For your convenience, you can also access this blade from
Intune in the Azure portal at Intune > Conditional Access.
Updates to compliance emails
When an email is sent to report a noncompliant device, details about the noncompliant device are included.
Intune apps
New functionality for the "Resolve" action for Android devices
The Company Portal app for Android is expanding the "Resolve" action for Update device settings to resolve
device encryption issues.
Remote lock available in Company Portal app for Windows 10
End users can now remotely lock their devices from the Company Portal app for Windows 10. This will not be
displayed for the local device they're actively using.
Easier resolution of compliance issues for the Company Portal app for Windows 10
End users with Windows devices will be able to tap the noncompliance reason in the Company Portal app. When
possible, this will take them directly to the correct location in the settings app to fix the issue.
2017
December 2017
New automatic redeployment setting
The Automatic redeployment setting allows users with administrative rights to delete all user data and settings
using CTRL + Win + R at the device lock screen. The device is automatically reconfigured and reenrolled into
management. This setting can be found under Windows 10 > Device restrictions > General > Automatic
redeployment. For details, see Intune device restriction settings for Windows 10.
Support for additional source editions in the Windows 10 edition upgrade policy
You can now use the Windows 10 edition upgrade policy to upgrade from additional Windows 10 editions
(Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Cloud, etc.). Prior to this release, the supported
edition upgrade paths were more limited. For details, see How to configure Windows 10 edition upgrades.
New Windows Defender Security Center (WDSC) device configuration profile settings
Intune adds a new section of device configuration profile settings under Endpoint protection, named Windows
Defender Security Center. IT admins can configure which pillars of the Windows Defender Security Center app
end users can access. If an IT admin hides a pillar in the Windows Defender Security Center app, all notifications
related to the hidden pillar do not display on the user's device.
These are the pillars admins can hide from the Windows Defender Security Center device configuration profile
settings:
Virus and threat protection
Device performance and health
Firewall and network protections
App and browser control
Family options
IT admins can also customize which notifications users receive. For example, you can configure whether the users
receive all notifications generated by visible pillars in the WDSC, or only critical notifications. Non-critical
notifications include periodic summaries of Windows Defender Antivirus activity and notifications when scans
have completed. All other notifications are considered critical. Additionally, you can also customize the notification
content itself, for example, you can provide the IT contact information to embed in the notifications that appear on
the users' devices.
Multiple connector support for SCEP and PFX certificate handling
Customers who use the on-premises NDES connector to deliver certificates to devices can now configure multiple
connectors in a single tenant.
This new capability supports the following scenario:
High availability
Each NDES connector pulls certificate requests from Intune. If one NDES connector goes offline, the other
connector can continue to process requests.
Customer subject name can use AAD_DEVICE_ID variable
When you create a SCEP certificate profile in Intune, you can now use the AAD_DEVICE_ID variable when you build
the custom subject name. When the certificate is requested using this SCEP profile, the variable is replaced with
the Azure AD device ID of the device making the certificate request.
Manage Jamf-enrolled macOS devices with Intune's device compliance engine
You can now use Jamf to send macOS device state information to Intune, which will then evaluate it for
compliance with policies defined in the Intune console. Based on the device compliance state as well as other
conditions (such as location, user risk, etc.), Conditional Access will enforce compliance for macOS devices
accessing cloud and on-premises applications connected with Azure AD, including Microsoft 365. Find out more
about setting up Jamf integration and enforcing compliance for Jamf-managed devices.
New iOS device action
You can now shut down iOS 10.3 supervised devices. This action shuts down the device immediately without
warning to the end user. The Shut down (supervised only) action can be found in the device properties when
you select a device in the Device workload.
Disallow date/time changes to Samsung Knox devices
We've added a new feature that allows you to block date and time changes on Samsung Knox devices. You can find
this in Device configuration profiles > Device restrictions (Android) > General.
Surface Hub resource account supported
A new device action has been added so administrators can define and update the resource account associated with
a Surface Hub.
The resource account is used by a Surface Hub to authenticate with Skype/Exchange so it can join a meeting. You
can create a unique resource account so the Surface Hub appears in the meeting as the conference room. For
example, the resource account might appear as Conference Room B41/6233. The resource account (known as the
device account) for the Surface Hub typically needs to be configured for the conference room location and when
other resource account parameters need to be changed.
When administrators want to update the resource account on a device, they must provide the current Active
Directory/Azure Active Directory credentials associated with the device. If password rotation is on for the device,
administrators must go to Azure Active Directory to find the password.
NOTE
All fields get sent down in a bundle and overwrite all fields that were previously configured. Empty fields also overwrite
existing fields.
Manage all devices as Android (Blocked): All Android devices must enroll without Android for Work.
Manage supported devices as Android for Work (Allowed): All Android devices that support Android for Work must
enroll with Android for Work.
Manage supported devices for users only in these groups as Android for Work (Blocked): A separate Device Type
Restriction policy was created to override the default. This policy defines the groups you previously selected to
allow Android for Work enrollment. Users within the selected groups will continue to be allowed to enroll their
Android for Work devices. All other users are restricted from enrolling with Android for Work.
In all cases, your intended regulation is preserved. No action is required on your part to maintain the global or
per-group allowance of Android for Work in your environment.
Google Play Protect support on Android
With the release of Android Oreo, Google introduces a suite of security features called Google Play Protect that
allow users and organizations to run secure apps and secure Android images. Intune now supports Google Play
Protect features, including SafetyNet remote attestation. Admins can set compliance policy requirements that
require Google Play Protect to be configured and healthy. The SafetyNet device attestation setting requires the
device to connect with a Google service to verify that the device is healthy and is not compromised. Admins can
also set a configuration profile setting for Android for Work to require that installed apps are verified by Google
Play services. If a device is not compliant with Google Play Protect requirements, Conditional Access might block
users from accessing corporate resources.
Learn How to create a device compliance policy to enable Google Play Protect.
Text protocol allowed from managed Apps
Apps managed by the Intune App SDK are able to send SMS messages.
App install report updated to include Install Pending status
The App install status report, accessible for each app through the App list in the Client apps workload, now
contains an Install Pending count for Users and Devices.
iOS 11 app inventory API for Mobile Threat Detection
Intune collects app inventory information from both personal and corporate-owned devices and makes it available
for Mobile Threat Detection (MTD) providers to fetch, such as Lookout for Work. You can collect an app inventory
from the users of iOS 11+ devices.
App inventory
Inventories from both corporate-owned iOS 11+ and personally owned devices are sent to your MTD service
provider. Data in the app inventory includes:
App ID
App Version
App Short Version
App Name
App Bundle Size
App Dynamic Size
App is validated or not
App is managed or not
Migrate hybrid MDM users and devices to Intune standalone
New processes and tools are now available for moving users and their devices from hybrid MDM to Intune in the
Azure portal, allowing you to do the following tasks:
Copy policies and profiles from the Configuration Manager console to Intune in the Azure portal
Move a subset of users to Intune in the Azure portal, while keeping the rest in hybrid MDM
Migrate devices to Intune in the Azure portal without needing to re-enroll them
On-premises Exchange connector high availability support
After the Exchange connector creates a connection to Exchange using the specified Client Access Server (CAS), the
connector now has the ability to discover other CASs. If the primary CAS becomes unavailable, the connector will
fail over to another CAS, if available, until the primary CAS becomes available. For details, see On-premises
Exchange connector high availability support.
Remotely restart iOS device (supervised only)
You can now trigger a supervised iOS 10.3+ device to restart using a device action. For more information on using
the device restart action, see Remotely restart devices with Intune.
NOTE
This command requires a supervised device and the Device Lock access right. The device restarts immediately.
Passcode-locked iOS devices will not rejoin a Wi-Fi network after restart; after restart, they may not be able to
communicate with the server.
NOTE
This feature only restricts security patches released by Google on Android 6.0+ devices.
SETTING DETAILS
While unlikely, setting to High may cause some legitimate files to be detected. We recommend you set File
blocking level to the default, Not configured.
Time out extension for file scanning by the cloud
SETTING DETAIL
Number of seconds (0-50): Specify the maximum amount of time that Windows Defender Antivirus should block a
file while waiting for a result from the cloud. The default amount is 10 seconds: any additional time specified here
(up to 50 seconds) is added to those 10 seconds. In most cases, the scan takes much less time than the maximum.
Extending the time allows the cloud to thoroughly investigate suspicious files. We recommend that you enable this
setting and specify at least 20 additional seconds.
NOTE
Today, Intune only synchronizes VPP apps from the VPP country/region store that match the Intune locale in which the
Intune tenant was created.
Block copy and paste between work and personal profiles in Android for Work
With this release, you are able to configure the work profile for Android for Work to block copy and paste between
work and personal apps. You can find this new setting in the Device restrictions profile for the Android for
Work platform in Work profile settings.
Create iOS apps limited to specific regional Apple App Stores
You will be able to specify the country/region locale during the creation of an Apple App Store managed app.
NOTE
Currently, you can only create Apple App Store managed apps that are present in the US country/region store.
NOTE
Does not restrict enrollment through Apple enrollment programs or Apple Configurator.
Restrict Android, iOS, and macOS device personally owned device enrollment
Intune can restrict personal device enrollment by white-listing corporate device IMEI numbers. Intune has now
expanded this functionality to iOS, Android, and macOS using device serial numbers. By uploading the serial
numbers to Intune, you can predeclare devices as corporate-owned. Using enrollment restrictions, you can block
personally owned (BYOD) devices, allowing enrollment only for corporate-owned devices. Learn more about
device enrollment restrictions.
To import serial numbers, go to Device enrollment > Corporate device identifiers, click Add, and then upload a
.CSV file (no header, two columns for serial number and details like IMEI numbers). To restrict personally owned
devices, go to Device enrollment > Enrollment restrictions. Under Device Type Restrictions, select the Default and
then select Platform Configurations. You can Allow or Block personally owned devices for iOS, Android, and
macOS.
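As an added example that is not Intune's own code, the following Python models the two steps above: it parses a header-less, two-column corporate device identifier CSV (rejecting malformed or duplicate rows before anything is uploaded) and then applies a per-platform "personally owned" Allow/Block setting to a device's enrollment. The serial numbers and platform settings are constructed sample data.

```python
"""Added example (not Intune's own code): corporate device identifiers plus a
per-platform personally-owned enrollment restriction, as described above.
The CSV layout follows the page (no header, two columns: serial number, details).
All identifiers and settings below are constructed sample data."""
import csv
import io
from typing import Dict, Tuple

# Constructed sample upload: serial number, free-text details, no header row.
CORPORATE_IDS_CSV = """\
C02XYZ123ABC,iPad Pro - finance
R58M1234ABC,Samsung Galaxy S8 - sales
FVFXY123ABC,MacBook Pro - engineering
"""


def parse_corporate_identifiers(csv_text: str) -> Dict[str, str]:
    """Parse the two-column, header-less CSV into {serial: details}.

    Rows with the wrong column count, empty serials or duplicate serials
    raise ValueError so a bad file is caught before upload. Serials are
    normalised to upper case so lookups are case-insensitive."""
    ids: Dict[str, str] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 2 columns, got {len(row)}")
        serial = row[0].strip().upper()
        if not serial:
            raise ValueError(f"line {lineno}: empty serial number")
        if serial in ids:
            raise ValueError(f"line {lineno}: duplicate serial {serial}")
        ids[serial] = row[1].strip()
    return ids


# Platform Configurations of the default Device Type Restriction: whether
# personally owned devices may enroll on each platform (constructed values).
PERSONAL_ALLOWED: Dict[str, bool] = {"ios": False, "android": False, "macos": True}


def enrollment_allowed(platform: str, serial: str,
                       corporate_ids: Dict[str, str],
                       personal_allowed: Dict[str, bool]) -> Tuple[bool, str]:
    """Decide whether a device may enroll and say why.

    A serial present in the corporate identifiers is treated as corporate-owned
    and always allowed; anything else is BYOD and follows the platform setting."""
    platform = platform.lower()
    if platform not in personal_allowed:
        return False, f"platform {platform} is not configured"
    if serial.strip().upper() in corporate_ids:
        return True, "corporate-owned (serial predeclared)"
    if personal_allowed[platform]:
        return True, "personally owned, allowed on this platform"
    return False, "personally owned, blocked on this platform"


if __name__ == "__main__":
    ids = parse_corporate_identifiers(CORPORATE_IDS_CSV)
    for platform, serial in [("ios", "C02XYZ123ABC"), ("ios", "UNKNOWN999"),
                             ("macos", "UNKNOWN999")]:
        print(platform, serial, enrollment_allowed(platform, serial, ids, PERSONAL_ALLOWED))
```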
New device action to force devices to sync with Intune
In this release, we've added a new device action that forces the selected device to immediately check in with
Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned
to it. This action can help you to immediately validate and troubleshoot policies you've assigned, without waiting
for the next scheduled check-in. For details, see Synchronize device.
Force supervised iOS devices to automatically install the latest available software update
A new policy is available from the Software updates workspace where you can force supervised iOS devices to
automatically install the latest available software update. For details, see Configure iOS update policies.
Check Point SandBlast Mobile - New Mobile Threat Defense partner
You can control mobile device access to corporate resources using Conditional Access based on risk assessment
conducted by Check Point SandBlast Mobile, a mobile threat defense solution that integrates with Microsoft Intune.
How integration with Intune works
Risk is assessed based on telemetry collected from devices running Check Point SandBlast Mobile. You can
configure EMS Conditional Access policies based on Check Point SandBlast Mobile risk assessment enabled
through Intune device compliance policies. You can allow or block noncompliant devices access to corporate
resources based on detected threats.
Deploy an app as available in the Microsoft Store for Business
With this release, admins can now assign Microsoft Store for Business apps as available. When set as available,
end users can install the app from the Company Portal app or website without being redirected to the Microsoft Store.
UI updates to the Company Portal website
We made several updates to the UI of the Company Portal website to enhance the end user experience.
Enhancements to app tiles: App icons will now display with an automatically generated background
based on the dominant color of the icon (if it can be detected). When applicable, this background replaces
the gray border that was previously visible on app tiles.
In an upcoming release, the Company Portal website will display large icons whenever possible. We
recommend that IT admins publish apps using high-resolution icons with a minimum size of 120 x 120
pixels.
Navigation changes: Navigation bar items are moved to the hamburger menu in the top left. The
Categories page is removed. Users can now filter content by category while browsing.
Updates to Featured Apps: We've added a dedicated page to the site where users can browse apps that
you've chosen to feature, and made some UI tweaks to the Featured section on the homepage.
iBooks support for the Company Portal website
We've added a dedicated page to the Company Portal website that allows users to browse and download iBooks.
Additional help desk troubleshooting details
Intune has updated the troubleshooting display and added to the information that it provides for admins and help
desk staff. You can now see an Assignments table that summarizes all assignments for the user based on group
membership. This list includes:
Mobile apps
Compliance policies
Configuration profiles
In addition, the Devices table now includes Azure AD join type and Azure AD compliant columns. For more
information, see help users troubleshoot problems.
Intune Data Warehouse (Public Preview)
The Intune Data Warehouse samples data daily to provide a historical view of your tenant. You can access the data
using a Power BI file (PBIX), an OData link that is compatible with many analytics tools, or interacting with the REST
API. For more information, see Use the Intune Data Warehouse.
Light and dark modes available for the Company Portal app for Windows 10
End users will be able to customize the color mode for the Company Portal app for Windows 10. The user is able
to make the change in the Settings section of the Company Portal app. The change will appear after the user has
restarted the app. For Windows 10 version 1607 and later, the app mode will default to the system setting. For
Windows 10 version 1511 and earlier, the app mode will default to the light mode.
Enable end users to tag their device group in the Company Portal app for Windows 10
End users are now able to select which group their device belongs to by tagging it directly from within the
Company Portal app for Windows 10.
June 2017
New role-based administration access for Intune admins
A new Conditional Access admin role is being added to view, create, modify, and delete Azure AD Conditional
Access policies. Previously, only global admins and security admins had this permission. Intune admins can be
granted with this role permission so that they have access to Conditional Access policies.
Tag corporate-owned devices with serial number
Intune now supports uploading iOS, macOS, and Android serial numbers as Corporate Device Identifiers. You can't
use serial numbers to block personal devices from enrolling at this time because serial numbers are not verified
during enrollment. Blocking personal devices by serial number will be released in the near future.
New remote actions for iOS devices
In this release, we've added two new remote device actions for shared iPad devices that manage the Apple
Classroom app:
Logout current user - Signs out the current user of an iOS device you choose.
Remove user - Deletes a user you choose from the local cache on an iOS device.
Support for shared iPads with the iOS Classroom app
In this release, we've expanded the support for managing the iOS Classroom app to include students who log into
shared iPads using their managed Apple ID.
Changes to Intune built-in apps
Previously, Intune contained a number of built-in apps that you could quickly assign. Based on your feedback, we
have removed this list, and you will no longer see built-in apps. However, if you have already assigned any built-in
apps, these will still be visible in the list of apps. You can continue to assign these apps as required. In a later
release, we plan to add an easier method to select and assign built-in apps from the Azure portal.
Easier installation of Microsoft 365 apps
The new Microsoft 365 Apps for Enterprise app type makes it easy for you to assign Microsoft 365 Apps for
enterprise apps to devices that you manage which run the latest version of Windows 10. Additionally, you can also
install Microsoft Project, and Microsoft Visio, if you own licenses for them. The apps you want are bundled
together and appear as one app in the list of apps in the Intune console. For more information, see How to add
Microsoft 365 apps for Windows 10.
Support for offline apps from the Microsoft Store for Business
Offline apps you purchased from the Microsoft Store for Business will now be synchronized to the Azure portal.
You can then deploy these apps to device groups, or user groups. Offline apps are installed by Intune, and not by
the store.
Microsoft Teams is now part of the app-based CA list of approved apps
The Microsoft Teams app for iOS and Android is now part of approved apps for app-based Conditional Access
policies for Exchange and SharePoint Online. The app can be configured through the Intune App Protection blade
in the Azure portal to all tenants currently using app-based Conditional Access.
Managed browser and app proxy integration
The Intune Managed Browser can now integrate with the Azure AD Application Proxy service to let users access
internal web sites even when they are working remotely. Users of the browser simply enter the site URL as they
normally would and the Managed Browser routes the request through the application proxy web gateway. For
more information, see Manage Internet access using Managed browser policies.
New app configuration settings for the Intune Managed Browser
In this release, we've added further configurations for the Intune Managed Browser app for iOS and Android. You
can now use an app configuration policy to configure the default home page and bookmarks for the browser. For
more information, see Manage Internet access using Managed browser policies
BitLocker settings for Windows 10
You can now configure BitLocker settings for Windows 10 devices using a new Intune device profile. For example,
you can require that devices are encrypted, and also configure further settings that are applied when BitLocker is
turned on. For more information, see Endpoint protection settings for Windows 10 and later.
New settings for Windows 10 device restriction profile
In this release, we've added new settings for the Windows 10 device restriction profile, in the following categories:
Windows Defender
Cellular and connectivity
Locked screen experience
Privacy
Search
Windows Spotlight
Microsoft Edge browser
For more information about Windows 10 settings, see Windows 10 and later device restriction settings.
Company Portal app for Android now has a new end user experience for App Protection Policies
Based on customer feedback, we've modified the Company Portal app for Android to show an Access Company
Content button. The intent is to prevent end users from unnecessarily going through the enrollment process
when they only need to access apps that support App Protection Policies, a feature of Intune mobile application
management. You can see these changes on the what's new in app UI page.
New menu action to easily remove Company Portal
Based on user feedback, the Company Portal app for Android has added a new menu action to initiate the removal
of Company Portal from your device. This action removes the device from Intune management so that the app can
be removed from the device by the user. You can see these changes on the what's new in app UI page and in the
Android end user documentation.
Improvements to app syncing with Windows 10 Creators Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app install requests for devices
with Windows 10 Creators Update (version 1709). This will reduce the issue of app installs stalling during the
"Pending Sync" state. In addition, users will be able to manually initiate a sync from within the app. You can see
these changes on the what's new in app UI page.
New guided experience for Windows 10 Company Portal
The Company Portal app for Windows 10 will include a guided Intune walkthrough experience for devices that
have not been identified or enrolled. The new experience provides step-by-step instructions that guide the user
through registering into Azure Active Directory (required for Conditional Access features) and MDM enrollment
(required for device management features). The guided experience will be accessible from the Company Portal
home page. Users can continue to use the app if they do not complete registration and enrollment, but will
experience limited functionality.
This update is only visible on devices running Windows 10 Anniversary Update (build 1607) or higher. You can see
these changes on the what's new in app UI page.
Microsoft Intune and Conditional Access admin consoles are generally available
We're announcing the general availability of both the new Intune in the Azure portal admin console and the
Conditional Access admin console. Through Intune in the Azure portal, you can now manage all Intune MAM and
MDM capabilities in one consolidated admin experience, and leverage Azure AD grouping and targeting.
Conditional Access in Azure brings rich capabilities across Azure AD and Intune together in one unified console.
And from an administrative experience, moving to the Azure platform allows you to use modern browsers.
Intune is now visible without the preview label in the Azure portal at portal.azure.com.
There is no action required for existing customers at this time, unless you have received one of a series of
messages in the message center requesting that you take action so that we can migrate your groups. You may
have also received a message center notice informing you that migration is taking longer due to bugs on our side.
We are diligently continuing work to migrate any impacted customer.
Improvements to the app tiles in the Company Portal app for iOS
We updated the design of the app tiles on the homepage to reflect the branding color you set for the Company
Portal. For more information, see what's new in app UI.
Account picker now available for the Company Portal app for iOS
Users of iOS devices might see our new account picker when they sign into the Company Portal if they use their
work or school account to sign into other Microsoft apps. For more information, see what's new in app UI.
May 2017
Change your MDM authority without unenrolling managed devices
You can now change your MDM authority without having to contact Microsoft Support, and without having to
unenroll and reenroll your existing managed devices. In the Configuration Manager console, you can change your
MDM authority from Set to Configuration Manager (hybrid) to Microsoft Intune (standalone) or vice versa.
Improved notification for Samsung Knox startup PINs
When end users need to set a start-up PIN on Samsung Knox devices to become compliant with encryption, the
notification displayed to end users will bring them to the exact place in the Settings app when the notification is
tapped. Previously, the notification brought the end user to the password change screen.
Apple School Manager (ASM) support with shared iPad
Intune now supports use of Apple School Manager (ASM) in place of Apple Device Enrollment Program to provide
out-of-box enrollment of iOS devices. ASM onboarding is required to use the Classroom app for Shared iPads, and
is required to enable syncing data from ASM to Azure Active Directory via Microsoft School Data Sync (SDS). For
more information, see Enable iOS device enrollment with Apple School Manager.
NOTE
Configuring Shared iPads to work with the Classroom app requires iOS Education configurations in Azure that are not
yet available. This functionality will be added soon.
Provide remote assistance to Android devices using TeamViewer
Intune can now use the TeamViewer software, purchased separately, to enable you to give remote assistance to
your users who are running Android devices. For more information, see Provide remote assistance for Intune
managed Android devices.
New app protection policies conditions for MAM
You can now set a requirement for MAM without enrollment users that enforces the following policies:
Minimum application version
Minimum operating system version
Minimum Intune APP SDK version of the targeted application (iOS only)
This feature is available on both Android and iOS. Intune supports minimum version enforcement for OS platform
versions, application versions, and Intune APP SDK. On iOS, applications that have the SDK integrated can also set
a minimum version enforcement at the SDK level. The user will be unable to access the targeted application if the
minimum requirements through the app protection policy are not met at the three different levels mentioned
above. At this point, the user may either remove their account (for multi-identity applications), close the
application, or update the version of the OS or application.
You can also configure additional settings to provide a non-blocking notification that recommends an OS or
application upgrade. This notification can be closed and the application may be used as normal.
For more information, see iOS app protection policy settings and Android app protection policy settings.
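As an added example that is not Intune's own code, the following Python models the three-level minimum-version check described above (OS, app, and on iOS the Intune APP SDK). The split of each level into a blocking "required" minimum and a non-blocking "recommended" minimum is my own naming for the two behaviours the text describes; policy values and check-in data are constructed.

```python
"""Added example (not Intune's own code): app protection policy minimum-version
enforcement at three levels. 'required' below -> block; 'recommended' below
(but not below required) -> non-blocking warning. Values are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '11.4.1' into (11, 4, 1); non-numeric parts count as 0."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is lower than b; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


@dataclass
class MinVersionRule:
    required: Optional[str] = None     # below this: block access
    recommended: Optional[str] = None  # below this (but >= required): warn only


@dataclass
class AppProtectionPolicy:
    platform: str                                        # "ios" or "android"
    os: MinVersionRule = field(default_factory=MinVersionRule)
    app: MinVersionRule = field(default_factory=MinVersionRule)
    sdk: MinVersionRule = field(default_factory=MinVersionRule)  # iOS only


@dataclass
class AppCheckIn:
    """What a managed app reports when the policy is evaluated (constructed)."""
    platform: str
    os_version: str
    app_version: str
    sdk_version: Optional[str] = None


@dataclass
class Decision:
    action: str            # "allow", "warn" or "block"
    reasons: List[str]


def evaluate(policy: AppProtectionPolicy, checkin: AppCheckIn) -> Decision:
    """Apply every level of the policy; the strictest outcome wins."""
    reasons: List[str] = []
    action = "allow"
    levels = [("OS", policy.os, checkin.os_version),
              ("app", policy.app, checkin.app_version)]
    # The SDK-level check only applies to iOS apps with the Intune APP SDK integrated.
    if policy.platform == "ios" and checkin.sdk_version is not None:
        levels.append(("Intune APP SDK", policy.sdk, checkin.sdk_version))
    for name, rule, actual in levels:
        if rule.required and version_lt(actual, rule.required):
            reasons.append(f"{name} version {actual} is below required {rule.required}")
            action = "block"
        elif rule.recommended and version_lt(actual, rule.recommended):
            reasons.append(f"{name} version {actual} is below recommended {rule.recommended}")
            if action == "allow":
                action = "warn"  # non-blocking notification; app stays usable
    return Decision(action, reasons)


if __name__ == "__main__":
    policy = AppProtectionPolicy("ios", os=MinVersionRule("11.0", "11.3"),
                                 app=MinVersionRule("2.1.0"), sdk=MinVersionRule("8.0"))
    for ci in (AppCheckIn("ios", "11.4.1", "2.2", "8.1"),
               AppCheckIn("ios", "11.2", "2.2", "8.1"),
               AppCheckIn("ios", "11.2", "2.0.9", "8.1")):
        print(ci, "->", evaluate(policy, ci))
```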
Configure app configurations for Android for Work
Some Android apps from the store support managed configuration options that let an IT admin control how an
app runs in the work profile. With Intune, you can now view the configurations supported by an app, and
configure them from the Azure portal with a configuration designer or a JSON editor. For more information, see
Use app configurations for Android for Work.
New app configuration capability for MAM without enrollment
You can now create app configuration policies through the MAM without enrollment channel. This feature is
equivalent to the app configuration policies available in the mobile device management (MDM) app configuration.
For an example of app configuration using MAM without enrollment, see Manage Internet access using Managed
browser policies with Microsoft Intune.
Configure allowed and blocked URL lists for the Managed Browser
You can now configure a list of allowed and blocked domains and URLs for the Intune Managed Browser using
app configuration settings in the Azure portal. These settings can be configured regardless of whether it is being
used on a managed or unmanaged device. For more information, see Manage Internet access using Managed
browser policies with Microsoft Intune.
App protection policy helpdesk view
IT Helpdesk users can now check user license status and the status of app protection policy apps assigned to users
in the Troubleshooting blade. For details, see Troubleshooting.
Control website visits on iOS devices
You can now control which websites users of iOS devices can visit using one of the following two methods:
Add permitted and blocked URLs using Apple's built-in web content filter.
Allow only specified websites to be accessed by the Safari browser. Bookmarks are created in Safari for each
site you specify.
For more information, see Web content filter settings for iOS devices.
Preconfigure device permissions for Android for Work apps
For apps deployed to Android for Work device work profiles, you can now configure the permissions state for
individual apps. By default, Android apps that require device permissions such as access to location or the device
camera will prompt users to accept or deny permissions. For example, if an app uses the device's microphone, then
the end user is prompted to grant the app permission to use the microphone. This feature allows you to define
permissions on behalf of the end user. You can configure permissions to a) automatically deny without notifying
the user, b) automatically approve without notifying the user, or c) prompt the user to accept or deny. For more
information, see Android for Work device restriction settings in Microsoft Intune.
Define app-specific PIN for Android for Work devices
Android 7.0 and above devices with a work profile managed as an Android for Work device let the administrator
define a passcode policy that only applies to apps in the work profile. Options include:
Define just a device-wide passcode policy - This is the passcode that the user must use to unlock their entire
device.
Define just a work profile passcode policy - Users will be prompted to enter a passcode whenever any app in
the work profile is opened.
Define both a device and work profile policy - IT admin has the choice to define both a device passcode policy
and a work profile passcode policy at differing strengths (for example, a four-digit PIN to unlock the device, but
a six-digit PIN to open any work app).
For more information, see Android for Work device restriction settings in Microsoft Intune.
NOTE
This is only available on Android 7.0 and above. By default, the end user can use the two separately defined PINs or they can
elect to combine the two defined PINs into the stronger of the two.
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
Learn more
This page lists new features and notices previously announced on the What's new page for the Intune classic portal.
April 2017
New capabilities
MyApps available for Managed Browser
Microsoft MyApps now have better support within the Managed Browser. Managed Browser users who are not
targeted for management will be brought directly to the MyApps service, where they can access their admin-
provisioned SaaS apps. Users who are targeted for Intune management will continue to be able to access MyApps
from the built-in Managed Browser bookmark.
New icons for the Managed Browser and the Company Portal
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon
will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security
(EM+S). You can see the new icon for the Managed Browser on the what's new in Intune app UI page.
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to
improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to
late May.
Sign in progress indicator in Android Company Portal
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or
resumes the app. The indicator progresses through new statuses, beginning with "Connecting...", then "Signing in...",
then "Checking for security requirements..." before allowing the user to access the app. You can see the new screens
for the Company Portal app for Android on the what's new in Intune app UI page.
Block apps from accessing SharePoint Online
You can now create an app-based Conditional Access policy to block apps, which don't have app protection policies
applied to them, from accessing SharePoint Online. In the apps-based Conditional Access scenario, you can specify
the apps that you want to have access to SharePoint Online using the Azure portal.
Single sign-on support from the Company Portal for iOS to Outlook for iOS
Users no longer have to sign in to the Outlook app if they are signed in to the Company Portal app for iOS on the
same device with the same account. When users launch the Outlook app, they will be able to select their account
and automatically sign in. We are also working toward adding this functionality for other Microsoft apps.
Improved status messaging in the Company Portal app for iOS
New, more specific error messages will now be displayed within the Company Portal app for iOS to provide more
accessible information about what is happening on devices. These error cases were previously included in a general
error message titled "Company Portal Temporarily Unavailable". Additionally, if a user launches the Company Portal
on iOS when they do not have an Internet connection, they will now see a persistent status bar on the homepage
saying "No Internet Connection."
Improved app install status for the Windows 10 Company Portal app
New improvements for app install started in the Windows 10 Company Portal app include:
Faster install progress reporting for MSI packages
Faster install progress reporting for modern apps on devices running the Windows 10 Anniversary Update and
beyond
New progress bar for modern app installs on devices running the Windows 10 Anniversary Update and beyond
You can see the new progress bar on the what's new in Intune app UI page.
Bulk Enroll Windows 10 devices
You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and
Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant,
create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer,
and apply the package to corporate-owned devices you'd like to bulk enroll and manage. Once the package is
applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on.
Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service
and Company Portal scenarios are not supported at this time.
What's new in the public preview of Intune in the Azure portal
In early calendar year 2017 we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs.
New trial tenants will start to see the public preview of the new admin experience in the Azure portal this month.
While in preview state, capabilities and parity with the existing Intune console will be delivered iteratively.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, if you want to test or look at any of the new functionality
until your tenant is migrated, sign up for a new Intune trial account or take a look at the new documentation.
You can find what's new in the Intune preview in Azure here.
Notices
Direct access to Apple enrollment scenarios
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios
using the Enroll Devices workload in the Azure Preview portal. Previously, the Apple enrollment preview was only
accessible from links in the Azure portal. Intune accounts created before January 2017 will require a one-time
migration before these features are available in Azure. The schedule for migration has not been announced yet, but
details will be made available as soon as possible. We strongly recommend creating a trial account to test out the
new experience if your existing account cannot access the preview.
What's coming for Appx in Intune in the Azure portal
As part of the migration to Intune in the Azure portal, we are making three appx changes:
1. Adding a new appx app type in the Intune console that can only be deployed to MDM-enrolled devices.
2. Repurposing the existing appx app type to only be targeted to PCs managed through the Intune PC agent.
3. Converting all existing appxs into MDM appxs with the migration.
H o w d o e s t h i s a ffe c t m e ?
This will not impact any of your existing deployments to devices that are managed through the Intune PC agent.
However, after migration, you will not be able to deploy those migrated appxs to any new devices that are managed
through the Intune PC agent that were not previously targeted.
W h at ac t i o n do I n eed t o t ake
After migration, you will need to re-upload the appx again as a PC appx if you want to do new PC deployments. To
learn more, see Appx changes in Intune in the Azure portal on the Intune Support team blog.
Administration roles being replaced in Azure portal
The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only) used
in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration controls
(RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to re-assign your
admins to these new administration roles. For more information about RBAC and the new roles, see Role-based
access control for Microsoft Intune.
What's coming
Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign-in experience for the
Intune Company Portal apps for Android, iOS, and Windows. The new user experience will automatically appear
across all platforms for the Company Portal app when Azure AD makes this change. In addition, users can now sign
in to the Company Portal from another device with a generated, single-use code. This is especially useful in cases
when users need to sign in without credentials.
You can find screenshots of the previous sign-in experience, the new sign-in experience with credentials, and the
new sign-in experience from another device on the What's new in app UI page.
Plan for change: Intune is changing the Intune Partner Portal experience
We are removing the Intune Partner page from manage.microsoft.com beginning with the service update in
mid-May 2017.
If you are a partner administrator, you will no longer be able to view and take action on behalf of your customers
from the Intune Partner page, but will instead need to sign in at one of two other partner portals at Microsoft.
Both the Microsoft Partner Center and the Microsoft 365 admin center will allow you to sign into the customer
accounts you manage. Moving forward as a partner, please use one of these sites to manage your customers.
Apple to require updates for Application Transport Security
Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is
used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers
using the iOS Company Portal apps.
We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that
enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email
[email protected] with your first name, last name, email address, and company name. Review
our Intune support blog for more details.
March 2017
New Capabilities
Support for Skycure
You can now control mobile device access to corporate resources using Conditional Access based on risk
assessment conducted by Skycure, a mobile threat defense solution that integrates with Microsoft Intune. Risk is
assessed based on telemetry collected from devices running Skycure, including:
Physical defense
Network defense
Application defense
Vulnerabilities defense
You can configure EMS Conditional Access policies based on Symantec Endpoint Protection Mobile (Skycure) risk
assessment enabled through Intune device compliance policies. You can use these policies to allow or block
noncompliant devices access to corporate resources based on detected threats. For more information, see
Symantec Endpoint Protection Mobile connector.
New user experience for the Company Portal app for Android
The Company Portal app for Android will be updating its user interface for a more modern look and feel, and better
user experience. The notable updates are:
Colors: Company Portal tab headers are colored in IT-defined branding.
Apps: In the Apps tab, the Featured Apps and All Apps buttons are updated.
Search: In the Apps tab, the Search button is a floating action button.
Navigating Apps: All Apps view shows a tabbed view of Featured, All, and Categories for easier navigation.
Support: My Devices and Contact IT tabs are updated to improve readability.
For more details about these changes, see UI updates for Intune end user apps.
Non-managed devices can access assigned apps
As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps
assigned to them as "available without enrollment" on their non-managed devices. Using their Intune credentials,
users will be able to log into the Company Portal website and see the list of apps assigned to them. The app
packages of the "available without enrollment" apps are made available for download via the Company Portal
website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to
enroll their device if they wish to install those apps.
Signing Script for Windows 10 Company Portal
If you need to download and sideload the Windows 10 Company Portal app, you can now use a script to simplify
and streamline the app-signing process for your organization. To download the script and the instructions for using
it, see Microsoft Intune Signing Script for Windows 10 Company Portal on TechNet Gallery. For more details about
this announcement, see Updating your Windows 10 Company Portal app on the Intune Support Team Blog.
Notices
Support for iOS 10.3
The iOS 10.3 release started rolling out on March 27, 2017 to iOS users. All existing Intune MDM and MAM
scenarios are compatible with the latest version of Apple's OS. We anticipate all existing Intune features currently
available for managing iOS devices will continue to work as your users upgrade their devices and apps to iOS 10.3.
There are currently no known issues to share. If you run into any issues with iOS 10.3, please feel free to reach out
to the Intune support team.
Improved support for Android users based in China
Due to the absence of the Google Play Store in China, Android devices must obtain apps from Chinese
marketplaces. The Company Portal will support this workflow by redirecting Android users in China to download
the Company Portal and Outlook apps from local app stores. This will improve the user experience when
Conditional Access policies are enabled, both for Mobile Device Management and for Mobile Application
Management. The Company Portal and Outlook apps for Android are available on the following Chinese app stores:
Baidu
Tencent
Huawei
Wandoujia
Best practice: make sure your Company Portal apps are up-to-date
In December 2016, we released an update that enabled enforcement for multi-factor authentication (MFA) on a
group of users when they enroll an iOS, Android, Windows 8.1+, or Windows Phone 8.1+ device. This feature
cannot work without certain baseline versions of the Company Portal app for Android (v5.0.3419.0+) and iOS
(v2.1.17+).
Microsoft is continuously improving Intune by adding new functions to both the console and the Company Portal
apps on all supported platforms. As a result, Microsoft only releases fixes for issues that we find in the current
version of the Company Portal app. We therefore recommend using the latest versions of the Company Portal
apps for the best user experience.
TIP
Have your users set their devices to automatically update apps from the appropriate app store. If you have made the Android
Company Portal app available on a network share, you can download the latest version from Microsoft Download Center.
February 2017
New Capabilities
Modernizing the Company Portal website
The Company Portal website will support apps that are targeted to users who do not have managed devices. The
website will align with other Microsoft products and services by using a new contrasting color scheme, dynamic
illustrations, and a "hamburger menu."
Notices
Group migration will not require any updates to groups or policies for iOS devices
For every Intune device group pre-assigned by a Corporate Device Enrollment profile, a corresponding dynamic
device group will be created in AAD based on the Corporate Device Enrollment profile's name, during the migration
to Azure Active Directory device groups. This will ensure that, as devices enroll, they will be automatically grouped
and receive the same policies and apps as the original Intune group.
Once a tenant enters the migration process for grouping and targeting, Intune will automatically create a dynamic
AAD group to correspond to an Intune group targeted by a Corporate Device Enrollment profile. If the Intune
Admin deletes the targeted Intune group, the corresponding dynamic AAD group will not be deleted. The group's
members and the dynamic query will be cleared, but the group itself will remain until the IT Admin removes it via
the AAD portal.
Similarly, if the IT Admin changes which Intune group is targeted by a Corporate Device Enrollment profile, Intune
will create a new dynamic group reflecting the new profile assignment, but will not remove the dynamic group
created for the old assignment.
Defaulting to managing Windows desktop devices through Windows settings
The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM
agent enrollment flow rather than through the PC agent. The Company Portal website will provide Windows 10
desktop users with enrollment instructions that guide them through the process of adding Windows 10 desktop
computers as mobile devices. This will not impact currently enrolled PCs, and your organization can still manage
Windows 10 desktops using the PC agent if you prefer.
Improving mobile app management support for selective wipe
End users will be given additional guidance on how to regain access to work or school data if that data is
automatically removed due to the "Offline interval before app data is wiped" policy.
Company Portal for iOS links open inside the app
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in
the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in
January.
New MDM server address for Windows devices
Windows and Windows Phone users attempting to enroll a device will fail if they enter manage.microsoft.com as
the MDM server address (if prompted). The MDM server address is changing from manage.microsoft.com to
enrollment.manage.microsoft.com. Notify your users to use enrollment.manage.microsoft.com as the MDM
server address if prompted for it while enrolling a Windows or Windows Phone device. No changes are needed
to your CNAME setup. For additional information about this change, visit aka.ms/intuneenrollsvrchange.
New user experience for the Company Portal app for Android
Beginning in March, the Company Portal app for Android will follow material design guidelines to create a more
modern look and feel. This improved user experience includes:
Colors: tab headers can be colored according to your custom color palette.
Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button is now a
floating action button.
Navigation: All Apps shows a tabbed view of Featured, All and Categories for easier navigation.
Service: My Devices and Contact IT tabs have improved readability.
You can find before and after images on the UI updates page.
Associate multiple management tools with the Microsoft Store for Business
If you are using more than one management tool to deploy Microsoft Store for Business apps, previously, you could
only associate one of these with the Microsoft Store for Business. You can now associate multiple management
tools with the store, for example, Intune and Configuration Manager. For details, see Manage apps you purchased
from the Microsoft Store for Business with Microsoft Intune.
January 2017
New Capabilities
In-console reports for MAM without enrollment
New app protection reports have been added for both enrolled devices and devices that have not been enrolled.
Find out more about how you can monitor mobile app management policies with Intune.
Android 7.1.1 support
Intune now fully supports and manages Android 7.1.1.
Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them
When users' devices lose contact with Intune, you can give them new troubleshooting steps to help them regain
access to company resources. See Devices are inactive, or the admin console cannot communicate with them.
Notices
Defaulting to managing Windows desktop devices through Windows settings
The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM
agent enrollment flow rather than through the PC agent.
The Company Portal website will provide Windows 10 desktop users with enrollment instructions that guide them
through the process of adding Windows 10 desktop computers as mobile devices. This will not impact currently
enrolled PCs, and your organization can still manage Windows 10 desktops using the PC agent if you prefer.
Improving mobile app management support for selective wipe
End users will be given additional guidance on how to regain access to work or school data if that data is
automatically removed due to the "Offline interval before app data is wiped" policy.
Company Portal for iOS links open inside the app
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in
the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in
January.
Modernizing the Company Portal website
Beginning in February, the Company Portal website will support apps that are targeted to users who do not have
managed devices. The website will align with other Microsoft products and services by using a new contrasting
color scheme, dynamic illustrations, and a "hamburger menu."
New documentation for app protection policies
We have updated our documentation for admins and app developers who want to enable app protection policies
(known as MAM policies) in their iOS and Android apps using the Intune App Wrapping Tool or Intune App SDK.
The following articles have been updated:
Decide how to prepare apps for mobile application management with Microsoft Intune
Prepare iOS apps for mobile application management with the Intune App Wrapping Tool
Get started with the Microsoft Intune App SDK
Intune App SDK for iOS developer guide
The following articles are new additions to the docs library:
Intune App SDK Cordova Plugin
Intune App SDK Xamarin Component
Progress bar when launching the Company Portal on iOS
The Company Portal for iOS is introducing a progress bar on the launch screen to provide the user with
information about the loading processes that occur. There will be a phased rollout of the progress bar to replace the
spinner. This means that some of your users will see the new progress bar while others will continue to see the
spinner.
December 2016
Public preview of Intune in the Azure portal
In early calendar year 2017, we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs. In
advance of the general availability of this portal for all Intune tenants, we're excited to announce that we will begin
rolling out a preview of this new admin experience later this month to select tenants.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, find out more about what we have in store for Microsoft
Intune in the Azure portal in our new documentation.
Telecom expense management integration in public preview of Azure portal
We are now beginning to preview integration with third-party telecom expense management (TEM) services within
the Azure portal. You can use Intune to enforce limits on domestic and roaming data usage. We are beginning these
integrations with Saaswedo. To enable this feature in your trial tenant, please contact Microsoft support.
New Capabilities
Multi-factor authentication across all platforms
You can now enforce multi-factor authentication (MFA) on a selected group of users when they enroll an iOS,
Android, Windows 8.1+, or Windows Phone 8.1+ device from the Azure Management Portal by configuring MFA on
the Microsoft Intune Enrollment application in Azure Active Directory.
Ability to restrict mobile device enrollment
Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll.
Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.
Restricting mobile device enrollment does not restrict PC client enrollment.
For iOS only, there is one additional option to block the enrollment of personally owned devices.
Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as
explained in this article.
Notices
Multi-Factor Authentication on Enrollment moving to the Azure portal
Previously, admins would go to either the Intune console or the Configuration Manager (earlier than release
October 2016) console to set MFA for Intune enrollments. With this updated feature, you will now log in to the
Microsoft Azure portal using your Intune credentials and configure MFA settings through Azure AD. Learn more
about this here.
Company Portal app for Android now available in China
We are publishing the Company Portal app for Android for download in China. Due to the absence of Google Play
Store in China, Android devices must obtain apps from Chinese app marketplaces. The Company Portal app for
Android will be available for download on the following stores:
Baidu
Huawei
Tencent
Wandoujia
The Company Portal app for Android uses Google Play Services to communicate with the Microsoft Intune service.
Since Google Play Services are not yet available in China, performing any of the following tasks can take up to 8
hours to complete.
Intune admin console           | Intune Company Portal app for Android     | Intune Company Portal website
Full wipe                      | Remove a remote device                    | Remove device (local and remote)
New or updated app deployments | Install available line-of-business apps   | Device passcode reset
Remote lock                    |                                           |
Passcode reset                 |                                           |
Deprecations
Firefox to no longer support Silverlight
Mozilla is removing support for Silverlight in version 52 of the Firefox browser, effective March 2017. As a result,
you will no longer be able to log in to the existing Intune console using Firefox versions greater than 51. We
recommend using Internet Explorer 10 or 11 to access the admin console, or a version of Firefox prior to version
52. Intune's transition to the Azure portal will allow it to support a number of modern browsers without
dependency on Silverlight.
Removal of Exchange Online mobile inbox policies
Beginning in December, admins will no longer be able to view or configure Exchange Online (EAS) mobile mailbox
policies within the Intune console. This change will roll out to all Intune tenants over December and January. All
existing policies will stay as configured; for configuring new policies, use the Exchange Management Shell. Find
out more information here.
Intune AV Player, Image Viewer, and PDF Viewer apps are no longer supported on Android
From mid-December 2016 on, users will no longer be able to use the Intune AV Player, Image Viewer, and PDF
Viewer apps. These apps have been replaced with the Azure Information Protection app. Find out more about the
Azure Information Protection app here.
November 2016
New capabilities
New Microsoft Intune Company Portal available for Windows 10 devices
Microsoft has released a new Microsoft Intune Company Portal app for Windows 10 devices. This app, which
leverages the new Windows 10 Universal format, will provide the user with an updated user experience within the
app and identical experiences across all Windows 10 devices, PC and Mobile alike, while still enabling all the same
functionality that they are using today.
The new app will also allow users to leverage additional platform features like single sign-on (SSO) and
certificate-based authentication on Windows 10 devices. The app will be made available as an upgrade to the
existing Windows 8.1 Company Portal and Windows Phone 8.1 Company Portal installs from the Microsoft Store.
For more details, go to aka.ms/intunecp_universalapp.
IMPORTANT
An Update on Intune and Android for Work: While you can deploy Android for Work apps with an action of Required,
you can only deploy apps as Available if your Intune groups have been migrated to the new Azure AD groups experience.
Intune App SDK for Cordova plugin now supports MAM without enrollment
App developers can now use the Intune App SDK for Cordova plugin to enable MAM functionality without device
enrollment in their Cordova-based apps for Android and iOS/iPadOS.
Intune App SDK Xamarin component now supports MAM without enrollment
App developers can now use the Intune App SDK Xamarin component to enable MAM functionality without device
enrollment in their Xamarin-based apps for Android and iOS/iPadOS. The Intune App SDK Xamarin component can
be found here.
Notices
Symantec signing certificate no longer requires signed Windows Phone 8 Company Portal for upload
Uploading the Symantec signing certificate will no longer require a signed Windows Phone 8 Company Portal app.
The certificate can be uploaded independently.
Deprecations
Support for the Windows Phone 8 Company Portal
Support for Windows Phone 8 Company Portal will now be deprecated. Support for the Windows Phone 8 and
WinRT platforms was deprecated in October 2016. Support for the Windows 8 Company Portal was also deprecated
in October 2016.
See also
See What's New in Microsoft Intune for details on recent developments.
Where did my Intune feature go in Azure?
9/4/2020 • 5 minutes to read
We took the opportunity to organize some tasks more logically as we moved Intune into the Azure portal. But
every improvement comes with the cost of learning the new organization. This reference guide is for those of you
who are thoroughly familiar with Intune in the classic portal and are wondering how to get something done in
Intune in the Azure portal. If this article doesn't cover a feature you're trying to find, leave a comment at the end of
the article so we can update it.
Feature                                   | Intune classic portal                                                         | Intune in the Azure portal
Device Enrollment Program (DEP) [iOS only] | Admin > Mobile Device Management > iOS > Device Enrollment Program            | Device enrollment > Apple Enrollment > Enrollment Program Token
Device Enrollment Program (DEP) [iOS only] | Admin > Mobile Device Management > iOS and Mac OS X > Device Enrollment Program | Device enrollment > Apple Enrollment > Enrollment Program Serial Numbers
Enrollment Rules                          | Admin > Mobile Device Management > Enrollment Rules                           | Device enrollment > Enrollment Restrictions
Groups by iOS Serial Number               | Groups > All Devices > Corporate Pre-enrolled devices > By iOS Serial Number  | Device enrollment > Apple Enrollment > Enrollment Program Serial Numbers
Groups by iOS Serial Number               | Groups > All Devices > Corporate Pre-enrolled devices > By iOS Serial Number  | Device enrollment > Apple Enrollment > AC Serial numbers
Groups by IMEI (all platforms)            | Groups > All Devices > Corporate Pre-enrolled devices > By IMEI (All platforms) | Device enrollment > Corporate Device Identifiers
Corporate Device Enrollment profile       | Policy > Corporate Device Enrollment                                          | Device enrollment > Apple Enrollment > Enrollment Program Profiles
Corporate Device Enrollment profile       | Policy > Corporate Device Enrollment                                          | Device enrollment > Apple Enrollment > AC Profiles
Android for Work                          | Admin > Mobile Device Management > Android for Work                           | Device enrollment > Android enrollment
Terms and Conditions                      | Policy > Terms and Conditions                                                 | Device enrollment > Terms and Conditions
Company Portal settings                   | Admin > Company Portal                                                        | Manage > Mobile apps > Setup > Company Portal branding
These rules applied to all users in your Intune account without exception. In the Azure portal, these rules now
appear in two distinct policy types: Device Type Restrictions and Device Limit Restrictions.
The default Device Limit Restriction corresponds to the Device Enrollment Limit in the classic portal.
The default Device Type Restriction corresponds to the Platform Restrictions in the classic portal.
The ability to allow or block personally owned devices is now managed under the Device Type Restriction's Platform
Configurations.
In the Azure portal, you set up Apple Device Enrollment Program with the same steps as in Intune classic:
However, the Sync option in the classic portal has been moved to the serial number management workflow, since
the results of a manual sync appear there:
Where did corporate pre-enrolled devices go?
By iOS serial number
In the classic portal, you can enroll iOS devices through the Apple Device Enrollment Program (DEP) and the Apple
Configurator tool. Both methods offer device pre-enrollment by serial number and involve the assignment of
special Corporate Device Enrollment profiles. Prior to enrollment, the enrollment profile assignment can be
managed through the Corporate Pre-enrolled Device by iOS Serial Number device group:
This lists serial numbers for both Apple DEP and Configurator enrollment in a single list. To reduce profile
assignment mis-match (DEP profile to AC serial number and vice-versa), we have separated the serial numbers into
two lists in the Azure portal:
DEP serial numbers
Apple Configurator serial numbers
Intune in the Azure portal is future-proofed to support other types of identifiers besides IMEI, but currently only
allows IMEI numbers for pre-listing.
This list shows profiles enabled for use with the Apple Device Enrollment Program (DEP On) and profiles only
enabled for use with the Apple Configurator tool (DEP Off).
To reduce confusion between the two profile types and potential mis-matched assignments (DEP profile to
Configurator devices and vice-versa), we have separated creation and management of Enrollment Program profiles
(supporting both Apple's Device Enrollment Program and Apple School Manager) and Apple Configurator profiles:
DEP profiles
We've heard your feedback and have made changes to how you work with groups in Microsoft Intune. If you are
using Intune from the Azure portal, your Intune groups have been migrated to Azure Active Directory security
groups.
The benefit to you is that you now use the same groups experience across all of your Enterprise Mobility +
Security, and Azure AD apps. Additionally, you can use PowerShell and Graph API to extend and customize this new
functionality.
Azure AD security groups support all types of Intune deployments to both users and devices. Additionally, you can
use Azure AD dynamic groups that automatically update based on the attributes you supply. For example, you
could create a group of devices that run iOS 9. Whenever a device running iOS 9 enrolls, the device automatically
appears in the dynamic group.
Group in Intune | Group in Azure AD
Dynamic user group | Static Azure AD security groups with an Azure AD security group hierarchy
A group with an include condition | Static Azure AD security group containing any static or dynamic members from the include condition in Intune
Group hierarchy
In the Intune console, all groups had a parent group. Groups could only contain members of their parent group. In
Azure AD, child groups can contain members not in their parent group.
Group attributes
Attributes are device properties that may be used in defining groups. This table describes how those criteria
migrate to Azure AD security groups.
Attribute in Intune | Attribute in Azure AD
Organizational Unit (OU) attribute for device groups | OU attribute for dynamic groups.
Domain name attribute for device groups | Domain Name attribute for dynamic groups.
Security group as an attribute for user groups | Groups cannot be attributes in Azure AD dynamic queries. Dynamic groups can only contain user or device-specific attributes.
Manager attribute for user groups | Advanced Rule for manager attribute in dynamic groups
All users from the parent user group | Static group with that group as a member
All mobile devices from the parent device group | Static group with that group as a member
All mobile devices managed by Intune | Management Type attribute with 'MDM' as value for dynamic group
Nested groups within static groups | Nested groups within static groups
Nested groups within dynamic groups | Dynamic group with one level of nesting
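Two of the migrated group types above (the "all mobile devices managed by Intune" row and the iOS 9 example from the text) expressed as Azure AD dynamic device groups. This is an added PowerShell example, not Microsoft's own code; it assumes the AzureAD module is installed and Connect-AzureAD has already been run, and the group display names are placeholders.

```powershell
# Added example (not Microsoft's code). Assumes the AzureAD PowerShell module and an
# existing Connect-AzureAD session with permission to create groups.
function New-IntuneDynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # MailNickname is required and must be unique; derive a safe value from the display name
    $nick = ($DisplayName -replace '[^A-Za-z0-9]', '').ToLower()
    New-AzureADMSGroup -DisplayName $DisplayName -MailNickname $nick `
        -MailEnabled $false -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

# "All mobile devices managed by Intune": Management Type attribute with 'MDM' as value
$mdmRule  = '(device.managementType -eq "MDM")'
# The iOS 9 example from the text: OS type plus a version prefix, so 9.x devices join as they enroll
$ios9Rule = '(device.deviceOSType -eq "iOS") and (device.deviceOSVersion -startsWith "9.")'

$mdmGroup  = New-IntuneDynamicDeviceGroup -DisplayName 'Intune MDM devices' -MembershipRule $mdmRule   # placeholder name
$ios9Group = New-IntuneDynamicDeviceGroup -DisplayName 'iOS 9 devices'      -MembershipRule $ios9Rule  # placeholder name

# Membership is evaluated asynchronously by Azure AD; counts may be zero right after creation
foreach ($g in $mdmGroup, $ios9Group) {
    $members = Get-AzureADGroupMember -ObjectId $g.Id -All $true
    '{0}: rule [{1}] processing={2}, {3} member(s) so far' -f $g.DisplayName, $g.MembershipRule,
        $g.MembershipRuleProcessingState, @($members).Count
}
```

Re-run the final loop after a few minutes to see the evaluated membership; a group whose rule references a property Azure AD does not know will show a processing error in the portal rather than silently staying empty.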
NOTE
Intune doesn't currently support configuring the Classroom app. This article is only applicable for users with existing
iOS/iPadOS education profiles in Intune.
Introduction
Classroom is an app that helps teachers to guide learning, and control student devices in the classroom. For
example, the app enables teachers to:
Open apps on student devices
Lock, and unlock the iPad screen
View the screen of a student iPad
Navigate students' iPads to a bookmark or chapter in a book
Display the screen from a student iPad on an Apple TV
To set up Classroom on your device, you will need to create and configure an Intune iOS/iPadOS education device
profile.
IMPORTANT
The teacher and student certificates you use must be issued by different certification authorities (CAs). You must create two
new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.
iOS education profiles support only PFX certificates. SCEP certificates are not supported.
Created certificates must support server authentication and user authentication.
Configure teacher certificates
On the Education pane, choose Teacher certificates.
Configure teacher root certificate
Under Teacher root certificate, choose the browse button. Select the root certificate with either:
Extension .cer (DER, or Base64 encoded)
Extension .P7B (with or without full chain)
Configure teacher PKCS#12 certificate
Under Teacher PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes common names for teacher certificates with leader.
Common names for Student certificates are prefixed with member.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you're finished configuring certificates, choose OK.
Configure student certificates
1. On the Education pane, choose Student certificates.
2. On the Student certificates pane, from the Student device certificates type list, choose 1:1.
Configure student root certificate
Under Student root certificate, choose the browse button. Select the root certificate with either:
Extension .cer (DER, or Base64 encoded)
Extension .P7B (with or without full chain)
Configure student PKCS#12 certificate
Under Student PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes common names for teacher certificates with leader.
Common names for Student certificates are prefixed with member.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you're finished configuring certificates, choose OK.
Finish up
1. On the Education pane, choose OK.
2. On the Create profile pane, choose Create .
The profile is created and appears on the profiles list pane.
Assign the profile to student devices in the classroom groups that were created when you synchronized your
school data with Azure AD (see How to assign device profiles).
Next steps
Now when teachers use the Classroom app, they'll have full control over student devices.
For more information about the Classroom app, see Classroom help, on the Apple web site.
If you want to configure shared iPad devices for students, see How to configure Intune education settings for
shared iPad devices.
Configure Intune education settings for shared iPad
devices
9/4/2020 • 7 minutes to read
NOTE
Intune doesn't currently support configuring the Classroom app. This article is only applicable for users with existing
iOS/iPadOS education profiles in Intune.
Intune supports the iOS/iPadOS Classroom app that helps teachers to guide learning, and control student devices
in the classroom. In addition to the Classroom app, Apple supports configuring student iPad devices so that
multiple students can share a single device. This document guides you to achieve this goal with Intune.
For information about configuring dedicated (1:1) iPad devices to use the Classroom app, see How to configure
Intune settings for the iOS/iPadOS Classroom app.
IMPORTANT
The teacher and student certificates you use must be issued by different certificate authorities (CAs). You must create two
new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.
iOS education profiles support only PFX certificates. SCEP certificates are not supported.
Certificates you create must support server authentication in addition to user authentication.
Configure teacher certificates
On the Education pane, choose Teacher certificates.
Configure teacher root certificate
Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure teacher PKCS#12 certificate
Under Teacher PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the
teacher certificate, and member, for the student certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you have finished configuring teacher certificates, choose OK.
Configure student certificates
1. On the Education pane, choose Student certificates.
2. On the Student certificates pane, from the Student device certificates type list, choose Shared iPad.
Configure student root certificate
Under Device root certificate, choose the browse button to select the student root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure device PKCS#12 certificate
Under Student PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher
certificate, and member, for the device certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you are finished configuring certificates, choose OK.
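The IMPORTANT boxes in both the 1:1 Classroom section and this Shared iPad section impose constraints the portal does not check for you: teacher and student certificates must come from different subordinate CAs, issued certificates must carry both server and user (client) authentication, and a certificate's validity may not outlive the issuing CA certificate. The following PowerShell is an added example, not Microsoft's code; it assumes you have the .cer/.p7b files you would upload as the teacher and student root certificates plus one certificate issued from each template (for instance exported from the issuing CA), and every file path is a placeholder.

```powershell
# Added example (not Microsoft's code): pre-flight the certificate material behind an
# iOS/iPadOS education profile. Works in Windows PowerShell 5.1 and PowerShell 7.
using namespace System.Security.Cryptography.X509Certificates

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (the "user authentication" the profile needs)

function Import-CertificateFile {
    # Accepts .cer (DER or Base64) and .p7b (with or without the full chain), as the portal does
    param([Parameter(Mandatory)] [string] $Path)
    $collection = [X509Certificate2Collection]::new()
    $collection.Import($Path)
    return ,$collection
}

function Get-IssuingCa {
    # Builds a chain for $Leaf using the uploaded CA file as extra trust material and returns the
    # certificate that directly issued it, or $null if the leaf does not chain through that file.
    param([X509Certificate2] $Leaf, [X509Certificate2Collection] $CaFile)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.ExtraStore.AddRange($CaFile)
    if (-not $chain.Build($Leaf) -or $chain.ChainElements.Count -lt 2) { return $null }
    $uploaded = @($CaFile | ForEach-Object { $_.Thumbprint })
    $anchored = @($chain.ChainElements | Where-Object { $uploaded -contains $_.Certificate.Thumbprint })
    if ($anchored.Count -eq 0) { return $null }   # chain was satisfied by the local store, not by the upload
    return $chain.ChainElements[1].Certificate
}

function Test-EducationCertificates {
    param(
        [Parameter(Mandatory)] [string] $TeacherRootPath,    # file uploaded as "Teacher root certificate"
        [Parameter(Mandatory)] [string] $StudentRootPath,    # file uploaded as "Student root certificate"
        [Parameter(Mandatory)] [string] $TeacherSamplePath,  # a certificate issued from the teacher template
        [Parameter(Mandatory)] [string] $StudentSamplePath   # a certificate issued from the student template
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $roots   = @{ Teacher = (Import-CertificateFile $TeacherRootPath); Student = (Import-CertificateFile $StudentRootPath) }
    $samples = @{ Teacher = [X509Certificate2]::new($TeacherSamplePath); Student = [X509Certificate2]::new($StudentSamplePath) }
    $issuers = @{}

    foreach ($role in 'Teacher', 'Student') {
        $leaf = $samples[$role]
        $uploaded = $roots[$role]

        # Everything in the uploaded file must be a CA certificate (Basic Constraints CA=true)
        foreach ($c in $uploaded) {
            $bc = $c.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
            if (-not $bc -or -not $bc.CertificateAuthority) { $problems.Add("$role root file: '$($c.Subject)' is not a CA certificate") }
        }

        # The issued certificate must chain to the uploaded CA material
        $issuer = Get-IssuingCa -Leaf $leaf -CaFile $uploaded
        if (-not $issuer) { $problems.Add("$role sample does not chain to the uploaded $role root file"); continue }
        $issuers[$role] = $issuer

        # Both EKUs the profile requires must be present on the issued certificate
        $eku  = $leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
        foreach ($required in $ServerAuthOid, $ClientAuthOid) {
            if ($oids -notcontains $required) { $problems.Add("$role sample lacks EKU $required") }
        }

        # Validity must not exceed the remaining validity of the issuing CA certificate
        if ($leaf.NotAfter -gt $issuer.NotAfter) {
            $problems.Add("$role sample expires $($leaf.NotAfter), after its issuing CA ($($issuer.NotAfter))")
        }
    }

    # Teacher and student certificates must be issued by different CAs
    if ($issuers.Count -eq 2 -and $issuers.Teacher.Thumbprint -eq $issuers.Student.Thumbprint) {
        $problems.Add("teacher and student certificates share the issuing CA '$($issuers.Teacher.Subject)'")
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Placeholder paths; point these at your own exported files
Test-EducationCertificates -TeacherRootPath 'C:\certs\teacher-ca.p7b' -StudentRootPath 'C:\certs\student-ca.p7b' `
    -TeacherSamplePath 'C:\certs\teacher-sample.cer' -StudentSamplePath 'C:\certs\student-sample.cer'
```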
Complete Certificate Setup
1. On the Education pane, choose OK .
2. On the Create profile pane, choose Create .
The profile is created and appears on the profiles list pane.
Next Steps
Students can now share devices: any student can pick up any iPad in a classroom, log in with a PIN, and have it
personalized with their content. For more information about Shared iPads, see the Apple website.
Intune on Azure console and legacy Intune PC client
4/22/2020 • 2 minutes to read
Intune uses an Azure-based SaaS application service architecture. Azure provides significant improvements in scale,
capacity, and performance. This offers enhanced Intune admin experiences and optimized workflows in the Azure
portal.
When using Intune on Azure to manage your organization's Windows devices, consider the following points:
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
Learn more
The Intune PC Client management workflows use the Silverlight-based Intune Admin Console, which has the
following consequences:
For all non-grouping management tasks using the Intune PC Client, you must use the Silverlight console.
When managing groups, you must use the Intune on Azure portal. This requirement exists because Intune now
uses Azure AD Groups instead of legacy Intune Groups.
Because of the switch to Azure AD Groups, "group-based" filtering in the Silverlight console dashboard views has
changed slightly. To filter in the updated Silverlight UI, follow these steps:
1. Select a view.
2. In the Filters box, enter the name of the group that you want to filter by and press Enter. This filters the
list view to the devices in that particular group.
Continue to manage Windows 7 by using Intune PC Client
For Windows 7, which can't be managed by using MDM, we will continue to support existing Intune PC Client
capabilities in the Silverlight console only. Consider migrating to MDM management when you upgrade to
Windows 10.
MDM Capabilities
For a detailed comparison between PC Client and MDM capabilities, see Compare managing Windows PCs as
computers or mobile devices. MDM updates will continue to bring new management capabilities to MDM-enrolled
Windows 10 devices, including evaluating options for Win32 apps. View the What's New for the latest release
additions to the service.
Next steps
Enroll Windows devices
Manage Windows PCs as computers via Intune
software client
9/4/2020 • 6 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
WARNING
Microsoft announced that Windows 7 support ends on January 14, 2020. On this date, Intune also retires support for
devices running Windows 7. Microsoft strongly recommends that you move to Windows 10 to prevent any service or
support disruptions.
For more information, see Plan for Change blog post.
NOTE
You can use Microsoft Intune to manage Windows PCs either as mobile devices with mobile device management (MDM) or
as computers with the Intune software client as described below. However, Microsoft recommends that customers use the
MDM management solution whenever possible. For more information, see Compare managing Windows PCs as computers
or mobile devices.
Intune provides a comprehensive solution for organizations to manage mobile devices. Intune can manage
Windows PCs as mobile devices using the modern device management capabilities built in to the Windows 10
operating system. To meet your organization's management needs, Intune can also manage Windows PCs as
computers with the Intune software client. This management method uses traditional computer management
capabilities in the legacy Windows operating system.
The Intune software client is best suited for Windows PCs running legacy operating systems such as Windows 7
which cannot be managed as mobile devices. The Intune software client uses management capabilities like Group
Policy to manage PCs from the cloud.
Intune supports management of Windows PCs as computers using the software client for up to 7,000 PCs. For
larger deployments, manage Windows 10 PCs as mobile devices. Each release of Intune and update of Windows
10 includes management features based on the mobile device management architecture. We strongly
recommend that you move your organization to Windows 10 managed as mobile devices.
NOTE
You can manage Windows 8.1 and later devices either as PCs by using the Intune client software or as mobile devices. You
cannot use both methods on the same device. Carefully consider before deciding to manage PCs with the Intune client
software. This topic applies only to managing devices as PCs by running the Intune client software.
Requirements for Intune PC client management
Hardware :
The following are minimum hardware requirements for installing the Intune client software:
Requirement | More information
Processor and Memory | Refer to the processor and RAM requirements for the PC's operating system.
Disk space | 200 MB available disk space before the client software is installed.
Software :
The following are software requirements for installing the client software:
Requirement | More information
Operating system | Windows device running Windows 7 SP1 and Windows 8.1 or later. Home edition versions are not supported.
Administrative permissions | The account that installs the client software must have local administrator permissions on that device.
Windows Installer 3.1 | The PC must have, at a minimum, Windows Installer 3.1.
Remove incompatible client software | Before you install the Intune client software, uninstall any Configuration Manager, Operations Manager, and Service Manager client software from that PC.
When deploying apps, you can use only the Windows Installer (.exe, .msi).
Common tasks for Windows PCs
You can use the Intune admin console to perform other common computer management tasks on Windows PCs
that have the client installed:
Use policies to simplify PC management - Describes Intune's Computer Management policies and lists
the settings for the Microsoft Intune Center.
View hardware and software inventory for Windows PCs - Explains how to create a report that lists
information about the hardware capabilities of PCs and the software installed on them. Also explains how
to refresh PC inventory to ensure that it is current.
Retire a Windows PC - Lists the steps for retiring a Windows PC and describes what happens when you
retire a PC.
Manage user-device linking for Windows PCs - Explains when and how you need to link a user to a PC
before you deploy software to the user.
Request and provide remote assistance for Windows PCs - Explains how Intune PC users get remote
assistance help from you and describes prerequisites and TeamViewer setup.
For more information about the above tasks, see common computer management tasks.
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
Organizations can use Microsoft Intune to manage Windows PCs either as mobile devices with mobile device
management (MDM) or as computers with the Intune software client. Microsoft recommends that customers use
the MDM management solution whenever possible. To help you better understand the differences between these
options, however, the following chart compares the two management options.
Capability / scenario | Windows as computer: Intune software client | Windows as mobile device: MDM
Software update management (Keep Windows PCs up-to-date with software updates) | Windows Updates and Microsoft app updates | Microsoft Store for Business for both Windows 10 and Microsoft apps updates; Configure Windows Update for Business settings
Software license management (Manage license agreements for Windows PC software) | Available | Microsoft Store for Business (.appx apps only); Manage apps purchased from the Microsoft Store for Business
App deployment (Add apps for Windows PCs that run the Intune software client) | Not available for Microsoft Store for Business; .exe, .appx, and multi-file .msi only | Available for Microsoft Store apps and line-of-business apps; How to add Windows store apps; How to add Windows line-of-business (LOB) apps
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
NOTE
You can use Microsoft Intune to manage Windows PCs either as mobile devices with mobile device management (MDM) or
as computers with the Intune software client as described below. However, Microsoft recommends that customers use the
MDM management solution whenever possible. For more information, see Compare managing Windows PCs as computers
or mobile devices.
Windows PCs can be enrolled by installing the Intune client software. The Intune client software can be installed by
using the following methods:
By the IT admin, using one of these methods: manual installation, Group Policy, or installation included in a
disk image
By end users, who manually install the client software
The Intune client software contains the minimum software necessary to enroll the PC in Intune management. After
a PC has been enrolled, the Intune client software then downloads the full client software required for PC
management.
This series of downloads reduces the impact on the network's bandwidth and minimizes the time required to
initially enroll the PC in Intune. It also ensures that the client has the most recent software available after the
second download has finished.
One Intune license allows the installation of the Intune client software on up to five PCs.
IMPORTANT
Do not rename or remove the ACCOUNTCERT file that is extracted, or the client software installation will fail.
NOTE
The status of the installation is displayed when you hover over the icon in the taskbar on the client PC.
3. Add the following command to setupcomplete.cmd to run the enrollment package with the
/PrepareEnroll command-line argument:
%systemdrive%\temp\Microsoft_Intune_Setup\Microsoft_Intune_Setup.exe /PrepareEnroll
TIP
The SetupComplete.cmd script enables Windows Setup to make modifications to the system before a user signs
on. The /PrepareEnroll command-line argument prepares a targeted computer to be automatically enrolled in
Intune after Windows Setup finishes.
The following screenshots show what users see as they enroll their devices using the software client.
Users are first prompted to identify or to enroll their device.
To have your users install the PC client software, you'll need to tell them to select the Click here to download it
link, which enables users to download the PC client software and takes them through the installation process. The
Find out how to enroll button takes users to documentation about how to enroll using MDM enrollment, which
is not relevant to these software client instructions.
When users click the link, they see a Download Software button, which they select to start the PC client software
installation.
Users are then asked to sign in with their corporate credentials.
TIP
Click any column heading in the report to sort the list by the contents of that column.
Method 2: Note that all of these agents are installed on every SKU of Windows:
wmic product where name="Microsoft Endpoint Protection Management Components" call uninstall
wmic product where name="Microsoft Intune Notification Service" call uninstall
wmic product where name="System Center 2012 - Operations Manager Agent" call uninstall
wmic product where name="Microsoft Online Management Policy Agent" call uninstall
wmic product where name="Microsoft Policy Platform" call uninstall
wmic product where name="Microsoft Security Client" call uninstall
wmic product where name="Microsoft Online Management Client" call uninstall
wmic product where name="Microsoft Online Management Client Service" call uninstall
wmic product where name="Microsoft Easy Assist v2" call uninstall
wmic product where name="Microsoft Intune Monitoring Agent" call uninstall
wmic product where name="Windows Intune Endpoint Protection Agent" call uninstall
wmic product where name="Windows Firewall Configuration Provider" call uninstall
wmic product where name="Microsoft Intune Center" call uninstall
wmic product where name="Microsoft Online Management Update Manager" call uninstall
wmic product where name="Microsoft Online Management Agent Installer" call uninstall
wmic product where name="Microsoft Intune" call uninstall
wmic product where name="Windows Endpoint Protection Management Components" call uninstall
wmic product where name="Windows Intune Notification Service" call uninstall
wmic product where name="System Center 2012 - Operations Manager Agent" call uninstall
wmic product where name="Windows Online Management Policy Agent" call uninstall
wmic product where name="Windows Policy Platform" call uninstall
wmic product where name="Windows Security Client" call uninstall
wmic product where name="Windows Online Management Client" call uninstall
wmic product where name="Windows Online Management Client Service" call uninstall
wmic product where name="Windows Easy Assist v2" call uninstall
wmic product where name="Windows Intune Monitoring Agent" call uninstall
wmic product where name="Windows Intune Endpoint Protection Agent" call uninstall
wmic product where name="Windows Firewall Configuration Provider" call uninstall
wmic product where name="Windows Intune Center" call uninstall
wmic product where name="Windows Online Management Update Manager" call uninstall
wmic product where name="Windows Online Management Agent Installer" call uninstall
wmic product where name="Windows Intune" call uninstall
TIP
Client unenrollment will leave a stale server-side record for the affected client. The unenrollment process is asynchronous,
and there are nine agents to uninstall, so it may take up to 30 minutes to complete.
rd /s /q %ProgramFiles%\Microsoft\OnlineManagement
Next steps
Common Windows PC management tasks with the Intune software client
Common Windows PC management tasks with the
Intune software client
3/9/2020 • 2 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
This topic lists tasks you can do to manage desktops that you manage as PCs by installing the Intune software
client. This topic does not cover managing PCs as mobile devices. If you have not yet installed the client on your
PCs, see Install the Intune software client.
Use policies to simplify PC management - Describes Intune's Computer Management policies and lists
the settings for the Microsoft Intune Center.
View hardware and software inventory for Windows PCs - Explains how to create a report that lists
information about the hardware capabilities of PCs and the software installed on them. Also explains how
to refresh PC inventory to ensure that it is current.
Retire a Windows PC - Lists the steps for retiring a Windows PC and describes what happens when you
retire a PC.
Manage user-device linking for Windows PCs - Explains when and how you need to link a user to a PC
before you deploy software to the user.
Request and provide remote assistance for Windows PCs - Explains how Intune PC users get remote
assistance help from you and describes prerequisites and TeamViewer setup.
Use policies to simplify Windows PC management
3/9/2020 • 2 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
Learn more
To manage Windows desktops as PCs, by running the Intune software client on them, you can use only the policies
that are under Computer Management policies in the Intune admin console. All of the other policies listed in the
admin console are for mobile devices only. Using the Computer Management policies, you can configure the
settings in the Microsoft Intune Center, control updates to PCs, and configure Windows Firewall for PCs.
Phone number | The telephone number of the administrator who manages the computer. Maximum length: 20 characters
Email address | The email address of the administrator who manages the computer. Maximum length: 40 characters
Web site name | The name of your support website for users. Maximum length: 40 characters
See the following resources for information about policies and settings that you can configure for Windows PCs:
Keep Windows PCs up-to-date with software updates in Microsoft Intune - These policies make managed
computers check for, and download software updates from, Microsoft and from third parties. These updates
do not include OS upgrades (e.g., upgrading from Windows 7 to Windows 10, or upgrades from one
Windows 10 version to a later version).
Help secure Windows PCs with Endpoint Protection for Microsoft Intune - These settings include scan
schedules and actions to take when malware is detected.
Help protect Windows PCs using Windows Firewall policies in Microsoft Intune - These policies simplify the
administration of Windows Firewall settings on managed computers.
See also
Common Windows PC management tasks with the Intune software client
View hardware and software inventory for Windows
PCs
3/9/2020 • 2 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
NOTE
The information in this topic applies only to Windows desktops that you are managing as PCs by using the Intune software
client. If you want to view inventory for Windows PCs enrolled as mobile devices, see View device details in Intune.
Intune collects detailed information about the hardware and software for desktops you manage as PCs by using
the Intune software client. Use the information in the following procedures to learn how to create:
A report that lists information about the hardware capabilities of PCs you manage.
A report that lists the software installed on each PC.
How to refresh a PC's inventory to ensure that the data in the report is current.
See also
Common Windows PC management tasks with the Intune software client
Retire a Windows PC
3/9/2020 • 2 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
Learn more
Use the following steps to retire desktops that you are managing as PCs by running the Intune software client on
them. Retiring a PC removes it from Intune management. You cannot wipe a PC from Intune to set it back to its
original factory settings.
1. In the Microsoft Intune administration console, choose Groups > All Devices (or another group that
contains the PC you want to retire).
2. Select the devices you want to retire, and then choose Retire/Wipe .
To re-enroll a PC into Intune, reinstall the software client on the PC using guidance in Install the Windows PC client
with Microsoft Intune.
If a PC cannot connect to Intune, a message is displayed in the Dashboard workspace.
When you retire a PC:
It is removed from the Intune management and inventory, and the license associated with the PC is made
available for re-use. Retire/Wipe removes the Intune software client but does not remove apps or data from
the PC. This retirement does not perform a full wipe on the PC.
Its status no longer displays in the Intune console.
Intune removes the software client from the PC. If the PC is not connected to the Intune service, the software
client will be removed next time it connects.
Microsoft Intune Endpoint Protection is removed from the PC. If the PC has another endpoint application
installed and it is disabled, that application can be re-enabled after Microsoft Intune Endpoint Protection is
removed to ensure that your PCs are protected.
Any policies are removed from the PC and the values that were set by the policy will be changed.
The PC no longer receives software updates or malware definition updates from the Intune service.
Depending on how they are configured, retired PCs can continue to receive updates by using Windows
Server Update Services, Windows Update, or Microsoft Update.
IMPORTANT
If the client software was installed by using a Group Policy Object (GPO), you must remove the Group Policy Object
(GPO) before you can remove the client software to prevent the software from being reinstalled.
If the Endpoint Protection client fails to uninstall, read Troubleshoot Endpoint Protection for more help.
See also
Common Windows PC management tasks with the Intune software client
Manage user-device linking for Windows PCs
4/22/2020 • 2 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
Learn more
The information in this topic applies only to Windows desktops that you are managing as PCs by using the Intune
software client.
Before you can deploy software to a user, you must link the user to a PC. You can link a user to multiple PCs, but
each PC can be linked to only one user. Users are automatically linked to any PCs that they enroll in Intune by using
the company portal.
For more information about a device's primary user, see Find primary user.
To link a user to a PC:
1. In the Microsoft Intune administration console, choose Groups > All Devices (or another group that
contains the PC you want to link to a user).
2. Select the PC that you want to link to a user, and then choose Link User.
The Link User dialog box displays a list of available users with their display name, user ID, and the number of PCs to which each user is currently linked. If a user is already linked to the selected PC, that user's name and user ID are displayed under Current user. If the PC is not linked to any user, No User appears under Current User.
3. Do one of the following:
To leave the PC linked to its current user, if there is one, choose Cancel.
To remove the link to the current user, if there is one, choose Remove link > OK.
To link the PC to a new user, in the All users list, select a user. Confirm that the user data is correct, and then choose OK.
TIP
If you want to restrict end users' ability to link themselves to PCs, enable the option Restrict users' ability to link themselves to PCs in the Microsoft Intune Agent Settings policy.
See also
Common Windows PC management tasks with the Intune software client
Request and provide remote assistance for Windows PCs
3/9/2020 • 3 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
The information in this topic applies only to Windows desktops that you are managing as PCs by using the Intune
software client.
Intune can use the TeamViewer software, purchased separately, to enable you to give remote assistance to your
users who are running the Intune software client. When a user requests help from the Microsoft Intune Center, you
are informed by an alert, can accept the request, and then provide assistance. This functionality replaces the
existing Windows Remote Assistance functionality in Intune.
If a request goes unanswered for more than 4 hours, it is removed.
2. To accept the request, choose Approve request and launch Remote Assistance.
3. In the A New Remote Assistance Request is Pending dialog box, choose Accept the remote assistance request. If it's not already installed, TeamViewer will install any necessary apps on your PC.
4. TeamViewer then notifies the end user that you want to take control of their PC. After the user has accepted the request, the TeamViewer window opens, and you can control the PC.
While in a remote assistance session, you can use all available TeamViewer commands to control the remote PC.
For help with these commands, download the Manual for remote control from the TeamViewer website.
See also
Common Windows PC management tasks with the Intune software client
Use policies to help protect Windows PCs that run the Intune client software
3/9/2020 • 2 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
Microsoft Intune offers three policies that you can use to help ensure the security of Windows PCs that the Intune
client software manages.
Software updates
Intune makes it easy for you to keep Windows PCs that you manage up-to-date by informing you when important
software updates from Microsoft and other companies are available. You can then approve or decline these
updates. Approved updates will automatically be installed on all applicable PCs.
Windows Firewall
The Windows Firewall helps keep hackers, malware, and other threats away from Windows PCs. With Intune, you can manage settings and features for the Windows Firewall on all PCs that you manage.
Endpoint Protection
As an IT admin, one of your top priorities is to keep the Windows PCs that you manage free of malware and viruses. Intune integrates with Endpoint Protection to provide real-time protection against malware threats, keep malware definitions up to date, and automatically scan computers. Endpoint Protection also provides tools that help you to manage and monitor malware attacks.
See also
Common questions, issues and resolutions with device policies and profiles
Keep Windows PCs up-to-date with software updates in Microsoft Intune
3/9/2020 • 14 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
NOTE
The information in this topic applies only to Windows desktops that you are managing as PCs by using the Intune software
client. If you want to manage updates for Windows PCs enrolled as mobile devices, see Manage software updates in Intune.
Microsoft Intune can help you to secure your managed computers in a number of ways, including the
management of software updates that keep your computers up-to-date by ensuring the latest patches and
software updates are quickly installed.
If you have not yet installed the Intune client on your computers, see Install the Windows PC client with Microsoft
Intune.
When new updates are available from Microsoft Update, or you have created a third-party update, and they are applicable to your managed computers, a notification is displayed on the Overview page of the Updates workspace. After you choose this notification link, you can then perform various operations like viewing more information about the update, approving or declining the update, and viewing the computers that will install the update if it is approved.
IMPORTANT
The Updates workspace is not displayed in the administrator console until you have installed the client on, and are
successfully managing at least one computer client.
As updates are approved and installed, you can examine the success or failure of the installation in the Updates
workspace of the Intune console.
The following sections will help you to keep software up-to-date on your managed computers.
POLICY SETTING: DETAILS
Update and application detection frequency (hours): Specifies how frequently (from 8-22 hours) Intune checks for new updates and applications.
Automated or prompted installation of updates and applications: Specifies whether updates are installed automatically or whether the user is prompted before installation. Additionally, this setting lets you schedule the installation of updates and applications.
Recommended values:
Allow immediate installation of updates that do not interrupt Windows: Allow installs updates immediately after they are downloaded, except for updates that would interrupt or restart Windows. Those updates are installed according to the configuration of the Automated or prompted installation of updates setting.
Delay to restart Windows after installation of scheduled updates and applications (minutes): Specifies (from 1-30 minutes) the time to wait to restart Windows after the installation of scheduled updates and applications.
Delay following Windows restart to begin installing missed scheduled updates and applications (minutes): Specifies (from 1-60 minutes) how long to wait to start the installation of updates and applications after Windows is restarted when a scheduled update was missed.
Allow logged-on user to control Windows restart after installation of scheduled updates and applications: Specifies whether the logged-on user can delay restarting Windows (if set to Yes), or be notified of the automatic Windows restart (if set to No). If no user is logged on when the scheduled installation of updates and applications is completed, Windows is restarted automatically when required. When set to No, by default, the time before Windows restarts is set to 5 minutes.
Prompt user to restart Windows during Intune client agent mandatory updates: Specifies whether the logged-on user is prompted to restart Windows when an Intune client mandatory update requires Windows to restart.
Microsoft Intune client agent mandatory updates installation schedule: Schedules when the installation of client updates occurs.
Recommended value: not configured
Delay between prompts to restart Windows after installation of scheduled updates and applications (minutes): Specifies how frequently (from 1-1440 minutes) the user is prompted to restart Windows when a scheduled update or application that requires restarting Windows is installed, and the user delays the restart.
3. In the Update Classification list, select the classes of update that you want to make available to managed
computers. Again, the most common options are selected by default.
4. Choose Save to store your selections.
To configure automatic approval rules for software updates
1. In the Microsoft Intune administration console, choose Admin > Updates.
2. In the Automatic Approval Rules section of the Server Settings: Updates page, choose New.
3. On the General page of the Create Automatic Approval Rule Wizard, specify a name and optional
description for the rule.
4. On the Product Categories page, select any products for which you want to have updates approved
automatically.
5. On the Update Classifications page, specify the update classifications that you want to have approved
automatically.
6. On the Deployment page, do the following:
Select the computer groups to which you want to deploy the new rule, and then choose Add.
To specify an installation deadline for the updates, select the Enforce an installation deadline for
these updates check box, and then on the Installation deadline list, select the installation
deadline.
NOTE
If you specify an installation deadline, the managed computer might require one or more restarts after the
deadline interval has passed.
NOTE
When you create an automatic approval rule, it only approves future updates; it does not automatically approve updates that already exist in Intune. To approve those updates, you need to run the automatic approval rule.
NOTE
Deleting a rule does not affect previous updates that were approved by the deleted rule.
NOTE
If the update setup file that you specified is a Windows Installer or .msp file, the Detection rules page of the wizard
does not appear. This is because Windows Installer and .msp files contain their own instructions for detecting
previous update installations.
Select one or more of the following rules to determine whether the update is already installed on managed computers:
File exists
MSI product code exists
Registry key exists
6. Provide any further information that is required to configure the detection rule, such as a file path and name, Windows Installer product code, or a registry key, and then choose Next.
7. On the Prerequisites page of the wizard, you specify any software that must already be installed before this update can be installed. You can specify None, select a software package that has already been added to, and is managed by, Intune, or you can specify one of the following rules to describe the software:
File exists
MSI product code exists
Registry key exists
8. Provide any further information that is required to configure the detection rule, like a file path and name, Windows Installer product code, or a registry key, and then choose Next.
9. On the Command line arguments page of the wizard, you can add any required installation properties to the installation command line to modify the behavior of the setup file. For example, some software supports the /q property to enable silent installation. Refer to the documentation for your software package to learn about any supported command line arguments. Specify any command line arguments you need, and then choose Next.
NOTE
If the update does not support silent installation, you cannot install the update using Intune.
10. On the Return codes page of the wizard, you can specify how return codes from the update installation are interpreted. By default, Intune uses industry-standard return codes to report a failed or successful installation of an update package. The supplied return codes are:
0 Success
11. Any return code that is not listed is considered a failure. Some updates use nonstandard interpretations for return codes. In this case, you can specify your own return code interpretations.
12. Specify or edit the required return codes, and then choose Next.
13. On the Summary page of the wizard, review the actions that will be taken, and then choose Upload to complete the wizard.
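As an added example (not code from the Intune documentation or the Intune client), the following PowerShell evaluates the three rule types offered on the Detection rules and Prerequisites pages on a local PC, and interprets a setup file's exit code the way the wizard's default return-code table does. The file path, product code and setup file name are constructed placeholders, and the /q switch is only an assumption about the vendor's installer.

```powershell
# Added example, not part of the Intune documentation or client. Evaluates the three
# rule types offered on the Detection rules and Prerequisites pages (File exists,
# MSI product code exists, Registry key exists) on the local PC, and interprets an
# installer's exit code the way the wizard's default return-code table does:
# 0 = Success, any code that is not listed = failure.
# All paths, product codes and file names below are constructed placeholders.

function Test-FileExistsRule {
    param([Parameter(Mandatory)][string]$Path)
    # "File exists" rule: a fixed path and file name.
    return [bool](Test-Path -LiteralPath $Path -PathType Leaf)
}

function Test-MsiProductCodeRule {
    param([Parameter(Mandatory)][string]$ProductCode)
    # "MSI product code exists" rule. Windows Installer registers each product under
    # the Uninstall key; both the native and WOW6432Node views are checked so that a
    # 32-bit package on 64-bit Windows is not reported as missing.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) { return $true }
    }
    return $false
}

function Test-RegistryKeyRule {
    param([Parameter(Mandatory)][string]$KeyPath)
    # "Registry key exists" rule, e.g. HKLM:\SOFTWARE\Contoso\Update (placeholder).
    return [bool](Test-Path -LiteralPath $KeyPath)
}

function Get-UpdateReturnCodeResult {
    param(
        [Parameter(Mandatory)][int]$ExitCode,
        # Wizard default: only 0 is listed. Add a vendor's nonstandard codes here
        # only when its documentation defines them.
        [hashtable]$ReturnCodes = @{ 0 = 'Success' }
    )
    if ($ReturnCodes.ContainsKey($ExitCode)) { return $ReturnCodes[$ExitCode] }
    return 'Failure'   # any return code that is not listed is a failure
}

function Invoke-SilentUpdate {
    param(
        [Parameter(Mandatory)][string]$SetupPath,
        [Parameter(Mandatory)][scriptblock]$DetectionRule,
        [string]$Arguments = '/q',   # assumed silent switch; confirm it in the vendor's documentation
        [hashtable]$ReturnCodes = @{ 0 = 'Success' }
    )
    # Mirrors the flow the wizard describes: skip when the detection rule already
    # matches, otherwise run the setup silently and classify its exit code.
    if (& $DetectionRule) {
        return [pscustomobject]@{ Action = 'Skipped'; Result = 'Already installed'; ExitCode = $null }
    }
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $Arguments -Wait -PassThru
    $result = Get-UpdateReturnCodeResult -ExitCode $proc.ExitCode -ReturnCodes $ReturnCodes
    return [pscustomobject]@{ Action = 'Installed'; Result = $result; ExitCode = $proc.ExitCode }
}

# --- Constructed sample usage ---
$productCode = '{00000000-0000-0000-0000-000000000000}'   # placeholder MSI product code
$setupPath   = 'C:\Updates\ContosoUpdate.exe'             # placeholder setup file
$detect      = { Test-MsiProductCodeRule -ProductCode $productCode }

"Detection rule matches: $(& $detect)"
"Exit code 0 -> $(Get-UpdateReturnCodeResult -ExitCode 0)"
"Exit code 1603 -> $(Get-UpdateReturnCodeResult -ExitCode 1603)"
if (Test-Path -LiteralPath $setupPath) {
    Invoke-SilentUpdate -SetupPath $setupPath -DetectionRule $detect
}
```

Running the detection checks on a reference PC before uploading the update shows whether the rule you intend to configure actually distinguishes a patched machine from an unpatched one.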
The uploaded update is stored in your Intune cloud storage. If you have insufficient free space to upload the
update package, you are notified of this during the upload process. Intune cannot determine sufficient free space
until after the update upload has started, because compressed setup and installation files require more space
when they are uncompressed.
After it is uploaded into Intune, a third-party update is displayed in the Updates workspace in the All Updates
pane. You can then approve and deploy the update. For more information, see the following "Approve and decline
updates" section.
TASK: DETAILS
View Properties: Displays detailed information about the update, including the number of computers to which it is applicable.
Decline: Removes any previous approvals for the update and hides the update from the default views. Additionally, any report data for the update will be removed.
Upload: Starts the Upload Update wizard, which allows you to upload non-Microsoft updates that you want to deploy.
To approve updates
1. In the Microsoft Intune administration console, choose Updates > Overview > New updates to approve.
In the Updates workspace, choose Overview > New updates to approve.
NOTE
The New updates to approve link appears in the Updates Status area only when there is at least one managed computer that needs an update to be approved.
2. Select an update, review the update properties at the bottom of the page to ensure that you want to approve the update, and then choose Approve. You can select multiple updates by holding down the CTRL key as you select each item.
3. On the Select Groups page, select a group that you want to deploy the updates to, and then choose Add. When you have finished specifying groups, choose Next.
4. On the Deployment Action page, do the following for each group in the list:
On the Approval list, select one of the following:
Required Install - Installs the update on computers in the specified group.
Do Not Install - Reports applicability only and does not install the update.
Available Install - The user can install the application on demand from the Company Portal.
Uninstall - Removes updates from computers in the targeted group.
IMPORTANT
The update is removed even if it was not installed by Intune.
IMPORTANT
Unless the action Do Not Install, Required Install, or Uninstall was explicitly configured for a child group, an
action configured for a parent group is inherited by all its children.
6. You can check the details pane at the bottom of the All Updates page for reminder messages about the
update.
See also
Policies to protect Windows PCs
Help protect Windows PCs using Windows Firewall policies in Microsoft Intune
4/22/2020 • 7 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
NOTE
The information in this topic applies only to Windows desktops that you are managing as PCs by using the Intune software
client. If you want to manage firewall settings for Windows PCs enrolled as mobile devices, see Add endpoint protection
settings in Intune.
Microsoft Intune can help you to secure Windows PCs that you manage with the Intune client in a number of ways.
One way in which it does this is to provide policies that enable you to configure Windows Firewall settings on PCs.
If you have not yet installed the Intune Windows PC client on your computers, see Install the Windows PC client
with Microsoft Intune.
Use the information in the following sections to help you configure, deploy, and monitor Windows Firewall
policies on Windows PCs.
NOTE
If Microsoft Intune policy and Group Policy are configured to manage the same setting on the PC, the Group Policy setting
overrides the Microsoft Intune policy. For information about how to avoid conflicts between Intune policy and Group Policy,
see Resolve GPO and Microsoft Intune policy conflicts.
If you want to deploy Windows Firewall settings to computers that run Windows Vista, you must first install Hotfix
KB971800 on these computers.
IMPORTANT
To manage Windows Firewall by using Intune, ensure that the following two services are enabled on the computers that you
manage:
Windows Firewall
IPsec Policy Agent
Configure a Windows Firewall policy
1. In the Microsoft Intune administration console, choose Policy > Add Policy.
2. Configure and deploy a Windows Firewall Settings policy. You can use the recommended settings or
customize the settings. If you need more information about how to create and deploy policies, see Common
Windows PC management tasks with the Microsoft Intune computer client.
The following section lists the values that you can configure in the policy and also the default values that
will be used if you don't customize the policy.
After you deploy a Windows Firewall policy, you can view its status on the All Policies page of the Policy
workspace.
IMPORTANT
If your environment includes managed computers that are running Windows Vista with no service packs installed, you must
either install the update that's associated with article 971800 in the Microsoft Knowledge Base or disable the Block all
incoming connections policy settings in policies that are deployed to those computers.
SETTING NAME: DETAILS
BranchCache - Content Retrieval (Windows 7 or later): Lets BranchCache clients use HTTP to retrieve content from other BranchCache clients while in distributed mode and from the hosted cache while in hosted cache mode. This setting uses HTTP.
BranchCache - Hosted Cache Client (Windows 7 or later): Lets BranchCache clients use a hosted cache. This setting uses HTTPS.
BranchCache - Hosted Cache Server: Lets BranchCache clients use a hosted cache to communicate with other clients. This setting uses HTTPS.
BranchCache - Peer Discovery (Windows 7 or later): Lets BranchCache clients use the Web Services Dynamic Discovery (WS-Discovery) protocol to look up content availability on the local subnet.
BITS Peercaching: Lets clients use Background Intelligent Transfer Service (BITS) to find and share files that are stored in the BITS cache on clients in the same subnet. This setting uses Web Services on Devices (WSDAPI) and Remote Procedure Call (RPC).
Connect to a Network Projector: Lets users connect to projectors over wired or wireless networks to project presentations. This setting uses WSDAPI.
Core Networking: Lets clients use IPv4 and IPv6 to connect to network resources.
File and Printer Sharing: Enables users to share local files and printers with other users on the network. This setting uses NetBIOS, Link Local Multicast Name Resolution (LLMNR), Server Message Block (SMB) protocol, and RPC.
iSCSI Service: Enables managed computers to connect to iSCSI servers and devices.
Key Management Service: Lets computers be counted for license compliance in enterprise environments.
Netlogon Service: Configures a security channel between domain clients and a domain controller for authenticating users and services. This setting uses RPC.
Performance Logs and Alerts: Enables the Performance Logs and Alerts service to be remotely managed. This setting uses RPC.
Remote Desktop: Lets the computer use Remote Desktop to access other computers.
Remote Event Log Management: Lets client event logs be viewed and managed remotely. This setting uses Named Pipes and RPC.
Remote Scheduled Tasks Management: Enables remote management of the task scheduling service. This setting uses RPC.
Remote Service Management: Enables remote management of local services on clients. This setting uses Named Pipes and RPC.
Remote Volume Management: Enables remote software and hardware disk volume management. This setting uses RPC.
Routing and Remote Access: Enables incoming VPN and remote access connections to computers.
Secure Socket Tunneling Protocol: Enables incoming VPN connections to managed computers with Secure Socket Tunneling Protocol (SSTP). This setting uses HTTPS.
Windows Collaboration Computer Name Registration Service: Lets computers find and communicate with other computers by using SSDP and PNRP.
Windows Media Player: Lets users receive streaming media over User Datagram Protocol (UDP).
Windows Media Player Network Sharing Service: Lets users share media over a network. This setting uses the SSDP, qWave, and UPnP network protocols.
Windows Media Player Network Sharing Service (Internet) (Windows 7 or later): Lets users share home media over the Internet.
Windows Meeting Space: Lets users collaborate over a network to share documents, programs, and their desktops. This setting uses Distributed File System Replication (DFSR) and P2P.
Windows Peer to Peer Collaboration Foundation: Configures various peer-to-peer programs and technologies to enable them to connect. This setting uses SSDP and PNRP.
Windows Remote Management (Compatibility): Enables remote management of managed computers with WS-Management, a Web services-based protocol for remote management of operating systems and devices.
Windows Virtual PC (Windows 7 or later): Lets virtual machines communicate with other computers.
Wireless Portable Devices: Enables the transfer of media from a network-enabled camera or media device to managed computers with Media Transfer Protocol (MTP). This setting uses SSDP and UPnP network protocols.
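As an added example (not code from the Intune documentation or the Intune client), the following PowerShell checks the two services the topic requires for firewall management and then reports, for a constructed subset of the settings above, how many inbound rules in the matching local firewall rule group are enabled. It assumes the NetSecurity module (Windows 8 / Windows Server 2012 or later) and an elevated prompt; MpsSvc and PolicyAgent are the Windows service names behind the display names the topic uses.

```powershell
# Added example, not part of the Intune documentation or client. Verifies the two
# services the topic lists as required for managing Windows Firewall, then reports
# the enabled state of the inbound rules in each firewall rule group that a Windows
# Firewall Settings policy configures. Needs the NetSecurity module (Windows 8 /
# Server 2012 or later) and an elevated prompt.

# Windows service names behind the display names the topic uses.
$RequiredServices = @{
    'MpsSvc'      = 'Windows Firewall'
    'PolicyAgent' = 'IPsec Policy Agent'
}

function Test-FirewallPrerequisites {
    # Returns $true only when both services exist and are not disabled.
    $ok = $true
    foreach ($name in $RequiredServices.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            Write-Warning "$($RequiredServices[$name]) ($name) is not installed"
            $ok = $false
            continue
        }
        if ($svc.StartMode -eq 'Disabled') {
            Write-Warning "$($RequiredServices[$name]) ($name) is disabled; Intune cannot manage the firewall"
            $ok = $false
        }
        elseif ($svc.State -ne 'Running') {
            Write-Warning "$($RequiredServices[$name]) ($name) is $($svc.State)"
        }
    }
    return $ok
}

function Get-FirewallGroupState {
    param([Parameter(Mandatory)][string[]]$GroupNames)
    # One object per policy setting: whether the rule group exists locally and how
    # many of its inbound rules are enabled. The groups that expose RPC, Named Pipes
    # or WS-Management listeners widen the PC's attack surface, so review those
    # counts against what the policy is meant to allow.
    foreach ($group in $GroupNames) {
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue)
        $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        [pscustomobject]@{
            Setting      = $group
            FoundLocally = ($rules.Count -gt 0)
            EnabledRules = $enabled
            TotalRules   = $rules.Count
        }
    }
}

# Constructed subset of the settings listed in the policy. Names must match the
# display groups on the local PC; the BranchCache groups, for example, carry a
# longer local display name than the policy setting uses.
$PolicySettings = @(
    'Core Networking',
    'File and Printer Sharing',
    'Remote Desktop',
    'Remote Event Log Management',
    'Remote Scheduled Tasks Management',
    'Remote Service Management',
    'Remote Volume Management',
    'Windows Remote Management (Compatibility)',
    'Routing and Remote Access',
    'Secure Socket Tunneling Protocol'
)

if (Test-FirewallPrerequisites) {
    Get-FirewallGroupState -GroupNames $PolicySettings | Format-Table -AutoSize
}
```

Running this on a PC after the policy reports as deployed is a quick way to confirm that the intended groups, and only those, ended up enabled, since a Group Policy setting for the same group would silently win over the Intune policy.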
See also
Policies to protect Windows PCs
Help secure Windows PCs with Endpoint Protection for Microsoft Intune
4/22/2020 • 14 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them
as MDM devices to keep them managed by Intune.
Learn more
Microsoft Intune can help you to secure your managed computers with Endpoint Protection, which provides real-time protection against malware threats, keeps malware definitions up to date, and automatically scans computers. Endpoint Protection also provides tools that help you to manage and monitor malware attacks.
If you have not yet installed the Intune client on your computers, see Install the Windows PC client with Microsoft
Intune.
Use the information in the following sections to help you configure, deploy, and monitor Endpoint Protection.
ENDPOINT PROTECTION POLICY
You want to: Use Microsoft Intune Endpoint Protection only if no third-party endpoint protection application is installed. You can use Microsoft Intune Endpoint Protection on all computers where a third-party endpoint protection application is not installed.
Settings: Install Endpoint Protection = Yes; Enable Endpoint Protection = Yes; Install Endpoint Protection even if a third-party endpoint protection application is installed = No
More information: If a third-party endpoint protection application is detected, Microsoft Intune Endpoint Protection is not installed, and is uninstalled if it was installed previously.
You want to: Use Microsoft Intune Endpoint Protection, even if a third-party endpoint protection application is installed. With this approach, you will be running Microsoft Intune Endpoint Protection and the third-party endpoint protection application simultaneously. Because of potential performance issues, we don't recommend this configuration.
Settings: Install Endpoint Protection = Yes; Enable Endpoint Protection = Yes; Install Endpoint Protection even if a third-party endpoint protection application is installed = Yes
More information: Use when you want to switch to using Microsoft Intune Endpoint Protection, when you deploy a new client that will use Microsoft Intune Endpoint Protection, or when you upgrade any client that will use Microsoft Intune Endpoint Protection.
You want to: Use Intune without Microsoft Intune Endpoint Protection. Instead, you will rely on a third-party endpoint protection application.
Settings: Install Endpoint Protection = No
More information: If you are not using a third-party endpoint protection application, this configuration is not recommended, because it could expose your organization's computers to malware or other attacks.
To switch from your current endpoint protection application to Microsoft Intune Endpoint Protection, do the
following:
1. Leave your current endpoint protection application running while you deploy the Intune client software to
those computers.
2. Confirm that Microsoft Intune Endpoint Protection is installed and is helping to secure client computers.
3. Remove the third-party endpoint protection software by:
Using Intune software distribution to deploy a software removal tool that's provided by the
manufacturer of the third-party endpoint protection application. For more information, see Deploy
apps with Microsoft Intune.
Removing the third-party endpoint protection application manually.
NOTE
Intune will not automatically uninstall third-party endpoint protection applications.
POLICY SETTING: DETAILS
Install Endpoint Protection even if a third-party endpoint protection application is installed: Set to Yes to install Microsoft Intune Endpoint Protection even if a third-party endpoint protection application is detected.
Enable Endpoint Protection: Set to Yes to enable Microsoft Intune Endpoint Protection on computers that have the Endpoint Protection client.
Disable Client UI: Set to Yes to hide the Microsoft Intune Endpoint Protection client user interface from users (requires a client computer restart to take effect).
Recommended value: No
Install Endpoint Protection even if a third-party endpoint protection application is installed: Set to Yes to force the installation of Microsoft Intune Endpoint Protection, even if a third-party endpoint protection application is detected.
Recommended value: No
Create a system restore point before malware remediation: Set to Yes to create a Windows System Restore Point before any malware remediation begins.
Track resolved malware (days): Enables Endpoint Protection to track resolved malware for a specified time so that you can manually check previously infected computers.
If you have set the policy values for the settings Install Endpoint Protection and Enable Endpoint Protection to Yes, and the policy value for Install Endpoint Protection even if a third-party endpoint protection application is installed to No, Microsoft Intune Endpoint Protection detects that another endpoint protection application is installed. This means that Endpoint Protection won't be installed, or will be uninstalled if it is already present. However, Microsoft Intune Endpoint Protection does report about the health of the other endpoint protection application in Intune.
Microsoft Security Essentials alerts you with real-time protection when potential threats such as viruses and
spyware are trying to install themselves or run on your PC. The moment this happens, you'll see a message in the
notification area to the right side of the taskbar.
Specify real-time protection settings
P O L IC Y SET T IN G DETA IL S
Enable real-time protection Enables monitoring and scanning of all files and applications
that are accessed. It also blocks any malicious files and
applications before they can run on computers.
Scan all downloads Enables the scanning of all files and attachments that are
downloaded from the Internet to computers.
Monitor file and program activity on computers Enables the monitoring of incoming and outgoing files, and
program activity on computers. With this setting, Endpoint
Protection can monitor when files and programs start to run
and alert you about any actions they perform or actions that
are taken on them.
Files monitored Enables you to choose if only incoming, only outgoing, or all
files are monitored.
Enable behavior monitoring Enables Microsoft Intune Endpoint Protection to check for
certain patterns of suspicious activity on client computers.
Enable Network Inspection System Enables Network Inspection System (NIS) on client computers.
NIS uses signatures of known vulnerabilities from the
Microsoft Malware Protection Center to help detect and block
malicious network traffic.
Schedule a daily quick scan Schedules a daily quick scan of both frequently used files and
important system files on computers. This quick scan has a
minimal effect on performance.
Run a quick scan if you have missed two consecutive Configures Endpoint Protection to automatically run a quick
scans scan on computers if they have missed two consecutive quick
scans.
Schedule a full scan Configures a full scan of all files and resources on the local
computer hard disks. This scan can take time and can affect computer performance (the amount of time it takes depends on the number of files and resources that are scanned).
Recommended value: No
Run a full scan if you have missed two consecutive full scans - Configures Endpoint Protection to automatically run a full scan on computers if they have missed two consecutive scans.
Run a full scan after installation of Endpoint Protection - Set to Yes to let Endpoint Protection automatically run a full system scan after it is installed on computers. This scan runs only when computers are idle to minimize the effect on user productivity.
Automatically run a full scan when needed to follow up malware removal - Set to Yes to let Endpoint Protection automatically run a full system scan on computers after the removal of malware to help confirm that other files were not affected.
Start a scheduled scan only when the computer is idle - Set to Yes to prevent scheduled scans from starting when computers are in use, to prevent any loss of user productivity.
Check for the latest malware definitions before starting a scan - Set to Yes to let Endpoint Protection automatically check for the latest malware definitions before it starts a scan on computers.
Scan archive files - Set to Yes to configure Endpoint Protection to scan for malware in archive files (like .zip or .cab files) on computers. Recommended value: No
Scan email messages - Set to Yes to configure Endpoint Protection to scan incoming email messages when they arrive on computers.
Scan files opened from network shared folders - Set to Yes to configure Endpoint Protection to scan files that are opened from shared folders on the network. These are typically files that are accessed by using a Universal Naming Convention (UNC) path. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware. Recommended value: No
Scan mapped network drives - Set to Yes to configure Endpoint Protection to scan files on mapped network drives. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware. Recommended value: No
Scan removable drives - Set to Yes to configure Endpoint Protection to scan for malware and unwanted software on removable drives, like USB flash drives, when you run a full scan on computers.
Limit CPU usage during a scan - Set the maximum percentage of CPU usage that can be used during scheduled scans on computers. You can set this value from 1 to 100 percent.
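The PowerShell below is an added example, not code from this article or from the Intune client. It compares a host's scan preferences with the settings in the table above and flags the three settings for which the table gives a recommended value of No. It assumes that the Endpoint Protection engine exposes its settings through the Defender module's Get-MpPreference cmdlet (Windows 10); the mapping from each table row to a preference name is this example's own assumption, not a documented Intune mapping.

```powershell
# Added example (not Intune's own code). Compares a host's scan preferences
# with the settings table above. Assumption: the engine exposes its settings
# through Get-MpPreference (Defender module on Windows 10); the row-to-property
# mapping below is this example's assumption, not a documented Intune mapping.
function Get-EndpointScanAudit {
    [CmdletBinding()]
    param(
        # Object exposing Get-MpPreference property names. Defaults to the live
        # host; pass a constructed object to exercise the logic offline.
        $Preference = (Get-MpPreference)
    )

    # Inverted = $true: the property is a "Disable..." switch, so table "Yes"
    # corresponds to $false. Recommended is $null where the table states none.
    $rows = @(
        [pscustomobject]@{ Setting = 'Run a full scan if you have missed two consecutive full scans'; Property = 'DisableCatchupFullScan'; Inverted = $true; Recommended = $null }
        [pscustomobject]@{ Setting = 'Start a scheduled scan only when the computer is idle'; Property = 'ScanOnlyIfIdleEnabled'; Inverted = $false; Recommended = $null }
        [pscustomobject]@{ Setting = 'Check for the latest malware definitions before starting a scan'; Property = 'CheckForSignaturesBeforeRunningScan'; Inverted = $false; Recommended = $null }
        [pscustomobject]@{ Setting = 'Scan archive files'; Property = 'DisableArchiveScanning'; Inverted = $true; Recommended = $false }
        [pscustomobject]@{ Setting = 'Scan email messages'; Property = 'DisableEmailScanning'; Inverted = $true; Recommended = $null }
        [pscustomobject]@{ Setting = 'Scan files opened from network shared folders'; Property = 'DisableScanningNetworkFiles'; Inverted = $true; Recommended = $false }
        [pscustomobject]@{ Setting = 'Scan mapped network drives'; Property = 'DisableScanningMappedNetworkDrivesForFullScan'; Inverted = $true; Recommended = $false }
        [pscustomobject]@{ Setting = 'Scan removable drives'; Property = 'DisableRemovableDriveScanning'; Inverted = $true; Recommended = $null }
    )

    foreach ($row in $rows) {
        # Missing properties read as $null, which [bool] turns into $false.
        $raw = [bool]$Preference.($row.Property)
        $enabled = if ($row.Inverted) { -not $raw } else { $raw }
        if ($null -eq $row.Recommended) { $status = 'Info' } elseif ($enabled -eq $row.Recommended) { $status = 'OK' } else { $status = 'Review' }
        [pscustomobject]@{ Setting = $row.Setting; Enabled = $enabled; Recommended = $row.Recommended; Status = $status }
    }

    # "Limit CPU usage during a scan": the table accepts 1 to 100 percent.
    $cpu = [int]$Preference.ScanAvgCPULoadFactor
    $cpuStatus = if ($cpu -ge 1 -and $cpu -le 100) { 'OK' } else { 'Review' }
    [pscustomobject]@{ Setting = 'Limit CPU usage during a scan'; Enabled = $cpu; Recommended = '1-100'; Status = $cpuStatus }
}

# Constructed sample (not captured from a real host): archive scanning is still
# on, which the table recommends against, and the CPU cap is outside 1-100.
$sample = [pscustomobject]@{
    DisableCatchupFullScan                        = $false
    ScanOnlyIfIdleEnabled                         = $true
    CheckForSignaturesBeforeRunningScan           = $true
    DisableArchiveScanning                        = $false
    DisableEmailScanning                          = $true
    DisableScanningNetworkFiles                   = $true
    DisableScanningMappedNetworkDrivesForFullScan = $true
    DisableRemovableDriveScanning                 = $false
    ScanAvgCPULoadFactor                          = 0
}
Get-EndpointScanAudit -Preference $sample | Format-Table -AutoSize

# To audit the local machine instead, run: Get-EndpointScanAudit
```

Rows marked Review are the ones that differ from the table's recommended value; rows marked Info are reported for visibility only, because the table states no recommendation for them.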
4. Right-click the column header. A list of available columns appears. Select the Recent Detection Paths
check box in the list. The Recent Detection Paths column appears and displays up to 10 of the most
recently monitored malware instances on the device.
See also
Policies to protect Windows PCs
Add apps for Windows PCs that run the Intune
software client
4/22/2020 • 5 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
Use the information in this topic to learn how to add apps to Intune before you deploy them.
IMPORTANT
The information in this topic helps you add apps for Windows PCs that you manage by using the Intune software client. If
you want to add apps for enrolled Windows PCs and other mobile devices, see Add apps to Microsoft Intune.
To install apps to PCs, they must be capable of being installed silently, with no user interaction. If this is not the
case, the installation will fail.
TIP
You might need to enter your Intune user name and password before the publisher starts.
2. On the Software setup page of the publisher, under Select how this software is made available to devices, choose Software installer, and then specify:
Select the software installer file type. This indicates the type of software that you want to deploy. For a Windows PC, choose Windows Installer.
Specify the location of the software setup files. Enter the location of the installation files, or choose Browse to select the location from a list.
Include additional files and subfolders from the same folder. Some software that uses Windows Installer requires supporting files. These must be located in the same folder as the installation file. Select this option if you also want to deploy these supporting files.
For example, if you want to publish an app named Application.msi to Intune, the page would look like this:
NOTE
Depending on the installer file that you are using, some of these values might have been automatically entered, or
they might not appear.
Next steps
After you've created an app, the next step is to deploy it. To find out more, see Assign apps to groups with
Microsoft Intune.
If you want to read more information about tips and tricks to deploy software to Windows PCs, see the blog post
Support Tip: Best Practices for Intune Software Distribution to PC's.
Manage license agreements for Windows PC
software in Microsoft Intune
9/4/2020 • 8 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
Microsoft Intune lets you add and manage license agreement information for software that was purchased
through Microsoft Volume Licensing agreements. You can also do this for Microsoft or non-Microsoft software that
was purchased by other means. You can organize this information into logical groups.
IMPORTANT
This feature is provided for convenience only, and accuracy is not guaranteed. You should not rely on it to confirm
compliance with Microsoft Volume Licensing agreements. Microsoft will not use any data gathered to investigate potential
violations of, or compliance with, license agreements you may have with us.
Licenses you add to Intune do not affect your license agreements or entitlements to use your software. For example, if you
delete a license/agreement pair from Intune, you do not delete or nullify license agreements that exist between you and
Microsoft.
TIP
The Licenses workspace is not displayed in the administrator console until you are managing at least one Windows PC with
the Intune Windows PC client.
Manually add agreement details. Provide the following information, and then type the agreement number pairs in the Authorization/Agreement number and License/Enrollment/Customer number boxes. After you type both numbers, choose the Add pair icon to save your numbers, and then optionally add a new pair.
Agreement name - Specify a unique name for the agreement.
The agreement name can have a maximum of 256 characters, and cannot contain the
following characters: ~ ! @ # $ ^ & * ( ) = + [ ] { } \ | ; : ' " < > / . Spaces are allowed in
the name.
Authorization/Agreement number - Enter the authorization/agreement number of the
license pair.
License/Enrollment/Customer number - Enter the license/enrollment/customer number
of the license pair.
NOTE
If you add several agreement number pairs, Intune creates one agreement with the name that you specify,
and all pairs that you added are a part of this agreement.
You can choose + to add another agreement number pair, or - to remove an agreement number pair you
have already entered.
4. In the Select License Group area, do one of the following:
Add the agreements to the Unassigned Agreements group. Select this if you do not want to add the new agreements to a license group.
Add the agreements to a new license group. Provide a name for the new license group.
Add the agreements to an existing license group. In the Group name list, select the license group to which you want to add the agreements.
5. Choose OK.
The All Agreements view is displayed, and Intune connects to the Microsoft VLSC to validate the agreement
number pairs that you provided.
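The following PowerShell is an added example, not code from this article or from Intune. It checks an agreement name against the rules stated in the procedure above (at most 256 characters, none of the listed characters, spaces allowed) before you type it into the console, which is useful when preparing many agreements at once. It assumes that the period closing the article's character list is sentence punctuation rather than a forbidden character; the sample names are constructed.

```powershell
# Added example (not Intune's own code): validate an agreement name against the
# rules this article states (maximum 256 characters; the listed characters are
# not allowed; spaces are allowed). Assumption: the "." that ends the article's
# list is sentence punctuation, not a forbidden character.
function Test-AgreementName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Name
    )
    $reasons = @()
    if ($Name.Length -eq 0)   { $reasons += 'name is empty' }
    if ($Name.Length -gt 256) { $reasons += "length $($Name.Length) exceeds the 256-character maximum" }

    # Character class built from the article's list. Inside [...] only the
    # bracket and backslash characters need escaping; '' is a literal quote
    # inside a single-quoted PowerShell string.
    $forbidden = '[~!@#$^&*()=+\[\]{}\\|;:''"<>/]'
    $hits = @([regex]::Matches($Name, $forbidden) | ForEach-Object { $_.Value } | Sort-Object -Unique)
    if ($hits.Count -gt 0) { $reasons += "contains disallowed character(s): $($hits -join ' ')" }

    [pscustomobject]@{
        Name    = $Name
        Valid   = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample names (not real agreements).
$samples = @(
    'Contoso Enterprise Agreement 2020',
    'Contoso (EMEA) EA',
    'Fabrikam Select+ 2019',
    ('A' * 257)
)
$samples | ForEach-Object { Test-AgreementName -Name $_ } | Format-Table Name, Valid, Reasons -AutoSize
```

Of the constructed samples, only the first passes: the second and third contain parentheses and a plus sign, and the last exceeds the length limit.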
To update the volume license information after you have added license agreements in Intune, in the Licenses Overview page, choose Refresh Now. This action retrieves the current license information from the Microsoft Volume Licensing Service Center (VLSC).
IMPORTANT
Until you refresh the volume licensing information, you may see different information in the agreements list and the entitlement information on the Agreements Overview page.
After you refresh the volume license information, you can compare the license information to your detected Microsoft software in the Apps workspace. You can also run the following license reports:
License Purchase Reports - Lets you view the licensed software in license groups you select to help you find gaps in coverage.
License Installation Reports - Helps you determine if you have sufficient license agreement coverage.
NOTE
The Product Title displayed for all Microsoft Volume License agreements is Not available.
IMPORTANT
The company that you want to add might not appear in this list. You can only add software agreements for
companies that are already present in the software asset catalog. However, Microsoft continuously works to
add the most popular software titles. If you would like to submit a request to have a company added to this
list, you can do so at the Intune Uservoice site.
Product title (required). When you start to type a product title, the service retrieves all product titles that contain the letters that you type. You must specify a Publisher before you can specify a Product title.
License count (required). Enter the number of purchased licenses.
License start date. Enter the start date of license coverage.
License end date. Enter the end date of license coverage.
Agreement details. You can optionally specify contact information, registration keys, and other information.
5. In the Select License Group area, do one of the following:
Select Add the agreements to the Unassigned Agreements group if you do not want to add
the new agreements to a new or existing license group. You can add the agreements to user-defined
license groups at any time.
Select Add the agreements to a new license group to add the new agreements to a new license
group. You are prompted to provide a name for the new license group.
Select Add the agreements to an existing license group to add the new agreements to an
existing license group. In the Group name list, select the license group to which you want to add the
agreements.
6. Choose OK.
The All Agreements list view is displayed.
Task - Details
Create a license group - On the Overview page of the Licenses workspace, choose Create License Group from the Tasks menu. Note: You can create a maximum total of 500 license groups.
Rename a license group - In the Licenses workspace, choose a license group, and then choose Edit License Group from the Tasks menu.
Delete a license group - In the Licenses workspace, choose a license group, and then choose Delete License Group from the Tasks menu. Tip: Any licenses that were in the deleted group are moved to the Unassigned agreements license group.
Delete a license agreement - In the Licenses workspace, choose an agreement, and then choose Delete. Tip: After you delete Volume Licensing agreements, to update the license information, choose Refresh Now on the Licenses Overview page or on the General tab for a specific license group.
Resolve Group Policy Objects (GPO) and Microsoft
Intune policy conflicts
3/9/2020 • 2 minutes to read
IMPORTANT
Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as
MDM devices to keep them managed by Intune.
NOTE
The information in this topic applies only to Windows desktops that you are managing as PCs by using the Intune software
client.
Intune uses policies that help you manage settings on Windows PCs. For example, you can use a policy to control settings for the Windows Firewall on PCs. Many Intune settings are similar to settings that you might configure with Windows Group Policy. However, at times the two methods might conflict with one another.
When conflicts happen, domain-level Group Policy takes precedence over Intune policy, unless the PC can't sign in to the domain. In this case, Intune policy is applied to the client PC.
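As an added example (not part of this article and not Intune's own tooling), the PowerShell below encodes the precedence rule just stated and probes a PC for the Windows Firewall domain-profile setting, the article's own example of an area that both Intune and Group Policy can configure. It assumes the Group Policy firewall value is read from the standard policy registry key HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile, that Test-ComputerSecureChannel and Get-NetFirewallProfile are available (Windows 8 / Server 2012 and later, run elevated), and that whether the assigned Intune policy configures the firewall is supplied by the administrator, because the legacy client does not expose its policy assignments here.

```powershell
# Added example (not part of this article). Encodes the precedence rule above
# and probes a PC for the Windows Firewall domain-profile setting.
# Assumptions: the Group Policy firewall value lives under the standard policy
# key HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile; whether
# the assigned Intune policy configures the firewall is supplied by the admin.
function Get-ExpectedPolicySource {
    param(
        [bool]$DomainReachable,
        [bool]$GpoConfiguresSetting,
        [bool]$IntuneConfiguresSetting
    )
    if ($GpoConfiguresSetting -and $IntuneConfiguresSetting) {
        # A conflict: domain-level Group Policy wins unless the PC cannot sign in to the domain.
        if ($DomainReachable) { return 'GroupPolicy' } else { return 'Intune' }
    }
    # No conflict: whichever source configures the setting applies it.
    if ($GpoConfiguresSetting)    { return 'GroupPolicy' }
    if ($IntuneConfiguresSetting) { return 'Intune' }
    return 'None'
}

function Get-FirewallPolicyConflictReport {
    param(
        # Set from the Intune console: does the policy assigned to this PC configure the firewall?
        [bool]$IntuneConfiguresFirewall = $true,
        [string]$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    )
    # Test-ComputerSecureChannel needs elevation; any failure is treated as "cannot reach the domain".
    $domainReachable = $false
    try { $domainReachable = [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { $domainReachable = $false }

    # A value under the Policies key means Group Policy is configuring the setting.
    $gpoValue = (Get-ItemProperty -Path $GpoKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    $gpoConfigures = $null -ne $gpoValue

    # What the host is actually enforcing right now.
    $effective = (Get-NetFirewallProfile -Profile Domain).Enabled

    [pscustomobject]@{
        DomainReachable          = $domainReachable
        GpoConfiguresFirewall    = $gpoConfigures
        GpoEnableFirewallValue   = $gpoValue
        EffectiveFirewallEnabled = $effective
        ExpectedWinningSource    = Get-ExpectedPolicySource -DomainReachable $domainReachable -GpoConfiguresSetting $gpoConfigures -IntuneConfiguresSetting $IntuneConfiguresFirewall
    }
}

# Offline walk-through of the rule with constructed inputs (no host access needed).
Get-ExpectedPolicySource -DomainReachable $true  -GpoConfiguresSetting $true -IntuneConfiguresSetting $true
Get-ExpectedPolicySource -DomainReachable $false -GpoConfiguresSetting $true -IntuneConfiguresSetting $true

# On a managed PC, run elevated: Get-FirewallPolicyConflictReport
```

The two constructed calls exercise the conflict case with the domain reachable and unreachable; the report function is for comparing the expected winner with what the host is actually enforcing, which is where an unexpected firewall state would show up.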
See also
Manage Windows PCs with Microsoft Intune
Troubleshoot software updates in Microsoft Intune
3/9/2020 • 2 minutes to read
Help solve software update problems in Microsoft Intune. To see a list of the error codes and descriptions, go to
Software update agent error codes in Microsoft Intune.
This problem can occur if superseded updates (updates are replaced by another update) haven't been declined for
an extended period. During certain processes, such as installing an application, Windows checks all superseded
updates in sequence so that the updates and their successors are correctly mapped. If the list of superseded
updates gets too large, this checking task may cause high CPU utilization because of the processing load and time
required. This issue primarily affects Windows 7 devices because of the large number of superseded updates that
are available for Windows 7. Newer operating systems may not have as many available superseded updates, and
may not be susceptible to this issue.
Resolution
1. Sign in to Intune.
2. Select Software Updates.
3. Decline all superseded updates that may apply to Windows 7 or to applications, such as Microsoft Office, that
were installed on the affected clients.
4. Restart the affected clients.
If you're running Windows 7, be sure the following update is installed: 3050265 Windows Update Client for Windows 7: June 2015.
Next steps
Get support help from Microsoft, or use the community forums.
Endpoint protection issues and possible solutions in
Microsoft Intune
9/4/2020 • 2 minutes to read
This article lists and describes potential causes and solutions for some errors and warnings. Use the information to
help solve problems when using endpoint protection.
Next steps
Get support help from Microsoft, or use the community forums.
What is device enrollment?
9/4/2020 • 4 minutes to read
To get access to work or school resources from your device, you'll need to enroll your device with the Intune
Company Portal app or Microsoft Intune app.
During device enrollment:
Your device is registered with your organization. This step ensures that you're authorized to access your
organization's email, apps, and Wi-Fi.
Your organization's device management policies are applied to your device. Policies could include requirements
for things like device passwords and encryption. The purpose of these requirements is to keep your device and
your organization's data secure from unauthorized access.
Once you update your device settings to meet your organization's requirements, enrollment is complete. You can
securely sign in to your work or school account from virtually anywhere.
This article describes other aspects of enrollment, such as how to get the apps, supported devices, and removing
or resetting your device.
What kind of devices can you enroll with the Microsoft Intune app?
You can enroll corporate-owned Android devices that your organization has set up to use with the app. The app
supports Android 6.0 and later.
Next steps
If you're ready to access your work or school account, follow your organization's instructions to enroll your device.
You can also find step-by-step enrollment guidance in the following articles.
Enroll your Windows 10 device
Enroll your Android device
Enroll with Android work profile
Enroll with Microsoft Intune app
Enroll your iOS device
Enroll your organization-provided iOS device
Enroll your macOS device
Enroll your organization-provided macOS device