What's new in Microsoft Intune

2025-08-27

Learn what's new each week in Microsoft Intune.

You can also read:

Important notices
Past releases in the What's new archive
Information about how Intune service updates are released

Note

Each monthly update can take up to three days to roll out and is in the following order:

Day 1: Asia Pacific (APAC)
Day 2: Europe, Middle East, Africa (EMEA)
Day 3: North America
Day 4+: Intune for Government

Some features roll out over several weeks and might not be available to all customers in the first week.

For a list of upcoming Intune feature releases, see In development for Microsoft Intune.

For new information about Windows Autopilot solutions, see:

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Week of August 25, 2025

App management

Managed Home Screen (MHS) for Android Enterprise dedicated devices now supports two new features: Offline mode and App access without sign in.

Offline mode – Lets users access designated apps when the device is offline or unable to connect to the network. You can configure a grace period before requiring users to sign in once connectivity is restored.
App access without sign in – Lets users launch specific apps from the MHS sign-in screen via the MHS top bar, regardless of network status. This is useful for apps that need to be available immediately, such as help desk or emergency tools.

These features are designed for dedicated devices enrolled in Microsoft Entra shared device mode and can be configured via device configuration policy.

Applies to:

Android Enterprise dedicated devices

Week of August 18, 2025 (Service release 2508)

App management

Android app configuration policies support new variable values

Android Enterprise app configuration policies in Intune now support more variable values. The new values include account name, device name, employee ID, MEID, serial number, and the last four digits of the serial number.

For more information, see Supported variables for configuration values.

Applies to:

Android Enterprise

Device configuration

Managed Installer support for user and device groups

We've updated our Managed Installer policy to add the capability to target individual groups of users and devices, using one or more individual policies. Until now, a Managed Installer policy was a tenant-wide configuration that applied to all Windows devices. With this update, separate policies can now be assigned to different device groups providing you with more flexibility.

If you previously had a tenant-wide managed installer policy in effect, that policy remains available with a group assignment to all your devices. This reconfiguration is equivalent to the previous tenant-wide configuration it had before. You can choose to use that converted policy or implement new policies with more granular control.

For more information about configuring and using managed installers, see Get started with managed installers.

Applies to:

Windows

New Windows settings in the settings catalog

The Intune settings catalog lists all the settings you can configure, and all in one place. There are new settings in the Windows settings catalog (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type).

Microsoft Edge Administrative Templates policy updates:

v138 - Intune supports the following new ADMX-backed policies:

Setting	CSP
Microsoft Edge > Allow pages to use the built-in AI APIs	BuiltInAIAPIsEnabled
Microsoft Edge > Control access to AI-enhanced search in History	EdgeHistoryAISearchEnabled
Microsoft Edge - Default Settings (users can override)\ Identity and sign-in > Use Primary Work Profile as default to open external links	EdgeOpenExternalLinksWithPrimaryWorkProfileEnabled
Microsoft Edge > Allow SpeculationRules prefetch for ServiceWorker-controlled URLs	PrefetchWithServiceWorkerEnabled
Microsoft Edge > Control whether TLS 1.3 Early Data is enabled in Microsoft Edge	TLS13EarlyDataEnabled
Microsoft Edge > Allow pages to use the built-in AI APIs	BuiltInAIAPIsEnabled
Microsoft Edge > Allow SpeculationRules prefetch for ServiceWorker-controlled URLs	PrefetchWithServiceWorkerEnabled

The following legacy settings are deprecated, and should not be used:

Setting	CSP
Microsoft Edge\ Private Network Request Settings	InsecurePrivateNetworkRequestsAllowed
Microsoft Edge Network Settings > Enable zstd content encoding support	ZstdContentEncodingEnabled
Microsoft Edge Network Settings > Specifies whether to block requests from public websites to devices on a user's local network (deprecated)	LocalNetworkAccessRestrictionsEnabled

v139 - Intune supports the following new ADMX-backed policies for Microsoft Edge:

Setting	CSP
Microsoft Edge > Identity and sign-in > Prioritize app-specified profile to open external links	EdgeOpenExternalLinksWithAppSpecifiedProfile
Microsoft Edge > Extensions > Specify extensions users must allow in order to navigate using InPrivate mode	MandatoryExtensionsForIncognitoNavigation
Microsoft Edge > Control whether Microsoft 365 Copilot Chat shows in the Microsoft Edge for Business toolbar	Microsoft365CopilotChatIconEnabled
Microsoft Edge > Configuration policy for Microsoft Edge for Business Reporting Connectors	OnSecurityEventEnterpriseConnector
Microsoft Edge > Allow software WebGL fallback using SwiftShader	EnableUnsafeSwiftShader

The following legacy settings are deprecated, and should not be used:

Setting	CSP
Microsoft Edge > Controls whether the new HTML parser behavior for the `<select>` element is enabled	SelectParserRelaxationEnabled
Microsoft Edge > Enable keyboard focusable scrollers	KeyboardFocusableScrollersEnabled

Some existing policies have string updates that reflect the latest browser behavior and terminology.

OneDrive:

Disable a toast and activity center message to encourage a user to sign in OneDrive using an existing credential that is made available to Microsoft applications - This setting allows IT admins to prevent detection of new accounts in OneDrive, helping enforce organizational sync and access controls.

Administrative Templates\Windows Components\Sync your settings:

Enable Windows Backup - This setting allows IT admins to manage syncing behavior for Windows Backup features. Specifically, this policy controls whether language preferences are included in backup sync, which helps organizations tailor backup configurations to their needs.

Applies to:

Windows

New day zero settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > Audio Accessory Settings:

Temporary Pairing Disabled
Temporary Pairing Unpairing Time
Unpairing Policy
Unpairing Hour

Declarative Device Management (DDM) > Safari Settings:

Accept Cookies
Allow Disabling Fraud Warning
Allow History Clearing
Allow JavaScript
Allow Private Browsing
Allow Popups
Allow Summary
Page Type
Homepage URL
Extension Identifier

Restrictions:

Allow Safari History Clearing
Allow Safari Private Browsing
Denied ICCIDs For iMessage And FaceTime
Denied ICCIDs For RCS

macOS

Authentication > Extensible Single Sign On Kerberos:

Allow Platform SSO Auth Fallback

Declarative Device Management (DDM) > Safari Settings:

Allow History Clearing
Allow Private Browsing
Allow Summary
Page Type
Homepage URL
Extension Identifier

Restrictions:

Allow Safari History Clearing
Allow Safari Private Browsing

New setting in the Android settings catalog

There's a new Hide organization name setting (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type). When set to True, the enterprise name isn't shown on the device, such as lock screen.

For a list of existing settings you can configure in the settings catalog, see Android Enterprise device settings list in the Intune settings catalog.

Applies to:

Android Enterprise corporate-owned devices with a work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)

Device enrollment

Intune supports Ubuntu 22.04 and later

Microsoft Intune and the Microsoft Intune app for Linux now support Ubuntu 22.04 LTS and Ubuntu 24.04 LTS, and has ended support for Ubuntu 20.04 LTS. Devices that are currently enrolled on Ubuntu 20.04 LTS remain enrolled even though the version is no longer supported. New devices are unable to enroll if they're running Ubuntu 20.04 LTS. To see what devices or users might be affected, check your Intune reporting. In the admin center, go to **Devices **> All devices and filter OS by Linux. You can add more columns to help identify who in your organization has devices running Ubuntu 20.04 LTS. Notify your users to upgrade their devices to a supported Ubuntu version.

For more information about Linux enrollment, see Linux device enrollment guide for Microsoft Intune.

Device management

Wipe remote action supports multiple administrative approval (MAA)

When you use the multiple administrative approval (MAA) feature, you require a second admin account to approve a change before the change is applied.

The Wipe remote action supports MAA. Use MAA with the Wipe action to help mitigate the risk of unauthorized or compromised remote actions by a single admin account.

For more information on multiple administrative approval, see Use multiple administrative approvals in Intune.

Configure Windows Backup for Organizations (public preview)

Intune administrators can configure a new feature in public preview called Windows Backup for Organizations. With this feature, you can back up your organization's Windows 10 or Windows 11 settings and restore them on a Microsoft Entra joined device. Backup settings are configurable in the Microsoft Intune admin center settings catalog, while a tenant-wide setting that lets you restore a device is available in the admin center under Enrollment. The backup setting is available now in public preview, while the restore setting will be available for public preview beginning August 26th.

For more information about this feature, see Windows Backup for Organizations in Microsoft Intune.

New resolution button improves compliance remediation experience

We improved the Just in Time (JIT) compliance remediation experience for device users in Microsoft Intune. Intune has collaborated with Microsoft Defender to:

Remove user clicks required to view and learn remediation steps.
Add a Resolve button to reduce time-to-remediation.

When a user opens a productivity app and sees they are marked noncompliant due to Microsoft Defender, the user can now select Resolve. This action redirects them to Microsoft Defender, where Microsoft Defender takes steps to remediate the user and then redirect the user back to their productivity app.

Even if you aren't using Microsoft Defender, if you have Conditional Access turned on your users can have an improved experience. With JIT compliance remediation, users go through an embedded flow that shows them their compliance status, noncompliance reasoning, and a list of actions right within a productivity app. This flow eliminates extra steps, the need to switch between apps, and reduces the number of authentications.

As an admin, if you have JIT registration and compliance remediation set up already, you have no action items. If you don't, set it up today to support this new functionality. For more information, see:

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Avenza Maps for Intune by Avenza Systems Inc.
Datasite for Intune by Datasite (Android)
Dialpad by Dialpad, Inc.
Dialpad Meetings by Dialpad, Inc.
Omega 365 by Omega 365 Core AS
Symphony Messaging Intune by Symphony Communication Services, LLC
Zoho Projects - Intune by Zoho Corporation (Android)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Declarative software update reports for Apple devices

You can now use several new software update reports for Apple devices that are powered by Apples built-in declarative reporting infrastructure. The declarative reporting infrastructure provides Intune with a near real-time view of the software update status of managed devices. The following Apple software update reports are now available:

A per-device software update report - Per-device software update reports are available in the Intune Admin center by going to Devices and then selecting an applicable device. In the Devices Overview pane for that device, below Monitor, you'll find the report listed as iOS software updates for iOS or iPadOS devices, and as macOS software updates for macOS devices.

With these per-device reports available, the previously available macOS per-device Software updates report is now deprecated. While the deprecated report remains available in the admin center and can still be used while viewing a device, the report will be removed from Intune with a future update.
Apple software update failures - With this operational report, you can view details across your entire managed Apple device fleet. Details include why the update failed to install and the timestamp of the last failure. To find this report, in the admin center go to Devices > Monitor, and then select the report's name to view the report details.
Apple software update report - This is an organizational report that displays details about pending and current software update information across your entire managed Apple device fleet. To find this report, in the admin center go to Reports > Device management > Apple updates, select the Reports tab, and then select the report tile.
Apple software update summary report - View the Apple software update summary report, in the admin center go to Reports > Device management > Apple updates, and then select the Summary tab. Here you'll see a roll-up of update status from macOS, iOS, and iPadOS devices. This includes the version of the latest update that is available for each platform, and the date that update became available.

The following Apple devices support these new reports:

iOS 17 and later
iPadOS 17 and later
macOS 14 and later

For more information about the changes behind these reports, see Support tip: Move to declarative device management for Apple software updates.

Role-based access control

Multi-administrator approval support for role-based access control

Multi-administrator approval (MAA) now supports role-based access control. When enabled, any changes to roles, including modifications to role permissions, admin groups, or member group assignments, require a second administrator to approve the change before it's applied. This dual authorization process helps protect your organization from unauthorized or accidental role-based access control changes.

For more information, see Role-based access control in Microsoft Intune.

Week of August 11, 2025

Device management

Platform SSO is generally available (GA) and also supports custom TGT

Platform SSO is a feature in Microsoft Entra that enables single sign-on (SSO) using a Microsoft Entra ID on macOS devices. Using the Intune settings catalog, you can configure Platform SSO and use Intune to deploy the Platform SSO configuration to your macOS devices.

Microsoft Entra announced that Platform SSO for macOS devices is generally available (GA). For more information on this Microsoft Entra feature, see Microsoft Enterprise SSO plug-in for Apple devices.
Microsoft Entra supports Kerberos Ticket Granting Tickets (TGTs) to access on-premises Active Directory and Microsoft Entra ID using Apple's Kerberos SSO extension.

On the Company Portal version 5.2508.0 and newer, you can use the Intune settings catalog Platform SSO policy to enable Kerberos SSO to on-premises and cloud resources using the TGTs.

To configure Platform SSO in Intune, see:

Applies to:

macOS

Device security

Update required for Microsoft Tunnel endpoints

As part of our ongoing improvements to the Microsoft Tunnel infrastructure, we introduced new endpoints with the March 19, 2025 release. You must upgrade your Microsoft Tunnel to the March 19, 2025 release version or later to ensure you're using the new endpoints. Once you upgrade to this version or later, you can't downgrade to an earlier version. Earlier releases that rely on legacy endpoints aren't supported and might cause service disruptions. To continue with uninterrupted service, we recommend upgrading to the latest supported build and avoiding rollback to unsupported versions.

Week of July 28, 2025

Device management

New Microsoft Graph permissions for API calls to device management endpoints

Calls to several Microsoft Graph APIs now require one of two newer DeviceManagement permissions that replace the use of previously supported permissions. The following are the two new permissions and the original permissions that the new permissions replace:

DeviceManagementScripts.Read.All - This new permission replaces use of DeviceManagementConfiguration.Read.All
DeviceManagementScripts.ReadWrite.All - This new permission replaces use of the DeviceManagementConfiguration.ReadWrite.All

Access to the following Microsoft Graph API calls now require using the new permissions:

~/deviceManagement/deviceShellScripts
~/deviceManagement/deviceHealthScripts
~/deviceManagement/deviceComplianceScripts
~/deviceManagement/deviceCustomAttributeShellScripts
~/deviceManagement/deviceManagementScripts

Currently both the DeviceManagementScripts and the older DeviceManagementConfiguration permissions remain functional. However, in early September 2025, tools and scripts that rely on the older permissions to access the listed APIs fail to function.

For more information, see How to use Microsoft Entra ID to access the Intune APIs in Microsoft Graph.

Week of July 21, 2025 (Service release 2507)

Microsoft Intune Suite

Endpoint Privilege Management support for wildcards in elevation rules

You can now use wildcards in the file name and file path of elevation rules you define for Endpoint Privilege Management (EPM). Wildcards allow for more flexible rule creation with broader matching capabilities, enabling file elevations for trusted files that have names that might change with subsequent revisions.

For file names, use of wildcards is supported only in the file name and not for the file extension. You can use a question mark ? to replace a single character at any point in the file name and an asterisk * to replace a string of characters at the end of the file name.

The following are a few examples of wildcard use for a Visual Studio setup file called VSCodeUserSetup-arm64-1.99.2.exe found in C:\Users\<username>\Downloads\:

File name:
- VSCodeUserSetup*.exe
- VSCodeUserSetup-arm64-*.exe
- VSCodeUserSetup-?????-1.??.?.exe
File path:
- C:\Users\*\Downloads\

For more information, see Use variables in elevation rules in Configure policies for Endpoint Privilege Management.

App management

Newly available OEMConfig apps in Intune

The following OEMConfig app is now available in Intune for Android Enterprise:

RugGear

For more information about OEMConfig, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Device configuration

New settings available in the Apple settings catalog

iOS/iPadOS

Cellular Private Network:

Cellular Data Preferred
CSG Network Identifier
Data Set Name
Enable NR Standalone
Geofences
Network Identifier
Version Number

macOS

Microsoft Edge:

The Microsoft Edge category is updated with new settings. Learn more about available macOS settings for Microsoft Edge at Microsoft Edge - Policies.

Device management

Platform support for Device Cleanup rules

Using cleanup rules, you can configure Intune to automatically clean up devices that appear to be inactive, stale, or unresponsive.

With this feature, you can:

Configure individual device cleanup rules per platform, like Windows, iOS/iPadOS, macOS, and Android.
Use the Audit logs to see the devices that the device cleanup rules conceal from the Intune reports.
Use role-based access control (RBAC) to customize the user roles that can create device cleanup rules.

For more information, see device cleanup rules.

Device security

macOS support for local administrator account configuration with (password solution) - GA

macOS automated device enrollment (ADE) profiles can configure newly enrolled macOS devices that run macOS 12 or later with both a local administrator and local user account, along with support for the Microsoft Local Admin Password Solution (LAPS).

With this support:

You can use macOS automated device enrollment (ADE) profiles to configure the local administrator and user accounts for a device. When configured, this capability applies to all new macOS device enrollments and device re-enrollments assigned to that enrollment profile.
Intune creates a randomized, unique, and secure password for the device's admin account. It's 15 alphanumeric characters.
Intune automatically rotates the password every six months by default.
Previously enrolled devices aren't affected unless they re-enroll with Intune through an applicable ADE profile.

For account creation, the profile supports the following variables:

Admin account username:
- {{serialNumber}} - for example, F4KN99ZUG5V2
- {{partialupn}} - for example, John.Dupont
- {{managedDeviceName}} - for example, F2AL10ZUG4W2_14_4/15/2025_12:45PM
- {{onPremisesSamAccountName}} - for example, JDoe
Admin account full name:
- {{username}} - for example, John@contoso.com
- {{serialNumber}} - for example, F4KN99ZUG5V2
- {{onPremisesSamAccountName}} - for example, JDoe

To support LAPS:

There are two new role-based access control permissions for Enrollment program that can grant an administrative account permission to view a managed devices password, and to rotate that password.
By default, these permissions aren't part of any built-in Intune RBAC role, and must be explicitly assigned to admins through custom roles.

To learn about all the details for this new capability, see Configure support for macOS ADE local account configuration with LAPS in Microsoft Intune.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Vault CRM by Veeva Systems Inc. (iOS)
Workvivo by Workvivo

For more information about protected apps, see Microsoft Intune protected apps.

Week of July 14, 2025

Device management

Experience Microsoft Copilot in Intune

You can now use Microsoft Copilot in Intune to explore your Intune data using natural language, take action on the results, manage policies and settings, understand your security posture, troubleshoot device issues, and view insights about enrolled Surface devices.

Explore your Intune data - Use natural language to explore your Intune data and take action based on the results. Admins can run queries against Intune resource data, including questions about devices, apps, policies, updates, and compliance. When a query runs, a Copilot summary helps you understand the results and offers suggestions. You can add devices or users from the query results to a group to target apps and policies. There are also example queries that you can filter to find an example that best matches your request or use to help you create your own request.

Data coverage, querying capabilities, and actionability will evolve over time as we make improvements to how you explore your data.

To learn more about this feature, see Explore Intune data with natural language and take action.
Conversational chat experience - Use the Copilot in Intune chat experience to interact with your data using natural language to manage tasks, get insights, and troubleshoot issues. Here's what you can do with the chat experience:
- Policy and setting management: Use Copilot in Intune to summarize an existing policy or learn more about individual policy settings and recommended values.
- Device details and troubleshooting: Use Copilot in Intune to get device details and troubleshoot a device to get device-specific information like the installed apps, group memberships and more.
- Device Query: Use Copilot in Intune to help you create Kusto Query Language (KQL) queries to run when using device query in Intune.
- Endpoint Privilege Management (EPM): Use Copilot in Intune to help identify potential elevation risks from within the EPM support approved workflow.
Microsoft Copilot in Surface Management Portal - Microsoft Copilot in Intune includes the Surface Management Portal, a workspace in the Intune admin center that brings together vital data and insights about enrolled Surface devices, all in one place.
- Gain insights into device compliance, support activity, applicable warranty or protection plan coverage, and carbon emission estimates.
- Monitor the status of each device, including applicable warranty or protection plan expirations and active support requests.
- Centralize Surface-specific device administration in a single environment.
- Automatically access comprehensive information from your Intune-enrolled Surface devices, which flows into the Surface Management Portal when users sign in for the first time.
To learn more about this feature, see Security Copilot in Microsoft Surface Management Portal.

Monitor and troubleshoot

Export device query results to CSV file

Now after running a multiple-device query, you can export up to 50,000 query results to a CSV file. For more information, see How to use device query for multiple devices.

Week of June 23, 2025 (Service release 2506)

App management

Microsoft Intune support for Apple AI features

Intune app protection policies have new standalone settings for Apple AI features (Genmojis, Writing tools, and screen capture). Apps running the following Intune App SDK and App Wrapping Tool versions support the standalone settings:

Xcode 15 version 19.7.12 or later
Xcode 16 version 20.4.0 or later

Previously, these Apple AI features were blocked when the app protection policy Send Org data to other apps setting is configured to a value other than All apps.

For more information about Intune's related app protection policies, see iOS app protection policy settings.

Add Enterprise App Catalog apps to ESP blocking apps list

Windows Autopilot now supports Enterprise App Catalog apps. Microsoft Intune Enterprise App Management enables IT admins to easily manage applications from the Enterprise App Catalog. Using Windows Autopilot, you can select apps from the Enterprise App Catalog as blocking apps in the Enrollment Status Page (ESP) and the Device Preparation Page (DPP) profiles. This feature allows you to ensure those apps are delivered before the user can access the desktop.

Applies to:

Windows

Managed Home Screen orientation changes with Android 16

Starting with Android 16, Android stops enforcing screen orientation on devices with 600dp and larger display settings. This change impacts the Managed Home Screen (MHS) on devices with larger form factors, like tablets.

On these Android 16 devices, orientation is determined by the device's orientation setting, not the MHS settings you configure.

To learn more about Android 16 changes, go to Behavior changes: Apps targeting Android 16 or higher (opens Android website).

Applies to:

Android Enterprise

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring settings catalog profiles in Intune, go to Create a policy using settings catalog.

There are new settings in the settings catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Managed Settings:

Idle Reboot Allowed

macOS

Authentication > Extensible Single Sign On (SSO):

Allow Device Identifiers In Attestation

Microsoft Edge:

The Microsoft Edge category has hundreds of new settings. Learn more about available macOS Edge settings at Microsoft Edge - Policies.

Apple deprecated the Identification payload in macOS 15.4.

New Block Bluetooth setting in the Android Enterprise settings catalog

There's a new Block Bluetooth setting (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type). When set to True, Bluetooth is disabled on the device.

There's also a Block Bluetooth Configuration setting that prevents end users from changing the Bluetooth setting on the device.

These settings are different and have different results. Some examples include:

Scenario: An end user turned on the Bluetooth setting on their device. The admin creates an Intune policy that sets the Block Bluetooth setting to True.

In this situation, Bluetooth is blocked on the device, even though the end user turned it on.
Scenario: An end user turned on the Bluetooth setting on their device. The admin creates an Intune policy that sets the Block Bluetooth Configuration setting to True.

In this situation, Bluetooth is turned on since the end user previously turned it on. The end user can't turn off Bluetooth. If the end user previously turned Bluetooth off, and then the Block Bluetooth Configuration policy applies, then Bluetooth is turned off and the end user can't turn it back on.

For a list of existing settings you can configure in the settings catalog, see Android Enterprise device settings list in the Intune settings catalog.

Applies to:

Android Enterprise corporate-owned devices with a work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)

Device management

New reporting system for improved performance and data consistency

Microsoft Intune is rolling out the new Policy Reporting Service (PRS) V3. The new system brings faster report generation, improved reliability, and better data consistency.

In the first phase, some high-traffic compliance and device configuration reports are transitioning to the new system.

Users notice quicker updates in the Intune admin center and fewer issues with stale data. No action is required from users, as your reports transition automatically.

With (PRS) V3, device reports only update when a device checks in. This behavior is an intentional change from previous versions.

If a policy is removed but the device hasn't checked in, the report continues to show the last known status. The policy is removed during the next check-in, at which point the report is updated. This behavior improves accuracy but can differ from what customers experienced with (PRS) V1.

To learn more about the Intune reports you can use, see Intune reports.

Device security

New attributes and S/MIME baseline requirements for SCEP certificate profiles

Intune supports two new attributes for subject name settings in SCEP and PKCS device configuration profiles. They include:

G={{GivenName}}
SN={{SurName}}

Beginning July 16, if you're using a third party public certificate authority (CA) integrated with the Intune SCEP API for issuing S\MIME (encryption or signing) certificates anchored up to a public root CA, then you must use these attributes in the subject name format. After that date, a public CA will not issue or sign S\MIME certificates that omit these attributes.

For more information, see S/MIME certificate requirements for third party public CA.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Datasite for Intune by Datasite (iOS)
Mijn InPlanning by Intus Workforce Solutions (iOS)
Nitro PDF Pro by Nitro Software, Inc. (iOS)
SMART TeamWorks by SMART Technologies ULC (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

New status column in Windows hardware attestation report

We added a new column, Attest Status, to the Windows hardware attestation report to improve visibility into attestation errors. This column shows error messages received during the attestation process, helping you identify issues from both the service and client sides. Error types shown in this column include:

WinINet errors
HTTP bad request errors
Other attestation-related failures

For more information about the report, see Windows hardware attestation report.

Week of June 9, 2025

App management

ARM64 support for Win32 apps

When adding a Win32 app to Intune, you can select an option to check and install the app on Windows devices running ARM64 operating systems. This capability is available from the Microsoft Intune admin center by selecting Apps > All apps > Create. The ARM64 option is available by selecting the Operating system architecture option under the Requirements step. To ensure that you don't have any impact to any Win32 applications that you previously targeted to 64-bit devices, your existing 64-bit Win32 applications also have ARM64 selected. After the availability of being able to specifically target ARM64 operating system architectures, selecting x64 won't target ARM64 devices.

For related information, see Win32 app management in Microsoft Intune.

Applies to:

Windows devices

Week of June 2, 2025

Device security

Vulnerability Remediation Agent for Intune (public preview)

The Vulnerability Remediation Agent is currently in a limited public preview and available to only a select group of customers. If you're interested in gaining access or would like to learn more, please reach out to your sales team for further details and next steps.

When run, this agent uses data from Microsoft Defender Vulnerability Management to identify and then provide remediation guidance for vulnerabilities on your managed devices. You run and access the agent and view its results from within the Intune admin center where you see suggestions prioritized by the agent for remediation. Each suggestion includes key information like associated CVEs, severity, exploitability, affected systems, organizational exposure, business impact, and remediation guidance.

This information empowers you with a current assessment of potential risk to your environment and guidance to help you decide which risk to address first.

For more information about this agent including prerequisites, see Vulnerability Remediation Agent for Security Copilot in Microsoft Intune.

Week of May 26, 2025 (Service release 2505)

Microsoft Intune Suite

Endpoint Privilege Management rules explicitly deny elevation

Endpoint Privilege Management (EPM) elevation rules now include a new file elevation type of Deny. An EPM elevation rule set to Deny blocks the specified file from running in an elevated context. We recommend using file elevation rules to allow users to elevate specific files. But, a deny rule can help you ensure that certain files like known and potentially malicious software can't be run in an elevated context.

Deny rules support the same configuration options as other elevation types except for child processes, which aren't used.

For more information about EPM, which is available as an Intune Suite add-on-capability, see Endpoint Privilege Management overview.

App management

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Windows App by Microsoft Corporation (Android)
Microsoft Clipchamp by Microsoft Corporation (iOS)
4CEE Connect by 4CEE Development
Mobile Helix Link for Intune by Mobile Helix

For more information about protected apps, see Microsoft Intune protected apps.

Device configuration

Manage DFCI profiles for Windows devices

You can use DFCI profiles to manage UEFI (BIOS) settings for NEC devices that run Windows 10 or Windows 11. Not all NEC devices running Windows are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.

You can manage DFCI profiles from within the Microsoft Intune admin center by going to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type. For more information about DFCI profiles, see:

Applies to:

Windows

Device enrollment

Custom naming template for AOSP devices

Use a custom template for naming AOSP user-affiliated and userless devices when they enroll with Intune. The template is available to configure in the enrollment profile. It can contain a combination of free text and predefined variables (like device serial number, device type), and for user-affiliated devices, the owner's username. For more information about how to configure the template, see:

Change to role-based access control for device enrollment limits

We updated role-based access control (RBAC) for device limits. If you're currently assigned the policy and profile manager role, or the device configurations permissions that are built-in to the role, you now have read-only access to device enrollment limit policies. To create and edit these policies, you must be an Intune Administrator.

Device management

Cross Platform Device Inventory

Android, iOS, and Mac devices are added to device inventory. Intune now collects a default set of inventory data including 74 Apple properties and 32 Android properties.

For more information, see View device details with Microsoft Intune.

Enhanced security during unattended Remote Help sessions on Android devices

During an unattended Remote Help sessions on Android devices, the screen of the device is blocked and users are notified if they interact with it. This feature enhances the security and user awareness during remote assistance.

This feature is for Zebra and Samsung devices that enrolled as Android Enterprise corporate owned dedicated devices.

For more information on Remote Help, see Remote Help.

Device security

Detect rooted corporate-owned Android Enterprise devices

Configure compliance policies to detect if a corporate-owned Android Enterprise device is rooted. If Microsoft Intune detects that a device is rooted, you can mark it as noncompliant. This feature is now available for devices enrolled as fully managed, dedicated, or corporate-owned with a work profile. For more information, see Device compliance settings for Android Enterprise in Intune.

Applies to:

Android

New endpoint security profile for configuring Endpoint detection and response and Antivirus exclusion settings on Linux devices

As part of the Intune scenario for Microsoft Defender for Endpoint security settings management, you can use a new Endpoint detection and response profile for Linux named Microsoft Defender Global Exclusions (AV+EDR) that you can now use to manage Linux device exclusions for both Microsoft Defender Endpoint detection and response (EDR) and Antivirus (AV).

This profile supports settings related to global exclusion settings as detailed in Configure and validate exclusions on Linux in the Microsoft Defender documentation. These exclusion configurations can apply to both the antivirus and EDR engines on the Linux client to stop associated real time protection EDR alerts for excluded items. Exclusions can be defined by the file path, folder, or process explicitly defined by the admin in the policy.

The new Intune profile:

Is available in addition to the existing endpoint security Antivirus policy for Microsoft Defender Antivirus.
Is supported for devices you manage through the Microsoft Defender for Endpoint security settings management scenario.
Isn't supported for Linux devices managed directly by Intune.

For details about the available Defender settings, see Configure security settings in Microsoft Defender for Endpoint on Linux - Microsoft Defender for Endpoint in the Defender for Endpoint documentation.

Applies to:

Linux

Tenant administration

Data collection from SimInfo entity on Windows devices

You can now collect data from the SimInfo entity on Windows devices with enhanced device inventory. For more information, see Intune Data Platform. Applies to:

Windows

Week of April 28, 2025

App management

Intune support for Apple specialty devices

App protection policies (APP) support Microsoft Edge (v136 or later), OneDrive (v16.8.4 or later), and Outlook (v4.2513.0 or later). To enable this setting for these specific apps on visionOS devices, you must set com.microsoft.intune.mam.visionOSAllowiPadCompatApps to Enabled in your app configuration policy. Once you assign your app configuration policy, you can create and assign your app protection policy for your VisionOS devices. For more information, see Protect data on VisionOS devices.

Tenant administration

New icon for Microsoft Intune

Microsoft Intune has a new icon. The Intune icon is being updated across platforms and apps associated with Intune, such as the Intune admin center and Intune Company Portal app. The new icon will gradually be implemented over the next few months.

Week of April 21, 2025 (Service release 2504)

Microsoft Intune Suite

Endpoint Privilege Management elevation rule support for file arguments and parameters

File elevation rules for Endpoint Privilege Management (EPM) now support command line file arguments. When an elevation rule is configured to define one or more file arguments, EPM allows that file to run in an elevated request only when one of the defined arguments is used. EPM blocks elevation of the file should a command line argument be used that isn't defined by the elevation rule. Use of file arguments in your file elevation rules can help you refine how and for what intent different files are successfully run in an elevated context by Endpoint Privilege Management.

EPM is available as an Intune Suite add-on-capability.

App management

Relationship viewer available for Intune apps

The relationship viewer provides a graphical depiction of the relationships between different applications in the system, including superseding and dependent applications. Admins can find relationship viewer in Intune by selecting Apps > All apps > a Win32 app > Relationship viewer. The relationship viewer supports both Win32 apps and Enterprise App Catalog apps. For more information, see App relationship viewer.

Apple VPP using new API v2.0

Apple recently updated the API for their volume purchase program (VPP), which is used to manage apps and books. Apple's related API is now version 2.0. Version 1.0 is deprecated. To support the Apple updates, Microsoft Intune uses the new API, which is faster and more scalable than the previous version.

Applies to:

iOS/iPadOS
macOS

More org data storage service options for Android and iOS apps

Intune now provides more storage services options when saving copies of org data using an app protection policy for Android or iOS. In addition to the existing org data storage options, you can also select iManage and Egnyte as storage options. You must select these services as exemptions from your block list by setting Save copies of org data to Block, then selecting the allowed storage services next to the Allow user to save copies to selected services setting. This setting doesn't apply to all applications.

For more information about data protection using app protection policies, see iOS app protection policy settings - Data protection and Android app protection policy settings - Data protection.

Applies to:

Android
iOS

Device configuration

Updated device configuration template for Windows Delivery Optimization

The device configuration template for Windows Delivery Optimization is updated. The new template uses the settings format in the Settings Catalog. Settings are taken directly from the Windows Configuration Service Providers (CSPs) for Windows Delivery Optimization, as documented by Windows at Policy CSP – DeliveryOptimization.

With this change, you can no longer create new versions of the old profile. However, your preexisting instances of the old profile remain available to use.

For more information about this change, see the Intune Customer Success blog at Support tip: Windows device configuration policies migrating to unified settings platform in Intune.

Applies to:

Windows 10
Windows 11

New settings available in the Apple settings catalog

There's a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, see Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

macOS

Login > Login Window:

Show Input Menu

Android settings in the Settings Catalog

The settings catalog supports Android Enterprise and Android Open Source Project (AOSP).

Currently, to configure Android settings, you use the built-in templates. The settings from these templates are also available in the settings catalog. More settings are continually being added.

In the Intune admin center, when you create a device configuration profile, you select the Profile Type (Devices > Manage devices > Configuration > Create > New policy > select your Platform > Profile Type). All the profile types are moved to Profile Type > Templates.

This change:

Is a UI change with no impact on your existing policies - Your existing policies won't change. You can continue to create, edit, and assign these policies the same way.
Provides the same UI experience as iOS/iPadOS, macOS, and Windows templates.

In the new settings catalog experience, the management mode associated with the setting is available in the tooltip. To get started with settings catalog, see Use the settings catalog to configure settings on your devices.

Applies to:

Android Enterprise
AOSP

Device enrollment

Custom device naming template for Android Enterprise corporate-owned devices

You can use a custom template for naming Android Enterprise corporate-owned devices when they enroll with Intune. The template is available to configure in the enrollment profile. It can contain a combination of custom text and predefined variables (like device serial number, device type), and for user-affiliated devices, the owner's username. For more information, see:

Applies to:

Android

Enrollment-time grouping for Android Enterprise corporate devices

Now available for Android Enterprise corporate-owned devices, enrollment time grouping enables you to assign a static Microsoft Entra group to devices at enrollment time. When a targeted Android device enrolls, it receives all assigned policies, apps, and settings, typically by the time the user lands on the home screen. You can configure one static Microsoft Entra group per enrollment profile under the Device group tab in the Microsoft Intune admin center. For more information, see Enrollment time grouping.

Device management

Intune ending support for custom profiles for personally owned work profile devices

Starting in April 2025, Intune no longer supports custom profiles for Android Enterprise personally owned work profile devices. With this end of support:

Admins can't create new custom profiles for personally owned work profile devices. However, admins can still view and edit previously created custom profiles.
Personally owned work profile devices that currently have a custom profile assigned won't experience any immediate change of functionality. Because these profiles are no longer supported, the functionality set by these profiles might change in the future.
Intune technical support no longer supports custom profiles for personally owned work profile devices.

All custom policies should be replaced with other policy types. Learn more about Intune ending support for personally owned work profile custom profiles

Device security

New settings added to the Windows security baseline version 24H2

Note

Rollout of the new settings for the security baseline is underway, but taking longer than usual. Due to this delay, the new settings might not be available until the week of May 5, 2025.

The most recent Intune security baseline for Windows, version 24H2, is updated to include 15 new settings for managing the Windows Configuration Service Provider (CSP) for Lanman Server and Lanman Workstation. These settings were previously unavailable in the baseline due to missing CSP support. The addition of these settings provides better control and configuration options.

This update is an update to an existing baseline version and not a new baseline version. So, the new settings aren't visible in the baselines properties until you edit and save the baseline:

Pre-existing baseline instances: Before the new settings are available in a preexisting baseline instance, you must select and then Edit that baseline instance. To have the baseline deploy the new settings, you must then Save that baseline instance. When the baseline is opened for editing, each of the new settings becomes visible with its default security baseline configuration. Before saving, you can reconfigure one or more of the new settings. Or, make no changes other than to save the current configuration that then uses the baseline defaults for each of the new settings.
New baseline instances: When you create a new instance of a Windows security baseline version 24H2, that instance includes the new settings along with all the previously available settings.

Following are the new settings that are added to the version 24H2 baseline, and the baseline default for each: Lanman Server

Audit Client Does Not Support Encryption – Baseline default: Enabled
Audit Client Does Not Support Signing – Baseline default: Enabled
Audit Insecure Guest Logon – Baseline default: Enabled
Auth Rate Limiter Delay In Ms – Baseline default: 2000
Enable Auth Rate Limiter – Baseline default: Enabled
Max SMB 2 Dialect – Baseline default: SMB 3.1.1
Min SMB 2 Dialect – Baseline default: SMB 3.0.0
Enable Mailslots - Baseline default: Disabled

Lanman Workstation

Audit Insecure Guest Logon – Baseline default: Enabled
Audit Server Does Not Support Encryption – Baseline default: Enabled
Audit Server Does Not Support Signing – Baseline default: Enabled
Max SMB 2 Dialect – Baseline default: SMB 3.1.1
Min SMB 2 Dialect – Baseline default: SMB 3.0.0
Require Encryption – Baseline default: Disabled
Enable Mailslots - Baseline default: Disabled

For more information, see Intune security baselines.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

FileOrbis for Intune by FileOrbis FZ LLC
PagerDuty for Intune by PagerDuty, Inc.
Outreach.io by Outreach Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Tenant administration

Updates to Intune admin center home page

Microsoft Intune admin center's home page includes more links to interactive demos, documentation, and training. To see these updates, navigate to the Microsoft Intune admin center.

Week of April 14, 2025

Device configuration

Hotpatch updates for Windows 11 Enterprise are now available

Hotpatch updates for Windows 11 Enterprise, version 24H2 for x64 (AMD/Intel) CPU devices are now available. With hotpatch updates, you can deploy and apply security updates faster to help protect your organization from cyberattacks, while minimizing user disruptions. From the Microsoft Intune admin center, navigate to Devices > Windows updates > Create Windows quality update policy and toggle it to Allow.

Enroll and prepare The Windows quality update policy can auto-detect if your targeted devices are eligible for hotpatch updates. Devices running Windows 10 and Windows 11, version 23H2 and lower continue to receive the standard monthly security updates, helping ensure that your ecosystem stays protected and productive.

Maintain robust security with hotpatch updates The general availability of hotpatch technology for Windows clients marks a significant step forward in enhancing security and productivity for Windows 11 Enterprise users. Hotpatch updates help ensure that devices are secured more quickly and that users stay productive with minimal disruptions. We encourage organizations to take advantage of this new feature to maintain a robust security posture while minimizing the impact on the user experience. Hotpatch updates are generally available on Intel and AMD-powered devices as of April 2, 2025, with the feature becoming available on Arm64 devices at a later date.

For more information, see:

Week of March 24, 2025

Device security

New Microsoft Tunnel readiness check for auditd package

The Microsoft Tunnel readiness tool now includes a check for the auditd package for Linux System Auditing (LSA). The presence of auditd is optional and not a required prerequisite by Microsoft Tunnel for the Linux server.

When the mst-readiness tool runs, it now raises a non-blocking warning if the audit package isn't installed. By default, Red Hat Enterprise Linux versions 7 and later install this package by default. Ubuntu versions of Linux currently require this optional package to be installed.

For more information on auditd and how to install it on your Microsoft Tunnel server, see Linux system auditing.

Week of March 17, 2025 (Service release 2503)

Microsoft Intune Suite

Endpoint Privilege Management support for ARM 64-bit devices

Endpoint Protection Manager (EPM) now supports managing file elevations on devices that run on ARM 64-bit architecture.

Applies to:

Windows

Device configuration

New settings available in the Apple settings catalog

iOS/iPadOS

Restrictions:

Allow Apple Intelligence Report
Allow Default Calling App Modification
Allow Default Messaging App Modification
Allow Mail Smart Replies
Allow Notes Transcription
Allow Safari Summary

macOS

Remote Desktop:

Remote Desktop

Restrictions:

Allow Apple Intelligence Report
Allow Mail Smart Replies
Allow Notes Transcription
Allow Safari Summary

Device management

New settings for Windows LAPS policy

Intune policies for Windows Local Administrator Password Solution (LAPS) now include several new settings and updates to two previously available settings. LAPS is a built-in Windows solution and can help you secure the built-in local administrator account that's present on each Windows device. All the settings that you can manage through Intune LAPS policy are described in the Windows LAPS CSP.

The following new settings are available: (Each setting name is a link that opens the CSP documentation for that setting.)

The following settings have new options available:

Password Complexity – The following are new options available for this setting:
- Passphrase (long words)
- Passphrase (short words)
- Passphrase (short words with unique prefixes)
Post Authentication Actions - The following option is now available for this setting:
- Reset the password, log off the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.

By default, each setting in LAPS policies is set to Not configured, which means the addition of these new settings won't change the behavior of your existing policies. To make use of the new settings and options, you can create new profiles or edit your existing profiles.

Applies to:

Windows

Configure devices to stay on the latest OS version using declarative device management (DDM)

As part of the Settings Catalog, you can now configure devices to automatically update to the latest OS version using DDM. To use these new settings in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOSfor platform > Settings catalog for profile type.

Declarative device management > Software Update Enforce Latest.

Enforce Latest Software Update Version: If true, devices upgrade to the latest OS version that is available for that device model. This feature uses the Software Update Enforcement configuration and forces devices to restart and install the update after the deadline passes.
Delay In Days: Specify the number of days that should pass before a deadline is enforced. This delay is based on either the posting date of the new update when released by Apple, or when the policy is configured.
Install Time: Specify the local device time for when updates are enforced. This setting uses the 24-hour clock format where midnight is 00:00 and 11:59pm is 23:59. Ensure that you include the leading 0 on single digit hours. For example, 01:00, 02:00, 03:00.

Learn more about configuring managed updates through DDM at Managed software updates.

Applies To:

iOS/iPadOS
macOS

Remote Help supports Azure Virtual Desktop muti-session

Remote Help now provides support for multi-session AVD with several users on a single virtual machine. Earlier, Remote Help was supporting Azure Virtual Desktop (AVD) sessions with one user on one virtual machine (VM).

For more information, see:

Copilot assistant for device query

You can now use Copilot to generate a KQL query to help you get data from across multiple devices in Intune. This capability is available in the Microsoft Intune admin center by selecting Devices > Device query > Query with Copilot. For more information, see Query with Copilot in device query.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

FacilyLife by Apleona GmbH (iOS)
Intapp 2.0 by Intapp, Inc. (Android)
DealCloud by Intapp, Inc. (Android)
Lemur Pro for Intune by Critigen LLC (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of March 03, 2025

Monitor and troubleshoot

Updates to the Feature updates report

We are introducing a new Update Substate in Service-side data. This substate is displayed in the reports for devices that are invalid in Microsoft Entra and is known as Not supported.

For more information, see Use Windows Update for Business reports for Windows Updates

What's new archive

For previous months, see the What's new archive.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Update to the latest Intune App SDK and Intune App Wrapping Tool  for iOS and register your app with Microsoft Entra

To support the upcoming release of iOS/iPadOS 26 and ensure continued app protection policy (APP, also known as MAM) enforcement, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. Important: If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios.

Note

Updating to SDK v21.0.0 or later requires your app to be registered with Microsoft Entra. Review the following GitHub announcements for more details on the specific impact:

If you have questions or concerns, file an issue in the GitHub repository or reply directly to the GitHub announcement.

As a best practice, always update your iOS/iPadOS apps to the latest App SDK or App Wrapping Tool to ensure that your app continues to run smoothly.

How does this change affect you or your users?

If you have applications using the Intune App SDK or Intune App Wrapping Tool, update to the latest version to support iOS/iPadOS 26. Updating to v21.0.0 or later requires that apps must be registered with Microsoft Entra. While it was previously possible for apps to enable Intune MAM without full Microsoft Entra configuration, this won't be supported starting with SDK 21.0.0. Apps that aren't properly registered may fail to function or receive app protection policies.

How can you prepare?

For apps running on iOS 26, update to the new version of the Intune App SDK for iOS: Releases - microsoftconnect/ms-intune-app-sdk-ios
- For apps built with XCode 16 use the latest v20.x release.
- For apps built with XCode 26 use v21.0.0 or later, which is expected to release in September 2025.
For apps running on iOS 26, update to the new version of the Intune App Wrapping Tool for iOS: Releases - microsoftconnect/intune-app-wrapping-tool-ios
- For apps built with XCode 16 use the latest v20.x release.
- For apps built with XCode 26 use v21.0.0 or later which is expected to release in September 2025.
Ensure your apps are registered in Microsoft Entra. For more details refer to: How to register an app in Microsoft Entra ID

Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 26. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to Apps > Monitor > App protection status, then review “Platform version” and “iOS SDK version”.  

Plan for Change: Intune is moving to support iOS/iPadOS 17 and later

Later in calendar year 2025, we expect iOS 26 and iPadOS 26 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), requires iOS 17/iPadOS 17 and higher shortly after the iOS/iPadOS 26 release.

How does this change affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 17/iPadOS 17).

Given that Microsoft 365 mobile apps are supported on iOS 17/iPadOS 17 and higher, this change may not affect you. You likely already upgraded your OS or devices.

To check which devices support iOS 17 or iPadOS 17 (if applicable), see the following Apple documentation:

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version changes to iOS 17/iPadOS 17 while the allowed OS version changes to iOS 14/iPadOS 14 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, refer to Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 14 and higher later this year

Later in calendar year 2025, we expect macOS Tahoe 26 to be released by Apple. Microsoft Intune, the Company Portal app, and the Intune mobile device management agent support macOS 14 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 26. This doesn't affect existing enrolled devices.

How does this change affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, refer to macOS Sonoma is compatible with these computers.

Note

Devices that are currently enrolled on macOS 13.x or below will continue to remain enrolled even when those versions are no longer supported. New devices are unable to enroll if they're running macOS 13.x or below.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 13.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Google Play strong integrity definition update for Android 13 or above

Google recently updated the definition of "Strong Integrity" for devices running Android 13 or above, requiring hardware-backed security signals and recent security updates. For more information refer to the Android Developers Blog: Making the Play Integrity API faster, more resilient, and more private. Microsoft Intune will enforce this change by September 30, 2025. Until then we've adjusted app protection policy and compliance policy behavior to align with Google’s recommended backward compatibility guidance to minimize disruption as detailed in Improved verdicts in Android 13 and later devices | Google Play | Android Developers.

How does this change affect you or your users?

If you have targeted users with app protection policies and/or compliance policies that are using devices running Android 13 or above without a security update in the past 12 months, these devices will no longer meet the "Strong Integrity" standard.

User Impact: For users running devices on Android 13 or above after this change:

Devices without the latest security updates may be downgraded from "Strong Integrity" to "Device Integrity" which could result in conditional launch blocks for affected devices.
Devices without the latest security updates may see their devices become noncompliant in the Intune Company Portal app and could lose access to company resources based on your organization's Conditional Access policies.

Note that devices running Android versions 12 or below aren't affected by this change.

How can you prepare?

Before September 30, 2025, review and update your policies as needed. Ensure users with devices running Android 13 or above are receiving timely security updates. You can use the app protection status report to monitor the date of the last Android Security Patch received by the device and notify users to update as needed. The following admin options are available to help warn or block users:

For app protection policies configure the Min OS version and Min patch version conditional launch settings. For more details, review Android app protection policy settings in Microsoft Intune | Microsoft Learn
For compliance policies configure the Minimum security patch level compliance setting. For more details, review: Device compliance settings for Android Enterprise in Intune

Plan for Change: New Intune connector for deploying Microsoft Entra hybrid joined devices using Windows Autopilot

As part of Microsoft’s Secure Future Initiative, we recently released an update to the Intune Connector for Active Directory to use a Managed Service Account instead of a local SYSTEM account for deploying Microsoft Entra hybrid joined devices with Windows Autopilot. The new connector aims to enhance security by reducing unnecessary privileges and permissions associated with the local SYSTEM account.

Important

At the end of June 2025, we'll remove the old connector which uses the local SYSTEM account. At that point, we will stop accepting enrollments from the old connector. For more details, refer to the blog: Microsoft Intune Connector for Active Directory security update

How does this change affect you or your users?

If you have Microsoft Entra hybrid joined devices using Windows Autopilot, you need to transition to the new connector to continue deploying and managing devices effectively. If you don't update to the new connector, you won't be able to enroll new devices using the old connector.

How can you prepare?

Update your environment to the new connector by following these steps:

Download and install the new connector in the Intune admin center.
Sign in to set up the Managed Service Account (MSA).
Update the ODJConnectorEnrollmentWizard.exe.config file to include the required Organizational Units (OUs) for domain join.

For more detailed instructions, review: Microsoft Intune Connector for Active Directory security update and Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot.

Update network endpoints for Windows, Mac and Android AOSP managed devices

Intune has updated the required CDN endpoints for Windows, Mac and Android Open Source Project (AOSP). If you have configured your firewall to allow *.manage.microsoft.com then no action is required, otherwise, we recommend you review and update your proxy settings by April 30, 2025.

How does this change affect you or your users?

If you're using Intune to deploy applications and scripts, you'll need to grant access to the updated endpoints for your location. If access to the new endpoints is not granted, users won't be able to install applications or scripts, and certain functionalities may fail. The CDN endpoints are used in the following scenarios:

Windows: The CDN is used for delivering updates to the Intune management extension which enables scenarios such as Win32 app deployment, PowerShell scripts, Endpoint analytics, and more.
Co-managed devices: The CDN providers the official Configuration Manager binaries, including the main technical preview and official releases, hotfixes, push notifications, and more.
Mac: The CDN is used for delivering updates to the Intune management agent which is used to deploy macOS PKG apps, DMG apps, shell scripts, and custom attributes.
Android AOSP: The CDN is used for delivering applications during device provisioning, such as the Intune Company Portal app, and feature updates.

How can you prepare?

Update your firewall rules to include the new CDN endpoints. For the best experience, we recommend using the *.manage.microsoft.com domain. If your proxy or firewall doesn't allow you to create a firewall rule using a domain, update the address as listed:

Windows CDN requirements: Network requirements for PowerShell scripts and Win32 apps
Configuration Manager co-managed devices CDN requirements: Updates and servicing
Mac CDN requirements: Network requirements for macOS app and script deployments
Android AOSP CDN requirements: Android AOSP dependencies

Plan for Change: New settings for Apple AI features; Genmojis, Writing tools, Screen capture

Today, the Apple AI features for Genmojis, Writing tools, and screen capture are blocked when the app protection policy (APP) "Send Org data to other apps" setting is configured to a value other than "All apps". For more details on the current configuration, app requirements, and the list of current Apple AI controls review the blog: Microsoft Intune support for Apple Intelligence

In an upcoming release, Intune app protection policies have new standalone settings for blocking screen capture, Genmojis, and Writing tools. These standalone settings are supported by apps that have updated to version 19.7.12 or later for Xcode 15 and 20.4.0 or later for Xcode 16 of the Intune App SDK and App Wrapping Tool.

How does this change affect you or your users?

If you configured the APP "Send Org data to other apps" setting to a value other than "All apps", then the new "Genmoji", "Writing Tools" and "Screen capture" settings are set to Block in your app protection policy to prevent changes to your current user experience.

Note

If you configured an app configuration policy (ACP) to allow for screen capture, it overrides the APP setting. We recommend updating the new APP setting to Allow and removing the ACP setting. For more information about the screen capture control, review iOS/iPadOS app protection policy settings | Microsoft Learn.

How can you prepare?

Review and update your app protection policies if you'd like more granular controls for blocking or allowing specific AI features. (Apps > Protection > select a policy > Properties > Basics > Apps > Data protection)

Plan for change: User alerts on iOS for when screen capture actions are blocked

In an upcoming version (20.3.0) of the Intune App SDK and Intune App Wrapping Tool for iOS, support is added to alert users when a screen capture action (including recording and mirroring) is detected in a managed app. The alert is only visible to users if you have configured an app protection policy (APP) to block screen capture.

How does this change affect you or your users?

If APP has been configured to block screen capturing, users see an alert indicating that screen capture actions are blocked by their organization when they attempt to screenshot, screen record, or screen mirror.

For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions, screen capture is blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.

How can you prepare?

Update your IT admin documentation and notify your helpdesk or users as needed. You can learn more about blocking screen capture in the blog: New block screen capture for iOS/iPadOS MAM protected apps

Move to new Microsoft Graph Beta API properties for Windows Autopilot self-deploying mode and pre-provisioning

In late May 2025 (previously March), a select number of old Microsoft Graph Beta API windowsAutopilotDeploymentProfile properties used for Windows Autopilot self-deploying mode and pre-provisioning are removed and stop working. The same data can be found using newer Graph API properties.

How does this change affect you or your users?

If you have automation or scripts using the following Windows Autopilot properties, you must update to the new properties to prevent them from breaking.

Old	New
enableWhiteglove	preprovisioningAllowed
extractHardwareHash	hardwareHashExtractionEnabled
language	Locale
outOfBoxExperienceSettings	outOfBoxExperienceSetting
outOfBoxExperienceSettings.HidePrivacySettings	outOfBoxExperienceSetting.PrivacySettingsHidden
outOfBoxExperienceSettings.HideEULA	outOfBoxExperienceSetting.EULAHidden
outOfBoxExperienceSettings.SkipKeyboardSelectionPage	outOfBoxExperienceSettings.KeyboardSelectionPageSkipped
outOfBoxExperienceSettings.HideEscapeLink	outOfBoxExperienceSettings.EscapeLinkHidden

How can you prepare?

Update your automation or scripts to use the new Graph API properties to avoid deployment issues.

Additional information:

Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS

We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis, and writing tools in response to the new AI features in iOS/iPadOS 18.2.

How does this change affect you or your users?

For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions screen capture will be blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.

How can you prepare?

Review your app protection policies and if needed, create a Managed apps app configuration policy to allow screen capture by configuring the above setting (Apps > App configuration policies > Create > Managed apps > Step 3 ‘Settings’ under General configuration). For more information review, iOS app protection policy settings – Data protection and App configuration policies - Managed apps.

Plan for Change: Implement strong mapping for SCEP and PKCS certificates

With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows enforces these changes on February 11, 2025.

To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates.

How does this change affect you or your users?

These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:

SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rollout updated certificates to minimize disruptions to your users.
PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.

For detailed steps and additional guidance, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates

How can you prepare?

If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:

(Recommended) Enable strong mapping by reviewing the steps described in the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
Alternatively, if all certificates can't be renewed before February 11, 2025, with the SID included, enable Compatibility mode by adjusting the registry settings as described in KB5014754. Compatibility mode is valid until September 2025.

Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support

We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.

How does this change affect you or your users?

If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.

How can you prepare?

If you choose to build apps targeting Android API 35, you need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you wrapped your app and are targeting API 35 you need to use the new version of the App wrapper (v1.0.4549.6).

Note

As a reminder, while apps must update to the latest SDK if targeting Android 15, apps don't need to update the SDK to run on Android 15.

You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.

Here are the public repositories:

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune supports Android 10 and later for user-based management methods, which includes:

Android Enterprise personally owned work profile
Android Enterprise corporate owned work profile
Android Enterprise fully managed
Android Open Source Project (AOSP) user-based
Android device administrator
App protection policies
App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this change affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

Intune technical support won't be provided.
Intune won't make changes to address bugs or issues.
New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, "Device enrollment with Company Portal" is shown as the default method. In an upcoming service release, the default method will change to "Web based device enrollment" during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: Set up just in time registration in Microsoft Intune.

How does this change affect you or your users?

This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display "Web based device enrollment" as the default method, existing profiles aren't impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Additional information:

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.

How does this change affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

Share via

What's new in Microsoft Intune

Week of August 25, 2025

App management

Offline Mode and App access without sign in for Android Enterprise Dedicated Devices on Managed Home Screen

Week of August 18, 2025 (Service release 2508)

App management

Android app configuration policies support new variable values

Device configuration

Managed Installer support for user and device groups

New Windows settings in the settings catalog

New day zero settings available in the Apple settings catalog

iOS/iPadOS

macOS

New setting in the Android settings catalog

Device enrollment

Intune supports Ubuntu 22.04 and later

Device management

Wipe remote action supports multiple administrative approval (MAA)

Configure Windows Backup for Organizations (public preview)

New resolution button improves compliance remediation experience

Intune apps

Newly available protected apps for Intune

Monitor and troubleshoot

Declarative software update reports for Apple devices

Role-based access control

Multi-administrator approval support for role-based access control

Week of August 11, 2025

Device management

Platform SSO is generally available (GA) and also supports custom TGT

Device security

Update required for Microsoft Tunnel endpoints

Week of July 28, 2025

Device management

New Microsoft Graph permissions for API calls to device management endpoints

Week of July 21, 2025 (Service release 2507)

Microsoft Intune Suite

Endpoint Privilege Management support for wildcards in elevation rules

App management

Newly available OEMConfig apps in Intune

Device configuration

New settings available in the Apple settings catalog

iOS/iPadOS

macOS

Device management

Platform support for Device Cleanup rules

Device security

macOS support for local administrator account configuration with (password solution) - GA

Intune apps

Newly available protected apps for Intune

Week of July 14, 2025

Device management

Experience Microsoft Copilot in Intune

Monitor and troubleshoot

Export device query results to CSV file

Week of June 23, 2025 (Service release 2506)

App management

Microsoft Intune support for Apple AI features

Add Enterprise App Catalog apps to ESP blocking apps list

Managed Home Screen orientation changes with Android 16

Device configuration

New settings available in the Apple settings catalog

iOS/iPadOS

macOS

New Block Bluetooth setting in the Android Enterprise settings catalog

Device management

New reporting system for improved performance and data consistency

Device security

New attributes and S/MIME baseline requirements for SCEP certificate profiles

Intune apps

Newly available protected apps for Intune

Monitor and troubleshoot

New status column in Windows hardware attestation report

Week of June 9, 2025

App management

ARM64 support for Win32 apps

Week of June 2, 2025

Device security

Vulnerability Remediation Agent for Intune (public preview)

Week of May 26, 2025 (Service release 2505)