To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. Also:
- If we anticipate that you need to take action before a change, we'll publish a complementary post in the Office message center.
- When a feature enters production, whether it's in preview or generally available, the feature description moves from this article to What's new.
- Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.
This article and the What's new article are updated periodically. Check back for more updates.
Note
This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.
You can use RSS to be notified when this article is updated. For more information, see How to use the docs.
Microsoft Intune Suite
Scope tags support for Endpoint Privilege Management reports
We're fixing how scope tags work with Endpoint Privilege Management (EPM) reports. With this change, EPM reports will respect the report viewer's assigned scope and display the details for only the users and devices that the report user is scoped to view.
App management
Auto-update for Enterprise App Management applications
You'll be able to automatically keep Enterprise App Management (EAM) applications up to date using Microsoft Intune. When you enable auto-update for an EAM app with a required assignment, Intune will detect when a newer version is available in the EAM catalog and automatically update the app on targeted devices.
Auto-update for EAM apps will help you:
- Simplify app lifecycle management by eliminating manual packaging and supersedence workflows.
- Reduce operational overhead at scale by removing the long tail of update maintenance.
- Keep devices secure with reliable, timely application updates.
Applies to:
- Windows
Enterprise App Management support for GCC High and DoD
Enterprise App Management (EAM) in Microsoft Intune will extend to GCC High (GCCH) and DoD cloud environments. Government customers will be able to use the EAM enterprise catalog to discover, deploy, and keep prepackaged Microsoft and third-party apps up to date without manual repackaging. EAM in sovereign clouds uses a secure cross-cloud integration model that maintains the compliance boundaries and authentication requirements expected for government tenants. This brings cloud-native app management, including faster deployment and reduced packaging overhead, to GCCH and DoD organizations.
Applies to:
- Windows
Multiple managed accounts for app protection policies
The Multiple Managed Accounts (MMA) feature for Intune mobile application management (MAM) will enable users to add and manage more than one managed account within a single app. With MMA, app protection policies will be enforced independently for each account, as defined by the admin. This capability will be especially useful for scenarios such as consultants working across organizations, company acquisitions, or users managing multiple mailboxes within the same tenant.
Applies to:
- iOS/iPadOS
- Android
Device configuration
New Android Enterprise settings in the Intune settings catalog
The settings catalog lists all the settings you can configure in a device policy, and all in one place. The following new Android Enterprise settings are available in the Microsoft Intune settings catalog (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type).
Communication and calling
| Setting | Description | Applies to |
|---|---|---|
| Block cell broadcast | When set to True, the device is prevented from receiving cell broadcast messages, such as emergency alerts. When set to False (default), Intune doesn't change or update this setting, and the OS might allow the reception of cell broadcast messages. | COBO, COSU, and COPE |
| Block SMS | When set to True, the device is prevented from sending or receiving SMS messages, restricting text communication. When set to False (default), the device follows the default SMS behavior of the OS. | COBO, COSU, and COPE |
| Block outgoing calls | When set to True, users are prevented from making outgoing calls on the device. When set to False (default), Intune doesn't change or update this setting, and the OS might allow outgoing calls. | COBO, COSU, and COPE |
Connectivity and networking
| Setting | Description | Applies to |
|---|---|---|
| Block mobile networks configuration | When set to True, users are prevented from configuring or modifying mobile network settings on the device. When set to False (default), Intune doesn't change or update this setting, and the OS might allow users to adjust mobile network settings. | COBO, COSU, and COPE |
| Block configuring VPN | When set to True, users can't add, edit, or remove VPN configurations on the device. When set to False or not configured, the device follows the default VPN configuration behavior of the OS. Found in the Connectivity category. To configure, go to Devices > Manage devices > Configuration > Create > New policy, choose Android Enterprise as the platform, select the corporate-owned device type, and choose Settings catalog as the profile type. Search for Block configuring VPN and add it to your policy. | COBO, COSU, and COPE |
| Block network reset | When set to True, the device won't reset network settings even if a reset is attempted. When set to False (default), the device follows the default network reset behavior of the OS. | COBO, COSU, and COPE |
| Block airplane mode | When set to True, the device is prevented from enabling airplane mode. When set to False, the device follows the default airplane mode behavior of the OS. | COBO, COSU, and COPE |
| Block ultra wideband | When set to True, the device prevents ultra wideband functionality, restricting user access to the setting. When set to False (default), the device follows the default ultra wideband behavior of the OS. Supported on Android 14 and above. | COBO, COSU, and COPE |
| Block cellular 2G | When set to True, the device prevents cellular 2G functionality, restricting user access to the setting. When set to False (default), the device follows the default cellular 2G behavior of the OS. Supported on Android 14 and above. | COBO, COSU, and COPE |
| Select minimum Wi-Fi security level | Select the minimum Wi-Fi security level required for the device to connect to Wi-Fi networks. Options are Open network security, Personal network security, Enterprise network security, and Enterprise 192-bit network security. The default is Open network security, which allows the device to connect to all types of Wi-Fi networks. Supported on Android 13 and later. | COBO, COSU, and COPE |
| Allow selection of a preferential network service | When set to True, the device gives priority to the specified network service over other available options, such as an enterprise slice on 5G networks. When set to False, the device connects using its default network selection process. | COBO, COSU, and COPE |
eSIM management
| Setting | Description | Applies to |
|---|---|---|
| Block users from adding eSIM profiles | When set to True, users can't add eSIM profiles to the device. When set to False (default), users can add eSIM profiles based on the default behavior of the OS. | COBO, COSU, and COPE |
Device personalization and display
| Setting | Description | Applies to |
|---|---|---|
| Block wallpaper changes | When set to True, users are prevented from changing the wallpaper on the device. When set to False (default), Intune doesn't change or update this setting, and the OS might allow users to change the wallpaper. | COBO, COSU, and COPE |
| Block user icon changes | When set to True, users are prevented from changing their user icon or profile image on the device. When set to False (default), Intune doesn't change or update this setting, and the OS might allow users to modify their user icon. | COBO, COSU, and COPE |
Printing
| Setting | Description | Applies to |
|---|---|---|
| Block printing | When set to True, the device is prevented from printing documents. When set to False (default), the device follows the default printing behavior of the OS. | COBO, COSU, and COPE |
Security and work profile
| Setting | Description | Applies to |
|---|---|---|
| Block one lock for device and work profile | When set to True, users must use two different passwords for the device lock screen and the work profile. When set to False, Intune doesn't change or update this setting, and by default the OS might allow users to use the same password for both. | COPE |
| Allow widgets from work profile apps | When set to True, users can access widgets exposed by apps in the work profile on the device's home screen. When set to False, access to these widgets is prevented. By default, the OS might allow widget access. | COPE |
| Block apps from exposing app functions | This setting controls whether managed apps can expose app functions (programmatic actions that other apps and on-device assistants or AI agents can invoke inside the app). When set to True, apps on fully managed devices and apps in the work profile on corporate-owned devices are blocked from exposing app functions. When set to False (default OS behavior), apps are allowed to expose app functions. | COBO, COSU, and COPE |
Platform key:
- COBO: Android Enterprise corporate-owned fully managed
- COSU: Android Enterprise corporate-owned dedicated devices
- COPE: Android Enterprise corporate-owned devices with a work profile (at work profile level)
For a list of all settings you can currently configure, see Android Enterprise device settings list in the Intune settings catalog.
Applies to:
- Android Enterprise
Enforce Routes capability in iOS/iPadOS and macOS VPN profiles
Microsoft Intune will support Apple's Enforce Routes feature in iOS/iPadOS and macOS VPN profiles.
This feature helps prevent situations where VPN traffic accidentally or maliciously leaves the VPN tunnel, as happens in de-cloaking attacks, and ensures that VPN routing aligns with Apple's platform semantics.
When you configure this feature in Intune, routing behavior is defined using Include all networks and Exclude local networks settings. Intune automatically derives the appropriate Enforce Routes configuration based on these selections to ensure consistent and predictable device behavior.
To learn more about VPN profiles in Intune, see:
- Create VPN profiles to connect to VPN servers in Intune
- Add VPN settings to Apple devices in Microsoft Intune
Applies to:
- iOS/iPadOS
- macOS
Support for WPA3-Personal in iOS/iPadOS Wi-Fi profiles
Microsoft Intune will support WPA3-Personal as a security-type option when configuring Wi-Fi device configuration profiles for iOS/iPadOS. Admins will be able to select WPA3-Personal alongside existing options such as WPA2-Personal.
This feature:
- Allows managed iOS/iPadOS devices to connect to networks that require the stronger WPA3 protocol.
- Brings iOS/iPadOS in line with the latest Wi-Fi Alliance security standards and helps organizations meet evolving network-security requirements.
Support for WPA3 on Windows, Android, and macOS platforms and for WPA3-Enterprise will be available in a future release (no ETA).
To learn more about the settings you can currently configure, see Add Wi-Fi settings to Apple devices in Microsoft Intune.
Applies to:
- iOS/iPadOS
Device enrollment
Enrollment time grouping for new Apple ADE enrollment policies generally available
Enrollment time grouping (ETG) will improve the Apple automated device enrollment (ADE) setup experience by providing an efficient way to group devices at enrollment time. The pre-knowledge of the security group that the device will be a member of helps in computing the applicable policies, apps, and settings for the enrolled device, so the configurations are delivered quickly at the time of enrollment.
You'll be able to configure enrollment time grouping in new iOS/iPadOS and macOS enrollment policies that use these authentication methods:
- iOS/iPadOS:
  - Enroll with user affinity
    - Setup Assistant with modern authentication
    - Company Portal authentication method
  - Enroll without user affinity
    - Microsoft Entra shared mode
  - Shared iPad
    - Enroll with user affinity
- macOS:
  - Enroll with user affinity
    - Setup Assistant with modern authentication
  - Enroll without user affinity
There will be a new Device group tab within new iOS/iPadOS and macOS enrollment policies where you can add a Microsoft Entra security group. The group you add will map directly to the enrollment profile, and you'll be able to edit the group at any time. The new device grouping tab won't be available in existing enrollment profiles.
Other requirements include adding the Intune first-party app as a security group owner, and ensuring that you have the enrollment time device membership assignment permission within a custom RBAC role.
Applies to:
- iOS/iPadOS Automated Device Enrollment (ADE)
- macOS Automated Device Enrollment (ADE)
Device management
Remote Help support for RemoteApp in Azure Virtual Desktop
Remote Help will support RemoteApp in Azure Virtual Desktop (AVD), enabling help desk agents to securely view and control apps running within RemoteApp sessions.
Agentic identity for the Policy Configuration Agent (public preview)
The Intune Policy Configuration Agent will update to use a Microsoft Entra agentic identity instead of a human user identity. This enables the agent to run policy configuration actions securely and independently.
For existing agents, admins will be able to transition to an agentic identity from the agent's Settings tab by selecting Create new identity. After the identity is provisioned, the agent will now run on behalf of the logged-in user and the information will be scoped by the permissions of that account. For new agents, an agentic identity will be auto provisioned at setup.
Android Enterprise personally owned devices with a work profile will use Android Management API (AMAPI)
When users enroll their personally owned Android devices in Intune, a work profile is created with a separate partition on the device for the user's work account. These devices are referred to as personally owned devices with a work profile.
As part of the Intune move to the Android Management API, there will be some updates for personally owned devices that enroll in Intune:
- Web-based enrollment for an improved enrollment flow and experience: users won't have to install an app to enroll in Intune. Web enrollment will be tenant wide.
- New implementation for how Intune delivers policies: a modern update to how Intune delivers and monitors policies on Android personally owned devices with a work profile. This change also aligns with how Intune manages policies on corporate-owned devices with a work profile, fully managed devices, and dedicated devices. You can scale your migration to targeted groups.
To use these features, you will need to opt in:
- Web based enrollment: Devices > Device Onboarding > Enrollment > Android > Personally owned devices with a work profile > Use web enrollment for all users enrolling into Android personally-owned work profile management
- Policy: Devices > Manage devices > Configuration > Create > New policy > Android Enterprise > Move to Android Management API
To learn more, see:
- New policy implementation and web enrollment for Android personally owned work profile blog
- Android Enterprise work profile management overview
Applies to:
- Android Enterprise personally owned devices with a work profile
Device security
Audit mode for the Microsoft Defender Antivirus template for Linux
We'll soon add a new Audit value to the Enforcement level setting in the Microsoft Defender Antivirus template for Linux, which is part of Intune's Endpoint Security Antivirus policy. When you set Enforcement level to Audit, the antivirus engine detects threats in real time but doesn't automatically remediate them. Malware detections are reported as alerts in the Microsoft Defender portal through real-time scanning, without quarantining the malicious files. This gives you visibility into the threat landscape before you turn on full protection.
The Microsoft Defender Antivirus template for Linux is supported for devices managed by Intune, and for devices managed only by Defender through the Microsoft Defender for Endpoint security settings management scenario (MDE attach).
Applies to:
- Linux
Mark Windows devices noncompliant when prohibited AI agents are discovered
Automatically mark Windows devices as noncompliant when prohibited local AI agents, such as OpenClaw, are discovered on the device. As an admin, you'll be able to configure a list of prohibited agents in a Windows compliance policy. When a prohibited agent is detected, the device reports as noncompliant and Conditional Access takes effect. The device returns to a compliant state once the agent is removed.
Updated security baseline for Microsoft 365 Apps for Enterprise
An updated security baseline for Microsoft 365 Apps for Enterprise will be available in Microsoft Intune. This baseline aligns with the most recent Microsoft 365 Apps security guidance and includes updated policy recommendations to help protect against evolving threats.
This new baseline will be version v2512, skipping the previously published version found in the Security Compliance Toolkit (v2412). Once available, review the new baseline carefully before adopting it.
The following three settings won't be available in this baseline release and are expected to be added in a future update. However, their parent setting (VBA Macro Notification Settings set to Disable all except digitally signed macros) will continue to be included in the v2512 update:
- Require macros to be signed by a trusted publisher: Pending availability in the Settings Catalog.
- Block certificates originating from the current user store only: Pending availability in the Settings Catalog.
- Require Extended Key Usage (EKU) for code signing: Pending availability in the Settings Catalog.
Existing profiles won't automatically upgrade. To use the latest version, create a new baseline profile or update an existing profile to the latest version.
For a detailed breakdown of setting changes, see the blog post Security baseline for M365 Apps for enterprise v2512.
Applies to:
- Windows
Security Baseline for audits of Security Technical Implementation Guides
We're adding a new security baseline that audits devices against the recommended configuration of Security Technical Implementation Guides (STIGs).
The new baseline will be available for US Government Community Cloud High (GCC High) tenants and is focused on audits rather than configuration. Applicable to Windows devices, the baseline generates detailed reports on which devices meet the recommended settings for compliance with STIGs.
Applies to:
- Windows
For information about the currently available Intune security baselines, see Security baselines overview.
Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint
You'll be able to use the endpoint security policy for Device control (Attack surface reduction policy) from Microsoft Intune with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.
- Device control policies are part of endpoint security Attack surface reduction policy.
Applies to the following when you use the Windows platform:
- Windows 10
- Windows 11
When this change takes effect, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune will start applying the settings from the policy. Check your policy assignments to make sure only the devices you intend to receive this policy will get it.
Custom compliance settings for macOS
Microsoft Intune will support custom compliance settings for macOS. You'll be able to define compliance checks using scripts and JSON rules, similar to existing support for Windows and Linux. This capability will allow you to evaluate device configuration, security posture, and other custom attributes not covered by built-in settings. Results will appear alongside standard compliance reporting in the Intune admin center.
Applies to:
- macOS
Client-driven compliance evaluation for Windows devices
Microsoft Intune will introduce client-driven compliance evaluation for Windows devices to reduce delays in compliance reporting. Supported devices will detect important state changes locally and proactively request a compliance re-evaluation when it matters, instead of waiting for the next scheduled check-in. As an admin, you'll see faster updates for remediation, reporting, and access decisions. This capability will roll out in preview for Windows devices.
Applies to:
- Windows
Controlled Configuration for Microsoft Defender antivirus settings
Microsoft Intune is bringing Controlled Configuration (CC) to public preview for Microsoft Defender antivirus settings. CC introduces a unified approach to endpoint security by making Intune and Microsoft 365 Defender the single source of truth for antivirus and related security settings.
When you enable CC, all of the Defender antivirus settings that are delivered by Intune or Microsoft Defender for Endpoint security settings management will override configurations from all other channels, including Group Policy, Configuration Manager, and local changes or scripts. This single source of truth will help ensure consistent, predictable device states.
CC extends Tamper Protection by letting you lock settings to admin-defined values, not just defaults. Your Defender antivirus policies set by Intune are reliably enforced across your endpoints, without being overridden by legacy on-premises policies or local per-device changes.
Benefits of CC include:
- Authoritative policy enforcement: Cloud-delivered antivirus settings always take precedence, eliminating conflicts from legacy tools.
- Improved security posture: Prevents configuration drift and reduces risk from local changes.
- Simplified troubleshooting: Clear, predictable configurations make auditing and support easier.
Applies to:
- Windows
Notices
These notices provide important information that can help you prepare for future Intune changes and features.
Update to the latest Intune Company Portal for Android, Intune App SDK for iOS, and Intune App Wrapper for iOS
Starting January 19, 2026, or soon after, we're making updates to improve the Intune mobile application management (MAM) service. To stay secure and run smoothly, this update will require iOS wrapped apps, iOS SDK integrated apps, and the Intune Company Portal for Android to be updated to the latest versions.
Important
If you don't update to the latest versions, users will be blocked from launching your app.
Because of the way Android updates work, once one Microsoft application with the updated SDK is on the device and the Company Portal is updated to the latest version, Android apps update automatically, so this message focuses on iOS SDK and app wrapper updates. We recommend always updating your Android and iOS apps to the latest SDK or app wrapper to ensure that your app continues to run smoothly. Review the following GitHub announcements for more details on the specific effect:
- SDK for iOS: Action Required: Update the MAM SDK in your application to avoid end user impact - microsoftconnect/ms-intune-app-sdk-ios Discussion #598 | GitHub
- Wrapper for iOS: Action Required: Wrap your application with version 20.8.1+ to avoid end user impact - microsoftconnect/intune-app-wrapping-tool-ios Discussion #143 | GitHub
If you have questions, leave a comment on the applicable GitHub announcement.
How does this change affect you or your users?
If your users haven't updated to the latest Microsoft or third-party app protection supported apps, they'll be blocked from launching their apps. If you have iOS line-of-business (LOB) applications that are using the Intune wrapper or Intune SDK, you must be on Wrapper/SDK version 20.8.0 or later for apps compiled with Xcode 16 and version 21.1.0 or later for apps compiled with Xcode 26 to avoid your users being blocked.
How can you prepare?
Plan to make the following changes before January 19, 2026:
For apps using the Intune App SDK, you must update to the new version of the Intune App SDK for iOS:
- For apps built with Xcode 16, use v20.8.0: Release 20.8.0 - microsoftconnect/ms-intune-app-sdk-ios | GitHub
- For apps built with Xcode 26, use v21.1.0: Release 21.1.0 - microsoftconnect/ms-intune-app-sdk-ios | GitHub
For apps using the wrapper, you must update to the new version of the Intune App Wrapping Tool for iOS:
- For apps built with Xcode 16, use v20.8.1: Release 20.8.1 - microsoftconnect/intune-app-wrapping-tool-ios | GitHub
- For apps built with Xcode 26, use v21.1.0: Release 21.1.0 - microsoftconnect/intune-app-wrapping-tool-ios | GitHub
For tenants with policies targeted to iOS apps:
- Notify your users that they need to upgrade to the latest version of the Microsoft apps. You can find the latest version of the apps, such as Microsoft Teams and Microsoft Outlook, in the App Store.
- Additionally, you can enable the following Conditional Launch settings:
  - The Min SDK version setting to block users if the app is using an Intune SDK for iOS older than 20.8.0.
  - The Min app version setting to warn users on older Microsoft apps. Note that this setting must be in a policy targeted only to that specific app.
For tenants with policies targeted to Android apps:
Notify your users that they need to upgrade to the latest version (v5.0.6726.0) of the Intune Company Portal app.
Additionally, you can enable the following Conditional Launch device condition setting:
- The Min Company Portal version setting to warn users using a Company Portal app version older than 5.0.6726.0.
Note
Use Conditional Access policy to ensure that only apps with app protection policies can access corporate resources. For more information on creating Conditional Access policies, see Require approved client apps or app protection policy with mobile devices.
Update firewall configurations to include new Intune network endpoints
As part of Microsoft's ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers might be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.
Don't remove any existing network endpoints required for Microsoft Intune. More network endpoints are documented as part of the Azure Front Door and service tags information referenced in the following files:
- Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center
- Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center
The other ranges are in the JSON files linked above and can be found by searching for "AzureFrontDoor.MicrosoftSecurity".
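As an added example (not part of this article or of Microsoft's tooling), the following Python script reads a Service Tags JSON download in the layout described above, extracts the AzureFrontDoor.MicrosoftSecurity prefixes, and reports which of them an existing allowlist does not yet cover. The embedded JSON sample and the allowlist are constructed with documentation-only address ranges; only the file layout (a top-level `values` list with `name` and `properties.addressPrefixes`) is assumed.

```python
"""Pull the AzureFrontDoor.MicrosoftSecurity prefixes out of an Azure
"IP Ranges and Service Tags" JSON download and diff them against a
firewall allowlist. Added example; not Microsoft's documentation or tooling."""
import ipaddress
import json
from typing import Iterable, List, Tuple

# Constructed, abbreviated sample in the shape of the downloadable ServiceTags
# JSON: a top-level "values" list whose entries carry "name" and
# "properties.addressPrefixes". The prefixes are RFC 5737 / RFC 3849
# documentation ranges, NOT real Azure Front Door addresses.
SAMPLE_SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {
      "name": "AzureFrontDoor.MicrosoftSecurity",
      "id": "AzureFrontDoor.MicrosoftSecurity",
      "properties": {
        "region": "",
        "platform": "Azure",
        "systemService": "AzureFrontDoor",
        "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"],
        "networkFeatures": ["API", "NSG", "UDR", "FW"]
      }
    },
    {
      "name": "Storage",
      "id": "Storage",
      "properties": {"addressPrefixes": ["203.0.113.0/24"]}
    }
  ]
}
"""

TAG = "AzureFrontDoor.MicrosoftSecurity"


def prefixes_for_tag(service_tags_json: str, tag: str = TAG) -> List[str]:
    """Return the normalized prefixes published for one service tag.

    Raises KeyError when the tag is absent, so a stale download or the wrong
    cloud file (Public vs. US Government) fails loudly instead of yielding an
    empty allowlist update.
    """
    doc = json.loads(service_tags_json)
    for entry in doc.get("values", []):
        if entry.get("name") == tag:
            normalized = (str(ipaddress.ip_network(p, strict=False))
                          for p in entry["properties"]["addressPrefixes"])
            return list(dict.fromkeys(normalized))  # keep order, drop duplicates
    raise KeyError(f"service tag {tag!r} not found in this download")


def split_by_family(prefixes: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Separate IPv4 and IPv6 prefixes; many firewalls need distinct objects."""
    v4, v6 = [], []
    for prefix in prefixes:
        (v4 if ipaddress.ip_network(prefix).version == 4 else v6).append(prefix)
    return v4, v6


def allowlist_gaps(tag_prefixes: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return tag prefixes that no existing allowlist entry already covers.

    Coverage is by subnet containment, so a broader existing rule (for example
    192.0.2.0/23) counts as covering 192.0.2.0/24.
    """
    allowed = [ipaddress.ip_network(p, strict=False) for p in allowlist]
    gaps = []
    for prefix in tag_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            gaps.append(str(net))
    return gaps


def destination_allowed(ip: str, allowlist: Iterable[str]) -> bool:
    """Check whether one destination address falls inside the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in allowlist)


if __name__ == "__main__":
    # Constructed current allowlist; in practice, export it from the firewall.
    current_allowlist = ["192.0.2.0/23", "203.0.113.0/24"]
    new_prefixes = prefixes_for_tag(SAMPLE_SERVICE_TAGS_JSON)
    v4, v6 = split_by_family(new_prefixes)
    print(f"{TAG}: {len(v4)} IPv4 and {len(v6)} IPv6 prefixes")
    for missing in allowlist_gaps(new_prefixes, current_allowlist):
        print("allowlist is missing:", missing)
```

Point `prefixes_for_tag` at the contents of the downloaded Public or US Government file to run the same check against the real ranges.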
How does this change affect you or your users?
If you've configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN, or network security groups, you'll need to update them to include the new Azure Front Door ranges with the "AzureFrontDoor.MicrosoftSecurity" tag.
Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn't include the new Azure Front Door IP address ranges, users can face sign-in issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or the apps protected by app protection policies could be disrupted.
How can you prepare?
Update your firewall rules so that the additional IP addresses documented under Azure Front Door are in your firewall's allowlist by December 2, 2025.
Alternatively, you can add the AzureFrontDoor.MicrosoftSecurity service tag to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag.
If you aren't the IT admin who can make this change, notify your networking team. If you're responsible for configuring internet traffic, see the following documentation for more details:
- Azure Front Door
- Azure service tags
- Intune network endpoints
- US government network endpoints for Intune
If you have a helpdesk, inform them about this upcoming change.
Update to support statement for Windows 10 in Intune
Windows 10 has reached end of support on October 14, 2025. Windows 10 no longer receives quality or feature updates. Security updates are only available to commercial customers who have enrolled devices into the Extended Security Updates (ESU) program. For more details, review the following additional information.
How does this change affect you or your users?
Microsoft Intune continues to maintain core management functionality for Windows 10, including:
- Continuity of device management.
- Support for updates and migration workflows to Windows 11.
- Ability for ESU customers to deploy Windows security updates and maintain secure patch levels.
The final release of Windows 10 (version 22H2) is designated as an "allowed" version in Intune. While updates and new features are not available, devices running this version can still enroll in Intune and use eligible features, but functionality is not guaranteed and can vary.
How can you prepare?
Use the All devices report in the Intune admin center to identify devices still running Windows 10 and upgrade eligible devices to Windows 11.
If devices cannot be upgraded in time, consider enrolling eligible devices in the Windows 10 ESU program to continue receiving critical security updates.
Additional information
- Stay secure with Windows 11, Copilot+ PCs, and Windows 365 before support ends for Windows 10
- Windows 10 reaching end of support
- Enable Extended Security Updates (ESU)
- Windows 10 release information
- Windows 11 release information
- Lifecycle FAQ - Windows
Plan for Change: Intune is moving to support iOS/iPadOS 17 and later
Later in calendar year 2025, we expect iOS 26 and iPadOS 26 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), requires iOS 17/iPadOS 17 and higher shortly after the iOS/iPadOS 26 release.
How does this change affect you or your users?
If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 17/iPadOS 17).
Given that Microsoft 365 mobile apps are supported on iOS 17/iPadOS 17 and higher, this change might not affect you. You likely already upgraded your OS or devices.
To check which devices support iOS 17 or iPadOS 17 (if applicable), see the following Apple documentation:
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version changes to iOS 17/iPadOS 17 while the allowed OS version changes to iOS 14/iPadOS 14 and later. For more information, see this statement about ADE Userless support.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.
To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.
Plan for change: Intune is moving to support macOS 14 and higher later this year
Later in calendar year 2025, we expect macOS Tahoe 26 to be released by Apple. Microsoft Intune, the Company Portal app, and the Intune mobile device management agent support macOS 14 and later. Because the Company Portal app for iOS and macOS is a unified app, this change will occur shortly after the release of macOS 26. This change doesn't affect existing enrolled devices.
How does this change affect you or your users?
This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. Your users have likely already upgraded their macOS devices, so this change might not affect you. For a list of supported devices, refer to macOS Sonoma is compatible with these computers.
Note
Devices that are currently enrolled on macOS 13.x or below will remain enrolled even when those versions are no longer supported. New devices can't enroll if they're running macOS 13.x or below.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 13.x or earlier. Ask your users to upgrade their devices to a supported OS version.
Plan for Change: Google Play strong integrity definition update for Android 13 or above
Google recently updated the definition of "Strong Integrity" for devices running Android 13 or above, requiring hardware-backed security signals and recent security updates. For more information, see the Android Developers Blog: Making the Play Integrity API faster, more resilient, and more private. Microsoft Intune will enforce this change by October 31, 2026. Until then, we've adjusted app protection policy and compliance policy behavior to align with Google's recommended backward compatibility guidance to minimize disruption as detailed in Improved verdicts in Android 13 and later devices | Google Play | Android Developers.
How does this change affect you or your users?
If you have targeted users with app protection policies or compliance policies, and those users have devices running Android 13 or above that haven't received a security update in the past 12 months, those devices will no longer meet the "Strong Integrity" standard.
User impact - For users running devices on Android 13 or above after this change:
- Devices without the latest security updates might be downgraded from "Strong Integrity" to "Device Integrity", which could result in conditional launch blocks for affected devices.
- Users whose devices lack the latest security updates might see their devices become noncompliant in the Intune Company Portal app and could lose access to company resources based on your organization's Conditional Access policies.
Devices running Android versions 12 or below aren't affected by this change.
How can you prepare?
Review and update your policies as needed. Ensure users with devices running Android 13 or above are receiving timely security updates. You can use the app protection status report to monitor the date of the last Android Security Patch received by the device and notify users to update as needed. The following admin options are available to help warn or block users:
- For app protection policies, configure the Min OS version and Min patch version conditional launch settings. For more details, review Android app protection policy settings in Microsoft Intune | Microsoft Learn.
- For compliance policies, configure the Minimum security patch level compliance setting. For more details, review: Device compliance settings for Android Enterprise in Intune
Plan for Change: New Intune connector for deploying Microsoft Entra hybrid joined devices using Windows Autopilot
As part of Microsoft's Secure Future Initiative, we recently released an update to the Intune Connector for Active Directory to use a Managed Service Account instead of a local SYSTEM account for deploying Microsoft Entra hybrid joined devices with Windows Autopilot. The new connector aims to enhance security by reducing unnecessary privileges and permissions associated with the local SYSTEM account.
Important
At the end of June 2025, we'll remove the old connector that uses the local SYSTEM account. At that point, we will stop accepting enrollments from the old connector. For more information, see the Microsoft Intune Connector for Active Directory security update blog.
How does this change affect you or your users?
If you have Microsoft Entra hybrid joined devices using Windows Autopilot, you need to transition to the new connector to continue deploying and managing devices effectively. If you don't update to the new connector, you won't be able to enroll new devices using the old connector.
How can you prepare?
Update your environment to the new connector by following these steps:
- Download and install the new connector in the Intune admin center.
- Sign in to set up the Managed Service Account (MSA).
- Update the ODJConnectorEnrollmentWizard.exe.config file to include the required Organizational Units (OUs) for domain join.
For more detailed instructions, review: Microsoft Intune Connector for Active Directory security update and Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot.
Plan for Change: New settings for Apple AI features: Genmojis, Writing tools, Screen capture
Today, the Apple AI features for Genmojis, Writing tools, and screen capture are blocked when the app protection policy (APP) "Send Org data to other apps" setting is configured to a value other than "All apps". For more details on the current configuration, app requirements, and the list of current Apple AI controls, review the blog: Microsoft Intune support for Apple Intelligence.
In an upcoming release, Intune app protection policies will have new standalone settings for blocking screen capture, Genmojis, and Writing tools. These standalone settings are supported by apps that have updated to Intune App SDK and App Wrapping Tool version 19.7.12 or later (Xcode 15) or 20.4.0 or later (Xcode 16).
How does this change affect you or your users?
If you configured the APP "Send Org data to other apps" setting to a value other than "All apps", then the new "Genmoji", "Writing Tools", and "Screen capture" settings will be set to Block in your app protection policy to prevent changes to your current user experience.
Note
If you configured an app configuration policy (ACP) to allow for screen capture, it overrides the APP setting. We recommend updating the new APP setting to Allow and removing the ACP setting. For more information about the screen capture control, review iOS/iPadOS app protection policy settings | Microsoft Learn.
How can you prepare?
Review and update your app protection policies if you'd like more granular controls for blocking or allowing specific AI features. (Apps > Protection > select a policy > Properties > Basics > Apps > Data protection)
Plan for change: User alerts on iOS for when screen capture actions are blocked
In an upcoming version (20.3.0) of the Intune App SDK and Intune App Wrapping Tool for iOS, support is added to alert users when a screen capture action (including recording and mirroring) is detected in a managed app. The alert is only visible to users if you have configured an app protection policy (APP) to block screen capture.
How does this change affect you or your users?
If APP has been configured to block screen capturing, users see an alert indicating that screen capture actions are blocked by their organization when they attempt to screenshot, screen record, or screen mirror.
For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions, screen capture is blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.
How can you prepare?
Update your IT admin documentation and notify your helpdesk or users as needed. You can learn more about blocking screen capture in the blog: New block screen capture for iOS/iPadOS MAM protected apps.
Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis, and writing tools in response to the new AI features in iOS/iPadOS 18.2.
How does this change affect you or your users?
For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions, screen capture will be blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.
How can you prepare?
Review your app protection policies and, if needed, create a Managed apps app configuration policy to allow screen capture by configuring the above setting (Apps > App configuration policies > Create > Managed apps > Step 3 'Settings' under General configuration). For more information, review iOS app protection policy settings – Data protection and App configuration policies - Managed apps.
Plan for Change: Implement strong mapping for SCEP and PKCS certificates
With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows enforces these changes on February 11, 2025.
To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates.
How does this change affect you or your users?
These changes will affect SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:
- SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rolling out updated certificates to minimize disruptions to your users.
- PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.
For detailed steps and more guidance, review the Support tip: Implementing strong mapping in Microsoft Intune certificates blog.
How can you prepare?
If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:
- (Recommended) Enable strong mapping by reviewing the steps described in the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
- Alternatively, if not all certificates can be renewed with the SID included before February 11, 2025, enable Compatibility mode by adjusting the registry settings as described in KB5014754. Compatibility mode is valid until September 2025.
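As an added example that is not part of the Intune documentation, the following PowerShell audit lists certificates in a local store that lack the SID extension strong mapping relies on, and reads the KDC enforcement mode on a domain controller. It assumes the extension OID 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT) and the StrongCertificateBindingEnforcement value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc as documented in KB5014754; neither identifier appears on this page.

```powershell
# Added example, not from the Intune documentation. Audits certificates for the
# SID extension used for KB5014754 strong mapping and reports the KDC mode.
# Assumptions: the SID extension is OID 1.3.6.1.4.1.311.25.2 and embeds the
# SID as an ASCII string; the KDC mode lives in the Kdc service registry key.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'
$KdcKey          = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-CertificateSidMapping {
    # One record per certificate: whether it carries the SID extension, and the SID.
    # Device certificates are in Cert:\LocalMachine\My, user certificates in Cert:\CurrentUser\My.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
        $sid = $null
        if ($ext) {
            # The SID text sits inside the extension's ASN.1 value; pull it out.
            $text = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
            if ($text -match 'S-1-5-21(-\d+)+') { $sid = $Matches[0] }
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            StronglyMapped = [bool]$ext
            Sid            = $sid
        }
    }
}

function Get-KdcEnforcementMode {
    # StrongCertificateBindingEnforcement per KB5014754:
    # 0 = disabled, 1 = compatibility mode, 2 = full enforcement.
    $value = (Get-ItemProperty -Path $KdcKey -Name StrongCertificateBindingEnforcement `
              -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'FullEnforcement' }
        default { 'NotSet (Windows default applies)' }
    }
}

# Certificates that the KDC will reject once strong mapping is enforced.
Get-CertificateSidMapping | Where-Object { -not $_.StronglyMapped } | Format-Table -AutoSize
"KDC mode: $(Get-KdcEnforcementMode)"
```

Run the certificate audit on an enrolled device (the KDC check only returns a value on a domain controller) and re-run it after updating the SCEP profile or Certificate Connector to confirm renewed certificates carry the SID.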
Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support
We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.
How does this change affect you or your users?
If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.
How can you prepare?
If you choose to build apps targeting Android API 35, you need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you wrapped your app and are targeting API 35, you need to use the new version of the App wrapper (v1.0.4549.6).
Note
As a reminder, while apps must update to the latest SDK if targeting Android 15, apps don't need to update the SDK to run on Android 15.
You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.
Here are the public repositories:
Intune moving to support Android 10 and later for user-based management methods in October 2024
Starting in October 2024, Intune supports Android 10 and later for user-based management methods, which include:
- Android Enterprise personally owned work profile
- Android Enterprise corporate owned work profile
- Android Enterprise fully managed
- Android Open Source Project (AOSP) user-based
- Android device administrator
- App protection policies
- App configuration policies (ACP) for managed apps
Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.
Note
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices aren't affected by this change.
How does this change affect you or your users?
For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:
- Intune technical support won't be provided.
- Intune won't make changes to address bugs or issues.
- New and existing features aren't guaranteed to work.
While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
How can you prepare?
Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:
- Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
- Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
- Set enrollment restrictions to prevent enrollment on devices running older versions.
For more information, review: Manage operating system versions with Microsoft Intune.
See also
For details about recent developments, see What's new in Microsoft Intune.