Intune Release - 2104

App management

Installation status for device-assigned required apps

From the Installed apps page of the Windows Company Portal or the Company Portal website, end users can view the installation status and details for device-assigned required apps. This functionality is provided in addition to the installation status and details of user-assigned required apps. For more information about the Company Portal, see How to configure the Intune Company Portal apps, Company Portal website, and Intune app.

Win32 app version displayed in console

The version of your Win32 app is now displayed in the Microsoft Endpoint Manager admin center. The app version is provided in the All apps list, where you can filter by Win32 apps and select the optional version column. In the Microsoft Endpoint Manager admin center, select Apps > All apps > Columns > Version to display the app version in the app list. For related information, see Win32 app management in Microsoft Intune.

Maximum OS version setting for app conditional launch on iOS devices

Using Intune app protection policies, you can add a new conditional launch setting to ensure end users are not using any pre-release or beta OS build to access work or school account data on iOS devices. This setting ensures that you can vet all OS releases before end users are actively using new OS functionality on iOS devices. In Microsoft Endpoint Manager admin center, select Apps > App protection policies. For related information, see How to create and assign app protection policies.

Device configuration

Updated OEMConfig policy reporting for Android Enterprise devices

On Android Enterprise devices, you can create an OEMConfig policy to add, create, and customize OEM-specific settings. Now, the policy reporting is updated to also show success on a user, a device, and for each setting in the policy.

For more information, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

• Android Enterprise

Disable NFC pairing on iOS/iPadOS devices running 14.2 and newer

On supervised iOS/iPadOS devices, you can create a device restrictions profile that disables NFC (Devices > Configuration profiles> Create profile > iOS/iPadOS for platform > Device restrictions for profile > Connected devices > Disable near field communication (NFC)). When you disable this feature, it prevents devices from pairing with other NFC-enabled devices, and disables NFC.

To see this setting, go to iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

• iOS/iPadOS 14.2 and newer

Device management

Locate device remote action for Windows 10 devices

You can now use a new locate device remote action to get the geographical location of a device. Supported devices include:

• Windows 10 version 20H2 (10.0.19042.789) or later
• Windows 10 version 2004 (10.0.19041.789) or later
• Windows 10 version 1909 (10.0.18363.1350) or later
• Windows 10 version 1809 (10.0.17763.1728) or later

To see the new action, sign in to the Microsoft Endpoint Manager admin center and choose Devices > Windows > choose a Windows 10 > Locate device.

This action will work in a similar manner as the current Locate device action for Apple devices (but will not include any lost mode functionality).

Location services must be enabled on devices for this remote action to work. If Intune is unable to fetch the device's location and the user has set a default location in device settings, it will display the default location.

Microsoft Endpoint Manager ending support for Android 5.x

Microsoft Endpoint Manager no longer supports Android 5.x devices.

Support to display phone numbers for corporate Android Enterprise devices

For corporate Android Enterprise devices (Dedicated, Fully Managed, and Fully managed with work profile), the associated device phone numbers are now displayed in the Microsoft Endpoint Manager admin center. If multiple numbers are associated with the device, only one number will be displayed.

EID property support for iOS/iPadOS devices

The eSIM identifier (EID) is a unique identifier for the embedded SIM (eSIM). The EID property now appears on the hardware details page for iOS/iPadOS devices.

Intune support for provisioning Azure Active Directory shared devices

The ability to provision Android Enterprise dedicated devices with Microsoft Authenticator automatically configured into Azure AD shared device mode is now Generally Available. For more info on how to use this enrollment type, see Set up Intune enrollment of Android Enterprise dedicated devices.

View end of support details for your feature update profiles

To help you plan for end-of-service for Windows 10 feature updates you deploy with Intune, we’ve added two new columns of information to Feature Updates profiles in the Microsoft Endpoint Manager admin center.

The first new column displays a status that identifies when the update in the profile is near or has reached its end of service, and the second column displays that end of service date. When an update reaches its end of service, it is no longer deployed to devices, and the policy can be removed from Intune.

The new columns and details include:

• Support – This column displays the status of the feature update:

  • Supported – The update is supported for distribution.
  • Support ending – The update is within two months of its end of service date.
  • Not supported – The update is no longer supported, having reached its end of service date.

• Support End Date – This column displays the end-of-service date for the feature update in the profile.

For information about end of service dates for Windows 10 releases, see Windows 10 release information in the Windows release health documentation.

Device security

Use Antivirus profiles to prevent or allow merger of Antivirus exclusion lists on devices

You can now configure Defender local admin merge as a setting in a Microsoft Defender Antivirus profile to block merger of local exclusion lists for Microsoft Defender Antivirus on Windows 10 devices.

Exclusion lists for Microsoft Defender Antivirus can be configured locally on a device, and specified by Intune Antivirus policy:

• When exclusion lists are merged, locally defined exclusions are merged with those from Intune.
• When merge is blocked, only exclusions from policy will be effective on the device.

For more information about this and related settings, see Microsoft Defender Antivirus Exclusions.

Improved flow for conditional access on Surface Duo devices

We’ve streamlined the conditional access flow on Surface Duo devices. These changes happen automatically and don't require any configuration updates by administrators. (Endpoint security > Conditional access)

On a Duo device:

• When access to a resource is blocked by conditional access, users are now redirected to the Company Portal app that was preinstalled on the device. Previously, they were sent to the Google Play store listing of the Company Portal app.
• For devices that are enrolled as a personally-owned work profile, when a user tries to sign in to a personal version of an app using their work credentials they are now sent to the work version of the Company Portal where guidance messaging is shown. Previously, the user was sent to the Google Play store listing of the personal version of the Company Portal app, where they would have had to reenable the personal Company Portal to see the guidance messaging.

Configure options that apply to Tunnel Gateway server upgrades

We've added options to help you manage the upgrade of your Microsoft Tunnel Gateway servers. The new options apply to the Sites configuration and include:

• Set a maintenance window for each tunnel site. The window defines when the tunnel servers that assigned to that site can start to upgrade.

• Configure the server upgrade type, which determines how all servers at the site proceed with upgrades. You can choose between:

  • Automatic - All servers at the site will upgrade as soon as possible after a new server version becomes available.
  • Manual - Servers at the site will upgrade only after an admin explicitly chooses to allow the upgrade.

• The Health check tab now displays status for the server's software version to help you understand when your tunnel server software is out of date. Status includes:

  • Healthy - up to date with the most recent software version.
  • Warning - one version behind
  • Unhealthy - two or more versions behind

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

• Omnipresence Go by Omnipresence Technologies, Inc.
• Comfy by Building Robotics, Inc.
• M-Files for Intune by M-Files Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

New UI to filter data for new operational reports

New operational reports will now support a new UI to add data filters. The new filter pill offers an improved experience to help slice, refine, and view report data. For more information about reports in Intune, see Intune reports.

Windows restart frequency report in Endpoint analytics is generally available

Endpoint analytics startup performance currently provides IT with insights to measure and optimize PC boot times. However, restart frequency can be just as impactful to the user experience since a device that reboots daily because of blue screens will have a poor user experience even if the boot times are fast. We have now included a report on restart frequencies within your organization to help you identify problematic devices. For more information, see Restart frequency in endpoint analytics.

ur blog post content here…