Intune Service Release 2111

App management

Enable app update priority for Managed Google Play apps

You can set the update priority of Managed Google Play apps on dedicated, fully managed, and corporate-owned with a work profile Android Enterprise devices. Select High Priority to update an app as soon as the developer has published the update, regardless of charge status, Wi-Fi capability, or end user activity on the device. For related information, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Clear app data between sessions for Android Enterprise dedicated devices enrolled with shared device mode

Using Intune, you can choose to clear app data for applications that have not integrated with Shared device mode to ensure user privacy between sign-in sessions. Users will be required to initiate a sign-out from an application that has integrated with AAD's Shared device mode in order for IT-specified apps to have their data cleared. This functionality will be available for Android Enterprise dedicated devices enrolled with shared device mode on Android 9 or later.

Export underlying discovered apps list data

In addition to exporting the summarized discovered apps list data, you can export the more extensive underlying data. The current summarized export experience provides summarized aggregate data, however the additional new experience also provides the raw data. The raw data export will give you the entire dataset, which is used to create the summarized aggregate report. The raw data is a list of every device and each app discovered for that device. This functionality has been added to the Intune console to replace the Intune Data Warehouse Application Inventories dataset. In the Microsoft Endpoint Manager admin center, select Apps > Monitor > Discovered apps > Export to display the export options. For related information, see Intune discovered apps and Export Intune reports using Graph APIs.

Filter improvements when displaying platform-specific app lists

Filters have been improved when displaying platform-specific app lists in the Microsoft Endpoint Manager admin center. Previously, when navigating to a platform-specific app list, you could not use the App type filter on the list. With this change, you can apply filters (including the App Type and Assignment status filters) on the platform-specific list of apps. For related information, see Intune reports.

Newly available protected apps for Intune

The following protected app is now available for Microsoft Intune:

• PenPoint by Pen-Link, Ltd.

For more information about protected apps, see Microsoft Intune protected apps.

New RBAC permission for Win32 app supersedence and dependency relationships

A new Microsoft Endpoint Manager permission has been added to create and edit Win32 app supersedence and dependency relationships with other apps. The permission is available under the Mobile apps category by selecting Relate. Starting in the 2202 service release, MEM admins will need this permission to add supersedence and dependency apps when creating or editing a Win32 app in Microsoft Endpoint Manager admin center. To find this permission in Microsoft Endpoint Manager admin center, choose Tenant administration > Roles > All roles > Create. This permission has been added to the following built-in roles:

• Application Manager
• School administrator

For related information, see Create a custom role in Intune.

Non-applicable status entries are no longer shown in the Device Install Statusreport

Based on a selected app, the Device Install Status report provides a list of devices and status information for the selected app. App installation details related to the device includes UPN, Platform, Version, Status, Status details, and Last check-in. If the device's platform differs from the application's platform, rather then showing Not Applicable for the Status details of the entry, the entry will no longer be provided. For example, if an Android app has been select and the app is targeted to an iOS device, rather than providing a Not Applicable device status value, the device status for that entry will not be shown in the Device Install Status report. To find this report, in Microsoft Endpoint Manager admin center, select Apps > All Apps > Select an app > Device Install status. For related information, see Device Install Status report for apps (Operational).

New ADMX settings for Edge 95 and Edge updater

New ADMX settings for Edge 95 and Edge updater have been added to Administrative Templates. This includes support for "Target Channel override" which allows customers to opt into the Extended Stable release cycle option at any point using Group Policy or through Intune. In Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile. Then, select Platform > Windows 10 and later and Profile > Templates > Administrative Templates. For related information, see Overview of the Microsoft Edge channels, Microsoft Edge Browser Policy Documentation, and Configure Microsoft Edge policy settings in Microsoft Intune.

New privacy consent screen during Company Portal installation

We've added a new privacy consent screen to Company Portal for Android to meet privacy requirements for certain app stores, such as those in China. People installing Company Portal for the first time from those stores will see the new screen during installation. The screen explains what information Microsoft collects and how it's used. A person must agree to the terms before they can use the app. Users who installed Company Portal prior to this release will not see the new screen.

Device management

Endpoint analytics per device scoring

Per device scores in Endpoint analytics are now out of preview and generally available. Per device scores help you identify devices that could be impacting user experience. Reviewing scores per device may help you find and resolve end-user impacting issues before a call is made to the help desk.

Safeguard holds are now visible in the Feature update failures report

When a device is blocked form installing a Windows update due to a safeguard hold, you’ll now be able to view details about that hold in Feature update failures report in the Microsoft Endpoint Manager admin center.

A device with a safeguard hold appears as a device with an error in the report. When you view details for such a device, the Alert Message column displays Safeguard Hold, and the Deployment Error Code column displays the ID of the safeguard hold.

Microsoft occasionally places safeguard holds to block installation of an update on a device when something detected on that device is known to result in a poor post-update experience. For example, software or drivers are common reasons to place a safeguard hold. The hold remains in place until the underlying issue is resolved, and the update is safe to install.

To learn more about active safeguard holds and expectations for their resolution, go to the Windows release health dashboard at https://aka.ms/WindowsReleaseHealth.

Improvements for managing Windows Updates for pre-release builds

We've improved the experience of using Update rings for Windows 10 and later to manage Windows updates for pre-release builds. The improvements include the following:

• We've added Enable pre-release builds as a new control in on the Update ring settings page for update rings. Use this setting to configure assigned devices to update to a pre-release build. The list of pre-release builds you can select include:
  • Beta Channel
  • Dev Channel
  • Windows Insider - Release Preview For more information about pre-release builds, see the Windows Insiderwebsite.
• Devices assigned Update rings for Windows 10 and later policies will no longer have the ManagePreviewBuildssetting changed during Autopilot. When this setting changed during Autopilot it forced an additional device reboot.

Use Update Rings for Windows 10 and later to upgrade to Windows 11

We’ve added a new setting to Update Rings for Windows 10 and later that you can use to upgrade eligible devices from Windows 10 to Windows 11, when you are ready to do so.

• Upgrade Windows 10 devices to Latest Windows 11 release By default, this setting is set to No. When set to Yes, eligible Windows 10 devices that receive this policy will update to the latest build of Windows 11.

When set to Yes, Intune displays an information box that confirms that by deploying this setting you are accepting the Microsoft License Terms for devices that upgrade. The information box also contains a link to the Microsoft License Terms.

For more information about update rings, see Update Rings for Windows 10 and later.

Disable Activation Lock remote device action for iOS/iPadOS has been removed from UI

The remote device action to Disable Activation Lock is no longer available in Intune. You can bypass Activation Lock as detailed at Disable Activation Lock on Supervised iOS/iPadOS devices with Intune.

This remote action is removed because the action to disable the iOS/iPadOS Activation Lock feature did not function as intended.

Updates for Security Baselines

We have a pair of updates for security baselines​, which add the following settings:

• Security baseline for Windows 10 and later (Applies to Windows 10 and Windows 11) The new baseline version is November 2021 and adds Scan scripts that are used in Microsoft browsers to the Microsoft Defender category. This baseline has no other changes.

• Windows 365 Security Baseline (Preview) The new baseline version is Version 2110 and adds the following two settings, with no other changes:

  • Scan scripts that are used in Microsoft browsers is added to the Microsoft Defender category.
  • Enable tamper protection to prevent Microsoft Defender being disabled is added to Windows Security, which is a new category added with this baseline version.

Plan to update your baselines to the latest version. To understand what's changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.

Use custom settings for Device Compliance for Windows 10/11 devices (public preview)

As a public preview, device compliance policy for Windows 10 and Windows 11 devices supports the addition of custom settings to a device compliance policy. Results from custom settings appear in the Microsoft Endpoint Manager admin center along with other compliance policy details.

To use custom settings, you create and add the following to the admin center to power custom compliance settings:

• JSON file – The JSON file details the custom settings and their compliance values. The JSON also includes information you provide to your users on how to remediate the settings when noncompliant.
• PowerShell script – The PowerShell script will deploy to devices where it runs to determine the state of the settings defined in your JSON file, and reports them back to Intune.

With the JSON and script ready, you can then create a standard compliance policy that includes your custom settings. The option to include custom settings is found in a new compliance settings category named Custom Compliance.

To learn more, including examples for the .JSON and PowerShell script, see Custom compliance settings.

New scheduling options for Feature updates for Windows 10 and later

We’ve added a trio of Rollout options to support improved scheduling of when the updates from a policy for Feature updates for Windows 10 and later are made available for your devices to install. These new options include:

• Make update available as soon as possible - There is no delay in making the update available, which has been the previous behavior.
• Make update available on a specific date - With this option you then select the first day that this update will be offered by Windows Update to the devices that receive this policy.
• Make update available gradually - With this option Windows Update divides the devices that receive this policy into a number of groups that are calculated based on a start group time, end group time, and days to wait between groups. Windows update then offers the update to those groups one at a time, until the last group is offered the update. This process helps distribute the availability of the update across the time you’ve configured and can reduce the impact to your network when compared to offering the update to all devices at the same time.

For more information including details for gradual availability, see Rollout options for Windows Updates.

New details for Windows devices available in the Microsoft Endpoint Manager admin center

The following details for Windows 10 and Windows 11 devices are now collected and can be viewed on a devices details pane of the Microsoft Endpoint Manager admin center:

• System Management BIOS version
• TPM Manufacturer version
• TPM Manufacturer ID These details are also included when you Export the details from the All devices pane.

Settings for Shared iPad now generally available

Four Shared iPad settings are now out of preview and generally available to use when creating an Apple enrollment profile These settings are applied during automated device enrollment (ADE).

For iPadOS 14.5 and later in Shared iPad mode:

• Require Shared iPad temporary setting only: Configures the device so that users only see the guest version of the sign-in experience, and must sign in as guest users. They can't sign in with a Managed Apple ID.
• Maximum seconds of inactivity until temporary session logs out: If there isn't any activity after the specified time, the temporary session automatically signs out.
• Maximum seconds of inactivity until user session logs out: If there isn't any activity after the specified time, the user session automatically signs out.

For iPadOS 13.0 and later in Shared iPad mode:

• Maximum seconds after screen lock before password is required for Shared iPad: If the screen lock exceeds this amount of time, a device password will be required to unlock the device.

For more information about setting up devices in Shared iPad mode, see Create an Apple enrollment profile.

Duplicate a settings catalog profile

Settings catalog profiles now support duplication. To create a copy of an existing profile, simply select Duplicate. The copy contains the same setting configurations and scope tags as the original profile, but doesn't have any assignments attached to it. For more information about the settings catalog, see Use the settings catalog to configure settings on Windows and macOS devices.

Work from anywhere report

The Work from anywhere report has replaced the Recommended software report in Endpoint analytics. The Work from anywhere report contains metrics for Windows, cloud management, cloud identity, and cloud provisioning. For more information, see the Work from anywhere report article.

Device security

View BitLocker recovery keys for tenant attached devices

You can now view the BitLocker recovery key for tenant-attached devices in the Microsoft Endpoint Manager admin center. The recovery keys continue to be stored on-premises for tenant-attached devices, but the visibility in the admin center is intended to assist your Helpdesk scenarios from within the admin center.

To view the keys, your Intune account must have the Intune RBAC permissions to view BitLocker keys, and must be associated with an on-premises user that has the related on-premises permissions in Configuration Manager of Collection Role, with the permission Read BitLocker Recovery Key Permission.

Users with the correct permissions can view keys by going to Devices > Windows devices > select a device > Recovery keys.

This capability is supported with Configuration Manager sites that run version 2107 or later. For sites that run version 2107, you’ll need to install an update rollup to support Azure AD joined devices. For more information, see KB11121541.

BitLocker settings added to settings catalog

We have added 9 BitLocker settings that were previously only available in Group Policy (GP) to the Microsoft Intune settings catalog. To access the settings, go to Devices > Configuration profiles and create a settings catalog profile for devices running Windows 10 and later. Then search BitLocker in the settings catalog to view all settings related to BitLocker. For more information about the settings catalog, see Create a policy using settings catalog. The added settings include:

• Provide the unique identifiers for your organization
• Enforce drive encryption type on fixed data drives
• Allow devices compliant with InstantGo or HSTI to opt out of preboot PIN
• Allow enhanced PINs for startup
• Disallow standard users from changing the PIN or password
• Enable use of BitLocker authentication requiring preboot keyboard input on slates
• Enforce drive encryption type on operating system drives
• Control use of BitLocker on removable drives
• Enforce drive encryption type on removable data drives

Monitor and troubleshoot

MDM support data to refresh automatically in Group Policy analytics tool

Now whenever Microsoft makes changes to the mappings in Intune, the MDM Support column in the GP analytics tool automatically updates to reflect the changes. The automation is an improvement over the previous behavior, which required you to reimport your Group Policy object (GPO) to refresh the data. For more information about Group Policy analytics, see Use Group Policy analytics.