Another blog post in my ‘What’s new’ series, this time on the Intune 2003 release!
I thought about starting a new series of blog posts, the ‘What’s new’ series. I won’t be blogging every week when they update something minor, but for the big releases, like the 2003 one, there is a lot to be said about the new features. So I’ll start blogging about those ones. I’m mostly focussed on Windows 10 management in this series and won’t be targeting the Android/iOS changes much.
You can find the ‘What’s new in Intune’ page here.
The most interesting parts for me about the 2003 and 2002 release are:
1. Updates to Intune branding and customization
Microsoft has updated the Intune pane that was named “Branding and customization” with improvements, including:
- Renaming the pane to Customization.
- Improving the organization and design of the settings.
- Improving the settings text and tooltips.
To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center, select Tenant administration > Customization.
At the bottom you find a new setting: ‘Device enrollment’. This is also a new update:
Configure if enrollment is available in Company Portal for Android and iOS
You can configure whether device enrollment in the Company Portal on Android and iOS devices is available with prompts, available without prompts, or unavailable to users. To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center and select Tenant administration > Customization > Edit > Device enrollment.
Support for the device enrollment setting requires end users have these Company Portal versions:
- Company Portal on iOS: version 4.4 or later
- Company Portal on Android: version 5.0.4715.0 or later
2. New user experience when creating administrative templates on Windows devices
Based on customer feedback, and the move to the new Azure full screen experience, Microsoft rebuilt the Administrative Templates profile experience with a folder view. They haven’t made changes to any settings or existing profiles. So, your existing profiles will stay the same, and will be usable in the new view. You can still navigate all settings options by selecting All Settings, and using search. The tree view is split by Computer and User configurations. You will find Windows, Office and Edge settings in their associated folders.
Applies to:
- Windows 10 and newer
How awesome is this. This concerns the Administrative Templates in Configuration Profiles. It was already good, but looking for policies was sometimes troublesome. The search function didn’t work all the time, and the more administrative templates became available, the messier it was getting. They fixed this very nicely, giving us an ADMX-like folder view. Good one Microsoft!
3. UI update when configuring compliance policy
Microsoft updated the UI for creating compliance policies in Microsoft Endpoint manager (Devices > Compliance policies > Policies > Create Policy). They’ve added a new user experience that includes the same settings and details you’ve used previously. The new experience follows a wizard-like process to create the compliance policy and includes a page where you can add Assignments for the policy, and a Review + Create page where you can review your configuration before creating the policy.
No screenshot – not updated yet in my tenant.
4. Retire noncompliant devices
Microsoft added a new action for noncompliant devices that you can add to any policy, to retire the noncompliant device. The new action, Retire the noncompliant device, results in removal of all company data from the device, and also removes the device from being managed by Intune. This action runs when the configured value in days is reached and at that point the device becomes eligible to be retired. The minimum value is 30 days. Explicit IT admin approval will be required to retire the devices by using the Retire Non-compliant devices section, where admins can retire all eligible devices.
This is a great new feature in my opinion! There should be a mechanism to retire non-compliant devices after x days. So happy it is here now.
5. New user experience for certificate, email, VPN, and Wi-Fi profiles
Microsoft updated the user experience in the Endpoint Management Admin Center (Devices > Configuration profiles > Create profile) for creating and modifying the following profile types. The new experience presents the same settings as before, but uses a wizard-like experience that doesn’t require as much horizontal scrolling. You won’t need to modify existing configurations with the new experience.
- Derived credential
- PKCS certificate
- PKCS imported certificate
- SCEP certificate
- Trusted certificate
- VPN
- Wi-Fi
In my experience there are still some issues with this new feature. When I try making a new configuration profile of one of the mentioned profiles (for example Wi-Fi), I get a blank screen in the settings page. Hope this will get fixed asap. If you edit an existing configuration profile, it looks alright:
6. The Data Warehouse now provides the MAC address
The Intune Data Warehouse provides the MAC address as a new property (EthernetMacAddress) in the device entity to allow admins to correlate between the user and host MAC address. This property helps to reach specific users and troubleshoot incidents occurring on the network. Admins can also use this property in Power BI reports to build richer reports. For more information, see the Intune Data Warehouse device entity.
7. Additional Data Warehouse device inventory properties
Additional device inventory properties are available using the Intune Data Warehouse. The following properties are now exposed via the devices collection:
- ‘Model’ – The device model.
- ‘Office365Version’ – The version of Office 365 that is installed on the device.
- ‘PhysicalMemoryInBytes’ – The physical memory in bytes.
- ‘TotalStorageSpaceInBytes’ – Total storage capacity in bytes.
For more information, see Microsoft Intune Data Warehouse API and the Intune Data Warehouse device entity.
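As an added example (not part of the original post and not Microsoft’s tooling): walking the Data Warehouse ‘devices’ collection page by page and building a MAC-to-user index from the new properties. It assumes the OData feed returns these fields in camelCase JSON and stands a constructed two-page sample in for the live endpoint; in a real run, fetch(url) is an HTTP GET carrying an Azure AD bearer token.

```python
"""Correlate Intune Data Warehouse device rows with users by MAC address.
Added example, not Microsoft's code; camelCase field names are an assumption."""
import re
from typing import Callable, Dict, List

def fetch_all(fetch: Callable[[str], dict], url: str) -> List[dict]:
    """Walk an OData collection, following @odata.nextLink until it is exhausted."""
    rows: List[dict] = []
    while url:
        page = fetch(url)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return rows

def normalize_mac(raw) -> str:
    """Lowercase colon-separated MAC, or '' if the value is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(digits) != 12:
        return ""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def index_by_mac(devices: List[dict]) -> Dict[str, dict]:
    """Map normalised ethernetMacAddress -> inventory summary; rows with no MAC are skipped."""
    gib = 2 ** 30
    index: Dict[str, dict] = {}
    for d in devices:
        mac = normalize_mac(d.get("ethernetMacAddress"))
        if not mac:  # e.g. VMs or devices that never reported a MAC
            continue
        index[mac] = {
            "deviceName": d.get("deviceName"), "userId": d.get("userId"),
            "model": d.get("model"), "office365Version": d.get("office365Version"),
            "memoryGiB": round((d.get("physicalMemoryInBytes") or 0) / gib, 1),
            "storageGiB": round((d.get("totalStorageSpaceInBytes") or 0) / gib, 1),
        }
    return index

SAMPLE_PAGES = {  # constructed two-page feed; dict keys stand in for page URLs
    "page1": {"@odata.nextLink": "page2", "value": [
        {"deviceName": "LT-001", "userId": "u-alice", "ethernetMacAddress": "00-1A-2B-3C-4D-5E",
         "model": "Surface Laptop 3", "office365Version": "16.0.12527.20278",
         "physicalMemoryInBytes": 17179869184, "totalStorageSpaceInBytes": 256060514304},
        {"deviceName": "VM-002", "userId": "u-bob", "ethernetMacAddress": "", "model": "Virtual Machine"}]},
    "page2": {"value": [
        {"deviceName": "DT-003", "userId": "u-carol", "ethernetMacAddress": "a1b2c3d4e5f6",
         "physicalMemoryInBytes": 34359738368, "totalStorageSpaceInBytes": 512110190592}]},
}

def sample_index() -> Dict[str, dict]:
    """Run the pipeline over the constructed pages (swap in a real fetch for a live tenant)."""
    return index_by_mac(fetch_all(SAMPLE_PAGES.__getitem__, "page1"))
```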
8. Help and support workflow update to support additional services
Microsoft updated the Help and support page in the Microsoft Endpoint Manager admin center where you now choose the management type you use. With this change you’ll be able to select from the following management types:
- Configuration Manager (includes Desktop Analytics)
- Intune
- Co-management
9. Use a preview of security administrator focused policies as part of Endpoint security
As a public preview, Microsoft added several new policy groups under the Endpoint security node in the Microsoft Endpoint Management admin center. As a security admin you can use these new policies to focus on specific aspects of device security to manage discrete groups of related settings without the overhead of the larger Device Configuration policy body.
With the exception of the new Antivirus policy for Microsoft Defender Antivirus (see below), the settings in each of these new preview policies and profiles are the same settings that you might already configure through Device configuration profiles today.
The following are the new policy types that are all in preview, and their available profile types:
- Antivirus (Preview):
  - macOS:
    - Antivirus – Manage Antivirus policy settings for macOS to manage Microsoft Defender ATP for Mac.
  - Windows 10 and later:
    - Microsoft Defender Antivirus – Manage Antivirus policy settings for cloud protection, Antivirus exclusions, remediation, scan options, and more. The Antivirus profile for Microsoft Defender Antivirus is an exception that introduces a new instance of settings that are found as part of a device restriction profile. These new Antivirus settings:
      - Are the same settings as found in device restrictions, but support a third option for configuration that’s not available when configured as a device restriction.
      - Apply to devices that are co-managed with Configuration Manager, when the co-management workload slider for Endpoint Protection is set to Intune.
      Plan to use the new Antivirus > Microsoft Defender Antivirus profile in place of configuring them through a device restriction profile.
    - Windows Security experience – Manage the Windows Security settings that end users can view in the Microsoft Defender Security center and the notifications they receive. These settings are unchanged from those available as a Device configuration Endpoint Protection profile.
- Disk encryption (Preview):
  - macOS:
    - FileVault
  - Windows 10 and later:
    - BitLocker
- Firewall (Preview):
  - macOS:
    - macOS firewall
  - Windows 10 and later:
    - Microsoft Defender Firewall
- Endpoint detection and response (Preview):
  - Windows 10 and later:
    - Windows 10 Intune
- Attack surface reduction (Preview):
  - Windows 10 and later:
    - App and browser isolation
    - Web protection
    - Application control
    - Attack surface reduction rules
    - Device control
    - Exploit protection
- Account protection (Preview):
  - Windows 10 and later:
    - Account protection
10. Configure Delivery Optimization agent when downloading Win32 app content
You can configure the Delivery Optimization agent to download Win32 app content either in background or foreground mode based on assignment. For existing Win32 apps, content will continue to download in background mode. In the Microsoft Endpoint Manager admin center, select Apps > All apps > select the Win32 app > Properties. Select Edit next to Assignments. Edit the assignment by selecting Include under Mode in the Required section. You will find the new setting in the App settings section. For more information about Delivery Optimization, see Win32 app management – Delivery Optimization.
11. Change Primary User for Windows devices
You can change the Primary User for Windows hybrid and Azure AD Joined devices. To do so, go to Intune > Devices > All devices > choose a device > Properties > Primary User. For more information, see Change a device’s primary user.
A new RBAC permission (Managed Devices / Set primary user) has also been created for this task. The permission has been added to built-in roles including Helpdesk Operator, School Administrator, and Endpoint Security Manager.
My testing shows that this feature isn’t working 100% as of today. I still have issues where, after I change the primary user of a device, it is reverted the next day. Not in 100% of the cases. But be aware that there are still some issues here.
Also check out my blog post about this.
Happy testing!