What's new in Intune - release 2005

Another blog post in my what is new Intune release 2005 series! Don’t forget that I have a strong focus on Windows 10 management and won’t be touching the Android/iOS/macOS updates a lot.

You can find the ‘What’s new in Intune’ page here.

The most interesting parts for me about the 2005:

1. Customize self-service device actions in the Company Portal

You can customize the available self-service device actions that are shown to end-users in the Company Portal app and website. To help prevent unintended device actions, you can configure these settings for the Company Portal app by selecting Tenant Administration > Customization. The following actions are available:

Hide Remove button on corporate Windows device.
Hide Reset button on corporate Windows devices.
Hide Reset button on corporate iOS devices.
Hide Remove button on corporate iOS devices.

2. Unified delivery of Azure AD Enterprise and Office Online applications in the Company Portal – feature delayed

On the Customization pane of Intune, you can select to Hide or Show both Azure AD Enterprise applications and Office Online applications in the Company Portal. Each end-user will see their entire application catalog from the chosen Microsoft service. By default, each additional app source will be set to Hide. This feature will first take effect in the Company Portal website, with support in the Windows, iOS/iPadOS, and macOS Company Portals expected to follow.

3. Enrollment restrictions support scope tags

You can now assign scope tags to enrollment restrictions. To do so, go to Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > Create restriction. Create either type of restriction and you’ll see the Scope tags page.

4. Autopilot support for Hololens 2 devices

Windows Autopilot now supports Hololens 2 devices. For more information on using Autopilot for Hololens, see Windows Autopilot for HoloLens 2.

5. Endpoint security content and new features

The documentation for Intune Endpoint Security is now available. In the endpoint security node of the Microsoft Endpoint Manager admin center you can:

Create and deploy focused security policies to your managed devices
Configure integration with Microsoft Defender Advanced Threat Protection, and manage security tasks help remediate risks for at-risk devices as identified by your ATP team
Configure security baselines
Manage device compliance and conditional access policies
View compliance status for all your devices from both Intune and Configuration Manager when Configuration Manager is configured for client attach.

In addition to the availability of content, the following are new for Endpoint Security this month:

Endpoint security policies are out of preview and are now ready to use in production environments, as generally available, with two exceptions:
- In a new public preview, you can use the Microsoft Defender Firewall rules profile for Windows 10 Firewall policy. With each instance of this profile you can configure up to 150 firewall rules to compliment your Microsoft Defender Firewall profiles.
- Account protection security policy remains in preview.
You can now create a duplicate of endpoint security policies. Duplicates keep the settings configuration of the original policy, but get a new name. Then new policy instance doesn’t include any assignments to groups until you edit the new policy instance to add them. You can duplicate the following policies:
- Antivirus
- Disk encryption
- Firewall
- Endpoint detection and response
- Attack surface reduction
- Account protection

You can now create a duplicate of a security baseline. Duplicates keep the settings configuration of the original baseline, but get a new name. The new baseline instance doesn’t include any assignments to groups until you edit the new baseline instance to add them.

A new report for endpoint security antivirus policy is available: Windows 10 unhealthy endpoints. This report is a new page you can select when your viewing your endpoint security antivirus policy. The report displays the antivirus status of your MDM-managed Windows 10 devices.

6. Device reports UI update

The reports overview pane will now provide a Summary and a Reports tab. In the Microsoft Endpoint Manager admin center, select Reports, then select the Reports tab to see the available report types. For related information, see Intune reports.

7. Use Endpoint detection and response policy to onboard devices to Defender ATP

Use endpoint security policy for Endpoint detection and response (EDR) to onboard and configure devices for your deployment of Microsoft Defender Advanced Threat Protection (Defender ATP). EDR supports policy for Windows devices managed by Intune (MDM), and a separate policy for Windows devices managed by Configuration Manager.

To use the policy for Configuration Manager devices, you must set up Configuration Manager to support the EDR policy. Set up includes:

Configure your Configuration manager for tenant attach.
Install an in-console update for Configuration Manager to enable support for the EDR policies. This update applies only to hierarchies that have enabled tenant attach.
Synchronize your device collections form your hierarchy to the Microsoft Endpoint Manager admin center.