What’s new in Intune – release 2007

What’s new in Intune – release 2007

Another blog post in my what is new Intune release 2007 series! Don’t forget that I have a strong focus on Windows 10 management and won’t be touching the Android/iOS/macOS updates a lot.

You can find the ‘What’s new in Intune’ page here.

The most interesting parts for me about the 2007:


1. Win32 app installation notifications and the Company Portal

End users can now decide whether the applications shown in the Microsoft Intune Web Company Portal should be opened by the Company Portal app or the Company Portal website. This option is only available if the end user has the Company Portal app installed and launches a Web Company Portal application outside of a browser.


2. Exchange On-Premises Connector support

Intune is removing support for the Exchange On-Premises Connector feature from the Intune service beginning in the 2007 (July) release. Existing customers with an active connector will be able to continue with the current functionality at this time. New customers and existing customers that do not have an active connector will no longer be able to create new connectors or manage Exchange ActiveSync (EAS) devices from Intune. For those customers, Microsoft recommends the use of Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook Mobile for Exchange on-premises.


3. New VPN settings for Windows 10 and newer devices

When you create a VPN profile using the IKEv2 connection type, there are new settings you can configure (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > VPN for profile > Base VPN):

  • Device Tunnel: Allows devices to automatically connect to VPN without requiring any user interaction, including user log on. This feature requires you to enable Always On, and use Machine certificates as the authentication method.
  • Cryptography suite settings: Configure the algorithms used to secure IKE and child security associations, which allow you to match client and server settings.


4. Administrative templates updated for Microsoft Edge 84

The ADMX settings available for Microsoft Edge have been updated. End users can now configure and deploy new ADMX settings added in Edge 84.


5. Microsoft Defender Firewall rule migration tool preview

As a public preview, we’re working on a PowerShell based tool that will migrate Microsoft Defender Firewall rules. When you install and run the tool, it automatically creates endpoint security firewall rule policies for Intune that are based on the current configuration of a Windows 10 client. For more information, see Endpoint security firewall rule migration tool overview.

I have a blogpost coming about this feature later on the week.


6. Endpoint detection and response policy for onboarding Tenant Attached devices to MDATP is Generally Available

As part of endpoint security in Intune, the Endpoint detection and response (EDR) policies for use with devices managed by Configuration Manager are no longer in preview and are now Generally Available.

To use EDR policy with devices from a supported version of Configuration Manager, configure Tenant attach for Configuration Manager. After you complete the tenant attach configuration, you can deploy EDR policies to onboard devices managed by Configuration Manager to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).


7. Bluetooth settings are available in Device Control profiles for Endpoint security Attack surface reduction policy

We’ve added settings to manage Bluetooth on Windows 10 devices to the Device control profile for Endpoint security Attack surface Reduction policy. These are the same settings as those that have been available in Device restriction profiles for Device configuration.


8. Manage source locations for definition updates with endpoint security antivirus policy for Windows 10 devices

We’ve added two new settings to the Updates category of endpoint security antivirus policy for Windows 10 devices that can help you manage how devices get update definitions:

  • Define file shares for downloading definition updates
  • Define the order of sources for downloading definition updates

With the new settings you can add UNC file shares as download source locations for definition updates, and define the order in which different source locations are contacted.


9. Improved security baselines node

We’ve made some changes to improve the usability of the security baseline node in the Microsoft Endpoint Manager admin center. Now when you drill in to Endpoint security > Security baselines and then select a security baseline type like the MDM Security Baseline, your presented with the Profiles pane. On the Profiles pane you view the profiles you’ve created for that Baseline type. Previously the console presented an Overview pane which included an aggregate data roll up that didn’t always match the details found in the reports for individual profiles.

Unchanged, from the Profiles pane you can select a profile to drill-in to view that profiles properties as well as various reports that are available under Monitor. Similarly, at the same level as Profiles you can still select Versions to view a the various versions of that profile type that you’ve deployed. When you drill-in to a version, you also gain access to reports, similar to the profile reports.


10. Derived credentials support for Windows

You can now use derived credentials with your Windows devices. This will expand on the existing support for iOS/iPadOS and Android, and will be available for the same derived credential providers:

  • Entrust Datacard
  • Intercede
  • DISA Purebred

Support for Widows includes use of a derived credential to authenticate to Wi-Fi or VPN profiles. For Windows devices, the derived credential is issued from the client app that’s provided by the derived credential provider that you use.


11. Improved view of security baseline details for devices

You can now drill-in to the details for a device to view the settings details for security baselines that apply to the device. The settings appear in a simple, flat list, which includes the setting category, setting name, and status. For more information, see View Endpoint security configurations per device.


12. Device compliance logs now in English

The Intune DeviceComplianceOrg logs previously only had enumerations for ComplianceState, OwnerType, and DeviceHealthThreatLevel. Now, these logs have English information in the columns.


13. Assign profile and Update profile permission changes

Role-based access control permissions has changed for Assign profile and Update profile for the Automated Device Enrollment flow:

Assign profile: Admins with this permission can also assign the profiles to tokens and assign a default profile to a token for Automated Device Enrollment.

Update profile: Admins with this permission can update existing profiles only for Automated Device Enrollment.

To see these roles, go to Microsoft Endpoint Manager admin center > Tenant administration > Roles > All roles > Create > Permissions > Roles.


14. Additional Data Warehouse v1.0 properties

Additional properties are available using the Intune Data Warehouse v1.0. The following properties are now exposed via the devices entity:

  • ethernetMacAddress – The unique network identifier of this device.
  • office365Version – The version of Office 365 that is installed on the device.

The following properties are now exposed via the devicePropertyHistories entity:

  • physicalMemoryInBytes – The physical memory in bytes.
  • totalStorageSpaceInBytes – Total storage capacity in bytes.



So that’s it for the what’s new Intune release 2007!

I’ll update the what’s new Intune release 2007 blog post with the newly added released features!


More articles on What’s new: