What’s new in Intune – release 2010

Another post in my ‘What’s new in Intune’ series, this time covering release 2010! Keep in mind that I focus mainly on Windows 10 management, so I won’t cover the Android/iOS/macOS updates in much depth.

You can find the ‘What’s new in Intune’ page here.

The most interesting parts of release 2010 for me:


1. New and updated planning, setup, and enrollment deployment guides

The existing planning and migration guides have been rewritten and updated with new guidance. There are also new deployment guides that focus on Intune setup and on enrollment for Android, iOS/iPadOS, macOS, and Windows devices.

For more information, go to Overview.


2. Apps that require enrollment are hidden when enrollment is set to unavailable

Apps assigned with the Available for enrolled devices and Required intents won’t be displayed in the Company Portal for users where the device enrollment setting is set to Unavailable. This change is only applicable when viewing the Company Portal app or website from an unenrolled device, including unenrolled devices that use app protection policies (MAM-WE). The apps will still be visible for users viewing the Company Portal from an enrolled device, regardless of the value of the Device enrollment setting. For more information, see Device enrollment setting options.


3. Win32 app support for Workplace join (WPJ) devices

Existing Win32 apps are supported for Workplace join (WPJ) devices. PowerShell scripts, which are not officially supported on WPJ devices, can still be deployed to them. Specifically, device context PowerShell scripts work on WPJ devices, while user context PowerShell scripts are ignored by design; ignored user context scripts are not reported to the Microsoft Endpoint Manager console.

Let’s continue with more new features from Intune release 2010.


4. Device Firmware Configuration Interface (DFCI) is generally available

DFCI is an open-source Unified Extensible Firmware Interface (UEFI) framework. It allows you to securely manage the UEFI (BIOS) settings of your Windows Autopilot devices using Microsoft Endpoint Manager. It also limits end user control over firmware configurations.

Unlike traditional UEFI management, DFCI removes the need for managing third-party solutions. It also provides zero-touch firmware management by using Microsoft Endpoint Manager for cloud management. DFCI also accesses the existing Windows Autopilot device information for authorization.


5. Endpoint Manager Security tasks include details about misconfigured settings from Microsoft Defender ATP TVM

Microsoft Endpoint Manager Security tasks now report on and provide remediation details for misconfigurations discovered by Threat Vulnerability Management (TVM). The misconfigurations that are reported to Intune are limited to issues for which remediation guidance can be provided.

TVM is part of Microsoft Defender Advanced Threat Protection. Prior to this update, TVM only provided details and remediation steps for applications.

When you view Security tasks, you’ll find a new column named Remediation Type that identifies the type of issue:

  • Application – Vulnerable applications and remediation steps. This has been available in Security tasks prior to this update.
  • Configuration – A new category of details from TVM that identifies misconfigurations and provides steps to help you remediate them.


6. Endpoint security Firewall policies for tenant attached devices

As a public preview, you can deploy endpoint security policy for Firewalls to devices you manage with Configuration Manager. This scenario requires you to configure a tenant attach between a supported version of Configuration Manager and your Intune subscription.

Firewall policy for tenant attached devices is supported for devices that run Windows 10 and later, and requires your environment to run Configuration Manager current branch 2006 with the in-console hotfix KB4578605.

For more information, see the requirements for Intune endpoint security policies to support Tenant Attach.



7. Expanded settings to manage hardware device installation through block and allow lists

In Device control profiles, which are part of the endpoint security Attack surface reduction policy, we’ve revised and expanded our settings for managing hardware device installation. You’ll now find settings to define block lists and separate allow lists using device IDs, setup classes, and device instance identifiers. The following six settings are now available:

  • Allow hardware device installation by device identifiers
  • Block hardware device installation by device identifiers
  • Allow hardware device installation by setup class
  • Block hardware device installation by setup class
  • Allow hardware device installation by device instance identifiers
  • Block hardware device installation by device instance identifiers

Each of these settings supports the options Yes, No, and Not configured. When you configure Yes, you can then define the block or allow list for that setting. On a device, hardware that is specified in an allow list can install or update. However, if that same hardware is also specified in a block list, the block overrides the allow list and installation or update of the hardware is prevented.
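To make the precedence rule concrete, here is an added Python model of how the six settings combine for one piece of hardware. It is not code from the post or from Intune: it assumes identifiers compare case-insensitively, `None` stands in for Not configured, and every GUID and hardware ID is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Hardware:  # identifiers Windows reports for one device (constructed samples below)
    device_ids: List[str]   # hardware IDs, most specific first
    setup_class: str        # device setup class GUID
    instance_id: str        # device instance path

@dataclass
class DeviceControlPolicy:  # None = 'Not configured'; a list = 'Yes' with the admin's entries
    allow_device_ids: Optional[List[str]] = None
    block_device_ids: Optional[List[str]] = None
    allow_setup_classes: Optional[List[str]] = None
    block_setup_classes: Optional[List[str]] = None
    allow_instance_ids: Optional[List[str]] = None
    block_instance_ids: Optional[List[str]] = None

def _matches(entries: Optional[List[str]], values: List[str]) -> bool:
    # Assumption: identifiers compare case-insensitively, so normalise both sides.
    if not entries:  # Not configured, or Yes with no entries: nothing can match
        return False
    wanted = {e.strip().upper() for e in entries}
    return any(v.strip().upper() in wanted for v in values)

def evaluate_install(policy: DeviceControlPolicy, hw: Hardware) -> str:
    """Return 'block', 'allow' or 'no-match' for an install/update attempt."""
    checks = [("device_ids", hw.device_ids), ("setup_classes", [hw.setup_class]),
              ("instance_ids", [hw.instance_id])]
    # A block-list entry overrides an allow-list entry for the same hardware.
    if any(_matches(getattr(policy, "block_" + n), v) for n, v in checks):
        return "block"
    if any(_matches(getattr(policy, "allow_" + n), v) for n, v in checks):
        return "allow"
    return "no-match"  # named in neither list: these six settings say nothing about it

# Constructed sample: block a whole (placeholder) setup class, but allow one device
# in that class by instance ID -> the block still wins for that device.
SAMPLE_CLASS = "{00000000-0000-0000-0000-0000000000aa}"  # placeholder GUID, not a real class
SAMPLE_POLICY = DeviceControlPolicy(block_setup_classes=[SAMPLE_CLASS],
    allow_instance_ids=["USB\\VID_1234&PID_5678\\SERIAL01"], allow_device_ids=["usb\\vid_0000&pid_0001"])

def demo() -> dict:
    token = Hardware(["USB\\VID_1234&PID_5678"], SAMPLE_CLASS, "USB\\VID_1234&PID_5678\\SERIAL01")
    mouse = Hardware(["USB\\VID_0000&PID_0001"], "{00000000-0000-0000-0000-0000000000bb}", "USB\\VID_0000&PID_0001\\7")
    return {"token": evaluate_install(SAMPLE_POLICY, token),   # "block": class block beats instance allow
            "mouse": evaluate_install(SAMPLE_POLICY, mouse)}   # "allow": device-ID allow, no block applies
```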


8. Improvements to endpoint security Firewall rules

We’ve made several changes to improve the experience of configuring firewall rules in the Microsoft Defender Firewall rules profile for endpoint security Firewall policy.

Improvements include:

  • Improved layout in the UI, including section headers to organize the view.
  • Increasing the character limit for the description field.
  • Validation of IP address entries.
  • Sorting of IP address lists.
  • Option to select all addresses when you clear entries from an IP address list.


9. Security Experience profiles for Endpoint Security Antivirus policy now have tri-state options

We’ve added a third state of configuration for settings in the Windows Security experience profile for Endpoint security Antivirus policies. This update applies to the Windows Security experience for Windows 10 and later.

For example, where a setting previously offered Not configured and Yes, if supported by the platform, you now have the additional option of No.


10. Updated version of the Edge security baseline

We’ve added a new security baseline for Edge to Intune: September 2020 (Edge version 85 and later).

Updated baseline versions bring support for recent settings to help you maintain the best-practice configurations recommended by the respective product teams.

To understand what’s changed between versions, see Compare baseline versions to learn how to export a .CSV file that shows the changes.


11. New Windows 10 feature update failures report

The Feature update failures operational report provides failure details for devices that are targeted with a Windows 10 feature updates policy and have attempted an update. In the Microsoft Endpoint Manager admin center, select Devices > Monitor > Feature update failures to view this report. For more information, see Feature update failures report and Validation and reporting for Windows 10 updates.


12. Updates to Antivirus reports

Both the Antivirus agent status report and the Detected malware report have been updated. These reports now show data visualizations and provide additional columns of information (SignatureUpdateOverdue, MalwareID, displayName, and InitialDetectionDateTime). In addition, remote actions are included in the Antivirus agent status report.


13. Updated Help and Support for Microsoft Endpoint Manager

The Help and Support experience uses machine learning to display solutions, diagnostics, and insights that will help you resolve your issues. We’ve updated the help and support page in the Microsoft Endpoint Manager admin center with a new, consistent UX that is easier to navigate. The new UX has now been rolled out to all blades in the console and will help us get you more relevant help.

You’ll now find an updated and consolidated support experience for the following cloud-based offerings from within the admin center:

  • Intune
  • Configuration Manager
  • Co-management
  • Microsoft Managed Desktop


14. View PowerShell scripts in the Intune Troubleshooting pane

You can now view your assigned PowerShell scripts in the Troubleshooting pane. PowerShell scripts provide Windows 10 client communication with Intune to run enterprise management tasks, such as advanced device configuration and troubleshooting.



So that’s it for the what’s new Intune release 2010!

I’ll update this what’s new Intune release 2010 blog post as newly released features are added!


More articles on What’s new: