What’s new in Intune – release 2011

What’s new in Intune – release 2011

Another blog post in my what is new Intune release 2011 series! Don’t forget that I have a strong focus on Windows 10 management and won’t be touching the Android/iOS/macOS updates a lot.

You can find the ‘What’s new in Intune’ page here.

The most interesting parts for me about the 2011:


1. More authentication settings for Wi-Fi profiles on Windows 10 and newer devices

New settings and features for Wi-Fi profiles on devices running Windows 10 and newer (Devices > Device Configuration > Create profile > Windows 10 and later for platform > Wi-Fi for profile > Enterprise):

  • Authentication mode: Authenticate the user, device, either, or use guest authentication.
  • Remember credentials at each logon: Force users to enter credentials whenever they connect to the VPN. Or, cache the credentials so users only enter their credentials once.
  • More granular control over authentication behavior, including:
    • Authentication period
    • Authentication retry delay period
    • Start period
    • Maximum EAPOL-Start messages
    • Maximum authentication failures
  • Use separate VLANs for device and user authentication: When using single sign-on, the Wi-Fi profile can use a different virtual LAN based on the user’s credentials. Your Wi-Fi server must support this feature.


2. New setting for Device Control profile for endpoint security

We’ve added a new setting, Block write access to removable storage to the Device control profile for Attack surface reduction policy in endpoint security. When set to Yes, write access to removable storage is blocked.


3. Improvements to settings in Attack surface reduction rule profiles

We’ve updated the options for applicable settings in the Attack surface reduction rule profile which is part of endpoint securities Attack surface reduction policy.

We’ve brought consistency across settings to existing options, like Disable and Enable, and added a new option, Warn:

  • Warn – On devices that run Windows 10 version 1809 or later, the device user receives a message that they can bypass the setting. For example, on the setting Block Adobe Reader from creating child processes, the option of Warn presents users with the option to bypass that block and allow Adobe Reader to create a child process. On devices that run earlier versions of Windows 10, the rule enforces the behavior without the option to bypass it.


4.Policy merge support for USB device ID’s in Device control profiles for endpoint security Attack surface reduction policy

We’ve added support for policy merge of USB device ID’s to the Device control profile for the endpoint security Attack surface reduction policy. The following settings from device control profiles are evaluated for policy merge:

  • Allow hardware device installation by device identifiers
  • Block hardware device installation by device identifiers
  • Allow hardware device installation by setup classes
  • Block hardware device installation by setup classes
  • Allow hardware device installation by device instance identifiers
  • Block hardware device installation by device instance identifiers

Policy merge applies to the configuration of each setting across the different profiles that apply to a device. It doesn’t include evaluation between different settings, even when two settings are closely related.

For a more detailed example of what merges, and how to allow and block lists for each supported setting gets merged and applies on a device, see Policy merge for settings for device control profiles.


5. Improved Antivirus status operations report for endpoint security

We’ve added new details to the Antivirus status operations report for Windows Defender Antivirus, which is an endpoint security policy report.

The following new columns of information will be available for each device:

  • Product status – The status of Windows Defender on the device.
  • Tamper protection – Is tamper protection enabled or disabled.
  • Virtual machine – Is the device a virtual machine, or physical device.


6. Improved rule merge for Attack surface reduction rules

Attack surface reduction rules now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed.

Attack surface reduction rule merge behavior is as follows:

  • Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
  • Settings that do not have conflicts are added to a superset of policy for the device.
  • When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
  • Only the configurations for conflicting settings are held back.

So what else is new in Intune release 2011? Let’s move on!


7. New Intune operational report to help troubleshoot configuration profile issues

A new Assignment failures operational report is available in public preview to help troubleshoot errors and conflicts for configuration profiles that have been targeted to devices. This report will show a list of configuration profiles for the tenant and the number of devices in a state of error or conflict. Using this information, you can drill down to a profile to see a list of devices and users in a failure state related to the profile. Additionally, you can drill down even further to view a list of settings and setting details related to the cause of the failure. You have the ability to filter, sort, and search across all of the records throughout the report. In the Microsoft Endpoint Manager admin center, you can find this report by selecting Devices > Monitor > Assignment failures (preview).


8. Reporting updates for Windows Virtual Desktop VMs

The following settings are marked as Not applicable in the Policy reports:

  • BitLocker settings
  • Device encryption
  • Defender Application Guard settings
  • Defender Tamper Protection
  • Wi-Fi profiles


9. Noncompliant policies report to troubleshoot devices in error or that are noncompliant

In preview, the new Noncompliant policies report is an operational report you can use to help troubleshoot errors and conflicts for compliance policies targeting devices. The Noncompliant policies report displays a list of compliance policies that have one or more devices with errors or that are in a state of noncompliance to the policy.

Use this report to:

  • View the device compliance policies with devices in a noncompliant or error state, and then drill in to view of the list of devices and users in a failed state.
  • Drill down further to see the list of settings and setting information causing a failure.
  • Filter, sort, and search across all records in the report. We’ve added paging controls and improved export capability to a csv file.
  • Identify when issues are occurring, and streamline troubleshooting.




So that’s it for the what’s new Intune release 2011!

I’ll update the what’s new Intune release 2011 blog post with the newly added released features!


More articles on What’s new: