From e6dea83fc6d43df49bec4e61f34a45bd549e92a4 Mon Sep 17 00:00:00 2001 From: brenduns Date: Mon, 14 Oct 2024 09:01:58 -0700 Subject: [PATCH 01/14] What's new draft update for 2410 plus quality edits for file mainenance. --- memdocs/intune/fundamentals/in-development.md | 24 +----- memdocs/intune/fundamentals/whats-new.md | 77 +++++++++++-------- 2 files changed, 48 insertions(+), 53 deletions(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index f7f683f9006..625b431b7af 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md @@ -7,7 +7,7 @@ keywords: author: dougeby ms.author: dougeby manager: dougeby -ms.date: 10/01/2024 +ms.date: 10/17/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals 
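Review bot: the commit subject of PATCH 01/14 misspells "maintenance" as "mainenance" (PATCH 02/14 reuses the same subject); fix it before the series is squashed or merged. The `ms.date` bump in this hunk to 10/17/2024 is three days after the commit date, which is fine for a scheduled publish, but it should match the day the Week of October 14 entries actually go live.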
@@ -77,25 +77,6 @@ EPM is available as an [Intune Suite add-on-capability](../fundamentals/intune-a ## App management -### Updates to app configuration policies for Android Enterprise devices - -App configuration policies for Android Enterprise devices will soon support overriding the following additional permissions: - -- Access background location -- Bluetooth (connect) - -For more information about app configuration policies for Android Enterprise devices, see [Add app configuration policies for managed Android Enterprise devices](../apps/app-configuration-policies-use-android.md). - -Applies to: - -- Android Enterprise devices - -### New UI for Intune Company Portal app for Windows - -The UI for the Intune Company Portal app for Windows will be updated. Users will be able to use the same functionality they’re used to with an improved experience for their desktop app. With the updated design, users will see improvements in user experience for the **Home**, **Devices**, and **Downloads & updates** pages. The new design will be more intuitive and will highlight areas where users need to take action. - -For more information, see [New look for Intune Company Portal app for Windows](https://techcommunity.microsoft.com/t5/intune-customer-success/new-look-for-intune-company-portal-app-for-windows/ba-p/4158755). - ### Added protection for iOS/iPadOS app widgets To protect organizational data for MAM managed accounts and apps, Intune app protection policies now provide the capability to block data sync from policy managed app data to app widgets. App widgets can be added to end-user's iOS/iPadOS device lock screen, which can expose data contained by these widgets, such as meeting titles, top sites, and recent notes. In Intune, you'll be able to set the app protection policy setting **Sync policy managed app data with app widgets** to **Block** for iOS/iPadOS apps. This setting will be available as part of the **Data Protection** settings in app protection policies. 
This new setting will be an app protection feature similar to the **Sync policy managed app data with native app or add-ins** setting. @@ -112,9 +93,6 @@ Applies to: - - - ## Device management diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index e02414fcbe1..7d3d2cd47ec 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 10/09/2024 +ms.date: 10/17/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -54,8 +54,8 @@ You can also read: > > For new information about Windows Autopilot solutions, see: > -> - [Windows Autopilot device preparation: What's new](/autopilot/device-preparation/whats-new). -> - [Windows Autopilot: What's new](/autopilot/whats-new). +> - [Windows Autopilot device preparation: What's new](/autopilot/device-preparation/whats-new) +> - [Windows Autopilot: What's new](/autopilot/whats-new) You can use RSS to be notified when this page is updated. For more information, see [How to use the docs](../../use-docs.md#notifications). 
@@ -76,18 +76,38 @@ You can use RSS to be notified when this page is updated. For more information, --> +## Week of October 14, 2024 (Service release 2410) + +### App management + +#### Updates to app configuration policies for Android Enterprise devices + +App configuration policies for Android Enterprise devices now support overriding the following permissions: + +- Access background location +- Bluetooth (connect) + +For more information about app configuration policies for Android Enterprise devices, see [Add app configuration policies for managed Android Enterprise devices](../apps/app-configuration-policies-use-android.md). + +Applies to: + +- Android Enterprise devices + ## Week of October 7, 2024 ### App management #### New UI for Intune Company Portal app for Windows -The UI for the Intune Company Portal app for Windows has been updated. Users will see an improved experience for their desktop app without changing the functionality they've used in the past. Specific UI improvements are focused on the **Home**, **Devices**, and **Downloads & updates** pages. The new design is more intuitive and highlights areas where users need to take action. For more information, see [New look for Intune Company Portal app for Windows](https://techcommunity.microsoft.com/t5/intune-customer-success/new-look-for-intune-company-portal-app-for-windows/ba-p/4158755). For end user details, see [Install and share apps on your device](../user-help/install-apps-cpapp-windows.md). + +The UI for the Intune Company Portal app for Windows is updated. Users now see an improved experience for their desktop app without changing the functionality they've used in the past. Specific UI improvements are focused on the **Home**, **Devices**, and **Downloads & updates** pages. The new design is more intuitive and highlights areas where users need to take action. 
+ +For more information, see [New look for Intune Company Portal app for Windows](https://techcommunity.microsoft.com/t5/intune-customer-success/new-look-for-intune-company-portal-app-for-windows/ba-p/4158755). For end user details, see [Install and share apps on your device](../user-help/install-apps-cpapp-windows.md). ### Device security #### Defender for Endpoint security settings support in government cloud environments (public preview) -In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. This capability is known as [Defender for Endpoint security settings management](../protect/mde-security-integration.md). +In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on the devices that onboarded to Defender without enrolling those devices with Intune. This capability is known as [Defender for Endpoint security settings management](../protect/mde-security-integration.md). For more information about the Intune features supported in GCC High and DoD environments, see [Intune US Government service description](../fundamentals/intune-govt-service-description.md). 
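Review bot: the rewrite of the Defender for Endpoint GCC High/DoD paragraph in this hunk introduces a grammar slip: "the devices that onboarded to Defender" should be "the devices that are onboarded to Defender" (admins onboard devices; devices don't onboard themselves), and the original "you've onboarded" was clearer. In the new Week of October 14 entry, "now support overriding the following permissions" would serve admins better if it said which grant state the override can set for Access background location and Bluetooth (connect); silently granting background location is a privacy decision, so the entry should at least point at the permission options in the linked app configuration article.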
@@ -97,14 +117,13 @@ For more information about the Intune features supported in GCC High and DoD env #### Updates to PKCS certificate issuance process in Microsoft Intune Certificate Connector, version 6.2406.0.1001 -We've updated the process for PKCS certificate issuance in Microsoft Intune to support the SID information requirements described in [KB5014754](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). As part of this update, an OID attribute containing the user or device SID has been added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID. +We've updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID. The SID update is available for user certificates across all platforms, and for device certificates specifically on Microsoft Entra hybrid joined Windows devices. For more information, see: - [What's new for the certificate connector](../protect/certificate-connector-overview.md#september-19-2024) - - [Apply PFX changes to certificate](../protect/certificates-pfx-configure.md#update-certificate-connector-for-kb5014754-requirements) ## Week of September 23, 2024 (Service release 2409) 
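Review bot: this hunk drops the "Apply PFX changes to certificate" link (../protect/certificates-pfx-configure.md#update-certificate-connector-for-kb5014754-requirements), which was the only procedural link for meeting the KB5014754 strong-mapping requirements; if the anchor is stale, repoint it rather than remove it, otherwise admins are left with a lone "For more information, see:" bullet and no configuration steps. Also "the security identifiers (SID) information requirements" should be singular, "security identifier (SID)", and "an OID attribute containing the user or device SID is added to the certificate" would be more verifiable if it named the extension KB5014754 defines (OID 1.3.6.1.4.1.311.25.2), so admins can check issued certificates for it.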
@@ -113,7 +132,7 @@ For more information, see: #### Working Time settings for app protection policies -Working time settings allow you to enforce policies that limit access to apps and mute message notifications received from apps during non-working time. The limit access setting is now available for the Microsoft Teams and Microsoft Edge apps. You can limit access by using App Protection Policies (APP) to block or warn end users from using the iOS/iPadOS or Android Teams and Edge apps during non-working time by setting the **Non-working time** conditional launch setting. Also, you can create a non-working time policy to mute notifications from the Teams app to end users during non-working time. +Working time settings allow you to enforce policies that limit access to apps and mute message notifications received from apps during non-working time. The limit access setting is now available for the Microsoft Teams and Microsoft Edge apps. You can limit access by using App Protection Policies (APP) to block or warn end users from using the iOS/iPadOS or Android Teams and Microsoft Edge apps during non-working time by setting the **Non-working time** conditional launch setting. Also, you can create a non-working time policy to mute notifications from the Teams app to end users during non-working time. Applies to: 
@@ -218,7 +237,7 @@ There are new settings in the Settings Catalog. To see these settings, in the [M #### Consent prompt update for remote log collection -End users might see a different consent experience for remote log collection after the Android APP SDK 10.4.0 and iOS APP SDK 19.6.0 updates. End users will no longer see a common prompt from Intune and will only see a prompt from the application, if it has one. +End users might see a different consent experience for remote log collection after the Android APP SDK 10.4.0 and iOS APP SDK 19.6.0 updates. End users no longer see a common prompt from Intune and only see a prompt from the application, if it has one. Adoption of this change is per-application and is subject to each applications release schedule. 
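Review bot: the unchanged context line that closes this hunk, "subject to each applications release schedule", is missing the possessive apostrophe ("each application's release schedule"); since the hunk already touches this paragraph for tense fixes, fix it here as well.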
@@ -294,9 +313,9 @@ All Android devices automatically migrate to the updated Managed Home Screen (MH #### Support has ended for Apple profile-based user enrollment with Company Portal -Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: *profile-based enrollment* and *account-driven enrollment*. Apple has ended support for profile-based user enrollment, known in Intune as *user enrollment with Company Portal*. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for [profile-based user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md). Users can no longer enroll devices targeted with this enrollment profile type. Devices already enrolled with this profile type aren't impacted by this change, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect the majority of enrolled devices. +Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: *profile-based enrollment* and *account-driven enrollment*. Apple has ended support for profile-based user enrollment, known in Intune as *user enrollment with Company Portal*. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for [profile-based user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md). Users can no longer enroll devices targeted with this enrollment profile type. Devices already enrolled with this profile type aren't impacted by this change, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. 
Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. -There is no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected. +There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected. We recommend account-driven user enrollment as a replacement method for devices. For more information about your BYOD enrollment options in Intune, see: @@ -376,7 +395,7 @@ For related information, see: #### Updates to the Discovered Apps report -The **Discovered Apps** report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we are including it as a column in the **Discovered Apps** report. +The **Discovered Apps** report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we're including it as a column in the **Discovered Apps** report. For more information, see [Intune Discovered apps](../apps/app-discovered-apps.md#monitor-discovered-apps-with-intune). 
@@ -518,7 +537,7 @@ For more information, see [Connect Intune account to Managed Google Play account ### Device management -#### 21 Vianet support for Mobile Threat Defense connectors +#### 21Vianet support for Mobile Threat Defense connectors Intune operated by 21Vianet now supports Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors are available. @@ -632,7 +651,7 @@ For more information, see: ### Microsoft Intune Suite -#### Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 is available for GCC High and DoD +#### Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 are available for GCC High and DoD We are excited to announce that the following capabilities from the Microsoft Intune Suite are now supported in U.S. Government Community Cloud (GCC) High and U.S. Department of Defense (DoD) environments. @@ -740,7 +759,7 @@ In an Intune device restrictions configuration policy, you can configure the **A The available options are updated to **Allow**, **Block**, and **Not configured**. -There is no impact to existing profiles using this setting. +There's no impact to existing profiles using this setting. For more information on this setting and the values you can currently configure, see [Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune](../configuration/device-restrictions-android-for-work.md). 
@@ -894,9 +913,7 @@ For more information about protected apps, see [Microsoft Intune protected apps] We've added a new category and setting to the Device Control profile for the *Windows 10, Windows 11, and Windows Server* platform of Intune [Attack surface reduction policy](../protect/endpoint-security-asr-policy.md). -The new setting is **Allow Storage Card**, and found in the new **System** category of the profile. This setting is also available from the Intune [settings catalog](../configuration/settings-catalog.md). - -for the Windows devices. +The new setting is **Allow Storage Card**, and found in the new **System** category of the profile. This setting is also available from the Intune [settings catalog](../configuration/settings-catalog.md) for the Windows devices. This setting controls whether the user is allowed to use the storage card for device storage, and can prevent programmatic access to the storage card. For more information on this new setting, see [AllowStorageCard](/windows/client-management/mdm/policy-csp-system?branch=main&branchFallbackFrom=pr-en-us-15655&WT.mc_id=Portal-fx#allowstoragecard) in the Windows documentation. 
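Review bot: the merged sentence in this hunk still carries the stray article from the fragment it absorbed: "also available from the Intune settings catalog for the Windows devices" should read "for Windows devices", or drop the phrase entirely, since the setting is already scoped to the Windows 10, Windows 11, and Windows Server platform two lines above.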
@@ -935,13 +952,13 @@ You can now configure Managed Home Screen (MHS) to enable a virtual app-switcher We've made changes to the device registration process for Apple devices enrolling with Intune Company Portal. Previously, Microsoft Entra device registration occurred during enrollment. With this change, registration occurs after enrollment. -Existing enrolled devices are not affected by this change. For new user or device enrollments that utilize Company Portal, users must return to Company Portal to complete registration: +Existing enrolled devices aren't affected by this change. For new user or device enrollments that utilize Company Portal, users must return to Company Portal to complete registration: -- For iOS users: Users with notifications enabled will be prompted to return to the Company Portal app for iOS. If they disable notifications, they won't be alerted, but still need to return to Company Portal to complete registration. +- For iOS users: Users with notifications enabled are prompted to return to the Company Portal app for iOS. If they disable notifications, they aren't alerted, but still need to return to Company Portal to complete registration. -- For macOS devices: The Company Portal app for macOS will detect the installation of the management profile and automatically register the device, unless the user closes the app. If they close the app, they must reopen it to complete registration. +- For macOS devices: The Company Portal app for macOS detects the installation of the management profile and automatically register the device, unless the user closes the app. If they close the app, they must reopen it to complete registration. -If you're using dynamic groups, which rely on device registration to work, it's important for users to complete device registration. Update your user guidance and admin documentation as needed. If you're using Conditional Access (CA) policies, no action is required. 
When users attempt to sign in to a CA-protected app, they will be prompted to return to Company Portal to complete registration. +If you're using dynamic groups, which rely on device registration to work, it's important for users to complete device registration. Update your user guidance and admin documentation as needed. If you're using Conditional Access (CA) policies, no action is required. When users attempt to sign in to a CA-protected app, they are prompted to return to Company Portal to complete registration. These changes are currently rolling out and will be made available to all Microsoft Intune tenants by the end of July. There's no change to the Company Portal user interface. For more information about device enrollment for Apple devices, see: @@ -954,7 +971,7 @@ These changes are currently rolling out and will be made available to all Micros #### Add corporate device identifiers for Windows -Microsoft Intune now supports corporate device identifiers for devices running Windows 11, version 22H2 and later so that you can identify corporate machines ahead of enrollment. When a device that matches the model, manufacturer, and serial number criteria enrolls, Microsoft Intune will mark it as a corporate device and enable the appropriate management capabilities. For more information, see [Add corporate identifiers](../enrollment/corporate-identifiers-add.md). +Microsoft Intune now supports corporate device identifiers for devices running Windows 11, version 22H2 and later so that you can identify corporate machines ahead of enrollment. When a device that matches the model, manufacturer, and serial number criteria enrolls, Microsoft Intune marks it as a corporate device and enable the appropriate management capabilities. For more information, see [Add corporate identifiers](../enrollment/corporate-identifiers-add.md). ## Week of June 17, 2024 (Service release 2406) 
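Review bot: the tense rewrites in these two hunks break subject-verb agreement twice: "The Company Portal app for macOS detects the installation of the management profile and automatically register the device" needs "registers", and "Microsoft Intune marks it as a corporate device and enable the appropriate management capabilities" needs "enables". Both read as copy-edit regressions rather than intended wording, so fix them in this PR rather than leaving them for the next maintenance pass.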
@@ -1066,7 +1083,7 @@ For more information, see [Create device platform restrictions](../enrollment/cr ### Updates to replace Wandera with Jamf is complete in the Intune admin center -We've completed rebranding in the Microsoft Intune admin center to support replacing Wandera with Jamf. This includes updates to the name of the Mobile Threat Defense connector, which is now *Jamf*, and changes to the minimum required platforms to use the Jamf connector: +We've completed a rebrand in the Microsoft Intune admin center to support replacing Wandera with Jamf. This includes updates to the name of the Mobile Threat Defense connector, which is now *Jamf*, and changes to the minimum required platforms to use the Jamf connector: - Android 11 and later - iOS / iPadOS 15.6 and later @@ -1130,7 +1147,7 @@ Each new permission supports the following rights for the related policy: - Update - View Reports -Each time we add a new granular permission for an endpoint security policy to Intune, those same rights are removed from the *Security baselines* permission. If you use custom roles with the *Security baselines* permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the *Security baseline* permission. This auto-assignment ensures your admins continue to have the same permissions they have today. +Each time we add a new granular permission for an endpoint security policy to Intune, those same rights are removed from the *Security baselines* permission. If you use custom roles with the *Security baselines* permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the *Security baseline* permission. This autoassignment ensures your admins continue to have the same permissions they have today. For more information about current RBAC permissions and built-in roles, see: 
@@ -1148,7 +1165,7 @@ For more information about current RBAC permissions and built-in roles, see: #### New enrollment time grouping feature for devices -Enrollment time grouping is a new, faster way to group devices during enrollment. When it's configured, Intune adds devices to the appropriate group without requiring inventory discovery and dynamic membership evaluations. To set up enrollment time grouping, you must configure a static Microsoft Entra security group in each enrollment profile. After a device enrolls, Intune adds it to the static security group and delivers assigned apps and policies. +Enrollment time grouping is a new, faster way to group devices during enrollment. When configured, Intune adds devices to the appropriate group without requiring inventory discovery and dynamic membership evaluations. To set up enrollment time grouping, you must configure a static Microsoft Entra security group in each enrollment profile. After a device enrolls, Intune adds it to the static security group and delivers assigned apps and policies. This feature is available for Windows 11 devices enrolling via Windows Autopilot device preparation. For more information, see [Enrollment time grouping in Microsoft Intune](../enrollment/enrollment-time-grouping.md). 
@@ -1258,9 +1275,9 @@ Applies to: #### Optional Feature updates -Feature updates can now be made available to end users as **Optional** updates, with the introduction of **Optional** Feature updates. End users will see the update in the **Windows Update** settings page in the same way that it's shown for consumer devices. +Feature updates can now be made available to end users as **Optional** updates, with the introduction of **Optional** Feature updates. End users see the update in the **Windows Update** settings page in the same way that it's shown for consumer devices. -End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a **Required** update, then admins can change the setting on the policy, and update the rollout settings so that the update is deployed as a **Required** update to devices that do not yet have it installed. +End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a **Required** update, then admins can change the setting on the policy, and update the rollout settings so that the update is deployed as a **Required** update to devices that don't yet have it installed. For more information on Optional Feature updates, see [Feature updates for Windows 10 and later policy in Intune](..//protect/windows-10-feature-updates.md#create-and-assign-feature-updates-for-windows-10-and-later-policy). 
@@ -1332,9 +1349,9 @@ For related information, see [Change the Portal settings](../fundamentals/tutori #### Updates to the Managed Home Screen experience -We recently released and improved the Managed Home Screen experience, which is now Generally Available. The app has been redesigned to improve the core workflows throughout the application. The updated design offers a more usable and supportable experience. +We recently released and improved the Managed Home Screen experience, which is now Generally Available. The app is redesigned to improve the core workflows throughout the application. The updated design offers a more usable and supportable experience. -With the release, we stop investing in previous Managed Home Screen workflows. New features and fixes for Managed Home Screen are only added to the new experience. During August 2024, the new experience will automatically be enabled for all devices. +With the release, we stop investing in previous Managed Home Screen workflows. New features and fixes for Managed Home Screen are only added to the new experience. During August 2024, the new experience is automatically enabled for all devices. For more information, see [Configure the Microsoft Managed Home Screen app for Android Enterprise](../apps/app-configuration-managed-home-screen-app.md) and [Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune](../configuration/device-restrictions-android-for-work.md). From b8026d3a5c53a7f22d1f205ffa058ebe2547ed38 Mon Sep 17 00:00:00 2001 From: brenduns Date: Mon, 14 Oct 2024 09:05:02 -0700 Subject: [PATCH 02/14] What's new draft update for 2410 plus quality edits for file mainenance. --- memdocs/intune/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 7d3d2cd47ec..2f43a9f7f7f 100644 --- a/memdocs/intune/fundamentals/whats-new.md 
+++ b/memdocs/intune/fundamentals/whats-new.md 
@@ -313,7 +313,7 @@ All Android devices automatically migrate to the updated Managed Home Screen (MH #### Support has ended for Apple profile-based user enrollment with Company Portal -Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: *profile-based enrollment* and *account-driven enrollment*. Apple has ended support for profile-based user enrollment, known in Intune as *user enrollment with Company Portal*. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for [profile-based user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md). Users can no longer enroll devices targeted with this enrollment profile type. Devices already enrolled with this profile type aren't impacted by this change, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. +Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: *profile-based enrollment* and *account-driven enrollment*. Apple has ended support for profile-based user enrollment, known in Intune as *user enrollment with Company Portal*. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for [profile-based user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md). Users can no longer enroll devices targeted with this enrollment profile type. This change doesn't affect devices that are already enrolled with this profile type, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. 
Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected. From 42677423350d4cf837c95acf17d791e68e406e12 Mon Sep 17 00:00:00 2001 From: brenduns Date: Mon, 14 Oct 2024 09:17:17 -0700 Subject: [PATCH 03/14] adding another --- memdocs/intune/fundamentals/in-development.md | 8 -------- memdocs/intune/fundamentals/whats-new.md | 10 ++++++++++ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index 625b431b7af..006019fb7b6 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md @@ -129,14 +129,6 @@ Applies to: - Windows (Corporate owned devices managed by Intune) -### Collection of additional device inventory details - -We're adding additional files and registry keys to be collected to assist in troubleshooting the Device Hardware Inventory feature. - -Applies to: - -- Windows - ## Device security diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 2f43a9f7f7f..52bf0d1e31a 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -93,6 +93,16 @@ Applies to: - Android Enterprise devices +### Device management + +#### Collection of additional device inventory details + +Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature. + +Applies to: + +- Windows + ## Week of October 7, 2024 ### App management From 9b1660446ebb1b2b739dcb44d563f4cb9e5ffa44 Mon Sep 17 00:00:00 2001 
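Review bot: the new "Collection of additional device inventory details" entry in PATCH 03/14 tells admins that Intune "now collects additional files and registry keys" without saying which ones or linking to the Device Inventory documentation; the in-development text it replaces was equally vague, but a what's-new entry is where admins look to assess what data leaves a device, so add the list (or a link to where it is documented) and state whether the collection depends on a device inventory configuration or happens on every Windows device.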
From: brenduns Date: Tue, 15 Oct 2024 09:47:03 -0700 Subject: [PATCH 04/14] two more --- memdocs/intune/fundamentals/in-development.md | 37 ------------------ memdocs/intune/fundamentals/whats-new.md | 39 ++++++++++++++++++- 2 files changed, 38 insertions(+), 38 deletions(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index 006019fb7b6..6a3920b61a8 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md @@ -97,28 +97,6 @@ Applies to: ## Device management -### Minimum OS version for Android devices will be Android 10 and later for user-based management methods - -From October 2024, the minimum OS supported for Android devices will be Android 10 and later for user-based management methods, which includes: - -- Android Enterprise personally-owned work profile -- Android Enterprise corporate owned work profile -- Android Enterprise fully managed -- Android Open Source Project (AOSP) user-based -- Android device administrator -- App protection policies (APP) -- App configuration policies (ACP) for managed apps - -For enrolled devices on unsupported OS versions (Android 9 and lower) - -- Intune technical support won't be provided. -- Intune won't make changes to address bugs or issues. -- New and existing features aren't guaranteed to work. - -While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended. - -Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be affected by this change. - ### Device Inventory for Windows Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions. 
@@ -133,21 +111,6 @@ Applies to: ## Device security -### New strong mapping requirements for Intune-issued SCEP certificates - -To align with the Windows Kerberos Key Distribution Center's (KDC) strong mapping attribute requirements described in [KB5014754](https://support.microsoft.com/help/5014754), SCEP certificates issued by Microsoft Intune will be required to have the following tag in the Subject Alternative Name (SAN) field: - -`URL=tag:microsoft.com,2022-09-14:sid:` - -This tag will ensure that certificates are compliant with the KDC's latest requirements, and that certificate-based authentication continues working. Microsoft Intune will be adding support for the SID variable in SCEP profiles. You will be able to modify or create a new SCEP profile to include the OnPremisesSecurityIdentifier variable in the SCEP profile. This action will trigger Microsoft Intune to issue new certificates with the appropriate tag to all applicable users and devices. - -These requirements apply to: - -- Android, iOS/iPadOS, and macOS user certificates. -- Windows 10/11 user and device certificates. - -They don't apply to device certificates used with Microsoft Entra joined users or devices, because SID is an on-premises identifier. - ### Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint You'll be able to use the endpoint security policy for *Device control* (Attack surface reduction policy) from the Microsoft Intune with the devices you manage through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) capability. diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 52bf0d1e31a..8dc7f410ab2 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md 
@@ -95,6 +95,28 @@ Applies to: ### Device management +#### Minimum OS version for Android devices is Android 10 and later for user-based management methods + +Beginning in October 2024, Android 10 and later is the minimum Android OS version that is supported for user-based management methods, which includes: + +- Android Enterprise personally-owned work profile +- Android Enterprise corporate owned work profile +- Android Enterprise fully managed +- Android Open Source Project (AOSP) user-based +- Android device administrator +- App protection policies (APP) +- App configuration policies (ACP) for managed apps + +For enrolled devices on unsupported OS versions (Android 9 and lower) + +- Intune technical support is not provided. +- Intune won't make changes to address bugs or issues. +- New and existing features aren't guaranteed to work. + +While Intune doesn't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended. + +Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices are not affected by this change. + #### Collection of additional device inventory details Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature. 
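Review bot: in the `+#### Minimum OS version for Android devices is Android 10 and later` hunk, the line `For enrolled devices on unsupported OS versions (Android 9 and lower)` introduces a bullet list and needs a terminating colon, and the first two bullets hyphenate inconsistently (`personally-owned work profile` beside `corporate owned work profile`); suggest `corporate-owned work profile` to match.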
@@ -115,6 +137,21 @@ For more information, see [New look for Intune Company Portal app for Windows](h ### Device security +#### New strong mapping requirements for SCEP certificates authenticating with KDC + +The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that a Simple Certificate Enrollment Protocol (SCEP) certificate's subject alternative name (SAN) must have a security identifier (SID) extension that maps to the user or device SID in Active Directory. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working. + +To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a `URI` attribute and the `OnPremisesSecurityIdentifier` variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's been synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID. + +For more information and steps, see [Update certificate connector: Strong mapping requirements for KB5014754](./protect/certificates-profile-scep.md). + +Applies to: + +- Windows 10/11, iOS/iPadOS, and macOS user certificates +- Windows 10/11 device certificates + +This requirement isn't applicable to device certificates used with Microsoft Entra joined users or devices, because the SID attribute is an on-premises identifier. 
+ #### Defender for Endpoint security settings support in government cloud environments (public preview) In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on the devices that onboarded to Defender without enrolling those devices with Intune. This capability is known as [Defender for Endpoint security settings management](../protect/mde-security-integration.md). @@ -913,7 +950,7 @@ The following protected apps are now available for Microsoft Intune: - HCSS Field: Time, cost, safety (iOS) by Heavy Construction Systems Specialists, Inc. - Synchrotab for Intune (iOS) by Synchrotab, LLC -For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md). +For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md). ## Week of July 15, 2024 From 70b5d85df411858e524c289eccee26aa841012c7 Mon Sep 17 00:00:00 2001 From: brenduns Date: Wed, 16 Oct 2024 13:24:15 -0700 Subject: [PATCH 05/14] add autopilot device preperation statement for 21vianet support --- memdocs/intune/fundamentals/whats-new.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 8dc7f410ab2..53941861efb 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 10/17/2024 +ms.date: 10/19/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals 
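Review bot: the `+#### New strong mapping requirements for SCEP certificates authenticating with KDC` hunk has a broken link and an unstated consequence. The link `./protect/certificates-profile-scep.md` is relative to `fundamentals/`, so it should be `../protect/certificates-profile-scep.md` like the other cross-links in this file. The paragraph also ends with "If they don't have a SID, a new certificate is issued without the SID" without saying what the first paragraph implies: a certificate with no SID extension is not strongly mapped, so for users and devices that authenticate against the KDC it won't meet the requirement this entry describes; state that, and consider keeping the literal SAN tag `URL=tag:microsoft.com,2022-09-14:sid:` from the text removed in the in-development.md hunk so admins can verify what Intune appends to issued certificates.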
@@ -93,6 +93,17 @@ Applies to: - Android Enterprise devices +### Device configuration + +#### Windows Autopilot device preparation support in Intune operated by 21Vianet in China + +Intune now supports *Windows Autopilot device preparation* policy for [Intune operated by 21Vianet in China](../fundamentals/china.md) cloud. Customers with tenants located in China can now use *Windows Autopilot device preparation* with Intune to provision devices. + +For information about this Autopilot support, see the following in the Autopilot documentation: + +- Overview: [Overview of Windows Autopilot device preparation](../../autopilot/device-preparation/device-preparation/overview.md) +- Tutorial: [Windows Autopilot device preparation scenarios](../../autopilot/device-preparation/tutorial/scenarios.md) + ### Device management #### Minimum OS version for Android devices is Android 10 and later for user-based management methods From e68809cf6b28c03e4e03abea2a81574ba7ebc37c Mon Sep 17 00:00:00 2001 From: brenduns Date: Wed, 16 Oct 2024 13:29:48 -0700 Subject: [PATCH 06/14] Fixa linksa --- memdocs/intune/fundamentals/whats-new.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 53941861efb..3706b53d724 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md 
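Review bot: both links in the `+### Device configuration` hunk look wrong. `../../autopilot/device-preparation/device-preparation/overview.md` repeats the `device-preparation` segment while the Tutorial link beside it uses a single one, and the `../../autopilot/` prefix resolves from `memdocs/intune/fundamentals/` to `memdocs/autopilot/`, which does not appear among the paths touched in this series; verify that path exists, or use site-relative links of the form `/autopilot/device-preparation/overview` and `/autopilot/device-preparation/tutorial/scenarios`.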
@@ -101,8 +101,8 @@ Intune now supports *Windows Autopilot device preparation* policy for [Intune op For information about this Autopilot support, see the following in the Autopilot documentation: -- Overview: [Overview of Windows Autopilot device preparation](../../autopilot/device-preparation/device-preparation/overview.md) -- Tutorial: [Windows Autopilot device preparation scenarios](../../autopilot/device-preparation/tutorial/scenarios.md) +- Overview: [Overview of Windows Autopilot device preparation](/autopilot/device-preparation/device-preparation/overview) +- Tutorial: [Windows Autopilot device preparation scenarios](/autopilot/device-preparation/tutorial/scenarios) ### Device management @@ -154,7 +154,7 @@ The Key Distribution Center (KDC) requires user or device objects to be strongly To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a `URI` attribute and the `OnPremisesSecurityIdentifier` variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's been synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID. -For more information and steps, see [Update certificate connector: Strong mapping requirements for KB5014754](./protect/certificates-profile-scep.md). +For more information and steps, see [Update certificate connector: Strong mapping requirements for KB5014754](../protect/certificates-profile-scep.md). Applies to: From 66b094050e6557cb4eb73dbb8280dc969f635743 Mon Sep 17 00:00:00 2001 From: brenduns Date: Wed, 16 Oct 2024 13:37:02 -0700 Subject: [PATCH 07/14] Link path/url fix --- memdocs/intune/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
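Review bot: the Overview link in the `@@ -101,8 +101,8 @@` hunk still carries the duplicated segment, `/autopilot/device-preparation/device-preparation/overview`, while the Tutorial link on the next line uses a single `device-preparation` segment; drop the repeat so the path reads `/autopilot/device-preparation/overview`.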
diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 3706b53d724..2827a5006cc 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -101,7 +101,7 @@ Intune now supports *Windows Autopilot device preparation* policy for [Intune op For information about this Autopilot support, see the following in the Autopilot documentation: -- Overview: [Overview of Windows Autopilot device preparation](/autopilot/device-preparation/device-preparation/overview) +- Overview: [Overview of Windows Autopilot device preparation](/autopilot/device-preparation/overview) - Tutorial: [Windows Autopilot device preparation scenarios](/autopilot/device-preparation/tutorial/scenarios) ### Device management From 5e6473c3dc316d1bcffd2ac461e24ed3497158c6 Mon Sep 17 00:00:00 2001 From: Yuji Aoki Date: Thu, 17 Oct 2024 19:30:22 +0900 Subject: [PATCH 08/14] Learn Editor: Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 88fbbb2ef04..f86f7bd6a7c 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -102,7 +102,8 @@ With [Microsoft Defender for Endpoint for Linux](/microsoft-365/security/defende - Debian 9 or higher  - SUSE Linux Enterprise Server 12 or higher  - Oracle Linux 7.2 or higher  -- Amazon Linux 2  +- Amazon Linux 2 and 2023 + - Fedora 33 or higher To confirm the version of the Defender agent, in the Defender portal go to the devices page, and on the devices *Inventories* tab, search for *Defender for Linux*. For guidance on updating the agent version, see [Deploy updates for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-updates). 
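Review bot: the `+- Amazon Linux 2 and 2023` hunk adds an empty `+` line between the Amazon Linux and Fedora bullets, which splits the supported-distribution list into two lists when rendered; remove the blank line. The bullet also folds two distinct releases into one entry with no "or higher" qualifier like its neighbours, so one bullet per release (`- Amazon Linux 2` and `- Amazon Linux 2023`) would read more consistently.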
From 2c0641130074283ded558f838cc1a9c1a9db16c2 Mon Sep 17 00:00:00 2001 From: Yuji Aoki Date: Thu, 17 Oct 2024 19:30:34 +0900 Subject: [PATCH 09/14] Learn Editor: Update mde-security-integration.md From 4be276e015c680c22c5f00db26f0a49dbf0dc124 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Fri, 18 Oct 2024 11:44:11 -0700 Subject: [PATCH 10/14] Update store-apps-microsoft.md --- memdocs/intune/apps/store-apps-microsoft.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/apps/store-apps-microsoft.md b/memdocs/intune/apps/store-apps-microsoft.md index 1179b58d2e3..c8f5df5290d 100644 --- a/memdocs/intune/apps/store-apps-microsoft.md +++ b/memdocs/intune/apps/store-apps-microsoft.md @@ -77,6 +77,9 @@ An [Intune administrator](../fundamentals/users-add.md#types-of-administrators) The Microsoft Store provides a large variety of apps designed to work on your Microsoft devices. Within Intune, you can search and add the apps you want to assign to your workforce at your organization. +> [!IMPORTANT] +> There is no age restriction when searching for apps in the Microsoft Store. + 1. Select **Search the Microsoft Store app** to display the search panel which features a search bar and includes the following columns: - **Name** – The name of the app. @@ -90,7 +93,6 @@ The Microsoft Store provides a large variety of apps designed to work on your Mi > Specific Microsoft Store apps may not be displayed and available in Intune. Common reasons an app doesn't appear when searching within Intune include the following: > > - The app is not available in US region. - > - The app is not available if there is an age restriction. > - The app is a paid app, which is not supported. > - The app is an Android app. 
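Review bot: the new `> [!IMPORTANT]` callout in the `@@ -77,6 +77,9 @@` hunk states a negative ("There is no age restriction when searching") as a standalone admonition ahead of the numbered procedure; the same fact belongs in the existing "Common reasons an app doesn't appear" note that the next hunk edits, where the age-restriction bullet is being removed, rather than as a separate warning. Before merging, confirm that age restrictions no longer affect search at all, since the search note and the install-behaviour note both lose that clause in this patch.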
@@ -124,7 +126,7 @@ The Microsoft Store provides a large variety of apps designed to work on your Mi You can choose how you want to assign Microsoft Store apps to users and devices. > [!NOTE] -> If you assign an app to a device that is located in a region where that app is not supported or where that app does not meet the age restrictions, the app will not install on the device. However, if the device is moved to a region that supports the app, the app will install on the device. +> If you assign an app to a device that is located in a region where that app is not supported, the app will not install on the device. However, if the device is moved to a region that supports the app, the app will install on the device. The following table provides assignment type details: From 10472c2e8aec59a8f41cf45db52cd5c688b9d824 Mon Sep 17 00:00:00 2001 From: Jon <48563396+jowiswel@users.noreply.github.com> Date: Fri, 18 Oct 2024 13:44:16 -0500 Subject: [PATCH 11/14] Update updates.md Moved CM 2303 to Unsupported Status as Support ended on Oct 10, 2024 --- memdocs/configmgr/core/servers/manage/updates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/configmgr/core/servers/manage/updates.md b/memdocs/configmgr/core/servers/manage/updates.md index 16b889671c6..1c1dd2d2e12 100644 --- a/memdocs/configmgr/core/servers/manage/updates.md +++ b/memdocs/configmgr/core/servers/manage/updates.md @@ -59,7 +59,6 @@ The following supported versions`*`, of Configuration Manager are cur |-------------|-----------|------------|--------------|------------------------| | [**2403**](../../plan-design/changes/whats-new-in-version-2403.md)
(5.00.9128) | April 22, 2024 | October 22, 2025 | Yes[Note 1](#bkmk_note1) | Yes | | [**2309**](../../plan-design/changes/whats-new-in-version-2309.md)
(5.00.9122) | October 9, 2023 | April 9, 2025 | No | Yes | -| [**2303**](../../plan-design/changes/whats-new-in-version-2303.md)
(5.00.9106) | April 10, 2023 | October 10, 2024 | Yes[Note 1](#bkmk_note1) | Yes | > [!NOTE] > The **Availability date** in this table is when the [early update ring](checklist-for-installing-update-2403.md#early-update-ring) was released. Baseline media will be available on the VLSC soon after the update is globally available. @@ -87,8 +86,9 @@ The following table lists historical versions of Configuration Manager current b | Version | Availability date | Support end date | Baseline | In-console update | |----------------------------------|-------------------|--------------------|----------|-------------------| -| **2211**
(5.00.9096)) | December 5, 2022 | June 5, 2024 | No | Yes | -| **2207**
(5.00.9088)) | August 12, 2022 | February 12, 2024 | No | Yes | +| **2303**
(5.00.9106) | April 10, 2023 | October 10, 2024 | Yes | Yes | +| **2211**
(5.00.9096) | December 5, 2022 | June 5, 2024 | No | Yes | +| **2207**
(5.00.9088) | August 12, 2022 | February 12, 2024 | No | Yes | | **2203**
(5.00.9078) | April 6, 2022 | October 6, 2023 | Yes | Yes | | **2111**
(5.00.9068) | December 1, 2021 | June 1, 2023 | No | Yes | | **2107**
(5.00.9058) | August 2, 2021 | February 2, 2023 | No | Yes | From 1aa397d873af448c378be3063b28fb48c5d37783 Mon Sep 17 00:00:00 2001 From: Brent Dunsire Date: Fri, 18 Oct 2024 12:20:05 -0700 Subject: [PATCH 12/14] Update mde-security-integration.md Changing presentation, as Amazon version branding might not support the 'or later' we see for other platforms. This will help avoid confusion, as it seems AL2 is based on CentOS/RHEL 7, while AL2023 is based on Fedora/CentOS Stream - which seems to be a significant version difference worth a seperate version bullet point. --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index f86f7bd6a7c..a2a6bf9e890 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -102,8 +102,8 @@ With [Microsoft Defender for Endpoint for Linux](/microsoft-365/security/defende - Debian 9 or higher  - SUSE Linux Enterprise Server 12 or higher  - Oracle Linux 7.2 or higher  -- Amazon Linux 2 and 2023 - +- Amazon Linux 2 +- Amazon Linux 2023 - Fedora 33 or higher To confirm the version of the Defender agent, in the Defender portal go to the devices page, and on the devices *Inventories* tab, search for *Defender for Linux*. For guidance on updating the agent version, see [Deploy updates for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-updates). From 0284db6201148a98d96fc510597f8f09a0508f52 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Fri, 18 Oct 2024 12:33:18 -0700 Subject: [PATCH 13/14] Revert "Update store-apps-microsoft.md" --- memdocs/intune/apps/store-apps-microsoft.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
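Review bot: the 2303 row moved into the historical table in the `@@ -87,8 +86,9 @@` hunk drops the `[Note 1](#bkmk_note1)` reference that its Baseline cell carried in the supported-versions table; if Note 1 describes a caveat about the 2303 baseline media that still applies, keep the reference on the moved row, otherwise the plain `Yes` is consistent with the other historical rows. The fix of the stray double parenthesis in `(5.00.9096))` and `(5.00.9088))` is welcome.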
diff --git a/memdocs/intune/apps/store-apps-microsoft.md b/memdocs/intune/apps/store-apps-microsoft.md index c8f5df5290d..1179b58d2e3 100644 --- a/memdocs/intune/apps/store-apps-microsoft.md +++ b/memdocs/intune/apps/store-apps-microsoft.md @@ -77,9 +77,6 @@ An [Intune administrator](../fundamentals/users-add.md#types-of-administrators) The Microsoft Store provides a large variety of apps designed to work on your Microsoft devices. Within Intune, you can search and add the apps you want to assign to your workforce at your organization. -> [!IMPORTANT] -> There is no age restriction when searching for apps in the Microsoft Store. - 1. Select **Search the Microsoft Store app** to display the search panel which features a search bar and includes the following columns: - **Name** – The name of the app. @@ -93,6 +90,7 @@ The Microsoft Store provides a large variety of apps designed to work on your Mi > Specific Microsoft Store apps may not be displayed and available in Intune. Common reasons an app doesn't appear when searching within Intune include the following: > > - The app is not available in US region. + > - The app is not available if there is an age restriction. > - The app is a paid app, which is not supported. > - The app is an Android app. 
@@ -126,7 +124,7 @@ The Microsoft Store provides a large variety of apps designed to work on your Mi You can choose how you want to assign Microsoft Store apps to users and devices. > [!NOTE] -> If you assign an app to a device that is located in a region where that app is not supported, the app will not install on the device. However, if the device is moved to a region that supports the app, the app will install on the device. +> If you assign an app to a device that is located in a region where that app is not supported or where that app does not meet the age restrictions, the app will not install on the device. However, if the device is moved to a region that supports the app, the app will install on the device. The following table provides assignment type details: From 0ae8c92ed4c7c18333f4bd4caf14451c6ff0e0d6 Mon Sep 17 00:00:00 2001 From: mayganm <87776729+mayganm@users.noreply.github.com> Date: Fri, 18 Oct 2024 12:35:07 -0700 Subject: [PATCH 14/14] Update intune-notices.md --- memdocs/intune/includes/intune-notices.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/includes/intune-notices.md b/memdocs/intune/includes/intune-notices.md index 5798b7b85e0..ef1daca0e81 100644 --- a/memdocs/intune/includes/intune-notices.md +++ b/memdocs/intune/includes/intune-notices.md 
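Review bot: the three hunks in this revert undo patch 10 byte for byte, so within this series the two commits cancel out; squash or drop both before merging so the history does not carry a change and its reversal. If the age-restriction wording was reverted because it was inaccurate, record that reason in the revert commit message.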
@@ -212,9 +212,8 @@ If applicable, follow the instructions provided by Jamf to migrate your macOS de After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: -1. Users won't be able to enroll devices with Android device administrator. -2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. -3. Intune technical support will no longer support these devices. +1. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. +2. Intune technical support will no longer support these devices. #### How can you prepare?
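Review bot: dropping `1. Users won't be able to enroll devices with Android device administrator.` from the impact list changes what the notice promises after support ends; the two remaining items cover servicing and technical support only, so readers will conclude that enrollment stays possible. If that is now the intended behaviour, add a sentence saying so explicitly, since the lead-in presents the list as the full set of impacts; if not, keep the item.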